Add Vitastor support

bump version to 9.0.2-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-11-16 11:21:31 +03:00 · 2024-11-10 11:23:14 +01:00 · 2024-11-10 11:20:39 +01:00 · 2024-09-06 16:22:13 +02:00 · 2024-09-05 14:44:54 +02:00 · 2024-09-05 14:44:54 +02:00
164 changed files with 8915 additions and 13896 deletions
--- a/35
+++ b/35
@@ -3,24 +3,28 @@ include /usr/share/dpkg/default.mk
 PACKAGE = pve-qemu-kvm

 SRCDIR := qemu
-BUILDDIR ?= ${PACKAGE}-${DEB_VERSION_UPSTREAM}
+BUILDDIR ?= $(PACKAGE)-$(DEB_VERSION_UPSTREAM)
 ORIG_SRC_TAR=$(PACKAGE)_$(DEB_VERSION_UPSTREAM).orig.tar.gz

 GITVERSION := $(shell git rev-parse HEAD)

 DSC=$(PACKAGE)_$(DEB_VERSION_UPSTREAM_REVISION).dsc
-DEB = ${PACKAGE}_${DEB_VERSION_UPSTREAM_REVISION}_${DEB_BUILD_ARCH}.deb
-DEB_DBG = ${PACKAGE}-dbg_${DEB_VERSION_UPSTREAM_REVISION}_${DEB_BUILD_ARCH}.deb
+DEB = $(PACKAGE)_$(DEB_VERSION_UPSTREAM_REVISION)_$(DEB_BUILD_ARCH).deb
+DEB_DBG = $(PACKAGE)-dbgsym_$(DEB_VERSION_UPSTREAM_REVISION)_$(DEB_BUILD_ARCH).deb
 DEBS = $(DEB) $(DEB_DBG)

 all: $(DEBS)

 .PHONY: submodule
 submodule:
-	test -f "${SRCDIR}/configure" || git submodule update --init --recursive
+ifeq ($(shell test -f "$(SRCDIR)/configure" && echo 1 || echo 0), 0)
+	git submodule update --init --recursive
+	cd $(SRCDIR); meson subprojects download
+endif

 PC_BIOS_FW_PURGE_LIST_IN = \
 	hppa-firmware.img \
+	hppa-firmware64.img \
 	openbios-ppc \
 	openbios-sparc32 \
 	openbios-sparc64 \
@@ -28,7 +32,8 @@ PC_BIOS_FW_PURGE_LIST_IN = \
 	s390-ccw.img \
 	s390-netboot.img \
 	u-boot.e500 \
-	.*\.dtb \
+	.*[a-zA-Z0-9]\.dtb \
+	.*[a-zA-Z0-9]\.dts \
 	qemu_vga.ndrv \
 	slof.bin \
 	opensbi-riscv.*-generic-fw_dynamic.bin \
@@ -36,15 +41,14 @@ PC_BIOS_FW_PURGE_LIST_IN = \
 BLOB_PURGE_SED_CMDS = $(foreach FILE,$(PC_BIOS_FW_PURGE_LIST_IN),-e "/$(FILE)/d")
 BLOB_PURGE_FILTER = $(foreach FILE,$(PC_BIOS_FW_PURGE_LIST_IN),-e "$(FILE)")

-$(BUILDDIR): keycodemapdb | submodule
+$(BUILDDIR): submodule
 	# check if qemu/ was used for a build
 	# if so, please run 'make distclean' in the submodule and try again
 	test ! -f $(SRCDIR)/build/config.status
 	rm -rf $@.tmp $@
 	cp -a $(SRCDIR) $@.tmp
 	cp -a debian $@.tmp/debian
-	rm -rf $@.tmp/ui/keycodemapdb
-	cp -a keycodemapdb $@.tmp/ui/
+	rm -rf $@.tmp/roms/edk2 # packaged separately
 	find $@.tmp/pc-bios -type f | grep $(BLOB_PURGE_FILTER) | xargs rm -f
 	sed -i $(BLOB_PURGE_SED_CMDS) $@.tmp/pc-bios/meson.build
 	echo "git clone git://git.proxmox.com/git/pve-qemu.git\\ngit checkout $(GITVERSION)" > $@.tmp/debian/SOURCE
@@ -54,7 +58,7 @@ $(BUILDDIR): keycodemapdb | submodule
 deb kvm: $(DEBS)
 $(DEB_DBG): $(DEB)
 $(DEB): $(BUILDDIR)
-	cd $(BUILDDIR); dpkg-buildpackage -b -us -uc -j
+	cd $(BUILDDIR); dpkg-buildpackage -b -us -uc -j32
 	lintian $(DEBS)

 sbuild: $(DSC)
@@ -72,21 +76,10 @@ dsc:
 $(DSC): $(ORIG_SRC_TAR) $(BUILDDIR)
 	cd $(BUILDDIR); dpkg-buildpackage -S -us -uc -d

-.PHONY: update
-update:
-	cd $(SRCDIR) && git submodule deinit ui/keycodemapdb || true
-	rm -rf $(SRCDIR)/ui/keycodemapdb
-	mkdir $(SRCDIR)/ui/keycodemapdb
-	cd $(SRCDIR) && git submodule update --init ui/keycodemapdb
-	rm -rf keycodemapdb
-	mkdir keycodemapdb
-	cp -R $(SRCDIR)/ui/keycodemapdb/* keycodemapdb/
-	git add keycodemapdb
-
 .PHONY: upload
 upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
 upload: $(DEBS)
-	tar cf - ${DEBS} | ssh repoman@repo.proxmox.com upload --product pve --dist $(UPLOAD_DIST)
+	tar cf - $(DEBS) | ssh repoman@repo.proxmox.com upload --product pve --dist $(UPLOAD_DIST)

 .PHONY: distclean clean
 distclean: clean
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,287 @@
+pve-qemu-kvm (9.0.2-4+vitastor1) bookworm; urgency=medium
+
+  * Add Vitastor support
+
+ -- Vitaliy Filippov <vitalif@yourcmc.ru>  Sat, 16 Nov 2024 11:18:15 +0300
+
+pve-qemu-kvm (9.0.2-4) bookworm; urgency=medium
+
+  * async snapshot: ensure any dynamic vCPU-throttling applied for
+    auto-converge gets always disabled again after finishing the snapshot.
+
+ -- Proxmox Support Team <support@proxmox.com>  Sun, 10 Nov 2024 11:23:09 +0100
+
+pve-qemu-kvm (9.0.2-3) bookworm; urgency=medium
+
+  * pick up fix for VirtIO PCI regressions
+
+  * pick up stable fixes for 9.0, including fixes for VirtIO-net, ARM and
+    x86(_64) emulation, CVEs to harden NBD server against malicious clients,
+    as well as a few others (VNC, physmem, Intel IOMMU, ...).
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 06 Sep 2024 16:21:42 +0200
+
+pve-qemu-kvm (9.0.2-2) bookworm; urgency=medium
+
+  * actually update submodule to QEMU 9.0.2. The previous release was still
+    based on 9.0.0 by mistake.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Aug 2024 10:16:01 +0200
+
+pve-qemu-kvm (9.0.2-1) bookworm; urgency=medium
+
+  * update submodule and patches to QEMU 9.0.2. While our version had most
+    stable fixes included already, there are new fixes for VirtIO and VGA
+    display screen blanking (#4786)
+
+  * backport fix for a regression with the LSI-53c895a controller and one for
+    the boot order getting ignored for USB storage
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Jul 2024 18:59:40 +0200
+
+pve-qemu-kvm (9.0.0-6) bookworm; urgency=medium
+
+  * fix a regression in the zeroinit block driver that prevented importing and
+    cloning disks to RBD storages which are not using the krbd setting
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Jul 2024 16:11:15 +0200
+
+pve-qemu-kvm (9.0.0-5) bookworm; urgency=medium
+
+  * backport fix for CVE-2024-4467 to prevent malicious qcow2 image files from
+    already causing bad effects if being queried via 'qemu-img info'. For
+    Proxmox VE, this is an additional safe guard, as currently it directly
+    creates and manages the qcow2 images used by VMs and does not allow
+    unprivileged users to import them
+
+  * fix #4726: code cleanup: avoid superfluous check in vma backup code
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Jul 2024 13:13:35 +0200
+
+pve-qemu-kvm (9.0.0-4) bookworm; urgency=medium
+
+  * fix crash after saving a snapshot without including VM state when a VirtIO
+    block device with iothread is configured.
+
+  * fix edge case in error handling when opening a block device from PBS fails
+
+  * minor code cleanup in backup code
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jul 2024 11:26:11 +0200
+
+pve-qemu-kvm (9.0.0-3) bookworm; urgency=medium
+
+  * fix crash when doing resize after hotplugging a disk using io_uring
+
+  * fix some minor issues in software CPU emulation (i.e. non-KVM) for ARM and
+    x86(_64)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 29 May 2024 15:55:44 +0200
+
+pve-qemu-kvm (9.0.0-2) bookworm; urgency=medium
+
+  * fix #5409: backup: fix copy-before-write timeout
+
+  * backup: improve error when copy-before-write fails for fleecing
+
+  * fix forwards and backwards migration with VirtIO-GPU display
+
+  * fix a regression in pflash device introduced in 8.2
+
+  * revert a commit for VirtIO PCI devices that turned out to cause more
+    potential security issues than what it fixed
+
+  * move compatibility flags for a new VirtIO-net feature to the correct
+    machine type. The feature was introduced in QEMU 8.2, but the
+    compatibility flags got added to machine version 8.0 instead of 8.1. This
+    breaks backwards migration with machine version 8.1 from a 8.2/9.0 binary
+    to an 8.1 binary, in cases where the guest kernel enables the feature
+    (e.g. Ubuntu 23.10).
+    While that breaks migration with machine version 8.1 from an unpatched to
+    a patched binary, Proxmox VE only ever had 8.2 on the test repository and
+    9.0 not yet in any public repository.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 17 May 2024 17:04:52 +0200
+
+pve-qemu-kvm (9.0.0-1) bookworm; urgency=medium
+
+  * update submodule and patches to QEMU 9.0.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Apr 2024 10:51:37 +0200
+
+pve-qemu-kvm (8.2.2-1) bookworm; urgency=medium
+
+  * update submodule and patches to QEMU 8.2.2
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Apr 2024 12:44:30 +0200
+
+pve-qemu-kvm (8.1.5-5) bookworm; urgency=medium
+
+  * implement support for backup fleecing
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Apr 2024 17:46:48 +0200
+
+pve-qemu-kvm (8.1.5-4) bookworm; urgency=medium
+
+  * fix live-import for certain kinds of VMDK images that rely on padding
+
+  * backup: avoid bubbling up first error if it's an ECANCELED one, as those
+    are often a result of cancling the job due to running into an actual
+    issue.
+
+  * backup: factor out & clean up gathering device info into helper
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Mar 2024 14:08:40 +0100
+
+pve-qemu-kvm (8.1.5-3) bookworm; urgency=medium
+
+  * backport fix for potential deadlock during QMP stop command if the VM has
+    disks attached through VirtIO-Block and IO-Thread enabled
+
+  * fix #4507: add patch to automatically increase NOFILE soft limit
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 21 Feb 2024 20:11:23 +0100
+
+pve-qemu-kvm (8.1.5-2) bookworm; urgency=medium
+
+  * work around for a situation where guest IO might get stuck, if the VM is
+    configure  with iothread and VirtIO block/SCSI
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Feb 2024 19:41:27 +0100
+
+pve-qemu-kvm (8.1.5-1) bookworm; urgency=medium
+
+  * update to 8.1.5 stable release, including more relevant fixes like:
+    - virtio-net: correctly copy vnet header when flushing TX
+    - hw/pflash: implement update buffer for block writes
+    - Fixes to i386 emulation and ARM emulation.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Feb 2024 19:08:13 +0100
+
+pve-qemu-kvm (8.1.2-6) bookworm; urgency=medium
+
+  * revert attempted fix to avoid rare issue with stuck guest IO when using
+    iothread, because it caused a much more common issue with iothreads
+    consuming too much CPU
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Dec 2023 14:22:06 +0100
+
+pve-qemu-kvm (8.1.2-5) bookworm; urgency=medium
+
+  * backport workaround for stuck guest IO with iothread and VirtIO block/SCSI
+    in some rare edge cases
+
+  * backport fix for potential deadlock when issuing the "resize" QMP command
+    for a disk that is using iothread
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Dec 2023 16:58:27 +0100
+
+pve-qemu-kvm (8.1.2-4) bookworm; urgency=medium
+
+  * fix vnc clipboard in the host to guest direction
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Nov 2023 14:28:21 +0100
+
+pve-qemu-kvm (8.1.2-3) bookworm; urgency=medium
+
+  * fix #5054: backport fix for software reset with SATA, avoiding breakage
+    with, e.g., some FreeBSD VMs
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Nov 2023 10:24:50 +0100
+
+pve-qemu-kvm (8.1.2-2) bookworm; urgency=medium
+
+  * revert "x86: acpi: workaround Windows not handling name references in
+    Package properly" as that seems to have broken networking (and possibly
+    other things) one some localized variants of Windows (e.g., the German
+    versions).
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 17 Nov 2023 11:55:23 +0100
+
+pve-qemu-kvm (8.1.2-1) bookworm; urgency=medium
+
+  * update submodule and patches to QEMU 8.1.2
+
+  * use QEMU's keycode-map-db again instead of our static copy from QEMU 6.0
+
+  * disable graph locking, newly introduced in the 8.1 release, as it has
+    still various deadlock issuess, e.g., during canceling backup jobs.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Oct 2023 13:42:45 +0200
+
+pve-qemu-kvm (8.0.2-7) bookworm; urgency=medium
+
+  * fix #2874: SATA: avoid unsolicited write to sector 0 during reset
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Oct 2023 08:33:35 +0200
+
+pve-qemu-kvm (8.0.2-6) bookworm; urgency=medium
+
+  * fix #1534: vma: add extract-filter for disk images allowing users to pass
+    a comma separated list of the disks they want to extract from an archive.
+
+  * backup: create jobs in a drained section to avoid subtle bugs where
+    something interferes with the block-copy-state bitmap on initialization
+
+  * backup: drop experimental, and since a while also fully broken, directory
+    backup format (BACKUP_FORMAT_DIR). This format was never exposed via the
+    Proxmox VE API, but only available via QMP, as its broken since QEMU 8 and
+    we got zero reports about that, it's safe to assume that there are no
+    public users, so just remove it completely.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Sep 2023 17:03:59 +0200
+
+pve-qemu-kvm (8.0.2-5) bookworm; urgency=medium
+
+  * improve memory footprint after backup by not keeping as much memory
+    resident.
+
+  * fix file descriptor leak for vhost (used by default by vNICs).
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 16 Aug 2023 11:52:24 +0200
+
+pve-qemu-kvm (8.0.2-4) bookworm; urgency=medium
+
+  * fix resume for snapshot and hibernate in combination with iothread and
+    dirty bitmap
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Jul 2023 12:58:22 +0200
+
+pve-qemu-kvm (8.0.2-3) bookworm; urgency=medium
+
+  * fix regression in QEMU 8.0 for drive mirror with bitmap
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jun 2023 13:57:46 +0200
+
+pve-qemu-kvm (8.0.2-2) bookworm; urgency=medium
+
+  * drop custom get_link_status QMP command, was never really used.
+
+  * drop custom & deprecated drive snapshot QMP commands, we use a better
+    alternative since a while.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 09 Jun 2023 07:57:56 +0200
+
+pve-qemu-kvm (8.0.2-1) bookworm; urgency=medium
+
+  * update to QEMU stable release 8.0.2
+
+  * update patches for avoiding issues with DMA reentrancy to current,
+    slightly optimized version.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 06 Jun 2023 16:34:50 +0200
+
+pve-qemu-kvm (8.0.0-1) bookworm; urgency=medium
+
+  * update to QEMU stable release 8.0.0
+
+  * re-build for Proxmox VE 8 / Debian 12 Bookworm
+
+  * adapt to the local virtiofsd C variant being dropped, it has been
+    rewritten in Rust and is now hosted in a separate source repository.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 22 May 2023 13:45:49 +0200
+
 pve-qemu-kvm (7.2.0-8) bullseye; urgency=medium

  * backport fix for ACPI CPU hotplug issue with TCG
--- a/debian/compat
+++ b/debian/compat
@@ -1 +0,0 @@
-10
--- a/debian/control
+++ b/debian/control
@@ -2,9 +2,8 @@ Source: pve-qemu-kvm
 Section: admin
 Priority: optional
 Maintainer: Proxmox Support Team <support@proxmox.com>
-Build-Depends: autotools-dev,
+Build-Depends: debhelper-compat (= 13),
               check,
-               debhelper (>= 9),
               libacl1-dev,
               libaio-dev,
               libattr1-dev,
@@ -38,9 +37,8 @@ Build-Depends: autotools-dev,
               python3-minimal,
               python3-sphinx,
               python3-sphinx-rtd-theme,
+               python3-venv,
               quilt,
-               texi2html,
-               texinfo,
               uuid-dev,
               xfslibs-dev,
 Standards-Version: 3.7.2
@@ -61,6 +59,7 @@ Depends: ceph-common (>= 0.48),
         libspice-server1 (>= 0.14.0~),
         libusb-1.0-0 (>= 1.0.17-1),
         libusbredirparser1 (>= 0.6-2),
+         vitastor-client (>= 0.9.4),
         libuuid1,
         ${misc:Depends},
         ${shlibs:Depends},
@@ -82,14 +81,8 @@ Replaces: pve-kvm,
          qemu-system-arm,
          qemu-system-x86,
          qemu-utils,
+Breaks: qemu-server (<= 8.0.6)
 Description: Full virtualization on x86 hardware
 Using KVM, one can run multiple virtual PCs, each running unmodified Linux or
 Windows images. Each virtual machine has private virtualized hardware: a
 network card, disk, graphics adapter, etc.
-
-Package: pve-qemu-kvm-dbg
-Architecture: any
-Section: debug
-Depends: pve-qemu-kvm (= ${binary:Version}),
-Description: pve qemu debugging symbols
- This package contains the debugging symbols for pve-qemu-kvm.
--- a/debian/parse-machines.pl
+++ b/debian/parse-machines.pl
@@ -24,4 +24,5 @@ while (<STDIN>) {

 die "no QEMU machine types detected from STDIN input" if scalar (@$machines) <= 0;

-print to_json($machines, { utf8 => 1 }) or die "$!\n";
+print to_json($machines, { utf8 => 1, canonical => 1 })
+    or die "failed to encode detected machines as JSON - $!\n";
--- a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
+++ b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
@@ -27,16 +27,18 @@ Signed-off-by: Ma Haocong <mahaocong@didichuxing.com>
 Signed-off-by: John Snow <jsnow@redhat.com>
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: rebased for 8.2.2]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- block/mirror.c                         | 98 +++++++++++++++++++++-----
- blockdev.c                             | 39 +++++++++-
+ block/mirror.c                         | 99 ++++++++++++++++++++------
+ blockdev.c                             | 38 +++++++++-
 include/block/block_int-global-state.h |  4 +-
- qapi/block-core.json                   | 29 ++++++--
+ qapi/block-core.json                   | 25 ++++++-
 tests/unit/test-block-iothread.c       |  4 +-
- 5 files changed, 145 insertions(+), 29 deletions(-)
+ 5 files changed, 142 insertions(+), 28 deletions(-)

 diff --git a/block/mirror.c b/block/mirror.c
-index 251adc5ae0..8ead5f77a0 100644
+index 1bdce3b657..0c5c72df2e 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
@@ -51,7 +51,7 @@ typedef struct MirrorBlockJob {
@@ -48,7 +50,7 @@ index 251adc5ae0..8ead5f77a0 100644
     BlockMirrorBackingMode backing_mode;
     /* Whether the target image requires explicit zero-initialization */
     bool zero_target;
-@@ -65,6 +65,8 @@ typedef struct MirrorBlockJob {
+@@ -73,6 +73,8 @@ typedef struct MirrorBlockJob {
     size_t buf_size;
     int64_t bdev_length;
     unsigned long *cow_bitmap;
@@ -57,9 +59,9 @@ index 251adc5ae0..8ead5f77a0 100644
     BdrvDirtyBitmap *dirty_bitmap;
     BdrvDirtyBitmapIter *dbi;
     uint8_t *buf;
-@@ -699,7 +701,8 @@ static int mirror_exit_common(Job *job)
-     bdrv_child_refresh_perms(mirror_top_bs, mirror_top_bs->backing,
+@@ -722,7 +724,8 @@ static int mirror_exit_common(Job *job)
                              &error_abort);
+ 
     if (!abort && s->backing_mode == MIRROR_SOURCE_BACKING_CHAIN) {
 -        BlockDriverState *backing = s->is_none_mode ? src : s->base;
 +        BlockDriverState *backing;
@@ -67,7 +69,7 @@ index 251adc5ae0..8ead5f77a0 100644
         BlockDriverState *unfiltered_target = bdrv_skip_filters(target_bs);
 
         if (bdrv_cow_bs(unfiltered_target) != backing) {
-@@ -797,6 +800,16 @@ static void mirror_abort(Job *job)
+@@ -819,6 +822,16 @@ static void mirror_abort(Job *job)
     assert(ret == 0);
 }
 
@@ -84,7 +86,7 @@ index 251adc5ae0..8ead5f77a0 100644
 static void coroutine_fn mirror_throttle(MirrorBlockJob *s)
 {
     int64_t now = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
-@@ -977,7 +990,8 @@ static int coroutine_fn mirror_run(Job *job, Error **errp)
+@@ -1015,7 +1028,8 @@ static int coroutine_fn mirror_run(Job *job, Error **errp)
     mirror_free_init(s);
 
     s->last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
@@ -94,7 +96,7 @@ index 251adc5ae0..8ead5f77a0 100644
         ret = mirror_dirty_init(s);
         if (ret < 0 || job_is_cancelled(&s->common.job)) {
             goto immediate_exit;
-@@ -1224,6 +1238,7 @@ static const BlockJobDriver mirror_job_driver = {
+@@ -1304,6 +1318,7 @@ static const BlockJobDriver mirror_job_driver = {
         .run                    = mirror_run,
         .prepare                = mirror_prepare,
         .abort                  = mirror_abort,
@@ -102,7 +104,7 @@ index 251adc5ae0..8ead5f77a0 100644
         .pause                  = mirror_pause,
         .complete               = mirror_complete,
         .cancel                 = mirror_cancel,
-@@ -1240,6 +1255,7 @@ static const BlockJobDriver commit_active_job_driver = {
+@@ -1322,6 +1337,7 @@ static const BlockJobDriver commit_active_job_driver = {
         .run                    = mirror_run,
         .prepare                = mirror_prepare,
         .abort                  = mirror_abort,
@@ -110,7 +112,7 @@ index 251adc5ae0..8ead5f77a0 100644
         .pause                  = mirror_pause,
         .complete               = mirror_complete,
         .cancel                 = commit_active_cancel,
-@@ -1627,7 +1643,10 @@ static BlockJob *mirror_start_job(
+@@ -1714,7 +1730,10 @@ static BlockJob *mirror_start_job(
                              BlockCompletionFunc *cb,
                              void *opaque,
                              const BlockJobDriver *driver,
@@ -122,9 +124,9 @@ index 251adc5ae0..8ead5f77a0 100644
                              bool auto_complete, const char *filter_node_name,
                              bool is_mirror, MirrorCopyMode copy_mode,
                              Error **errp)
-@@ -1639,10 +1658,39 @@ static BlockJob *mirror_start_job(
-     uint64_t target_perms, target_shared_perms;
-     int ret;
+@@ -1728,10 +1747,39 @@ static BlockJob *mirror_start_job(
+ 
+     GLOBAL_STATE_CODE();
 
 -    if (granularity == 0) {
 -        granularity = bdrv_get_default_bitmap_granularity(target);
@@ -164,7 +166,7 @@ index 251adc5ae0..8ead5f77a0 100644
     assert(is_power_of_2(granularity));
 
     if (buf_size < 0) {
-@@ -1774,7 +1822,9 @@ static BlockJob *mirror_start_job(
+@@ -1871,7 +1919,9 @@ static BlockJob *mirror_start_job(
     s->replaces = g_strdup(replaces);
     s->on_source_error = on_source_error;
     s->on_target_error = on_target_error;
@@ -174,10 +176,10 @@ index 251adc5ae0..8ead5f77a0 100644
 +    s->bitmap_mode = bitmap_mode;
     s->backing_mode = backing_mode;
     s->zero_target = zero_target;
-     s->copy_mode = copy_mode;
-@@ -1795,6 +1845,18 @@ static BlockJob *mirror_start_job(
-         bdrv_disable_dirty_bitmap(s->dirty_bitmap);
-     }
+     qatomic_set(&s->copy_mode, copy_mode);
+@@ -1897,6 +1947,18 @@ static BlockJob *mirror_start_job(
+      */
+     bdrv_disable_dirty_bitmap(s->dirty_bitmap);
 
 +    if (s->sync_bitmap) {
 +        bdrv_dirty_bitmap_set_busy(s->sync_bitmap, true);
@@ -191,10 +193,10 @@ index 251adc5ae0..8ead5f77a0 100644
 +        }
 +    }
 +
+     bdrv_graph_wrlock();
     ret = block_job_add_bdrv(&s->common, "source", bs, 0,
                              BLK_PERM_WRITE_UNCHANGED | BLK_PERM_WRITE |
-                              BLK_PERM_CONSISTENT_READ,
-@@ -1872,6 +1934,9 @@ fail:
+@@ -1979,6 +2041,9 @@ fail:
         if (s->dirty_bitmap) {
             bdrv_release_dirty_bitmap(s->dirty_bitmap);
         }
@@ -204,7 +206,7 @@ index 251adc5ae0..8ead5f77a0 100644
         job_early_fail(&s->common.job);
     }
 
-@@ -1889,31 +1954,25 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
+@@ -2001,35 +2066,28 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
                   BlockDriverState *target, const char *replaces,
                   int creation_flags, int64_t speed,
                   uint32_t granularity, int64_t buf_size,
@@ -229,8 +231,12 @@ index 251adc5ae0..8ead5f77a0 100644
 -                   MirrorSyncMode_str(mode));
 -        return;
 -    }
+-
+     bdrv_graph_rdlock_main_loop();
 -    is_none_mode = mode == MIRROR_SYNC_MODE_NONE;
     base = mode == MIRROR_SYNC_MODE_TOP ? bdrv_backing_chain_next(bs) : NULL;
+     bdrv_graph_rdunlock_main_loop();
+ 
     mirror_start_job(job_id, bs, creation_flags, target, replaces,
                      speed, granularity, buf_size, backing_mode, zero_target,
                      on_source_error, on_target_error, unmap, NULL, NULL,
@@ -241,7 +247,7 @@ index 251adc5ae0..8ead5f77a0 100644
 }
 
 BlockJob *commit_active_start(const char *job_id, BlockDriverState *bs,
-@@ -1940,7 +1999,8 @@ BlockJob *commit_active_start(const char *job_id, BlockDriverState *bs,
+@@ -2056,7 +2114,8 @@ BlockJob *commit_active_start(const char *job_id, BlockDriverState *bs,
                      job_id, bs, creation_flags, base, NULL, speed, 0, 0,
                      MIRROR_LEAVE_BACKING_CHAIN, false,
                      on_error, on_error, true, cb, opaque,
@@ -252,33 +258,32 @@ index 251adc5ae0..8ead5f77a0 100644
                      errp);
     if (!job) {
 diff --git a/blockdev.c b/blockdev.c
-index 3f1dec6242..2ee30323cb 100644
+index 4c33c3f5f0..f3e508a6a7 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -2946,6 +2946,10 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2776,6 +2776,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
                                    BlockDriverState *target,
-                                    bool has_replaces, const char *replaces,
+                                    const char *replaces,
                                    enum MirrorSyncMode sync,
-+                                   bool has_bitmap,
 +                                   const char *bitmap_name,
 +                                   bool has_bitmap_mode,
 +                                   BitmapSyncMode bitmap_mode,
                                    BlockMirrorBackingMode backing_mode,
                                    bool zero_target,
                                    bool has_speed, int64_t speed,
-@@ -2965,6 +2969,7 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2794,6 +2797,7 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
 {
     BlockDriverState *unfiltered_bs;
     int job_flags = JOB_DEFAULT;
 +    BdrvDirtyBitmap *bitmap = NULL;
 
-     if (!has_speed) {
-         speed = 0;
-@@ -3019,6 +3024,29 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+     GLOBAL_STATE_CODE();
+     GRAPH_RDLOCK_GUARD_MAINLOOP();
+@@ -2848,6 +2852,29 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
         sync = MIRROR_SYNC_MODE_FULL;
     }
 
-+    if (has_bitmap) {
+    if (bitmap_name) {
 +        if (granularity) {
 +            error_setg(errp, "Granularity and bitmap cannot both be set");
 +            return;
@@ -301,53 +306,53 @@ index 3f1dec6242..2ee30323cb 100644
 +        }
 +    }
 +
-     if (!has_replaces) {
+     if (!replaces) {
         /* We want to mirror from @bs, but keep implicit filters on top */
         unfiltered_bs = bdrv_skip_implicit_filters(bs);
-@@ -3065,8 +3093,8 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2889,8 +2916,8 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
      * and will allow to check whether the node still exist at mirror completion
      */
     mirror_start(job_id, bs, target,
-                 has_replaces ? replaces : NULL, job_flags,
+-                 replaces, job_flags,
 -                 speed, granularity, buf_size, sync, backing_mode, zero_target,
-+                 has_replaces ? replaces : NULL, job_flags, speed, granularity,
-+                 buf_size, sync, bitmap, bitmap_mode, backing_mode, zero_target,
+                 replaces, job_flags, speed, granularity, buf_size, sync,
+                 bitmap, bitmap_mode, backing_mode, zero_target,
                  on_source_error, on_target_error, unmap, filter_node_name,
                  copy_mode, errp);
 }
-@@ -3211,6 +3239,8 @@ void qmp_drive_mirror(DriveMirror *arg, Error **errp)
+@@ -3034,6 +3061,8 @@ void qmp_drive_mirror(DriveMirror *arg, Error **errp)
 
-     blockdev_mirror_common(arg->has_job_id ? arg->job_id : NULL, bs, target_bs,
-                            arg->has_replaces, arg->replaces, arg->sync,
-+                           arg->has_bitmap, arg->bitmap,
+     blockdev_mirror_common(arg->job_id, bs, target_bs,
+                            arg->replaces, arg->sync,
+                           arg->bitmap,
 +                           arg->has_bitmap_mode, arg->bitmap_mode,
                            backing_mode, zero_target,
                            arg->has_speed, arg->speed,
                            arg->has_granularity, arg->granularity,
-@@ -3232,6 +3262,8 @@ void qmp_blockdev_mirror(bool has_job_id, const char *job_id,
+@@ -3053,6 +3082,8 @@ void qmp_blockdev_mirror(const char *job_id,
                          const char *device, const char *target,
-                          bool has_replaces, const char *replaces,
+                          const char *replaces,
                          MirrorSyncMode sync,
-+                         bool has_bitmap, const char *bitmap,
+                         const char *bitmap,
 +                         bool has_bitmap_mode, BitmapSyncMode bitmap_mode,
                          bool has_speed, int64_t speed,
                          bool has_granularity, uint32_t granularity,
                          bool has_buf_size, int64_t buf_size,
-@@ -3281,7 +3313,8 @@ void qmp_blockdev_mirror(bool has_job_id, const char *job_id,
+@@ -3093,7 +3124,8 @@ void qmp_blockdev_mirror(const char *job_id,
     }
 
-     blockdev_mirror_common(has_job_id ? job_id : NULL, bs, target_bs,
-                           has_replaces, replaces, sync, backing_mode,
-+                           has_replaces, replaces, sync, has_bitmap,
+     blockdev_mirror_common(job_id, bs, target_bs,
+-                           replaces, sync, backing_mode,
+                           replaces, sync,
 +                           bitmap, has_bitmap_mode, bitmap_mode, backing_mode,
                            zero_target, has_speed, speed,
                            has_granularity, granularity,
                            has_buf_size, buf_size,
 diff --git a/include/block/block_int-global-state.h b/include/block/block_int-global-state.h
-index b49f4eb35b..9d744db618 100644
+index eb2d92a226..f0c642b194 100644
 --- a/include/block/block_int-global-state.h
 +++ b/include/block/block_int-global-state.h
-@@ -149,7 +149,9 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
+@@ -158,7 +158,9 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
                   BlockDriverState *target, const char *replaces,
                   int creation_flags, int64_t speed,
                   uint32_t granularity, int64_t buf_size,
@@ -359,31 +364,26 @@ index b49f4eb35b..9d744db618 100644
                   BlockdevOnError on_source_error,
                   BlockdevOnError on_target_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 95ac4fa634..7daaf545be 100644
+index b179d65520..905da8be72 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -2000,10 +2000,19 @@
- #        (all the disk, only the sectors allocated in the topmost image, or
- #        only new I/O).
+@@ -2174,6 +2174,15 @@
+ #     destination (all the disk, only the sectors allocated in the
+ #     topmost image, or only new I/O).
 #
-+# @bitmap: The name of a bitmap to use for sync=bitmap mode. This argument must
-+#          be present for bitmap mode and absent otherwise. The bitmap's
-+#          granularity is used instead of @granularity (since 4.1).
+# @bitmap: The name of a bitmap to use for sync=bitmap mode. This
+#     argument must be present for bitmap mode and absent otherwise.
+#     The bitmap's granularity is used instead of @granularity (Since
+#     4.1).
 +#
-+# @bitmap-mode: Specifies the type of data the bitmap should contain after
-+#               the operation concludes. Must be present if sync is "bitmap".
-+#               Must NOT be present otherwise. (Since 4.1)
+# @bitmap-mode: Specifies the type of data the bitmap should contain
+#     after the operation concludes. Must be present if sync is
+#     "bitmap". Must NOT be present otherwise. (Since 4.1)
 +#
- # @granularity: granularity of the dirty bitmap, default is 64K
- #               if the image format doesn't have clusters, 4K if the clusters
- #               are smaller than that, else the cluster size.  Must be a
-#               power of 2 between 512 and 64M (since 1.4).
-+#               power of 2 between 512 and 64M. Must not be specified if
-+#               @bitmap is present (since 1.4).
- #
- # @buf-size: maximum amount of data in flight from source to
- #            target (since 1.4).
-@@ -2043,7 +2052,9 @@
+ # @granularity: granularity of the dirty bitmap, default is 64K if the
+ #     image format doesn't have clusters, 4K if the clusters are
+ #     smaller than that, else the cluster size.  Must be a power of 2
+@@ -2216,7 +2225,9 @@
 { 'struct': 'DriveMirror',
   'data': { '*job-id': 'str', 'device': 'str', 'target': 'str',
             '*format': 'str', '*node-name': 'str', '*replaces': 'str',
@@ -394,28 +394,23 @@ index 95ac4fa634..7daaf545be 100644
             '*speed': 'int', '*granularity': 'uint32',
             '*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
             '*on-target-error': 'BlockdevOnError',
-@@ -2322,10 +2333,19 @@
- #        (all the disk, only the sectors allocated in the topmost image, or
- #        only new I/O).
+@@ -2496,6 +2507,15 @@
+ #     destination (all the disk, only the sectors allocated in the
+ #     topmost image, or only new I/O).
 #
-+# @bitmap: The name of a bitmap to use for sync=bitmap mode. This argument must
-+#          be present for bitmap mode and absent otherwise. The bitmap's
-+#          granularity is used instead of @granularity (since 4.1).
+# @bitmap: The name of a bitmap to use for sync=bitmap mode. This
+#     argument must be present for bitmap mode and absent otherwise.
+#     The bitmap's granularity is used instead of @granularity (since
+#     4.1).
 +#
-+# @bitmap-mode: Specifies the type of data the bitmap should contain after
-+#               the operation concludes. Must be present if sync is "bitmap".
-+#               Must NOT be present otherwise. (Since 4.1)
+# @bitmap-mode: Specifies the type of data the bitmap should contain
+#     after the operation concludes. Must be present if sync is
+#     "bitmap". Must NOT be present otherwise. (Since 4.1)
 +#
- # @granularity: granularity of the dirty bitmap, default is 64K
- #               if the image format doesn't have clusters, 4K if the clusters
- #               are smaller than that, else the cluster size.  Must be a
-#               power of 2 between 512 and 64M
-+#               power of 2 between 512 and 64M . Must not be specified if
-+#               @bitmap is present.
- #
- # @buf-size: maximum amount of data in flight from source to
- #            target
-@@ -2375,7 +2395,8 @@
+ # @granularity: granularity of the dirty bitmap, default is 64K if the
+ #     image format doesn't have clusters, 4K if the clusters are
+ #     smaller than that, else the cluster size.  Must be a power of 2
+@@ -2544,7 +2564,8 @@
 { 'command': 'blockdev-mirror',
   'data': { '*job-id': 'str', 'device': 'str', 'target': 'str',
             '*replaces': 'str',
@@ -426,7 +421,7 @@ index 95ac4fa634..7daaf545be 100644
             '*buf-size': 'int', '*on-source-error': 'BlockdevOnError',
             '*on-target-error': 'BlockdevOnError',
 diff --git a/tests/unit/test-block-iothread.c b/tests/unit/test-block-iothread.c
-index 8ca5adec5e..dae80e5a5f 100644
+index 3766d5de6b..afa44cbd34 100644
 --- a/tests/unit/test-block-iothread.c
 +++ b/tests/unit/test-block-iothread.c
@@ -755,8 +755,8 @@ static void test_propagate_mirror(void)
@@ -439,4 +434,4 @@ index 8ca5adec5e..dae80e5a5f 100644
 +                 false, BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
                  false, "filter_node", MIRROR_COPY_MODE_BACKGROUND,
                  &error_abort);
-     WITH_JOB_LOCK_GUARD() {
+ 
--- a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
+++ b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
@@ -24,10 +24,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 18 insertions(+), 6 deletions(-)

 diff --git a/block/mirror.c b/block/mirror.c
-index 8ead5f77a0..35c1b8f25d 100644
+index 0c5c72df2e..37fee3fa25 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -676,8 +676,6 @@ static int mirror_exit_common(Job *job)
+@@ -693,8 +693,6 @@ static int mirror_exit_common(Job *job)
         bdrv_unfreeze_backing_chain(mirror_top_bs, target_bs);
     }
 
@@ -36,9 +36,9 @@ index 8ead5f77a0..35c1b8f25d 100644
     /* Make sure that the source BDS doesn't go away during bdrv_replace_node,
      * before we can call bdrv_drained_end */
     bdrv_ref(src);
-@@ -778,6 +776,18 @@ static int mirror_exit_common(Job *job)
-     block_job_remove_all_bdrv(bjob);
-     bdrv_replace_node(mirror_top_bs, mirror_top_bs->backing->bs, &error_abort);
+@@ -800,6 +798,18 @@ static int mirror_exit_common(Job *job)
+     bdrv_drained_end(target_bs);
+     bdrv_unref(target_bs);
 
 +    if (s->sync_bitmap) {
 +        if (s->bitmap_mode == BITMAP_SYNC_MODE_ALWAYS ||
@@ -55,7 +55,7 @@ index 8ead5f77a0..35c1b8f25d 100644
     bs_opaque->job = NULL;
 
     bdrv_drained_end(src);
-@@ -1668,10 +1678,6 @@ static BlockJob *mirror_start_job(
+@@ -1757,10 +1767,6 @@ static BlockJob *mirror_start_job(
                        " sync mode",
                        MirrorSyncMode_str(sync_mode));
             return NULL;
@@ -66,7 +66,7 @@ index 8ead5f77a0..35c1b8f25d 100644
         }
     } else if (bitmap) {
         error_setg(errp,
-@@ -1688,6 +1694,12 @@ static BlockJob *mirror_start_job(
+@@ -1777,6 +1783,12 @@ static BlockJob *mirror_start_job(
             return NULL;
         }
         granularity = bdrv_dirty_bitmap_granularity(bitmap);
--- a/debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
+++ b/debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
@@ -16,10 +16,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 3 insertions(+)

 diff --git a/blockdev.c b/blockdev.c
-index 2ee30323cb..dd1c2cdef7 100644
+index f3e508a6a7..37b8437f3e 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -3045,6 +3045,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2873,6 +2873,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
         if (bdrv_dirty_bitmap_check(bitmap, BDRV_BITMAP_ALLOW_RO, errp)) {
             return;
         }
@@ -28,4 +28,4 @@ index 2ee30323cb..dd1c2cdef7 100644
 +        return;
     }
 
-     if (!has_replaces) {
+     if (!replaces) {
--- a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
+++ b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch
@@ -16,10 +16,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 4 insertions(+), 7 deletions(-)

 diff --git a/block/mirror.c b/block/mirror.c
-index 35c1b8f25d..4969c6833c 100644
+index 37fee3fa25..6b3cce1007 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -782,8 +782,8 @@ static int mirror_exit_common(Job *job)
+@@ -804,8 +804,8 @@ static int mirror_exit_common(Job *job)
              job->ret == 0 && ret == 0)) {
             /* Success; synchronize copy back to sync. */
             bdrv_clear_dirty_bitmap(s->sync_bitmap, NULL);
@@ -30,7 +30,7 @@ index 35c1b8f25d..4969c6833c 100644
         }
     }
     bdrv_release_dirty_bitmap(s->dirty_bitmap);
-@@ -1862,11 +1862,8 @@ static BlockJob *mirror_start_job(
+@@ -1964,11 +1964,8 @@ static BlockJob *mirror_start_job(
     }
 
     if (s->sync_mode == MIRROR_SYNC_MODE_BITMAP) {
@@ -43,4 +43,4 @@ index 35c1b8f25d..4969c6833c 100644
 +                                         NULL, true);
     }
 
-     ret = block_job_add_bdrv(&s->common, "source", bs, 0,
+     bdrv_graph_wrlock();
--- a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
+++ b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch
@@ -12,6 +12,8 @@ uniform w.r.t. backup block jobs.

 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: rebase for 8.2.2]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 block/mirror.c             | 28 +++------------
 blockdev.c                 | 29 +++++++++++++++
@@ -19,12 +21,12 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 3 files changed, 70 insertions(+), 59 deletions(-)

 diff --git a/block/mirror.c b/block/mirror.c
-index 4969c6833c..cf85ae1074 100644
+index 6b3cce1007..2f1223852b 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
-@@ -1668,31 +1668,13 @@ static BlockJob *mirror_start_job(
-     uint64_t target_perms, target_shared_perms;
-     int ret;
+@@ -1757,31 +1757,13 @@ static BlockJob *mirror_start_job(
+ 
+     GLOBAL_STATE_CODE();
 
 -    if (sync_mode == MIRROR_SYNC_MODE_INCREMENTAL) {
 -        error_setg(errp, "Sync mode '%s' not supported",
@@ -60,17 +62,17 @@ index 4969c6833c..cf85ae1074 100644
 
         if (bitmap_mode != BITMAP_SYNC_MODE_NEVER) {
 diff --git a/blockdev.c b/blockdev.c
-index dd1c2cdef7..756e980889 100644
+index 37b8437f3e..ed8198f351 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -3024,7 +3024,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2852,7 +2852,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
         sync = MIRROR_SYNC_MODE_FULL;
     }
 
 +    if ((sync == MIRROR_SYNC_MODE_BITMAP) ||
 +        (sync == MIRROR_SYNC_MODE_INCREMENTAL)) {
 +        /* done before desugaring 'incremental' to print the right message */
-+        if (!has_bitmap) {
+        if (!bitmap_name) {
 +            error_setg(errp, "Must provide a valid bitmap name for "
 +                       "'%s' sync mode", MirrorSyncMode_str(sync));
 +            return;
@@ -91,7 +93,7 @@ index dd1c2cdef7..756e980889 100644
 +        bitmap_mode = BITMAP_SYNC_MODE_ON_SUCCESS;
 +    }
 +
-     if (has_bitmap) {
+     if (bitmap_name) {
 +        if (sync != MIRROR_SYNC_MODE_BITMAP) {
 +            error_setg(errp, "Sync mode '%s' not supported with bitmap.",
 +                       MirrorSyncMode_str(sync));
--- a/debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
+++ b/debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
@@ -48,7 +48,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 6 files changed, 59 insertions(+), 5 deletions(-)

 diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
-index 737e750670..38804b8595 100644
+index 965f5d5450..e04bd059b6 100644
 --- a/include/monitor/monitor.h
 +++ b/include/monitor/monitor.h
@@ -16,6 +16,7 @@ extern QemuOptsList qemu_mon_opts;
@@ -60,10 +60,10 @@ index 737e750670..38804b8595 100644
 void monitor_init_globals(void);
 void monitor_init_globals_core(void);
 diff --git a/monitor/monitor-internal.h b/monitor/monitor-internal.h
-index a2cdbbf646..b531bd50e7 100644
+index 252de85681..8db28f9272 100644
 --- a/monitor/monitor-internal.h
 +++ b/monitor/monitor-internal.h
-@@ -152,6 +152,13 @@ typedef struct {
+@@ -151,6 +151,13 @@ typedef struct {
     QemuMutex qmp_queue_lock;
     /* Input queue that holds all the parsed QMP requests */
     GQueue *qmp_requests;
@@ -78,10 +78,10 @@ index a2cdbbf646..b531bd50e7 100644
 
 /**
 diff --git a/monitor/monitor.c b/monitor/monitor.c
-index 86949024f6..c306cadcf4 100644
+index 01ede1babd..5681bca346 100644
 --- a/monitor/monitor.c
 +++ b/monitor/monitor.c
-@@ -135,6 +135,21 @@ bool monitor_cur_is_qmp(void)
+@@ -117,6 +117,21 @@ bool monitor_cur_is_qmp(void)
     return cur_mon && monitor_is_qmp(cur_mon);
 }
 
@@ -104,10 +104,10 @@ index 86949024f6..c306cadcf4 100644
  * Is @mon is using readline?
  * Note: not all HMP monitors use readline, e.g., gdbserver has a
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 092c527b6f..6b8cfcf6d8 100644
+index a239945e8d..589c9524f8 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
-@@ -141,6 +141,8 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
+@@ -165,6 +165,8 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
     QDict *rsp;
     QDict *error;
 
@@ -116,7 +116,7 @@ index 092c527b6f..6b8cfcf6d8 100644
     rsp = qmp_dispatch(mon->commands, req, qmp_oob_enabled(mon),
                        &mon->common);
 
-@@ -156,7 +158,17 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
+@@ -180,7 +182,17 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
         }
     }
 
@@ -135,7 +135,7 @@ index 092c527b6f..6b8cfcf6d8 100644
     qobject_unref(rsp);
 }
 
-@@ -444,6 +456,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
+@@ -461,6 +473,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
 
     switch (event) {
     case CHR_EVENT_OPENED:
@@ -144,7 +144,7 @@ index 092c527b6f..6b8cfcf6d8 100644
         monitor_qmp_caps_reset(mon);
         data = qmp_greeting(mon);
 diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index 0990873ec8..e605003771 100644
+index 176b549473..790bb7d1da 100644
 --- a/qapi/qmp-dispatch.c
 +++ b/qapi/qmp-dispatch.c
@@ -117,16 +117,28 @@ typedef struct QmpDispatchBH {
@@ -180,13 +180,13 @@ index 0990873ec8..e605003771 100644
     aio_co_wake(data->co);
 }
 
-@@ -231,6 +243,7 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
+@@ -253,6 +265,7 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
             .ret        = &ret,
             .errp       = &err,
             .co         = qemu_coroutine_self(),
 +            .conn_nr    = monitor_get_connection_nr(cur_mon),
         };
-         aio_bh_schedule_oneshot(qemu_get_aio_context(), do_qmp_dispatch_bh,
+         aio_bh_schedule_oneshot(iohandler_get_aio_context(), do_qmp_dispatch_bh,
                                 &data);
 diff --git a/stubs/monitor-core.c b/stubs/monitor-core.c
 index afa477aae6..d3ff124bf3 100644
--- a/debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
+++ b/debian/patches/extra/0002-init-daemonize-defuse-PID-file-resolve-error.patch
@@ -1,42 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Fri, 28 Oct 2022 10:09:46 +0200
-Subject: [PATCH] init: daemonize: defuse PID file resolve error
-
-When proxmox-file-restore invokes QEMU, the PID file is a (temporary)
-file that's already unlinked, so resolving the absolute path here
-failed.
-
-It should not be a critical error when the PID file unlink handler
-can't be registered, because the path can't be resolved for whatever
-reason. If the file is already gone from QEMU's perspective (i.e.
-errno is ENOENT), silently ignore the error. Otherwise, print a
-warning.
-
-Reported-by: Dominik Csapak <d.csapak@proxmox.com>
-Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- softmmu/vl.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 5115221efe..5f7f6ca981 100644
--- a/softmmu/vl.c
-+++ b/softmmu/vl.c
-@@ -2460,10 +2460,11 @@ static void qemu_maybe_daemonize(const char *pid_file)
- 
-         pid_file_realpath = g_malloc0(PATH_MAX);
-         if (!realpath(pid_file, pid_file_realpath)) {
-            error_report("cannot resolve PID file path: %s: %s",
-                         pid_file, strerror(errno));
-            unlink(pid_file);
-            exit(1);
-+            if (errno != ENOENT) {
-+                warn_report("not removing PID file on exit: cannot resolve PID "
-+                            "file path: %s: %s", pid_file, strerror(errno));
-+            }
-+            return;
-         }
- 
-         qemu_unlink_pidfile_notifier = (struct UnlinkPidfileNotifier) {
--- a/debian/patches/extra/0002-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
+++ b/debian/patches/extra/0002-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
@@ -22,10 +22,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 1 file changed, 2 insertions(+), 12 deletions(-)

 diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 9cbbb16121..d624866bb6 100644
+index 2d0c607177..97e51733af 100644
 --- a/hw/scsi/megasas.c
 +++ b/hw/scsi/megasas.c
-@@ -1780,7 +1780,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+@@ -1781,7 +1781,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
     uint8_t cdb[16];
     int len;
     struct SCSIDevice *sdev = NULL;
@@ -34,7 +34,7 @@ index 9cbbb16121..d624866bb6 100644
 
     lba_count = le32_to_cpu(cmd->frame->io.header.data_len);
     lba_start_lo = le32_to_cpu(cmd->frame->io.lba_lo);
-@@ -1789,7 +1789,6 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+@@ -1790,7 +1790,6 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
 
     target_id = cmd->frame->header.target_id;
     lun_id = cmd->frame->header.lun_id;
@@ -42,7 +42,7 @@ index 9cbbb16121..d624866bb6 100644
 
     if (target_id < MFI_MAX_LD && lun_id == 0) {
         sdev = scsi_device_find(&s->bus, 0, target_id, lun_id);
-@@ -1804,15 +1803,6 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+@@ -1805,15 +1804,6 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
         return MFI_STAT_DEVICE_NOT_FOUND;
     }
 
@@ -58,7 +58,7 @@ index 9cbbb16121..d624866bb6 100644
     cmd->iov_size = lba_count * sdev->blocksize;
     if (megasas_map_sgl(s, cmd, &cmd->frame->io.sgl)) {
         megasas_write_sense(cmd, SENSE_CODE(TARGET_FAILURE));
-@@ -1823,7 +1813,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+@@ -1824,7 +1814,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
 
     megasas_encode_lba(cdb, lba_start, lba_count, is_write);
     cmd->req = scsi_req_new(sdev, cmd->index,
--- a/debian/patches/extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch
+++ b/debian/patches/extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch
@@ -55,10 +55,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 1 file changed, 6 insertions(+), 6 deletions(-)

 diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 39afdc0006..b67c1885a8 100644
+index e8cb2dac92..3b21acf651 100644
 --- a/hw/ide/core.c
 +++ b/hw/ide/core.c
-@@ -443,7 +443,7 @@ static void ide_trim_bh_cb(void *opaque)
+@@ -456,7 +456,7 @@ static void ide_trim_bh_cb(void *opaque)
     iocb->bh = NULL;
     qemu_aio_unref(iocb);
 
@@ -67,7 +67,7 @@ index 39afdc0006..b67c1885a8 100644
     blk_dec_in_flight(blk);
 }
 
-@@ -503,6 +503,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
+@@ -516,6 +516,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
 done:
     iocb->aiocb = NULL;
     if (iocb->bh) {
@@ -76,8 +76,8 @@ index 39afdc0006..b67c1885a8 100644
         replay_bh_schedule_event(iocb->bh);
     }
 }
-@@ -514,9 +516,6 @@ BlockAIOCB *ide_issue_trim(
-     IDEState *s = opaque;
+@@ -528,9 +530,6 @@ BlockAIOCB *ide_issue_trim(
+     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
     TrimAIOCB *iocb;
 
 -    /* Paired with a decrement in ide_trim_bh_cb() */
@@ -85,8 +85,8 @@ index 39afdc0006..b67c1885a8 100644
 -
     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
     iocb->s = s;
-     iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb);
-@@ -739,8 +738,9 @@ void ide_cancel_dma_sync(IDEState *s)
+     iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
+@@ -754,8 +753,9 @@ void ide_cancel_dma_sync(IDEState *s)
      */
     if (s->bus->dma->aiocb) {
         trace_ide_cancel_dma_sync_remaining();
--- a/debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
+++ b/debian/patches/extra/0003-virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
@@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chenyi Qiang <chenyi.qiang@intel.com>
-Date: Fri, 16 Dec 2022 14:22:31 +0800
-Subject: [PATCH] virtio-mem: Fix the bitmap index of the section offset
-
-vmem->bitmap indexes the memory region of the virtio-mem backend at a
-granularity of block_size. To calculate the index of target section offset,
-the block_size should be divided instead of the bitmap_size.
-
-Fixes: 2044969f0b ("virtio-mem: Implement RamDiscardManager interface")
-Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
-Message-Id: <20221216062231.11181-1-chenyi.qiang@intel.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: David Hildenbrand <david@redhat.com>
-(cherry-picked from commit b11cf32e07a2f7ff0d171b89497381a04c9d07e0)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/virtio/virtio-mem.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
-index ed170def48..e19ee817fe 100644
--- a/hw/virtio/virtio-mem.c
-+++ b/hw/virtio/virtio-mem.c
-@@ -235,7 +235,7 @@ static int virtio_mem_for_each_plugged_section(const VirtIOMEM *vmem,
-     uint64_t offset, size;
-     int ret = 0;
- 
-    first_bit = s->offset_within_region / vmem->bitmap_size;
-+    first_bit = s->offset_within_region / vmem->block_size;
-     first_bit = find_next_bit(vmem->bitmap, vmem->bitmap_size, first_bit);
-     while (first_bit < vmem->bitmap_size) {
-         MemoryRegionSection tmp = *s;
-@@ -267,7 +267,7 @@ static int virtio_mem_for_each_unplugged_section(const VirtIOMEM *vmem,
-     uint64_t offset, size;
-     int ret = 0;
- 
-    first_bit = s->offset_within_region / vmem->bitmap_size;
-+    first_bit = s->offset_within_region / vmem->block_size;
-     first_bit = find_next_zero_bit(vmem->bitmap, vmem->bitmap_size, first_bit);
-     while (first_bit < vmem->bitmap_size) {
-         MemoryRegionSection tmp = *s;
--- a/debian/patches/extra/0004-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
+++ b/debian/patches/extra/0004-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Fri, 17 Nov 2023 11:18:06 +0100
+Subject: [PATCH] Revert "x86: acpi: workaround Windows not handling name
+ references in Package properly"
+
+This reverts commit 44d975ef340e2f21f236f9520c53e1b30d2213a4.
+
+As reported in the community forum [0] and reproduced locally this
+breaks VirtIO network adapters in (at least) the German ISO of Windows
+Server 2022. The fix itself was for
+
+> Issue is not fatal but as result acpi-index/"PCI Label ID" property
+> is either not shown in device details page or shows incorrect value.
+
+so revert and tolerate that as a stop-gap, rather than have the
+devices not working at all.
+
+[0]: https://forum.proxmox.com/threads/92094/post-605684
+
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/i386/acpi-build.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index 53f804ac16..9b1b9f0412 100644
+--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
+@@ -347,13 +347,9 @@ Aml *aml_pci_device_dsm(void)
+     {
+         Aml *params = aml_local(0);
+         Aml *pkg = aml_package(2);
+-        aml_append(pkg, aml_int(0));
+-        aml_append(pkg, aml_int(0));
+        aml_append(pkg, aml_name("BSEL"));
+        aml_append(pkg, aml_name("ASUN"));
+         aml_append(method, aml_store(pkg, params));
+-        aml_append(method,
+-            aml_store(aml_name("BSEL"), aml_index(params, aml_int(0))));
+-        aml_append(method,
+-            aml_store(aml_name("ASUN"), aml_index(params, aml_int(1))));
+         aml_append(method,
+             aml_return(aml_call5("PDSM", aml_arg(0), aml_arg(1),
+                                  aml_arg(2), aml_arg(3), params))
--- a/debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
+++ b/debian/patches/extra/0004-virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Chenyi Qiang <chenyi.qiang@intel.com>
-Date: Wed, 28 Dec 2022 17:03:12 +0800
-Subject: [PATCH] virtio-mem: Fix the iterator variable in a vmem->rdl_list
- loop
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It should be the variable rdl2 to revert the already-notified listeners.
-
-Fixes: 2044969f0b ("virtio-mem: Implement RamDiscardManager interface")
-Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
-Message-Id: <20221228090312.17276-1-chenyi.qiang@intel.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Signed-off-by: David Hildenbrand <david@redhat.com>
-(cherry-picked from commit 29f1b328e3b767cba2661920a8470738469b9e36)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/virtio/virtio-mem.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
-index e19ee817fe..56db586c89 100644
--- a/hw/virtio/virtio-mem.c
-+++ b/hw/virtio/virtio-mem.c
-@@ -341,7 +341,7 @@ static int virtio_mem_notify_plug(VirtIOMEM *vmem, uint64_t offset,
-     if (ret) {
-         /* Notify all already-notified listeners. */
-         QLIST_FOREACH(rdl2, &vmem->rdl_list, next) {
-            MemoryRegionSection tmp = *rdl->section;
-+            MemoryRegionSection tmp = *rdl2->section;
- 
-             if (rdl2 == rdl) {
-                 break;
--- a/debian/patches/extra/0005-block-copy-before-write-use-uint64_t-for-timeout-in-.patch
+++ b/debian/patches/extra/0005-block-copy-before-write-use-uint64_t-for-timeout-in-.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Mon, 29 Apr 2024 15:41:11 +0200
+Subject: [PATCH] block/copy-before-write: use uint64_t for timeout in
+ nanoseconds
+
+rather than the uint32_t for which the maximum is slightly more than 4
+seconds and larger values would overflow. The QAPI interface allows
+specifying the number of seconds, so only values 0 to 4 are safe right
+now, other values lead to a much lower timeout than a user expects.
+
+The block_copy() call where this is used already takes a uint64_t for
+the timeout, so no change required there.
+
+Fixes: 6db7fd1ca9 ("block/copy-before-write: implement cbw-timeout option")
+Reported-by: Friedrich Weber <f.weber@proxmox.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Tested-by: Friedrich Weber <f.weber@proxmox.com>
+---
+ block/copy-before-write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/copy-before-write.c b/block/copy-before-write.c
+index 8aba27a71d..026fa9840f 100644
+--- a/block/copy-before-write.c
+++ b/block/copy-before-write.c
+@@ -43,7 +43,7 @@ typedef struct BDRVCopyBeforeWriteState {
+     BlockCopyState *bcs;
+     BdrvChild *target;
+     OnCbwError on_cbw_error;
+-    uint32_t cbw_timeout_ns;
+    uint64_t cbw_timeout_ns;
+ 
+     /*
+      * @lock: protects access to @access_bitmap, @done_bitmap and
--- a/debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
+++ b/debian/patches/extra/0005-vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
@@ -1,141 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Fri, 16 Dec 2022 11:35:52 +0800
-Subject: [PATCH] vhost: fix vq dirty bitmap syncing when vIOMMU is enabled
-
-When vIOMMU is enabled, the vq->used_phys is actually the IOVA not
-GPA. So we need to translate it to GPA before the syncing otherwise we
-may hit the following crash since IOVA could be out of the scope of
-the GPA log size. This could be noted when using virtio-IOMMU with
-vhost using 1G memory.
-
-Fixes: c471ad0e9bd46 ("vhost_net: device IOTLB support")
-Cc: qemu-stable@nongnu.org
-Tested-by: Lei Yang <leiyang@redhat.com>
-Reported-by: Yalan Zhang <yalzhang@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20221216033552.77087-1-jasowang@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 345cc1cbcbce2bab00abc2b88338d7d89c702d6b)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/virtio/vhost.c | 84 ++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 64 insertions(+), 20 deletions(-)
-
-diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
-index 7fb008bc9e..fdcd1a8fdf 100644
--- a/hw/virtio/vhost.c
-+++ b/hw/virtio/vhost.c
-@@ -20,6 +20,7 @@
- #include "qemu/range.h"
- #include "qemu/error-report.h"
- #include "qemu/memfd.h"
-+#include "qemu/log.h"
- #include "standard-headers/linux/vhost_types.h"
- #include "hw/virtio/virtio-bus.h"
- #include "hw/virtio/virtio-access.h"
-@@ -106,6 +107,24 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
-     }
- }
- 
-+static bool vhost_dev_has_iommu(struct vhost_dev *dev)
-+{
-+    VirtIODevice *vdev = dev->vdev;
-+
-+    /*
-+     * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support
-+     * incremental memory mapping API via IOTLB API. For platform that
-+     * does not have IOMMU, there's no need to enable this feature
-+     * which may cause unnecessary IOTLB miss/update transactions.
-+     */
-+    if (vdev) {
-+        return virtio_bus_device_iommu_enabled(vdev) &&
-+            virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
-+    } else {
-+        return false;
-+    }
-+}
-+
- static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
-                                    MemoryRegionSection *section,
-                                    hwaddr first,
-@@ -137,8 +156,51 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
-             continue;
-         }
- 
-        vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys,
-                              range_get_last(vq->used_phys, vq->used_size));
-+        if (vhost_dev_has_iommu(dev)) {
-+            IOMMUTLBEntry iotlb;
-+            hwaddr used_phys = vq->used_phys, used_size = vq->used_size;
-+            hwaddr phys, s, offset;
-+
-+            while (used_size) {
-+                rcu_read_lock();
-+                iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
-+                                                      used_phys,
-+                                                      true,
-+                                                      MEMTXATTRS_UNSPECIFIED);
-+                rcu_read_unlock();
-+
-+                if (!iotlb.target_as) {
-+                    qemu_log_mask(LOG_GUEST_ERROR, "translation "
-+                                  "failure for used_iova %"PRIx64"\n",
-+                                  used_phys);
-+                    return -EINVAL;
-+                }
-+
-+                offset = used_phys & iotlb.addr_mask;
-+                phys = iotlb.translated_addr + offset;
-+
-+                /*
-+                 * Distance from start of used ring until last byte of
-+                 * IOMMU page.
-+                 */
-+                s = iotlb.addr_mask - offset;
-+                /*
-+                 * Size of used ring, or of the part of it until end
-+                 * of IOMMU page. To avoid zero result, do the adding
-+                 * outside of MIN().
-+                 */
-+                s = MIN(s, used_size - 1) + 1;
-+
-+                vhost_dev_sync_region(dev, section, start_addr, end_addr, phys,
-+                                      range_get_last(phys, s));
-+                used_size -= s;
-+                used_phys += s;
-+            }
-+        } else {
-+            vhost_dev_sync_region(dev, section, start_addr,
-+                                  end_addr, vq->used_phys,
-+                                  range_get_last(vq->used_phys, vq->used_size));
-+        }
-     }
-     return 0;
- }
-@@ -306,24 +368,6 @@ static inline void vhost_dev_log_resize(struct vhost_dev *dev, uint64_t size)
-     dev->log_size = size;
- }
- 
-static bool vhost_dev_has_iommu(struct vhost_dev *dev)
-{
-    VirtIODevice *vdev = dev->vdev;
-
-    /*
-     * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support
-     * incremental memory mapping API via IOTLB API. For platform that
-     * does not have IOMMU, there's no need to enable this feature
-     * which may cause unnecessary IOTLB miss/update transactions.
-     */
-    if (vdev) {
-        return virtio_bus_device_iommu_enabled(vdev) &&
-            virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
-    } else {
-        return false;
-    }
-}
-
- static void *vhost_memory_map(struct vhost_dev *dev, hwaddr addr,
-                               hwaddr *plen, bool is_write)
- {
--- a/debian/patches/extra/0006-block-copy-before-write-fix-permission.patch
+++ b/debian/patches/extra/0006-block-copy-before-write-fix-permission.patch
@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Date: Thu, 11 Apr 2024 11:29:22 +0200
+Subject: [PATCH] block/copy-before-write: fix permission
+
+In case when source node does not have any parents, the condition still
+works as required: backup job do create the parent by
+
+  block_job_create -> block_job_add_bdrv -> bdrv_root_attach_child
+
+Still, in this case checking @perm variable doesn't work, as backup job
+creates the root blk with empty permissions (as it rely on CBW filter
+to require correct permissions and don't want to create extra
+conflicts).
+
+So, we should not check @perm.
+
+The hack may be dropped entirely when transactional insertion of
+filter (when we don't try to recalculate permissions in intermediate
+state, when filter does conflict with original parent of the source
+node) merged (old big series
+"[PATCH v5 00/45] Transactional block-graph modifying API"[1] and it's
+current in-flight part is "[PATCH v8 0/7] blockdev-replace"[2])
+
+[1] https://patchew.org/QEMU/20220330212902.590099-1-vsementsov@openvz.org/
+[2] https://patchew.org/QEMU/20231017184444.932733-1-vsementsov@yandex-team.ru/
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ block/copy-before-write.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/block/copy-before-write.c b/block/copy-before-write.c
+index 026fa9840f..5a9456d426 100644
+--- a/block/copy-before-write.c
+++ b/block/copy-before-write.c
+@@ -364,9 +364,13 @@ cbw_child_perm(BlockDriverState *bs, BdrvChild *c, BdrvChildRole role,
+                            perm, shared, nperm, nshared);
+ 
+         if (!QLIST_EMPTY(&bs->parents)) {
+-            if (perm & BLK_PERM_WRITE) {
+-                *nperm = *nperm | BLK_PERM_CONSISTENT_READ;
+-            }
+            /*
+             * Note, that source child may be shared with backup job. Backup job
+             * does create own blk parent on copy-before-write node, so this
+             * works even if source node does not have any parents before backup
+             * start
+             */
+            *nperm = *nperm | BLK_PERM_CONSISTENT_READ;
+             *nshared &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
+         }
+     }
--- a/debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
+++ b/debian/patches/extra/0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch
@@ -1,42 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Mon, 9 Jan 2023 10:58:09 +0000
-Subject: [PATCH] virtio-rng-pci: fix migration compat for vectors
-
-Fixup the migration compatibility for existing machine types
-so that they do not enable msi-x.
-
-Symptom:
-
-(qemu) qemu: get_pci_config_device: Bad config data: i=0x34 read: 84 device: 98 cmask: ff wmask: 0 w1cmask:0
-qemu: Failed to load PCIDevice:config
-qemu: Failed to load virtio-rng:virtio
-qemu: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-rng'
-qemu: load of migration failed: Invalid argument
-
-Note: This fix will break migration from 7.2->7.2-fixed with this patch
-
-bz: https://bugzilla.redhat.com/show_bug.cgi?id=2155749
-Fixes: 9ea02e8f1 ("virtio-rng-pci: Allow setting nvectors, so we can use MSI-X")
-
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Acked-by: David Daney <david.daney@fungible.com>
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-(picked-up from https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg01319.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/core/machine.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 8d34caa31d..77a0a131d1 100644
--- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -42,6 +42,7 @@
- 
- GlobalProperty hw_compat_7_1[] = {
-     { "virtio-device", "queue_reset", "false" },
-+    { "virtio-rng-pci", "vectors", "0" },
- };
- const size_t hw_compat_7_1_len = G_N_ELEMENTS(hw_compat_7_1);
- 
--- a/debian/patches/extra/0007-block-copy-before-write-support-unligned-snapshot-di.patch
+++ b/debian/patches/extra/0007-block-copy-before-write-support-unligned-snapshot-di.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Date: Thu, 11 Apr 2024 11:29:23 +0200
+Subject: [PATCH] block/copy-before-write: support unligned snapshot-discard
+
+First thing that crashes on unligned access here is
+bdrv_reset_dirty_bitmap(). Correct way is to align-down the
+snapshot-discard request.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ block/copy-before-write.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/block/copy-before-write.c b/block/copy-before-write.c
+index 5a9456d426..c0e70669a2 100644
+--- a/block/copy-before-write.c
+++ b/block/copy-before-write.c
+@@ -325,14 +325,24 @@ static int coroutine_fn GRAPH_RDLOCK
+ cbw_co_pdiscard_snapshot(BlockDriverState *bs, int64_t offset, int64_t bytes)
+ {
+     BDRVCopyBeforeWriteState *s = bs->opaque;
+    uint32_t cluster_size = block_copy_cluster_size(s->bcs);
+    int64_t aligned_offset = QEMU_ALIGN_UP(offset, cluster_size);
+    int64_t aligned_end = QEMU_ALIGN_DOWN(offset + bytes, cluster_size);
+    int64_t aligned_bytes;
+
+    if (aligned_end <= aligned_offset) {
+        return 0;
+    }
+    aligned_bytes = aligned_end - aligned_offset;
+ 
+     WITH_QEMU_LOCK_GUARD(&s->lock) {
+-        bdrv_reset_dirty_bitmap(s->access_bitmap, offset, bytes);
+        bdrv_reset_dirty_bitmap(s->access_bitmap, aligned_offset,
+                                aligned_bytes);
+     }
+ 
+-    block_copy_reset(s->bcs, offset, bytes);
+    block_copy_reset(s->bcs, aligned_offset, aligned_bytes);
+ 
+-    return bdrv_co_pdiscard(s->target, offset, bytes);
+    return bdrv_co_pdiscard(s->target, aligned_offset, aligned_bytes);
+ }
+ 
+ static void GRAPH_RDLOCK cbw_refresh_filename(BlockDriverState *bs)
--- a/debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
+++ b/debian/patches/extra/0007-block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Thu, 26 Jan 2023 15:13:58 -0500
-Subject: [PATCH] block: fix detect-zeroes= with BDRV_REQ_REGISTERED_BUF
-
-When a write request is converted into a write zeroes request by the
-detect-zeroes= feature, it is no longer associated with an I/O buffer.
-The BDRV_REQ_REGISTERED_BUF flag doesn't make sense without an I/O
-buffer and must be cleared because bdrv_co_do_pwrite_zeroes() fails with
-EINVAL when it's set.
-
-Fiona Ebner <f.ebner@proxmox.com> bisected and diagnosed this QEMU 7.2
-regression where writes containing zeroes to a blockdev with
-discard=unmap,detect-zeroes=unmap fail.
-
-Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1404
-Fixes: e8b6535533be ("block: add BDRV_REQ_REGISTERED_BUF request flag")
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
- block/io.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/block/io.c b/block/io.c
-index b9424024f9..bbaa0d1b2d 100644
--- a/block/io.c
-+++ b/block/io.c
-@@ -2087,6 +2087,9 @@ static int coroutine_fn bdrv_aligned_pwritev(BdrvChild *child,
-         if (bs->detect_zeroes == BLOCKDEV_DETECT_ZEROES_OPTIONS_UNMAP) {
-             flags |= BDRV_REQ_MAY_UNMAP;
-         }
-+
-+        /* Can't use optimization hint with bufferless zero write */
-+        flags &= ~BDRV_REQ_REGISTERED_BUF;
-     }
- 
-     if (ret < 0) {
--- a/debian/patches/extra/0008-block-copy-before-write-create-block_copy-bitmap-in-.patch
+++ b/debian/patches/extra/0008-block-copy-before-write-create-block_copy-bitmap-in-.patch
@@ -0,0 +1,373 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Date: Thu, 11 Apr 2024 11:29:24 +0200
+Subject: [PATCH] block/copy-before-write: create block_copy bitmap in filter
+ node
+
+Currently block_copy creates copy_bitmap in source node. But that is in
+bad relation with .independent_close=true of copy-before-write filter:
+source node may be detached and removed before .bdrv_close() handler
+called, which should call block_copy_state_free(), which in turn should
+remove copy_bitmap.
+
+That's all not ideal: it would be better if internal bitmap of
+block-copy object is not attached to any node. But that is not possible
+now.
+
+The simplest solution is just create copy_bitmap in filter node, where
+anyway two other bitmaps are created.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ block/block-copy.c         |   3 +-
+ block/copy-before-write.c  |   2 +-
+ include/block/block-copy.h |   1 +
+ tests/qemu-iotests/257.out | 112 ++++++++++++++++++-------------------
+ 4 files changed, 60 insertions(+), 58 deletions(-)
+
+diff --git a/block/block-copy.c b/block/block-copy.c
+index 9ee3dd7ef5..8fca2c3698 100644
+--- a/block/block-copy.c
+++ b/block/block-copy.c
+@@ -351,6 +351,7 @@ static int64_t block_copy_calculate_cluster_size(BlockDriverState *target,
+ }
+ 
+ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+                                     BlockDriverState *copy_bitmap_bs,
+                                      const BdrvDirtyBitmap *bitmap,
+                                      Error **errp)
+ {
+@@ -367,7 +368,7 @@ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+         return NULL;
+     }
+ 
+-    copy_bitmap = bdrv_create_dirty_bitmap(source->bs, cluster_size, NULL,
+    copy_bitmap = bdrv_create_dirty_bitmap(copy_bitmap_bs, cluster_size, NULL,
+                                            errp);
+     if (!copy_bitmap) {
+         return NULL;
+diff --git a/block/copy-before-write.c b/block/copy-before-write.c
+index c0e70669a2..94db31512d 100644
+--- a/block/copy-before-write.c
+++ b/block/copy-before-write.c
+@@ -468,7 +468,7 @@ static int cbw_open(BlockDriverState *bs, QDict *options, int flags,
+             ((BDRV_REQ_FUA | BDRV_REQ_MAY_UNMAP | BDRV_REQ_NO_FALLBACK) &
+              bs->file->bs->supported_zero_flags);
+ 
+-    s->bcs = block_copy_state_new(bs->file, s->target, bitmap, errp);
+    s->bcs = block_copy_state_new(bs->file, s->target, bs, bitmap, errp);
+     if (!s->bcs) {
+         error_prepend(errp, "Cannot create block-copy-state: ");
+         return -EINVAL;
+diff --git a/include/block/block-copy.h b/include/block/block-copy.h
+index 0700953ab8..8b41643bfa 100644
+--- a/include/block/block-copy.h
+++ b/include/block/block-copy.h
+@@ -25,6 +25,7 @@ typedef struct BlockCopyState BlockCopyState;
+ typedef struct BlockCopyCallState BlockCopyCallState;
+ 
+ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+                                     BlockDriverState *copy_bitmap_bs,
+                                      const BdrvDirtyBitmap *bitmap,
+                                      Error **errp);
+ 
+diff --git a/tests/qemu-iotests/257.out b/tests/qemu-iotests/257.out
+index aa76131ca9..c33dd7f3a9 100644
+--- a/tests/qemu-iotests/257.out
+++ b/tests/qemu-iotests/257.out
+@@ -120,16 +120,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -596,16 +596,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -865,16 +865,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -1341,16 +1341,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -1610,16 +1610,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -2086,16 +2086,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -2355,16 +2355,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -2831,16 +2831,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -3100,16 +3100,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -3576,16 +3576,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -3845,16 +3845,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -4321,16 +4321,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -4590,16 +4590,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
+@@ -5066,16 +5066,16 @@ write -P0x67 0x3fe0000 0x20000
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      }
+-    ],
+-    "drive0": [
+      },
+       {
+         "busy": false,
+         "count": 0,
+         "granularity": 65536,
+         "persistent": false,
+         "recording": false
+-      },
+      }
+    ],
+    "drive0": [
+       {
+         "busy": false,
+         "count": 458752,
--- a/debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch
+++ b/debian/patches/extra/0008-memory-prevent-dma-reentracy-issues.patch
@@ -1,118 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Sat, 4 Feb 2023 23:07:34 -0500
-Subject: [PATCH] memory: prevent dma-reentracy issues
-
-Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
-This flag is set/checked prior to calling a device's MemoryRegion
-handlers, and set when device code initiates DMA.  The purpose of this
-flag is to prevent two types of DMA-based reentrancy issues:
-
-1.) mmio -> dma -> mmio case
-2.) bh -> dma write -> mmio case
-
-These issues have led to problems such as stack-exhaustion and
-use-after-frees.
-
-Summary of the problem from Peter Maydell:
-https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
-
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Acked-by: Peter Xu <peterx@redhat.com>
-(picked-up from https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg01142.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- include/hw/qdev-core.h |  7 +++++++
- softmmu/memory.c       | 17 +++++++++++++++++
- softmmu/trace-events   |  1 +
- 3 files changed, 25 insertions(+)
-
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index 785dd5a56e..886f6bb79e 100644
--- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -162,6 +162,10 @@ struct NamedClockList {
-     QLIST_ENTRY(NamedClockList) node;
- };
- 
-+typedef struct {
-+    bool engaged_in_io;
-+} MemReentrancyGuard;
-+
- /**
-  * DeviceState:
-  * @realized: Indicates whether the device has been fully constructed.
-@@ -194,6 +198,9 @@ struct DeviceState {
-     int alias_required_for_version;
-     ResettableState reset;
-     GSList *unplug_blockers;
-+
-+    /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
-+    MemReentrancyGuard mem_reentrancy_guard;
- };
- 
- struct DeviceListener {
-diff --git a/softmmu/memory.c b/softmmu/memory.c
-index bc0be3f62c..7dcb3347aa 100644
--- a/softmmu/memory.c
-+++ b/softmmu/memory.c
-@@ -533,6 +533,7 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-     uint64_t access_mask;
-     unsigned access_size;
-     unsigned i;
-+    DeviceState *dev = NULL;
-     MemTxResult r = MEMTX_OK;
- 
-     if (!access_size_min) {
-@@ -542,6 +543,19 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-         access_size_max = 4;
-     }
- 
-+    /* Do not allow more than one simultanous access to a device's IO Regions */
-+    if (mr->owner &&
-+        !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
-+        dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
-+        if (dev) {
-+            if (dev->mem_reentrancy_guard.engaged_in_io) {
-+                trace_memory_region_reentrant_io(get_cpu_index(), mr, addr, size);
-+                return MEMTX_ERROR;
-+            }
-+            dev->mem_reentrancy_guard.engaged_in_io = true;
-+        }
-+    }
-+
-     /* FIXME: support unaligned access? */
-     access_size = MAX(MIN(size, access_size_max), access_size_min);
-     access_mask = MAKE_64BIT_MASK(0, access_size * 8);
-@@ -556,6 +570,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-                         access_mask, attrs);
-         }
-     }
-+    if (dev) {
-+        dev->mem_reentrancy_guard.engaged_in_io = false;
-+    }
-     return r;
- }
- 
-diff --git a/softmmu/trace-events b/softmmu/trace-events
-index 22606dc27b..62d04ea9a7 100644
--- a/softmmu/trace-events
-+++ b/softmmu/trace-events
-@@ -13,6 +13,7 @@ memory_region_ops_read(int cpu_index, void *mr, uint64_t addr, uint64_t value, u
- memory_region_ops_write(int cpu_index, void *mr, uint64_t addr, uint64_t value, unsigned size, const char *name) "cpu %d mr %p addr 0x%"PRIx64" value 0x%"PRIx64" size %u name '%s'"
- memory_region_subpage_read(int cpu_index, void *mr, uint64_t offset, uint64_t value, unsigned size) "cpu %d mr %p offset 0x%"PRIx64" value 0x%"PRIx64" size %u"
- memory_region_subpage_write(int cpu_index, void *mr, uint64_t offset, uint64_t value, unsigned size) "cpu %d mr %p offset 0x%"PRIx64" value 0x%"PRIx64" size %u"
-+memory_region_reentrant_io(int cpu_index, void *mr, uint64_t offset, unsigned size) "cpu %d mr %p offset 0x%"PRIx64" size %u"
- memory_region_ram_device_read(int cpu_index, void *mr, uint64_t addr, uint64_t value, unsigned size) "cpu %d mr %p addr 0x%"PRIx64" value 0x%"PRIx64" size %u"
- memory_region_ram_device_write(int cpu_index, void *mr, uint64_t addr, uint64_t value, unsigned size) "cpu %d mr %p addr 0x%"PRIx64" value 0x%"PRIx64" size %u"
- memory_region_sync_dirty(const char *mr, const char *listener, int global) "mr '%s' listener '%s' synced (global=%d)"
--- a/debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
+++ b/debian/patches/extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
@@ -1,32 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 10 Jan 2023 17:36:33 +0100
-Subject: [PATCH] block/iscsi: fix double-free on BUSY or similar statuses
-
-Commit 8c460269aa77 ("iscsi: base all handling of check condition on
-scsi_sense_to_errno", 2019-07-15) removed a "goto out" so that the
-same coroutine is re-entered twice; once from iscsi_co_generic_cb,
-once from the timer callback iscsi_retry_timer_expired.  This can
-cause a crash.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1378
-Reported-by: Grzegorz Zdanowski <https://gitlab.com/kiler129>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 5080152e2ef6cde7aa692e29880c62bd54acb750)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- block/iscsi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 3ed4a50c0d..89cd032c3a 100644
--- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -268,6 +268,7 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
-                 timer_mod(&iTask->retry_timer,
-                           qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + retry_time);
-                 iTask->do_retry = 1;
-+                return;
-             } else if (status == SCSI_STATUS_CHECK_CONDITION) {
-                 int error = iscsi_translate_sense(&task->sense);
-                 if (error == EAGAIN) {
--- a/debian/patches/extra/0009-qapi-blockdev-backup-add-discard-source-parameter.patch
+++ b/debian/patches/extra/0009-qapi-blockdev-backup-add-discard-source-parameter.patch
@@ -0,0 +1,277 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Date: Thu, 11 Apr 2024 11:29:25 +0200
+Subject: [PATCH] qapi: blockdev-backup: add discard-source parameter
+
+Add a parameter that enables discard-after-copy. That is mostly useful
+in "push backup with fleecing" scheme, when source is snapshot-access
+format driver node, based on copy-before-write filter snapshot-access
+API:
+
+[guest]      [snapshot-access] ~~ blockdev-backup ~~> [backup target]
+   |            |
+   | root       | file
+   v            v
+[copy-before-write]
+   |             |
+   | file        | target
+   v             v
+[active disk]   [temp.img]
+
+In this case discard-after-copy does two things:
+
+ - discard data in temp.img to save disk space
+ - avoid further copy-before-write operation in discarded area
+
+Note that we have to declare WRITE permission on source in
+copy-before-write filter, for discard to work. Still we can't take it
+unconditionally, as it will break normal backup from RO source. So, we
+have to add a parameter and pass it thorough bdrv_open flags.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ block/backup.c                         |  5 +++--
+ block/block-copy.c                     |  9 +++++++++
+ block/copy-before-write.c              | 15 +++++++++++++--
+ block/copy-before-write.h              |  1 +
+ block/replication.c                    |  4 ++--
+ blockdev.c                             |  2 +-
+ include/block/block-common.h           |  2 ++
+ include/block/block-copy.h             |  1 +
+ include/block/block_int-global-state.h |  2 +-
+ qapi/block-core.json                   |  4 ++++
+ 10 files changed, 37 insertions(+), 8 deletions(-)
+
+diff --git a/block/backup.c b/block/backup.c
+index ec29d6b810..3dd2e229d2 100644
+--- a/block/backup.c
+++ b/block/backup.c
+@@ -356,7 +356,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+                   BlockDriverState *target, int64_t speed,
+                   MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
+                   BitmapSyncMode bitmap_mode,
+-                  bool compress,
+                  bool compress, bool discard_source,
+                   const char *filter_node_name,
+                   BackupPerf *perf,
+                   BlockdevOnError on_source_error,
+@@ -457,7 +457,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+         goto error;
+     }
+ 
+-    cbw = bdrv_cbw_append(bs, target, filter_node_name, &bcs, errp);
+    cbw = bdrv_cbw_append(bs, target, filter_node_name, discard_source,
+                          &bcs, errp);
+     if (!cbw) {
+         goto error;
+     }
+diff --git a/block/block-copy.c b/block/block-copy.c
+index 8fca2c3698..7e3b378528 100644
+--- a/block/block-copy.c
+++ b/block/block-copy.c
+@@ -137,6 +137,7 @@ typedef struct BlockCopyState {
+     CoMutex lock;
+     int64_t in_flight_bytes;
+     BlockCopyMethod method;
+    bool discard_source;
+     BlockReqList reqs;
+     QLIST_HEAD(, BlockCopyCallState) calls;
+     /*
+@@ -353,6 +354,7 @@ static int64_t block_copy_calculate_cluster_size(BlockDriverState *target,
+ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+                                      BlockDriverState *copy_bitmap_bs,
+                                      const BdrvDirtyBitmap *bitmap,
+                                     bool discard_source,
+                                      Error **errp)
+ {
+     ERRP_GUARD();
+@@ -418,6 +420,7 @@ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+                                     cluster_size),
+     };
+ 
+    s->discard_source = discard_source;
+     block_copy_set_copy_opts(s, false, false);
+ 
+     ratelimit_init(&s->rate_limit);
+@@ -589,6 +592,12 @@ static coroutine_fn int block_copy_task_entry(AioTask *task)
+     co_put_to_shres(s->mem, t->req.bytes);
+     block_copy_task_end(t, ret);
+ 
+    if (s->discard_source && ret == 0) {
+        int64_t nbytes =
+            MIN(t->req.offset + t->req.bytes, s->len) - t->req.offset;
+        bdrv_co_pdiscard(s->source, t->req.offset, nbytes);
+    }
+
+     return ret;
+ }
+ 
+diff --git a/block/copy-before-write.c b/block/copy-before-write.c
+index 94db31512d..853e01a1eb 100644
+--- a/block/copy-before-write.c
+++ b/block/copy-before-write.c
+@@ -44,6 +44,7 @@ typedef struct BDRVCopyBeforeWriteState {
+     BdrvChild *target;
+     OnCbwError on_cbw_error;
+     uint64_t cbw_timeout_ns;
+    bool discard_source;
+ 
+     /*
+      * @lock: protects access to @access_bitmap, @done_bitmap and
+@@ -357,6 +358,8 @@ cbw_child_perm(BlockDriverState *bs, BdrvChild *c, BdrvChildRole role,
+                uint64_t perm, uint64_t shared,
+                uint64_t *nperm, uint64_t *nshared)
+ {
+    BDRVCopyBeforeWriteState *s = bs->opaque;
+
+     if (!(role & BDRV_CHILD_FILTERED)) {
+         /*
+          * Target child
+@@ -381,6 +384,10 @@ cbw_child_perm(BlockDriverState *bs, BdrvChild *c, BdrvChildRole role,
+              * start
+              */
+             *nperm = *nperm | BLK_PERM_CONSISTENT_READ;
+            if (s->discard_source) {
+                *nperm = *nperm | BLK_PERM_WRITE;
+            }
+
+             *nshared &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
+         }
+     }
+@@ -468,7 +475,9 @@ static int cbw_open(BlockDriverState *bs, QDict *options, int flags,
+             ((BDRV_REQ_FUA | BDRV_REQ_MAY_UNMAP | BDRV_REQ_NO_FALLBACK) &
+              bs->file->bs->supported_zero_flags);
+ 
+-    s->bcs = block_copy_state_new(bs->file, s->target, bs, bitmap, errp);
+    s->discard_source = flags & BDRV_O_CBW_DISCARD_SOURCE;
+    s->bcs = block_copy_state_new(bs->file, s->target, bs, bitmap,
+                                  flags & BDRV_O_CBW_DISCARD_SOURCE, errp);
+     if (!s->bcs) {
+         error_prepend(errp, "Cannot create block-copy-state: ");
+         return -EINVAL;
+@@ -535,12 +544,14 @@ static BlockDriver bdrv_cbw_filter = {
+ BlockDriverState *bdrv_cbw_append(BlockDriverState *source,
+                                   BlockDriverState *target,
+                                   const char *filter_node_name,
+                                  bool discard_source,
+                                   BlockCopyState **bcs,
+                                   Error **errp)
+ {
+     BDRVCopyBeforeWriteState *state;
+     BlockDriverState *top;
+     QDict *opts;
+    int flags = BDRV_O_RDWR | (discard_source ? BDRV_O_CBW_DISCARD_SOURCE : 0);
+ 
+     assert(source->total_sectors == target->total_sectors);
+     GLOBAL_STATE_CODE();
+@@ -553,7 +564,7 @@ BlockDriverState *bdrv_cbw_append(BlockDriverState *source,
+     qdict_put_str(opts, "file", bdrv_get_node_name(source));
+     qdict_put_str(opts, "target", bdrv_get_node_name(target));
+ 
+-    top = bdrv_insert_node(source, opts, BDRV_O_RDWR, errp);
+    top = bdrv_insert_node(source, opts, flags, errp);
+     if (!top) {
+         return NULL;
+     }
+diff --git a/block/copy-before-write.h b/block/copy-before-write.h
+index 6e72bb25e9..01af0cd3c4 100644
+--- a/block/copy-before-write.h
+++ b/block/copy-before-write.h
+@@ -39,6 +39,7 @@
+ BlockDriverState *bdrv_cbw_append(BlockDriverState *source,
+                                   BlockDriverState *target,
+                                   const char *filter_node_name,
+                                  bool discard_source,
+                                   BlockCopyState **bcs,
+                                   Error **errp);
+ void bdrv_cbw_drop(BlockDriverState *bs);
+diff --git a/block/replication.c b/block/replication.c
+index ca6bd0a720..0415a5e8b7 100644
+--- a/block/replication.c
+++ b/block/replication.c
+@@ -582,8 +582,8 @@ static void replication_start(ReplicationState *rs, ReplicationMode mode,
+ 
+         s->backup_job = backup_job_create(
+                                 NULL, s->secondary_disk->bs, s->hidden_disk->bs,
+-                                0, MIRROR_SYNC_MODE_NONE, NULL, 0, false, NULL,
+-                                &perf,
+                                0, MIRROR_SYNC_MODE_NONE, NULL, 0, false, false,
+                                NULL, &perf,
+                                 BLOCKDEV_ON_ERROR_REPORT,
+                                 BLOCKDEV_ON_ERROR_REPORT, JOB_INTERNAL,
+                                 backup_job_completed, bs, NULL, &local_err);
+diff --git a/blockdev.c b/blockdev.c
+index 057601dcf0..4c33c3f5f0 100644
+--- a/blockdev.c
+++ b/blockdev.c
+@@ -2726,7 +2726,7 @@ static BlockJob *do_backup_common(BackupCommon *backup,
+ 
+     job = backup_job_create(backup->job_id, bs, target_bs, backup->speed,
+                             backup->sync, bmap, backup->bitmap_mode,
+-                            backup->compress,
+                            backup->compress, backup->discard_source,
+                             backup->filter_node_name,
+                             &perf,
+                             backup->on_source_error,
+diff --git a/include/block/block-common.h b/include/block/block-common.h
+index a846023a09..338fe5ff7a 100644
+--- a/include/block/block-common.h
+++ b/include/block/block-common.h
+@@ -243,6 +243,8 @@ typedef enum {
+                                       read-write fails */
+ #define BDRV_O_IO_URING    0x40000 /* use io_uring instead of the thread pool */
+ 
+#define BDRV_O_CBW_DISCARD_SOURCE 0x80000 /* for copy-before-write filter */
+
+ #define BDRV_O_CACHE_MASK  (BDRV_O_NOCACHE | BDRV_O_NO_FLUSH)
+ 
+ 
+diff --git a/include/block/block-copy.h b/include/block/block-copy.h
+index 8b41643bfa..bdc703bacd 100644
+--- a/include/block/block-copy.h
+++ b/include/block/block-copy.h
+@@ -27,6 +27,7 @@ typedef struct BlockCopyCallState BlockCopyCallState;
+ BlockCopyState *block_copy_state_new(BdrvChild *source, BdrvChild *target,
+                                      BlockDriverState *copy_bitmap_bs,
+                                      const BdrvDirtyBitmap *bitmap,
+                                     bool discard_source,
+                                      Error **errp);
+ 
+ /* Function should be called prior any actual copy request */
+diff --git a/include/block/block_int-global-state.h b/include/block/block_int-global-state.h
+index d2201e27f4..eb2d92a226 100644
+--- a/include/block/block_int-global-state.h
+++ b/include/block/block_int-global-state.h
+@@ -193,7 +193,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+                             MirrorSyncMode sync_mode,
+                             BdrvDirtyBitmap *sync_bitmap,
+                             BitmapSyncMode bitmap_mode,
+-                            bool compress,
+                            bool compress, bool discard_source,
+                             const char *filter_node_name,
+                             BackupPerf *perf,
+                             BlockdevOnError on_source_error,
+diff --git a/qapi/block-core.json b/qapi/block-core.json
+index 4b18e01b85..b179d65520 100644
+--- a/qapi/block-core.json
+++ b/qapi/block-core.json
+@@ -1610,6 +1610,9 @@
+ #     node specified by @drive.  If this option is not given, a node
+ #     name is autogenerated.  (Since: 4.2)
+ #
+# @discard-source: Discard blocks on source which are already copied
+#     to the target.  (Since 9.0)
+#
+ # @x-perf: Performance options.  (Since 6.0)
+ #
+ # Features:
+@@ -1631,6 +1634,7 @@
+             '*on-target-error': 'BlockdevOnError',
+             '*auto-finalize': 'bool', '*auto-dismiss': 'bool',
+             '*filter-node-name': 'str',
+            '*discard-source': 'bool',
+             '*x-perf': { 'type': 'BackupPerf',
+                          'features': [ 'unstable' ] } } }
+ 
--- a/debian/patches/extra/0010-hw-virtio-Fix-the-de-initialization-of-vhost-user-de.patch
+++ b/debian/patches/extra/0010-hw-virtio-Fix-the-de-initialization-of-vhost-user-de.patch
@@ -0,0 +1,92 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 18 Jun 2024 14:19:58 +0200
+Subject: [PATCH] hw/virtio: Fix the de-initialization of vhost-user devices
+
+The unrealize functions of the various vhost-user devices are
+calling the corresponding vhost_*_set_status() functions with a
+status of 0 to shut down the device correctly.
+
+Now these vhost_*_set_status() functions all follow this scheme:
+
+    bool should_start = virtio_device_should_start(vdev, status);
+
+    if (vhost_dev_is_started(&vvc->vhost_dev) == should_start) {
+        return;
+    }
+
+    if (should_start) {
+        /* ... do the initialization stuff ... */
+    } else {
+        /* ... do the cleanup stuff ... */
+    }
+
+The problem here is virtio_device_should_start(vdev, 0) currently
+always returns "true" since it internally only looks at vdev->started
+instead of looking at the "status" parameter. Thus once the device
+got started once, virtio_device_should_start() always returns true
+and thus the vhost_*_set_status() functions return early, without
+ever doing any clean-up when being called with status == 0. This
+causes e.g. problems when trying to hot-plug and hot-unplug a vhost
+user devices multiple times since the de-initialization step is
+completely skipped during the unplug operation.
+
+This bug has been introduced in commit 9f6bcfd99f ("hw/virtio: move
+vm_running check to virtio_device_started") which replaced
+
+ should_start = status & VIRTIO_CONFIG_S_DRIVER_OK;
+
+with
+
+ should_start = virtio_device_started(vdev, status);
+
+which later got replaced by virtio_device_should_start(). This blocked
+the possibility to set should_start to false in case the status flag
+VIRTIO_CONFIG_S_DRIVER_OK was not set.
+
+Fix it by adjusting the virtio_device_should_start() function to
+only consider the status flag instead of vdev->started. Since this
+function is only used in the various vhost_*_set_status() functions
+for exactly the same purpose, it should be fine to fix it in this
+central place there without any risk to change the behavior of other
+code.
+
+Fixes: 9f6bcfd99f ("hw/virtio: move vm_running check to virtio_device_started")
+Buglink: https://issues.redhat.com/browse/RHEL-40708
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20240618121958.88673-1-thuth@redhat.com>
+Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit d72479b11797c28893e1e3fc565497a9cae5ca16)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ include/hw/virtio/virtio.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index 7d5ffdc145..2eafad17b8 100644
+--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
+@@ -470,9 +470,9 @@ static inline bool virtio_device_started(VirtIODevice *vdev, uint8_t status)
+  * @vdev - the VirtIO device
+  * @status - the devices status bits
+  *
+- * This is similar to virtio_device_started() but also encapsulates a
+- * check on the VM status which would prevent a device starting
+- * anyway.
+ * This is similar to virtio_device_started() but ignores vdev->started
+ * and also encapsulates a check on the VM status which would prevent a
+ * device from starting anyway.
+  */
+ static inline bool virtio_device_should_start(VirtIODevice *vdev, uint8_t status)
+ {
+@@ -480,7 +480,7 @@ static inline bool virtio_device_should_start(VirtIODevice *vdev, uint8_t status
+         return false;
+     }
+ 
+-    return virtio_device_started(vdev, status);
+    return status & VIRTIO_CONFIG_S_DRIVER_OK;
+ }
+ 
+ static inline void virtio_set_started(VirtIODevice *vdev, bool started)
--- a/debian/patches/extra/0011-target-arm-Use-float_status-copy-in-sme_fmopa_s.patch
+++ b/debian/patches/extra/0011-target-arm-Use-float_status-copy-in-sme_fmopa_s.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniyal Khan <danikhan632@gmail.com>
+Date: Wed, 17 Jul 2024 16:01:47 +1000
+Subject: [PATCH] target/arm: Use float_status copy in sme_fmopa_s
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We made a copy above because the fp exception flags
+are not propagated back to the FPST register, but
+then failed to use the copy.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 558e956c719 ("target/arm: Implement FMOPA, FMOPS (non-widening)")
+Signed-off-by: Daniyal Khan <danikhan632@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20240717060149.204788-2-richard.henderson@linaro.org
+[rth: Split from a larger patch]
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 31d93fedf41c24b0badb38cd9317590d1ef74e37)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/sme_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index e2e0575039..5a6dd76489 100644
+--- a/target/arm/tcg/sme_helper.c
+++ b/target/arm/tcg/sme_helper.c
+@@ -916,7 +916,7 @@ void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
+                         if (pb & 1) {
+                             uint32_t *a = vza_row + H1_4(col);
+                             uint32_t *m = vzm + H1_4(col);
+-                            *a = float32_muladd(n, *m, *a, 0, vst);
+                            *a = float32_muladd(n, *m, *a, 0, &fpst);
+                         }
+                         col += 4;
+                         pb >>= 4;
--- a/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
+++ b/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
@@ -1,67 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Klaus Jensen <k.jensen@samsung.com>
-Date: Wed, 8 Mar 2023 19:57:12 +0300
-Subject: [PATCH] hw/nvme: fix missing endian conversions for doorbell buffers
-
-The eventidx and doorbell value are not handling endianness correctly.
-Fix this.
-
-Fixes: 3f7fe8de3d49 ("hw/nvme: Implement shadow doorbell buffer support")
-Cc: qemu-stable@nongnu.org
-Reported-by: Guenter Roeck <linux@roeck-us.net>
-Reviewed-by: Keith Busch <kbusch@kernel.org>
-Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
-(cherry picked from commit 2fda0726e5149e032acfa5fe442db56cd6433c4c)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-Conflicts: hw/nvme/ctrl.c
-(picked up from qemu-stable mailing list)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/nvme/ctrl.c | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
-index e54276dc1d..98d8e34109 100644
--- a/hw/nvme/ctrl.c
-+++ b/hw/nvme/ctrl.c
-@@ -1333,8 +1333,12 @@ static inline void nvme_blk_write(BlockBackend *blk, int64_t offset,
- 
- static void nvme_update_cq_head(NvmeCQueue *cq)
- {
-    pci_dma_read(&cq->ctrl->parent_obj, cq->db_addr, &cq->head,
-            sizeof(cq->head));
-+    uint32_t v;
-+
-+    pci_dma_read(&cq->ctrl->parent_obj, cq->db_addr, &v, sizeof(v));
-+
-+    cq->head = le32_to_cpu(v);
-+
-     trace_pci_nvme_shadow_doorbell_cq(cq->cqid, cq->head);
- }
- 
-@@ -6141,15 +6145,21 @@ static uint16_t nvme_admin_cmd(NvmeCtrl *n, NvmeRequest *req)
- 
- static void nvme_update_sq_eventidx(const NvmeSQueue *sq)
- {
-    pci_dma_write(&sq->ctrl->parent_obj, sq->ei_addr, &sq->tail,
-                  sizeof(sq->tail));
-+    uint32_t v = cpu_to_le32(sq->tail);
-+
-+    pci_dma_write(&sq->ctrl->parent_obj, sq->ei_addr, &v, sizeof(v));
-+
-     trace_pci_nvme_eventidx_sq(sq->sqid, sq->tail);
- }
- 
- static void nvme_update_sq_tail(NvmeSQueue *sq)
- {
-    pci_dma_read(&sq->ctrl->parent_obj, sq->db_addr, &sq->tail,
-                 sizeof(sq->tail));
-+    uint32_t v;
-+
-+    pci_dma_read(&sq->ctrl->parent_obj, sq->db_addr, &v, sizeof(v));
-+
-+    sq->tail = le32_to_cpu(v);
-+
-     trace_pci_nvme_shadow_doorbell_sq(sq->sqid, sq->tail);
- }
- 
--- a/debian/patches/extra/0012-target-arm-Use-FPST_F16-for-SME-FMOPA-widening.patch
+++ b/debian/patches/extra/0012-target-arm-Use-FPST_F16-for-SME-FMOPA-widening.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Wed, 17 Jul 2024 16:01:48 +1000
+Subject: [PATCH] target/arm: Use FPST_F16 for SME FMOPA (widening)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This operation has float16 inputs and thus must use
+the FZ16 control not the FZ control.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 3916841ac75 ("target/arm: Implement FMOPA, FMOPS (widening)")
+Reported-by: Daniyal Khan <danikhan632@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20240717060149.204788-3-richard.henderson@linaro.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2374
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 207d30b5fdb5b45a36f26eefcf52fe2c1714dd4f)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/translate-sme.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+index 46c7fce8b4..185a8a917b 100644
+--- a/target/arm/tcg/translate-sme.c
+++ b/target/arm/tcg/translate-sme.c
+@@ -304,6 +304,7 @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
+ }
+ 
+ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+                            ARMFPStatusFlavour e_fpst,
+                             gen_helper_gvec_5_ptr *fn)
+ {
+     int svl = streaming_vec_reg_size(s);
+@@ -319,15 +320,18 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+     pm = pred_full_reg_ptr(s, a->pm);
+-    fpst = fpstatus_ptr(FPST_FPCR);
+    fpst = fpstatus_ptr(e_fpst);
+ 
+     fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
+     return true;
+ }
+ 
+-TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
+-TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
+-TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
+TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a,
+           MO_32, FPST_FPCR_F16, gen_helper_sme_fmopa_h)
+TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a,
+           MO_32, FPST_FPCR, gen_helper_sme_fmopa_s)
+TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a,
+           MO_64, FPST_FPCR, gen_helper_sme_fmopa_d)
+ 
+ /* TODO: FEAT_EBF16 */
+ TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
--- a/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
+++ b/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch
@@ -1,50 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Julia Suvorova <jusual@redhat.com>
-Date: Thu, 23 Feb 2023 13:57:47 +0100
-Subject: [PATCH] hw/smbios: fix field corruption in type 4 table
-
-Since table type 4 of SMBIOS version 2.6 is shorter than 3.0, the
-strings which follow immediately after the struct fields have been
-overwritten by unconditional filling of later fields such as core_count2.
-Make these fields dependent on the SMBIOS version.
-
-Fixes: 05e27d74c7 ("hw/smbios: add core_count2 to smbios table type 4")
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2169904
-
-Signed-off-by: Julia Suvorova <jusual@redhat.com>
-Message-Id: <20230223125747.254914-1-jusual@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Ani Sinha <ani@anisinha.ca>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 60d09b8dc7dd4256d664ad680795cb1327805b2b)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/smbios/smbios.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
-index b4243de735..66a020999b 100644
--- a/hw/smbios/smbios.c
-+++ b/hw/smbios/smbios.c
-@@ -749,14 +749,16 @@ static void smbios_build_type_4_table(MachineState *ms, unsigned instance)
-     t->core_count = (ms->smp.cores > 255) ? 0xFF : ms->smp.cores;
-     t->core_enabled = t->core_count;
- 
-    t->core_count2 = t->core_enabled2 = cpu_to_le16(ms->smp.cores);
-
-     t->thread_count = (ms->smp.threads > 255) ? 0xFF : ms->smp.threads;
-    t->thread_count2 = cpu_to_le16(ms->smp.threads);
- 
-     t->processor_characteristics = cpu_to_le16(0x02); /* Unknown */
-     t->processor_family2 = cpu_to_le16(0x01); /* Other */
- 
-+    if (tbl_len == SMBIOS_TYPE_4_LEN_V30) {
-+        t->core_count2 = t->core_enabled2 = cpu_to_le16(ms->smp.cores);
-+        t->thread_count2 = cpu_to_le16(ms->smp.threads);
-+    }
-+
-     SMBIOS_BUILD_TABLE_POST;
-     smbios_type4_count++;
- }
--- a/debian/patches/extra/0013-scsi-fix-regression-and-honor-bootindex-again-for-le.patch
+++ b/debian/patches/extra/0013-scsi-fix-regression-and-honor-bootindex-again-for-le.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 10 Jul 2024 17:25:29 +0200
+Subject: [PATCH] scsi: fix regression and honor bootindex again for legacy
+ drives
+
+Commit 3089637461 ("scsi: Don't ignore most usb-storage properties")
+removed the call to object_property_set_int() and thus the 'set'
+method for the bootindex property was also not called anymore. Here
+that method is device_set_bootindex() (as configured by
+scsi_dev_instance_init() -> device_add_bootindex_property()) which as
+a side effect registers the device via add_boot_device_path().
+
+As reported by a downstream user [0], the bootindex property did not
+have the desired effect anymore for legacy drives. Fix the regression
+by explicitly calling the add_boot_device_path() function after
+checking that the bootindex is not yet used (to avoid
+add_boot_device_path() calling exit()).
+
+[0]: https://forum.proxmox.com/threads/149772/post-679433
+
+Cc: qemu-stable@nongnu.org
+Fixes: 3089637461 ("scsi: Don't ignore most usb-storage properties")
+Suggested-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Link: https://lore.kernel.org/r/20240710152529.1737407-1-f.ebner@proxmox.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 57a8a80d1a5b28797b21d30bfc60601945820e51)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/scsi-bus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
+index 9e40b0c920..53eff5dd3d 100644
+--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
+@@ -384,6 +384,7 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
+     DeviceState *dev;
+     SCSIDevice *s;
+     DriveInfo *dinfo;
+    Error *local_err = NULL;
+ 
+     if (blk_is_sg(blk)) {
+         driver = "scsi-generic";
+@@ -403,6 +404,14 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
+     s = SCSI_DEVICE(dev);
+     s->conf = *conf;
+ 
+    check_boot_index(conf->bootindex, &local_err);
+    if (local_err) {
+        object_unparent(OBJECT(dev));
+        error_propagate(errp, local_err);
+        return NULL;
+    }
+    add_boot_device_path(conf->bootindex, dev, NULL);
+
+     qdev_prop_set_uint32(dev, "scsi-id", unit);
+     if (object_property_find(OBJECT(dev), "removable")) {
+         qdev_prop_set_bit(dev, "removable", removable);
--- a/debian/patches/extra/0014-hw-scsi-lsi53c895a-bump-instruction-limit-in-scripts.patch
+++ b/debian/patches/extra/0014-hw-scsi-lsi53c895a-bump-instruction-limit-in-scripts.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Mon, 15 Jul 2024 15:14:03 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: bump instruction limit in scripts
+ processing to fix regression
+
+Commit 9876359990 ("hw/scsi/lsi53c895a: add timer to scripts
+processing") reduced the maximum allowed instruction count by
+a factor of 100 all the way down to 100.
+
+This causes the "Check Point R81.20 Gaia" appliance [0] to fail to
+boot after fully finishing the installation via the appliance's web
+interface (there is already one reboot before that).
+
+With a limit of 150, the appliance still fails to boot, while with a
+limit of 200, it works. Bump to 500 to fix the regression and be on
+the safe side.
+
+Originally reported in the Proxmox community forum[1].
+
+[0]: https://support.checkpoint.com/results/download/124397
+[1]: https://forum.proxmox.com/threads/149772/post-683459
+
+Cc: qemu-stable@nongnu.org
+Fixes: 9876359990 ("hw/scsi/lsi53c895a: add timer to scripts processing")
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Acked-by: Sven Schnelle <svens@stackframe.org>
+Link: https://lore.kernel.org/r/20240715131403.223239-1-f.ebner@proxmox.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit a4975023fb13cf229bd59c9ceec1b8cbdc5b9a20)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/lsi53c895a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index eb9828dd5e..f1935e5328 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -188,7 +188,7 @@ static const char *names[] = {
+ #define LSI_TAG_VALID     (1 << 16)
+ 
+ /* Maximum instructions to process. */
+-#define LSI_MAX_INSN    100
+#define LSI_MAX_INSN    500
+ 
+ typedef struct lsi_request {
+     SCSIRequest *req;
--- a/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
+++ b/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch
@@ -1,35 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Tue, 7 Feb 2023 17:49:44 +0000
-Subject: [PATCH] virtio-rng-pci: fix transitional migration compat for vectors
-
-In bad9c5a516 ("virtio-rng-pci: fix migration compat for vectors") I
-fixed the virtio-rng-pci migration compatibility, but it was discovered
-that we also need to fix the other aliases of the device for the
-transitional cases.
-
-Fixes: 9ea02e8f1 ('virtio-rng-pci: Allow setting nvectors, so we can use MSI-X')
-bz: https://bugzilla.redhat.com/show_bug.cgi?id=2162569
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-Id: <20230207174944.138255-1-dgilbert@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 62bdb8871512076841f4464f7e26efdc7783f78d)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/core/machine.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index cd84579591..4297315984 100644
--- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -43,6 +43,8 @@
- GlobalProperty hw_compat_7_1[] = {
-     { "virtio-device", "queue_reset", "false" },
-     { "virtio-rng-pci", "vectors", "0" },
-+    { "virtio-rng-pci-transitional", "vectors", "0" },
-+    { "virtio-rng-pci-non-transitional", "vectors", "0" },
- };
- const size_t hw_compat_7_1_len = G_N_ELEMENTS(hw_compat_7_1);
- 
--- a/debian/patches/extra/0015-block-copy-Fix-missing-graph-lock.patch
+++ b/debian/patches/extra/0015-block-copy-Fix-missing-graph-lock.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 27 Jun 2024 20:12:44 +0200
+Subject: [PATCH] block-copy: Fix missing graph lock
+
+The graph lock needs to be held when calling bdrv_co_pdiscard(). Fix
+block_copy_task_entry() to take it for the call.
+
+WITH_GRAPH_RDLOCK_GUARD() was implemented in a weak way because of
+limitations in clang's Thread Safety Analysis at the time, so that it
+only asserts that the lock is held (which allows calling functions that
+require the lock), but we never deal with the unlocking (so even after
+the scope of the guard, the compiler assumes that the lock is still
+held). This is why the compiler didn't catch this locking error.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+(picked from https://lore.kernel.org/qemu-devel/20240627181245.281403-2-kwolf@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ block/block-copy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/block/block-copy.c b/block/block-copy.c
+index 7e3b378528..cc618e4561 100644
+--- a/block/block-copy.c
+++ b/block/block-copy.c
+@@ -595,7 +595,9 @@ static coroutine_fn int block_copy_task_entry(AioTask *task)
+     if (s->discard_source && ret == 0) {
+         int64_t nbytes =
+             MIN(t->req.offset + t->req.bytes, s->len) - t->req.offset;
+-        bdrv_co_pdiscard(s->source, t->req.offset, nbytes);
+        WITH_GRAPH_RDLOCK_GUARD() {
+            bdrv_co_pdiscard(s->source, t->req.offset, nbytes);
+        }
+     }
+ 
+     return ret;
--- a/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
+++ b/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch
@@ -1,80 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Akihiko Odaki <akihiko.odaki@daynix.com>
-Date: Tue, 31 Jan 2023 12:00:37 +0900
-Subject: [PATCH] hw/timer/hpet: Fix expiration time overflow
-
-The expiration time provided for timer_mod() can overflow if a
-ridiculously large value is set to the comparator register. The
-resulting value can represent a past time after rounded, forcing the
-timer to fire immediately. If the timer is configured as periodic, it
-will rearm the timer again, and form an endless loop.
-
-Check if the expiration value will overflow, and if it will, stop the
-timer instead of rearming the timer with the overflowed time.
-
-This bug was found by Alexander Bulekov when fuzzing igb, a new
-network device emulation:
-https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
-
-The fixed test case is:
-fuzz/crash_2d7036941dcda1ad4380bb8a9174ed0c949bcefd
-
-Fixes: 16b29ae180 ("Add HPET emulation to qemu (Beth Kon)")
-Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Message-Id: <20230131030037.18856-1-akihiko.odaki@daynix.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 37d2bcbc2a4e9c2e9061bec72a32c7e49b9f81ec)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/timer/hpet.c | 19 +++++++++++++------
- 1 file changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
-index 9520471be2..5f88ffdef8 100644
--- a/hw/timer/hpet.c
-+++ b/hw/timer/hpet.c
-@@ -352,6 +352,16 @@ static const VMStateDescription vmstate_hpet = {
-     }
- };
- 
-+static void hpet_arm(HPETTimer *t, uint64_t ticks)
-+{
-+    if (ticks < ns_to_ticks(INT64_MAX / 2)) {
-+        timer_mod(t->qemu_timer,
-+                  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ticks_to_ns(ticks));
-+    } else {
-+        timer_del(t->qemu_timer);
-+    }
-+}
-+
- /*
-  * timer expiration callback
-  */
-@@ -374,13 +384,11 @@ static void hpet_timer(void *opaque)
-             }
-         }
-         diff = hpet_calculate_diff(t, cur_tick);
-        timer_mod(t->qemu_timer,
-                       qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_to_ns(diff));
-+        hpet_arm(t, diff);
-     } else if (t->config & HPET_TN_32BIT && !timer_is_periodic(t)) {
-         if (t->wrap_flag) {
-             diff = hpet_calculate_diff(t, cur_tick);
-            timer_mod(t->qemu_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
-                           (int64_t)ticks_to_ns(diff));
-+            hpet_arm(t, diff);
-             t->wrap_flag = 0;
-         }
-     }
-@@ -407,8 +415,7 @@ static void hpet_set_timer(HPETTimer *t)
-             t->wrap_flag = 1;
-         }
-     }
-    timer_mod(t->qemu_timer,
-                   qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_to_ns(diff));
-+    hpet_arm(t, diff);
- }
- 
- static void hpet_del_timer(HPETTimer *t)
--- a/debian/patches/extra/0016-Revert-qemu-char-do-not-operate-on-sources-from-fina.patch
+++ b/debian/patches/extra/0016-Revert-qemu-char-do-not-operate-on-sources-from-fina.patch
@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sergey Dyasli <sergey.dyasli@nutanix.com>
+Date: Fri, 12 Jul 2024 09:26:59 +0000
+Subject: [PATCH] Revert "qemu-char: do not operate on sources from finalize
+ callbacks"
+
+This reverts commit 2b316774f60291f57ca9ecb6a9f0712c532cae34.
+
+After 038b4217884c ("Revert "chardev: use a child source for qio input
+source"") we've been observing the "iwp->src == NULL" assertion
+triggering periodically during the initial capabilities querying by
+libvirtd. One of possible backtraces:
+
+Thread 1 (Thread 0x7f16cd4f0700 (LWP 43858)):
+0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
+1  0x00007f16c6c21e65 in __GI_abort () at abort.c:79
+2  0x00007f16c6c21d39 in __assert_fail_base  at assert.c:92
+3  0x00007f16c6c46e86 in __GI___assert_fail (assertion=assertion@entry=0x562e9bcdaadd "iwp->src == NULL", file=file@entry=0x562e9bcdaac8 "../chardev/char-io.c", line=line@entry=99, function=function@entry=0x562e9bcdab10 <__PRETTY_FUNCTION__.20549> "io_watch_poll_finalize") at assert.c:101
+4  0x0000562e9ba20c2c in io_watch_poll_finalize (source=<optimized out>) at ../chardev/char-io.c:99
+5  io_watch_poll_finalize (source=<optimized out>) at ../chardev/char-io.c:88
+6  0x00007f16c904aae0 in g_source_unref_internal () from /lib64/libglib-2.0.so.0
+7  0x00007f16c904baf9 in g_source_destroy_internal () from /lib64/libglib-2.0.so.0
+8  0x0000562e9ba20db0 in io_remove_watch_poll (source=0x562e9d6720b0) at ../chardev/char-io.c:147
+9  remove_fd_in_watch (chr=chr@entry=0x562e9d5f3800) at ../chardev/char-io.c:153
+10 0x0000562e9ba23ffb in update_ioc_handlers (s=0x562e9d5f3800) at ../chardev/char-socket.c:592
+11 0x0000562e9ba2072f in qemu_chr_fe_set_handlers_full at ../chardev/char-fe.c:279
+12 0x0000562e9ba207a9 in qemu_chr_fe_set_handlers at ../chardev/char-fe.c:304
+13 0x0000562e9ba2ca75 in monitor_qmp_setup_handlers_bh (opaque=0x562e9d4c2c60) at ../monitor/qmp.c:509
+14 0x0000562e9bb6222e in aio_bh_poll (ctx=ctx@entry=0x562e9d4c2f20) at ../util/async.c:216
+15 0x0000562e9bb4de0a in aio_poll (ctx=0x562e9d4c2f20, blocking=blocking@entry=true) at ../util/aio-posix.c:722
+16 0x0000562e9b99dfaa in iothread_run (opaque=0x562e9d4c26f0) at ../iothread.c:63
+17 0x0000562e9bb505a4 in qemu_thread_start (args=0x562e9d4c7ea0) at ../util/qemu-thread-posix.c:543
+18 0x00007f16c70081ca in start_thread (arg=<optimized out>) at pthread_create.c:479
+19 0x00007f16c6c398d3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
+
+io_remove_watch_poll(), which makes sure that iwp->src is NULL, calls
+g_source_destroy() which finds that iwp->src is not NULL in the finalize
+callback. This can only happen if another thread has managed to trigger
+io_watch_poll_prepare() callback in the meantime.
+
+Move iwp->src destruction back to the finalize callback to prevent the
+described race, and also remove the stale comment. The deadlock glib bug
+was fixed back in 2010 by b35820285668 ("gmain: move finalization of
+GSource outside of context lock").
+
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sergey Dyasli <sergey.dyasli@nutanix.com>
+Link: https://lore.kernel.org/r/20240712092659.216206-1-sergey.dyasli@nutanix.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e0bf95443ee9326d44031373420cf9f3513ee255)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ chardev/char-io.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/chardev/char-io.c b/chardev/char-io.c
+index dab77b112e..3be17b51ca 100644
+--- a/chardev/char-io.c
+++ b/chardev/char-io.c
+@@ -87,16 +87,12 @@ static gboolean io_watch_poll_dispatch(GSource *source, GSourceFunc callback,
+ 
+ static void io_watch_poll_finalize(GSource *source)
+ {
+-    /*
+-     * Due to a glib bug, removing the last reference to a source
+-     * inside a finalize callback causes recursive locking (and a
+-     * deadlock).  This is not a problem inside other callbacks,
+-     * including dispatch callbacks, so we call io_remove_watch_poll
+-     * to remove this source.  At this point, iwp->src must
+-     * be NULL, or we would leak it.
+-     */
+     IOWatchPoll *iwp = io_watch_poll_from_source(source);
+-    assert(iwp->src == NULL);
+    if (iwp->src) {
+        g_source_destroy(iwp->src);
+        g_source_unref(iwp->src);
+        iwp->src = NULL;
+    }
+ }
+ 
+ static GSourceFuncs io_watch_poll_funcs = {
+@@ -139,11 +135,6 @@ static void io_remove_watch_poll(GSource *source)
+     IOWatchPoll *iwp;
+ 
+     iwp = io_watch_poll_from_source(source);
+-    if (iwp->src) {
+-        g_source_destroy(iwp->src);
+-        g_source_unref(iwp->src);
+-        iwp->src = NULL;
+-    }
+     g_source_destroy(&iwp->parent);
+ }
+ 
--- a/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
+++ b/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch
@@ -1,71 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Eugenio=20P=C3=A9rez?= <eperezma@redhat.com>
-Date: Thu, 9 Feb 2023 18:00:04 +0100
-Subject: [PATCH] vdpa: stop all svq on device deletion
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Not stopping them leave the device in a bad state when virtio-net
-fronted device is unplugged with device_del monitor command.
-
-This is not triggable in regular poweroff or qemu forces shutdown
-because cleanup is called right after vhost_vdpa_dev_start(false).  But
-devices hot unplug does not call vdpa device cleanups.  This lead to all
-the vhost_vdpa devices without stop the SVQ but the last.
-
-Fix it and clean the code, making it symmetric with
-vhost_vdpa_svqs_start.
-
-Fixes: dff4426fa656 ("vhost: Add Shadow VirtQueue kick forwarding capabilities")
-Reported-by: Lei Yang <leiyang@redhat.com>
-Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
-Message-Id: <20230209170004.899472-1-eperezma@redhat.com>
-Tested-by: Laurent Vivier <lvivier@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-(cherry-picked from commit 2e1a9de96b487cf818a22d681cad8d3f5d18dcca)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/virtio/vhost-vdpa.c | 17 ++---------------
- 1 file changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
-index 7468e44b87..03c78d25d8 100644
--- a/hw/virtio/vhost-vdpa.c
-+++ b/hw/virtio/vhost-vdpa.c
-@@ -707,26 +707,11 @@ static int vhost_vdpa_get_device_id(struct vhost_dev *dev,
-     return ret;
- }
- 
-static void vhost_vdpa_reset_svq(struct vhost_vdpa *v)
-{
-    if (!v->shadow_vqs_enabled) {
-        return;
-    }
-
-    for (unsigned i = 0; i < v->shadow_vqs->len; ++i) {
-        VhostShadowVirtqueue *svq = g_ptr_array_index(v->shadow_vqs, i);
-        vhost_svq_stop(svq);
-    }
-}
-
- static int vhost_vdpa_reset_device(struct vhost_dev *dev)
- {
-    struct vhost_vdpa *v = dev->opaque;
-     int ret;
-     uint8_t status = 0;
- 
-    vhost_vdpa_reset_svq(v);
-
-     ret = vhost_vdpa_call(dev, VHOST_VDPA_SET_STATUS, &status);
-     trace_vhost_vdpa_reset_device(dev, status);
-     return ret;
-@@ -1088,6 +1073,8 @@ static void vhost_vdpa_svqs_stop(struct vhost_dev *dev)
- 
-     for (unsigned i = 0; i < v->shadow_vqs->len; ++i) {
-         VhostShadowVirtqueue *svq = g_ptr_array_index(v->shadow_vqs, i);
-+
-+        vhost_svq_stop(svq);
-         vhost_vdpa_svq_unmap_rings(dev, svq);
-     }
- }
--- a/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
+++ b/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
@@ -1,132 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Carlos=20L=C3=B3pez?= <clopez@suse.de>
-Date: Mon, 13 Feb 2023 09:57:47 +0100
-Subject: [PATCH] vhost: avoid a potential use of an uninitialized variable in
- vhost_svq_poll()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device
-providing invalid descriptors, len is left uninitialized and returned
-to the caller, potentally leaking stack data or causing undefined
-behavior.
-
-Fix this by initializing len to 0.
-
-Found with GCC 13 and -fanalyzer (abridged):
-
-../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’:
-../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
-  538 |     return len;
-      |            ^~~
-  ‘vhost_svq_poll’: events 1-4
-    |
-    |  522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
-    |      |        ^~~~~~~~~~~~~~
-    |      |        |
-    |      |        (1) entry to ‘vhost_svq_poll’
-    |......
-    |  525 |     uint32_t len;
-    |      |              ~~~
-    |      |              |
-    |      |              (2) region created on stack here
-    |      |              (3) capacity: 4 bytes
-    |......
-    |  528 |         if (vhost_svq_more_used(svq)) {
-    |      |             ~
-    |      |             |
-    |      |             (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’
-
-    (...)
-
-    |  528 |         if (vhost_svq_more_used(svq)) {
-    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~
-    |      |            ||
-    |      |            |(8) ...to here
-    |      |            (7) following ‘true’ branch...
-    |......
-    |  537 |     vhost_svq_get_buf(svq, &len);
-    |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    |      |     |
-    |      |     (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’
-    |
-    +--> ‘vhost_svq_get_buf’: events 10-11
-           |
-           |  416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
-           |      |                          ^~~~~~~~~~~~~~~~~
-           |      |                          |
-           |      |                          (10) entry to ‘vhost_svq_get_buf’
-           |......
-           |  423 |     if (!vhost_svq_more_used(svq)) {
-           |      |          ~
-           |      |          |
-           |      |          (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’
-           |
-
-           (...)
-
-           |
-         ‘vhost_svq_get_buf’: event 14
-           |
-           |  423 |     if (!vhost_svq_more_used(svq)) {
-           |      |        ^
-           |      |        |
-           |      |        (14) following ‘false’ branch...
-           |
-         ‘vhost_svq_get_buf’: event 15
-           |
-           |cc1:
-           | (15): ...to here
-           |
-    <------+
-    |
-  ‘vhost_svq_poll’: events 16-17
-    |
-    |  537 |     vhost_svq_get_buf(svq, &len);
-    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    |      |     |
-    |      |     (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’
-    |  538 |     return len;
-    |      |            ~~~
-    |      |            |
-    |      |            (17) use of uninitialized value ‘len’ here
-
-Note by  Laurent Vivier <lvivier@redhat.com>:
-
-    The return value is only used to detect an error:
-
-    vhost_svq_poll
-        vhost_vdpa_net_cvq_add
-            vhost_vdpa_net_load_cmd
-                vhost_vdpa_net_load_mac
-                  -> a negative return is only used to detect error
-                vhost_vdpa_net_load_mq
-                  -> a negative return is only used to detect error
-            vhost_vdpa_net_handle_ctrl_avail
-              -> a negative return is only used to detect error
-
-Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush")
-Signed-off-by: Carlos López <clopez@suse.de>
-Message-Id: <20230213085747.19956-1-clopez@suse.de>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit e4dd39c699b7d63a06f686ec06ded8adbee989c1)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/virtio/vhost-shadow-virtqueue.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
-index 5bd14cad96..a723073747 100644
--- a/hw/virtio/vhost-shadow-virtqueue.c
-+++ b/hw/virtio/vhost-shadow-virtqueue.c
-@@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq,
- size_t vhost_svq_poll(VhostShadowVirtqueue *svq)
- {
-     int64_t start_us = g_get_monotonic_time();
-    uint32_t len;
-+    uint32_t len = 0;
- 
-     do {
-         if (vhost_svq_more_used(svq)) {
--- a/debian/patches/extra/0017-virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch
+++ b/debian/patches/extra/0017-virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch
@@ -0,0 +1,77 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Cindy Lu <lulu@redhat.com>
+Date: Tue, 6 Aug 2024 17:37:12 +0800
+Subject: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd
+
+The crash was reported in MAC OS and NixOS, here is the link for this bug
+https://gitlab.com/qemu-project/qemu/-/issues/2334
+https://gitlab.com/qemu-project/qemu/-/issues/2321
+
+In this bug, they are using the virtio_input device. The guest notifier was
+not supported for this device, The function virtio_pci_set_guest_notifiers()
+was not called, and the vector_irqfd was not initialized.
+
+So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()
+
+The function virtio_pci_get_notifier() can be used in various devices.
+It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation,
+the vector_irqfd being NULL is acceptable. We can allow the device continue to boot
+
+If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK
+is set, it means that the function set_guest_notifiers was not called before the
+driver started. This indicates that the device is not using the notifier.
+At this point, we will let the check fail.
+
+This fix is verified in vyatta,MacOS,NixOS,fedora system.
+
+The bt tree for this bug is:
+Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0x7c817be006c0 (LWP 1269146)]
+kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
+817         if (irqfd->users == 0) {
+(gdb) thread apply all bt
+...
+Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
+0  kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
+1  kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
+2  0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497
+3  0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573
+4  0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528
+5  0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713
+6  0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743
+7  flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
+8  0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894
+9  0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904
+10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
+11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
+12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541
+13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
+14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6
+
+Fixes: 2ce6cff94d ("virtio-pci: fix use of a released vector")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Cindy Lu <lulu@redhat.com>
+Message-Id: <20240806093715.65105-1-lulu@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit a8e63ff289d137197ad7a701a587cc432872d798)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/virtio/virtio-pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
+index e04218a9fb..389bab003f 100644
+--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
+@@ -860,6 +860,9 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no,
+     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+     VirtQueue *vq;
+ 
+    if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)
+        return -1;
+
+     if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
+         *n = virtio_config_get_guest_notifier(vdev);
+         *vector = vdev->config_vector;
--- a/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
+++ b/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
@@ -1,70 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Yajun Wu <yajunw@nvidia.com>
-Date: Tue, 14 Feb 2023 10:14:30 +0800
-Subject: [PATCH] chardev/char-socket: set s->listener = NULL in
- char_socket_finalize
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-After live migration with virtio block device, qemu crash at:
-
-	#0  0x000055914f46f795 in object_dynamic_cast_assert (obj=0x559151b7b090, typename=0x55914f80fbc4 "qio-channel", file=0x55914f80fb90 "/images/testvfe/sw/qemu.gerrit/include/io/channel.h", line=30, func=0x55914f80fcb8 <__func__.17257> "QIO_CHANNEL") at ../qom/object.c:872
-	#1  0x000055914f480d68 in QIO_CHANNEL (obj=0x559151b7b090) at /images/testvfe/sw/qemu.gerrit/include/io/channel.h:29
-	#2  0x000055914f4812f8 in qio_net_listener_set_client_func_full (listener=0x559151b7a720, func=0x55914f580b97 <tcp_chr_accept>, data=0x5591519f4ea0, notify=0x0, context=0x0) at ../io/net-listener.c:166
-	#3  0x000055914f580059 in tcp_chr_update_read_handler (chr=0x5591519f4ea0) at ../chardev/char-socket.c:637
-	#4  0x000055914f583dca in qemu_chr_be_update_read_handlers (s=0x5591519f4ea0, context=0x0) at ../chardev/char.c:226
-	#5  0x000055914f57b7c9 in qemu_chr_fe_set_handlers_full (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false, sync_state=true) at ../chardev/char-fe.c:279
-	#6  0x000055914f57b86d in qemu_chr_fe_set_handlers (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false) at ../chardev/char-fe.c:304
-	#7  0x000055914f378caf in vhost_user_async_close (d=0x559152bf21a0, chardev=0x559152bf23a0, vhost=0x559152bf2420, cb=0x55914f2fb8c1 <vhost_user_blk_disconnect>) at ../hw/virtio/vhost-user.c:2725
-	#8  0x000055914f2fba40 in vhost_user_blk_event (opaque=0x559152bf21a0, event=CHR_EVENT_CLOSED) at ../hw/block/vhost-user-blk.c:395
-	#9  0x000055914f58388c in chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:61
-	#10 0x000055914f583905 in qemu_chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:81
-	#11 0x000055914f581275 in char_socket_finalize (obj=0x5591519f4ea0) at ../chardev/char-socket.c:1083
-	#12 0x000055914f46f073 in object_deinit (obj=0x5591519f4ea0, type=0x5591519055c0) at ../qom/object.c:680
-	#13 0x000055914f46f0e5 in object_finalize (data=0x5591519f4ea0) at ../qom/object.c:694
-	#14 0x000055914f46ff06 in object_unref (objptr=0x5591519f4ea0) at ../qom/object.c:1202
-	#15 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b76c50, name=0x559151b7b250 "char3", opaque=0x5591519f4ea0) at ../qom/object.c:1747
-	#16 0x000055914f46ee86 in object_property_del_all (obj=0x559151b76c50) at ../qom/object.c:632
-	#17 0x000055914f46f0d2 in object_finalize (data=0x559151b76c50) at ../qom/object.c:693
-	#18 0x000055914f46ff06 in object_unref (objptr=0x559151b76c50) at ../qom/object.c:1202
-	#19 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b6b560, name=0x559151b76630 "chardevs", opaque=0x559151b76c50) at ../qom/object.c:1747
-	#20 0x000055914f46ef67 in object_property_del_child (obj=0x559151b6b560, child=0x559151b76c50) at ../qom/object.c:654
-	#21 0x000055914f46f042 in object_unparent (obj=0x559151b76c50) at ../qom/object.c:673
-	#22 0x000055914f58632a in qemu_chr_cleanup () at ../chardev/char.c:1189
-	#23 0x000055914f16c66c in qemu_cleanup () at ../softmmu/runstate.c:830
-	#24 0x000055914eee7b9e in qemu_default_main () at ../softmmu/main.c:38
-	#25 0x000055914eee7bcc in main (argc=86, argv=0x7ffc97cb8d88) at ../softmmu/main.c:48
-
-In char_socket_finalize after s->listener freed, event callback function
-vhost_user_blk_event will be called to handle CHR_EVENT_CLOSED.
-vhost_user_blk_event is calling qio_net_listener_set_client_func_full which
-is still using s->listener.
-
-Setting s->listener = NULL after object_unref(OBJECT(s->listener)) can
-solve this issue.
-
-Signed-off-by: Yajun Wu <yajunw@nvidia.com>
-Acked-by: Jiri Pirko <jiri@nvidia.com>
-Message-Id: <20230214021430.3638579-1-yajunw@nvidia.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit b8a7f51f59e28d5a8e0c07ed3919cc9695560ed2)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- chardev/char-socket.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/chardev/char-socket.c b/chardev/char-socket.c
-index 879564aa8a..b00efb1482 100644
--- a/chardev/char-socket.c
-+++ b/chardev/char-socket.c
-@@ -1065,6 +1065,7 @@ static void char_socket_finalize(Object *obj)
-         qio_net_listener_set_client_func_full(s->listener, NULL, NULL,
-                                               NULL, chr->gcontext);
-         object_unref(OBJECT(s->listener));
-+        s->listener = NULL;
-     }
-     if (s->tls_creds) {
-         object_unref(OBJECT(s->tls_creds));
--- a/debian/patches/extra/0018-virtio-net-Ensure-queue-index-fits-with-RSS.patch
+++ b/debian/patches/extra/0018-virtio-net-Ensure-queue-index-fits-with-RSS.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Date: Mon, 1 Jul 2024 20:58:04 +0900
+Subject: [PATCH] virtio-net: Ensure queue index fits with RSS
+
+Ensure the queue index points to a valid queue when software RSS
+enabled. The new calculation matches with the behavior of Linux's TAP
+device with the RSS eBPF program.
+
+Fixes: 4474e37a5b3a ("virtio-net: implement RX RSS processing")
+Reported-by: Zhibin Hu <huzhibin5@huawei.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit f1595ceb9aad36a6c1da95bcb77ab9509b38822d)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/net/virtio-net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 3644bfd91b..f48588638d 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -1949,7 +1949,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+     if (!no_rss && n->rss_data.enabled && n->rss_data.enabled_software_rss) {
+         int index = virtio_net_process_rss(nc, buf, size);
+         if (index >= 0) {
+-            NetClientState *nc2 = qemu_get_subqueue(n->nic, index);
+            NetClientState *nc2 =
+                qemu_get_subqueue(n->nic, index % n->curr_queue_pairs);
+             return virtio_net_receive_rcu(nc2, buf, size, true);
+         }
+     }
--- a/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
+++ b/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch
@@ -1,41 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Thu, 23 Feb 2023 14:59:20 +0800
-Subject: [PATCH] intel-iommu: fail MAP notifier without caching mode
-
-Without caching mode, MAP notifier won't work correctly since guest
-won't send IOTLB update event when it establishes new mappings in the
-I/O page tables. Let's fail the IOMMU notifiers early instead of
-misbehaving silently.
-
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Tested-by: Viktor Prutyanov <viktor@daynix.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20230223065924.42503-2-jasowang@redhat.com>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit b8d78277c091f26fdd64f239bc8bb7e55d74cecf)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/i386/intel_iommu.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
-index a08ee85edf..9143376677 100644
--- a/hw/i386/intel_iommu.c
-+++ b/hw/i386/intel_iommu.c
-@@ -3186,6 +3186,13 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
-                          "Snoop Control with vhost or VFIO is not supported");
-         return -ENOTSUP;
-     }
-+    if (!s->caching_mode && (new & IOMMU_NOTIFIER_MAP)) {
-+        error_setg_errno(errp, ENOTSUP,
-+                         "device %02x.%02x.%x requires caching mode",
-+                         pci_bus_num(vtd_as->bus), PCI_SLOT(vtd_as->devfn),
-+                         PCI_FUNC(vtd_as->devfn));
-+        return -ENOTSUP;
-+    }
- 
-     /* Update per-address-space notifier flags */
-     vtd_as->notifier_flags = new;
--- a/debian/patches/extra/0019-virtio-net-Fix-network-stall-at-the-host-side-waitin.patch
+++ b/debian/patches/extra/0019-virtio-net-Fix-network-stall-at-the-host-side-waitin.patch
@@ -0,0 +1,338 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: thomas <east.moutain.yang@gmail.com>
+Date: Fri, 12 Jul 2024 11:10:53 +0800
+Subject: [PATCH] virtio-net: Fix network stall at the host side waiting for
+ kick
+
+Patch 06b12970174 ("virtio-net: fix network stall under load")
+added double-check to test whether the available buffer size
+can satisfy the request or not, in case the guest has added
+some buffers to the avail ring simultaneously after the first
+check. It will be lucky if the available buffer size becomes
+okay after the double-check, then the host can send the packet
+to the guest. If the buffer size still can't satisfy the request,
+even if the guest has added some buffers, viritio-net would
+stall at the host side forever.
+
+The patch enables notification and checks whether the guest has
+added some buffers since last check of available buffers when
+the available buffers are insufficient. If no buffer is added,
+return false, else recheck the available buffers in the loop.
+If the available buffers are sufficient, disable notification
+and return true.
+
+Changes:
+1. Change the return type of virtqueue_get_avail_bytes() from void
+   to int, it returns an opaque that represents the shadow_avail_idx
+   of the virtqueue on success, else -1 on error.
+2. Add a new API: virtio_queue_enable_notification_and_check(),
+   it takes an opaque as input arg which is returned from
+   virtqueue_get_avail_bytes(). It enables notification firstly,
+   then checks whether the guest has added some buffers since
+   last check of available buffers or not by virtio_queue_poll(),
+   return ture if yes.
+
+The patch also reverts patch "06b12970174".
+
+The case below can reproduce the stall.
+
+                                       Guest 0
+                                     +--------+
+                                     | iperf  |
+                    ---------------> | server |
+         Host       |                +--------+
+       +--------+   |                    ...
+       | iperf  |----
+       | client |----                  Guest n
+       +--------+   |                +--------+
+                    |                | iperf  |
+                    ---------------> | server |
+                                     +--------+
+
+Boot many guests from qemu with virtio network:
+ qemu ... -netdev tap,id=net_x \
+    -device virtio-net-pci-non-transitional,\
+    iommu_platform=on,mac=xx:xx:xx:xx:xx:xx,netdev=net_x
+
+Each guest acts as iperf server with commands below:
+ iperf3 -s -D -i 10 -p 8001
+ iperf3 -s -D -i 10 -p 8002
+
+The host as iperf client:
+ iperf3 -c guest_IP -p 8001 -i 30 -w 256k -P 20 -t 40000
+ iperf3 -c guest_IP -p 8002 -i 30 -w 256k -P 20 -t 40000
+
+After some time, the host loses connection to the guest,
+the guest can send packet to the host, but can't receive
+packet from the host.
+
+It's more likely to happen if SWIOTLB is enabled in the guest,
+allocating and freeing bounce buffer takes some CPU ticks,
+copying from/to bounce buffer takes more CPU ticks, compared
+with that there is no bounce buffer in the guest.
+Once the rate of producing packets from the host approximates
+the rate of receiveing packets in the guest, the guest would
+loop in NAPI.
+
+         receive packets    ---
+               |             |
+               v             |
+           free buf      virtnet_poll
+               |             |
+               v             |
+     add buf to avail ring  ---
+               |
+               |  need kick the host?
+               |  NAPI continues
+               v
+         receive packets    ---
+               |             |
+               v             |
+           free buf      virtnet_poll
+               |             |
+               v             |
+     add buf to avail ring  ---
+               |
+               v
+              ...           ...
+
+On the other hand, the host fetches free buf from avail
+ring, if the buf in the avail ring is not enough, the
+host notifies the guest the event by writing the avail
+idx read from avail ring to the event idx of used ring,
+then the host goes to sleep, waiting for the kick signal
+from the guest.
+
+Once the guest finds the host is waiting for kick singal
+(in virtqueue_kick_prepare_split()), it kicks the host.
+
+The host may stall forever at the sequences below:
+
+         Host                        Guest
+     ------------                 -----------
+ fetch buf, send packet           receive packet ---
+         ...                          ...         |
+ fetch buf, send packet             add buf       |
+         ...                        add buf   virtnet_poll
+    buf not enough      avail idx-> add buf       |
+    read avail idx                  add buf       |
+                                    add buf      ---
+                                  receive packet ---
+    write event idx                   ...         |
+    wait for kick                   add buf   virtnet_poll
+                                      ...         |
+                                                 ---
+                                 no more packet, exit NAPI
+
+In the first loop of NAPI above, indicated in the range of
+virtnet_poll above, the host is sending packets while the
+guest is receiving packets and adding buffers.
+ step 1: The buf is not enough, for example, a big packet
+         needs 5 buf, but the available buf count is 3.
+         The host read current avail idx.
+ step 2: The guest adds some buf, then checks whether the
+         host is waiting for kick signal, not at this time.
+         The used ring is not empty, the guest continues
+         the second loop of NAPI.
+ step 3: The host writes the avail idx read from avail
+         ring to used ring as event idx via
+         virtio_queue_set_notification(q->rx_vq, 1).
+ step 4: At the end of the second loop of NAPI, recheck
+         whether kick is needed, as the event idx in the
+         used ring written by the host is beyound the
+         range of kick condition, the guest will not
+         send kick signal to the host.
+
+Fixes: 06b12970174 ("virtio-net: fix network stall under load")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Wencheng Yang <east.moutain.yang@gmail.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit f937309fbdbb48c354220a3e7110c202ae4aa7fa)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/net/virtio-net.c        | 28 ++++++++++-------
+ hw/virtio/virtio.c         | 64 +++++++++++++++++++++++++++++++++++---
+ include/hw/virtio/virtio.h | 21 +++++++++++--
+ 3 files changed, 94 insertions(+), 19 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index f48588638d..d4b979d343 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -1680,24 +1680,28 @@ static bool virtio_net_can_receive(NetClientState *nc)
+ 
+ static int virtio_net_has_buffers(VirtIONetQueue *q, int bufsize)
+ {
+    int opaque;
+    unsigned int in_bytes;
+     VirtIONet *n = q->n;
+-    if (virtio_queue_empty(q->rx_vq) ||
+-        (n->mergeable_rx_bufs &&
+-         !virtqueue_avail_bytes(q->rx_vq, bufsize, 0))) {
+-        virtio_queue_set_notification(q->rx_vq, 1);
+-
+-        /* To avoid a race condition where the guest has made some buffers
+-         * available after the above check but before notification was
+-         * enabled, check for available buffers again.
+-         */
+-        if (virtio_queue_empty(q->rx_vq) ||
+-            (n->mergeable_rx_bufs &&
+-             !virtqueue_avail_bytes(q->rx_vq, bufsize, 0))) {
+
+    while (virtio_queue_empty(q->rx_vq) || n->mergeable_rx_bufs) {
+        opaque = virtqueue_get_avail_bytes(q->rx_vq, &in_bytes, NULL,
+                                           bufsize, 0);
+        /* Buffer is enough, disable notifiaction */
+        if (bufsize <= in_bytes) {
+            break;
+        }
+
+        if (virtio_queue_enable_notification_and_check(q->rx_vq, opaque)) {
+            /* Guest has added some buffers, try again */
+            continue;
+        } else {
+             return 0;
+         }
+     }
+ 
+     virtio_queue_set_notification(q->rx_vq, 0);
+
+     return 1;
+ }
+ 
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index fd2dfe3a6b..08fba6b2d8 100644
+--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
+@@ -743,6 +743,60 @@ int virtio_queue_empty(VirtQueue *vq)
+     }
+ }
+ 
+static bool virtio_queue_split_poll(VirtQueue *vq, unsigned shadow_idx)
+{
+    if (unlikely(!vq->vring.avail)) {
+        return false;
+    }
+
+    return (uint16_t)shadow_idx != vring_avail_idx(vq);
+}
+
+static bool virtio_queue_packed_poll(VirtQueue *vq, unsigned shadow_idx)
+{
+    VRingPackedDesc desc;
+    VRingMemoryRegionCaches *caches;
+
+    if (unlikely(!vq->vring.desc)) {
+        return false;
+    }
+
+    caches = vring_get_region_caches(vq);
+    if (!caches) {
+        return false;
+    }
+
+    vring_packed_desc_read(vq->vdev, &desc, &caches->desc,
+                           shadow_idx, true);
+
+    return is_desc_avail(desc.flags, vq->shadow_avail_wrap_counter);
+}
+
+static bool virtio_queue_poll(VirtQueue *vq, unsigned shadow_idx)
+{
+    if (virtio_device_disabled(vq->vdev)) {
+        return false;
+    }
+
+    if (virtio_vdev_has_feature(vq->vdev, VIRTIO_F_RING_PACKED)) {
+        return virtio_queue_packed_poll(vq, shadow_idx);
+    } else {
+        return virtio_queue_split_poll(vq, shadow_idx);
+    }
+}
+
+bool virtio_queue_enable_notification_and_check(VirtQueue *vq,
+                                                int opaque)
+{
+    virtio_queue_set_notification(vq, 1);
+
+    if (opaque >= 0) {
+        return virtio_queue_poll(vq, (unsigned)opaque);
+    } else {
+        return false;
+    }
+}
+
+ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
+                                unsigned int len)
+ {
+@@ -1330,9 +1384,9 @@ err:
+     goto done;
+ }
+ 
+-void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+-                               unsigned int *out_bytes,
+-                               unsigned max_in_bytes, unsigned max_out_bytes)
+int virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+                              unsigned int *out_bytes, unsigned max_in_bytes,
+                              unsigned max_out_bytes)
+ {
+     uint16_t desc_size;
+     VRingMemoryRegionCaches *caches;
+@@ -1365,7 +1419,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+                                         caches);
+     }
+ 
+-    return;
+    return (int)vq->shadow_avail_idx;
+ err:
+     if (in_bytes) {
+         *in_bytes = 0;
+@@ -1373,6 +1427,8 @@ err:
+     if (out_bytes) {
+         *out_bytes = 0;
+     }
+
+    return -1;
+ }
+ 
+ int virtqueue_avail_bytes(VirtQueue *vq, unsigned int in_bytes,
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index 2eafad17b8..8b4da92889 100644
+--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
+@@ -271,9 +271,13 @@ void qemu_put_virtqueue_element(VirtIODevice *vdev, QEMUFile *f,
+                                 VirtQueueElement *elem);
+ int virtqueue_avail_bytes(VirtQueue *vq, unsigned int in_bytes,
+                           unsigned int out_bytes);
+-void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+-                               unsigned int *out_bytes,
+-                               unsigned max_in_bytes, unsigned max_out_bytes);
+/**
+ * Return <0 on error or an opaque >=0 to pass to
+ * virtio_queue_enable_notification_and_check on success.
+ */
+int virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+                              unsigned int *out_bytes, unsigned max_in_bytes,
+                              unsigned max_out_bytes);
+ 
+ void virtio_notify_irqfd(VirtIODevice *vdev, VirtQueue *vq);
+ void virtio_notify(VirtIODevice *vdev, VirtQueue *vq);
+@@ -307,6 +311,17 @@ int virtio_queue_ready(VirtQueue *vq);
+ 
+ int virtio_queue_empty(VirtQueue *vq);
+ 
+/**
+ * Enable notification and check whether guest has added some
+ * buffers since last call to virtqueue_get_avail_bytes.
+ *
+ * @opaque: value returned from virtqueue_get_avail_bytes
+ */
+bool virtio_queue_enable_notification_and_check(VirtQueue *vq,
+                                                int opaque);
+
+void virtio_queue_set_shadow_avail_idx(VirtQueue *vq, uint16_t idx);
+
+ /* Host binding interface.  */
+ 
+ uint32_t virtio_config_readb(VirtIODevice *vdev, uint32_t addr);
--- a/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
+++ b/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
@@ -1,50 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jason Wang <jasowang@redhat.com>
-Date: Thu, 23 Feb 2023 14:59:21 +0800
-Subject: [PATCH] intel-iommu: fail DEVIOTLB_UNMAP without dt mode
-
-Without dt mode, device IOTLB notifier won't work since guest won't
-send device IOTLB invalidation descriptor in this case. Let's fail
-early instead of misbehaving silently.
-
-Reviewed-by: Laurent Vivier <lvivier@redhat.com>
-Tested-by: Laurent Vivier <lvivier@redhat.com>
-Tested-by: Viktor Prutyanov <viktor@daynix.com>
-Buglink: https://bugzilla.redhat.com/2156876
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20230223065924.42503-3-jasowang@redhat.com>
-Reviewed-by: Peter Xu <peterx@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit 09adb0e021207b60a0c51a68939b4539d98d3ef3)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/i386/intel_iommu.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
-index 9143376677..d025ef2873 100644
--- a/hw/i386/intel_iommu.c
-+++ b/hw/i386/intel_iommu.c
-@@ -3179,6 +3179,7 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
- {
-     VTDAddressSpace *vtd_as = container_of(iommu, VTDAddressSpace, iommu);
-     IntelIOMMUState *s = vtd_as->iommu_state;
-+    X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
- 
-     /* TODO: add support for VFIO and vhost users */
-     if (s->snoop_control) {
-@@ -3193,6 +3194,13 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu,
-                          PCI_FUNC(vtd_as->devfn));
-         return -ENOTSUP;
-     }
-+    if (!x86_iommu->dt_supported && (new & IOMMU_NOTIFIER_DEVIOTLB_UNMAP)) {
-+        error_setg_errno(errp, ENOTSUP,
-+                         "device %02x.%02x.%x requires device IOTLB mode",
-+                         pci_bus_num(vtd_as->bus), PCI_SLOT(vtd_as->devfn),
-+                         PCI_FUNC(vtd_as->devfn));
-+        return -ENOTSUP;
-+    }
- 
-     /* Update per-address-space notifier flags */
-     vtd_as->notifier_flags = new;
--- a/debian/patches/extra/0020-net-Reinstate-net-nic-model-help-output-as-documente.patch
+++ b/debian/patches/extra/0020-net-Reinstate-net-nic-model-help-output-as-documente.patch
@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Tue, 9 Jul 2024 13:34:44 +0100
+Subject: [PATCH] net: Reinstate '-net nic, model=help' output as documented in
+ man page
+
+While refactoring the NIC initialization code, I broke '-net nic,model=help'
+which no longer outputs a list of available NIC models.
+
+Fixes: 2cdeca04adab ("net: report list of available models according to platform")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 64f75f57f9d2c8c12ac6d9355fa5d3a2af5879ca)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/net.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/net/net.c b/net/net.c
+index a2f0c828bb..e6ca2529bb 100644
+--- a/net/net.c
+++ b/net/net.c
+@@ -1150,6 +1150,21 @@ NICInfo *qemu_find_nic_info(const char *typename, bool match_default,
+     return NULL;
+ }
+ 
+static bool is_nic_model_help_option(const char *model)
+{
+    if (model && is_help_option(model)) {
+        /*
+         * Trigger the help output by instantiating the hash table which
+         * will gather tha available models as they get registered.
+         */
+        if (!nic_model_help) {
+            nic_model_help = g_hash_table_new_full(g_str_hash, g_str_equal,
+                                                   g_free, NULL);
+        }
+        return true;
+    }
+    return false;
+}
+ 
+ /* "I have created a device. Please configure it if you can" */
+ bool qemu_configure_nic_device(DeviceState *dev, bool match_default,
+@@ -1733,6 +1748,12 @@ void net_check_clients(void)
+ 
+ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
+ {
+    const char *model = qemu_opt_get_del(opts, "model");
+
+    if (is_nic_model_help_option(model)) {
+        return 0;
+    }
+
+     return net_client_init(opts, false, errp);
+ }
+ 
+@@ -1789,9 +1810,7 @@ static int net_param_nic(void *dummy, QemuOpts *opts, Error **errp)
+     memset(ni, 0, sizeof(*ni));
+     ni->model = qemu_opt_get_del(opts, "model");
+ 
+-    if (!nic_model_help && !g_strcmp0(ni->model, "help")) {
+-        nic_model_help = g_hash_table_new_full(g_str_hash, g_str_equal,
+-                                               g_free, NULL);
+    if (is_nic_model_help_option(ni->model)) {
+         return 0;
+     }
+ 
--- a/debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
+++ b/debian/patches/extra/0021-memory-Allow-disabling-re-entrancy-checking-per-MR.patch
@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 13 Mar 2023 04:24:16 -0400
-Subject: [PATCH] memory: Allow disabling re-entrancy checking per-MR
-
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
- include/exec/memory.h | 3 +++
- softmmu/memory.c      | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index 91f8a2395a..d7268d9f39 100644
--- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -765,6 +765,9 @@ struct MemoryRegion {
-     unsigned ioeventfd_nb;
-     MemoryRegionIoeventfd *ioeventfds;
-     RamDiscardManager *rdm; /* Only for RAM */
-+
-+    /* For devices designed to perform re-entrant IO into their own IO MRs */
-+    bool disable_reentrancy_guard;
- };
- 
- struct IOMMUMemoryRegion {
-diff --git a/softmmu/memory.c b/softmmu/memory.c
-index 7dcb3347aa..2b46714191 100644
--- a/softmmu/memory.c
-+++ b/softmmu/memory.c
-@@ -544,7 +544,7 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-     }
- 
-     /* Do not allow more than one simultanous access to a device's IO Regions */
-    if (mr->owner &&
-+    if (mr->owner && !mr->disable_reentrancy_guard &&
-         !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
-         dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
-         if (dev) {
--- a/debian/patches/extra/0021-net-Fix-net-nic-model-for-non-help-arguments.patch
+++ b/debian/patches/extra/0021-net-Fix-net-nic-model-for-non-help-arguments.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Tue, 6 Aug 2024 18:21:37 +0100
+Subject: [PATCH] net: Fix '-net nic,model=' for non-help arguments
+
+Oops, don't *delete* the model option when checking for 'help'.
+
+Fixes: 64f75f57f9d2 ("net: Reinstate '-net nic, model=help' output as documented in man page")
+Reported-by: Hans <sungdgdhtryrt@gmail.com>
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit fa62cb989a9146c82f8f172715042852f5d36200)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/net.c b/net/net.c
+index e6ca2529bb..897bb936cf 100644
+--- a/net/net.c
+++ b/net/net.c
+@@ -1748,7 +1748,7 @@ void net_check_clients(void)
+ 
+ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
+ {
+-    const char *model = qemu_opt_get_del(opts, "model");
+    const char *model = qemu_opt_get(opts, "model");
+ 
+     if (is_nic_model_help_option(model)) {
+         return 0;
--- a/debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
+++ b/debian/patches/extra/0022-lsi53c895a-disable-reentrancy-detection-for-script-R.patch
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 13 Mar 2023 04:24:17 -0400
-Subject: [PATCH] lsi53c895a: disable reentrancy detection for script RAM
-
-As the code is designed to use the memory APIs to access the script ram,
-disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
-
-In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
-
-Reported-by: Fiona Ebner <f.ebner@proxmox.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
- hw/scsi/lsi53c895a.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 50979640c3..894b9311ac 100644
--- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -2302,6 +2302,12 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
-     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
-                           "lsi-io", 256);
- 
-+    /*
-+     * Since we use the address-space API to interact with ram_io, disable the
-+     * re-entrancy guard.
-+     */
-+    s->ram_io.disable_reentrancy_guard = true;
-+
-     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
-     qdev_init_gpio_out(d, &s->ext_irq, 1);
- 
--- a/debian/patches/extra/0022-target-arm-Don-t-assert-for-128-bit-tile-accesses-wh.patch
+++ b/debian/patches/extra/0022-target-arm-Don-t-assert-for-128-bit-tile-accesses-wh.patch
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:54 +0100
+Subject: [PATCH] target/arm: Don't assert for 128-bit tile accesses when SVL
+ is 128
+
+For an instruction which accesses a 128-bit element tile when
+the SVL is also 128 (for example MOV z0.Q, p0/M, ZA0H.Q[w0,0]),
+we will assert in get_tile_rowcol():
+
+qemu-system-aarch64: ../../tcg/tcg-op.c:926: tcg_gen_deposit_z_i32: Assertion `len > 0' failed.
+
+This happens because we calculate
+    len = ctz32(streaming_vec_reg_size(s)) - esz;$
+but if the SVL and the element size are the same len is 0, and
+the deposit operation asserts.
+
+In this case the ZA storage contains exactly one 128 bit
+element ZA tile, and the horizontal or vertical slice is just
+that tile. This means that regardless of the index value in
+the Ws register, we always access that tile. (In pseudocode terms,
+we calculate (index + offset) MOD 1, which is 0.)
+
+Special case the len == 0 case to avoid hitting the assertion
+in tcg_gen_deposit_z_i32().
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-2-peter.maydell@linaro.org
+(cherry picked from commit 56f1c0db928aae0b83fd91c89ddb226b137e2b21)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/translate-sme.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+index 185a8a917b..a50a419af2 100644
+--- a/target/arm/tcg/translate-sme.c
+++ b/target/arm/tcg/translate-sme.c
+@@ -49,7 +49,15 @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
+     /* Prepare a power-of-two modulo via extraction of @len bits. */
+     len = ctz32(streaming_vec_reg_size(s)) - esz;
+ 
+-    if (vertical) {
+    if (!len) {
+        /*
+         * SVL is 128 and the element size is 128. There is exactly
+         * one 128x128 tile in the ZA storage, and so we calculate
+         * (Rs + imm) MOD 1, which is always 0. We need to special case
+         * this because TCG doesn't allow deposit ops with len 0.
+         */
+        tcg_gen_movi_i32(tmp, 0);
+    } else if (vertical) {
+         /*
+          * Compute the byte offset of the index within the tile:
+          *     (index % (svl / size)) * size
--- a/debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
+++ b/debian/patches/extra/0023-acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
@@ -1,166 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Thu, 5 Jan 2023 17:18:04 +0100
-Subject: [PATCH] acpi: cpuhp: fix guest-visible maximum access size to the
- legacy reg block
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The modern ACPI CPU hotplug interface was introduced in the following
-series (aa1dd39ca307..679dd1a957df), released in v2.7.0:
-
-  1  abd49bc2ed2f docs: update ACPI CPU hotplug spec with new protocol
-  2  16bcab97eb9f pc: piix4/ich9: add 'cpu-hotplug-legacy' property
-  3  5e1b5d93887b acpi: cpuhp: add CPU devices AML with _STA method
-  4  ac35f13ba8f8 pc: acpi: introduce AcpiDeviceIfClass.madt_cpu hook
-  5  d2238cb6781d acpi: cpuhp: implement hot-add parts of CPU hotplug
-                  interface
-  6  8872c25a26cc acpi: cpuhp: implement hot-remove parts of CPU hotplug
-                  interface
-  7  76623d00ae57 acpi: cpuhp: add cpu._OST handling
-  8  679dd1a957df pc: use new CPU hotplug interface since 2.7 machine type
-
-Before patch#1, "docs/specs/acpi_cpu_hotplug.txt" only specified 1-byte
-accesses for the hotplug register block.  Patch#1 preserved the same
-restriction for the legacy register block, but:
-
- it specified DWORD accesses for some of the modern registers,
-
- in particular, the switch from the legacy block to the modern block
-  would require a DWORD write to the *legacy* block.
-
-The latter functionality was then implemented in cpu_status_write()
-[hw/acpi/cpu_hotplug.c], in patch#8.
-
-Unfortunately, all DWORD accesses depended on a dormant bug: the one
-introduced in earlier commit a014ed07bd5a ("memory: accept mismatching
-sizes in memory_region_access_valid", 2013-05-29); first released in
-v1.6.0.  Due to commit a014ed07bd5a, the DWORD accesses to the *legacy*
-CPU hotplug register block would work in spite of the above series *not*
-relaxing "valid.max_access_size = 1" in "hw/acpi/cpu_hotplug.c":
-
-> static const MemoryRegionOps AcpiCpuHotplug_ops = {
->     .read = cpu_status_read,
->     .write = cpu_status_write,
->     .endianness = DEVICE_LITTLE_ENDIAN,
->     .valid = {
->         .min_access_size = 1,
->         .max_access_size = 1,
->     },
-> };
-
-Later, in commits e6d0c3ce6895 ("acpi: cpuhp: introduce 'Command data 2'
-field", 2020-01-22) and ae340aa3d256 ("acpi: cpuhp: spec: add typical
-usecases", 2020-01-22), first released in v5.0.0, the modern CPU hotplug
-interface (including the documentation) was extended with another DWORD
-*read* access, namely to the "Command data 2" register, which would be
-important for the guest to confirm whether it managed to switch the
-register block from legacy to modern.
-
-This functionality too silently depended on the bug from commit
-a014ed07bd5a.
-
-In commit 5d971f9e6725 ('memory: Revert "memory: accept mismatching sizes
-in memory_region_access_valid"', 2020-06-26), first released in v5.1.0,
-the bug from commit a014ed07bd5a was fixed (the commit was reverted).
-That swiftly exposed the bug in "AcpiCpuHotplug_ops", still present from
-the v2.7.0 series quoted at the top -- namely the fact that
-"valid.max_access_size = 1" didn't match what the guest was supposed to
-do, according to the spec ("docs/specs/acpi_cpu_hotplug.txt").
-
-The symptom is that the "modern interface negotiation protocol"
-described in commit ae340aa3d256:
-
-> +      Use following steps to detect and enable modern CPU hotplug interface:
-> +        1. Store 0x0 to the 'CPU selector' register,
-> +           attempting to switch to modern mode
-> +        2. Store 0x0 to the 'CPU selector' register,
-> +           to ensure valid selector value
-> +        3. Store 0x0 to the 'Command field' register,
-> +        4. Read the 'Command data 2' register.
-> +           If read value is 0x0, the modern interface is enabled.
-> +           Otherwise legacy or no CPU hotplug interface available
-
-falls apart for the guest: steps 1 and 2 are lost, because they are DWORD
-writes; so no switching happens.  Step 3 (a single-byte write) is not
-lost, but it has no effect; see the condition in cpu_status_write() in
-patch#8.  And step 4 *misleads* the guest into thinking that the switch
-worked: the DWORD read is lost again -- it returns zero to the guest
-without ever reaching the device model, so the guest never learns the
-switch didn't work.
-
-This means that guest behavior centered on the "Command data 2" register
-worked *only* in the v5.0.0 release; it got effectively regressed in
-v5.1.0.
-
-To make things *even more* complicated, the breakage was (and remains, as
-of today) visible with TCG acceleration only.  Commit 5d971f9e6725 makes
-no difference with KVM acceleration -- the DWORD accesses still work,
-despite "valid.max_access_size = 1".
-
-As commit 5d971f9e6725 suggests, fix the problem by raising
-"valid.max_access_size" to 4 -- the spec now clearly instructs the guest
-to perform DWORD accesses to the legacy register block too, for enabling
-(and verifying!) the modern block.  In order to keep compatibility for the
-device model implementation though, set "impl.max_access_size = 1", so
-that wide accesses be split before they reach the legacy read/write
-handlers, like they always have been on KVM, and like they were on TCG
-before 5d971f9e6725 (v5.1.0).
-
-Tested with:
-
- OVMF IA32 + qemu-system-i386, CPU hotplug/hot-unplug with SMM,
-  intermixed with ACPI S3 suspend/resume, using KVM accel
-  (regression-test);
-
- OVMF IA32X64 + qemu-system-x86_64, CPU hotplug/hot-unplug with SMM,
-  intermixed with ACPI S3 suspend/resume, using KVM accel
-  (regression-test);
-
- OVMF IA32 + qemu-system-i386, SMM enabled, using TCG accel; verified the
-  register block switch and the present/possible CPU counting through the
-  modern hotplug interface, during OVMF boot (bugfix test);
-
- I do not have any testcase (guest payload) for regression-testing CPU
-  hotplug through the *legacy* CPU hotplug register block.
-
-Cc: "Michael S. Tsirkin" <mst@redhat.com>
-Cc: Ani Sinha <ani@anisinha.ca>
-Cc: Ard Biesheuvel <ardb@kernel.org>
-Cc: Igor Mammedov <imammedo@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
-Cc: qemu-stable@nongnu.org
-Ref: "IO port write width clamping differs between TCG and KVM"
-Link: http://mid.mail-archive.com/aaedee84-d3ed-a4f9-21e7-d221a28d1683@redhat.com
-Link: https://lists.gnu.org/archive/html/qemu-devel/2023-01/msg00199.html
-Reported-by: Ard Biesheuvel <ardb@kernel.org>
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>
-Tested-by: Ard Biesheuvel <ardb@kernel.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Tested-by: Igor Mammedov <imammedo@redhat.com>
-Message-Id: <20230105161804.82486-1-lersek@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry-picked from commit dab30fbef3896bb652a09d46c37d3f55657cbcbb)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- hw/acpi/cpu_hotplug.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/acpi/cpu_hotplug.c b/hw/acpi/cpu_hotplug.c
-index 53654f8638..ff14c3f410 100644
--- a/hw/acpi/cpu_hotplug.c
-+++ b/hw/acpi/cpu_hotplug.c
-@@ -52,6 +52,9 @@ static const MemoryRegionOps AcpiCpuHotplug_ops = {
-     .endianness = DEVICE_LITTLE_ENDIAN,
-     .valid = {
-         .min_access_size = 1,
-+        .max_access_size = 4,
-+    },
-+    .impl = {
-         .max_access_size = 1,
-     },
- };
--- a/debian/patches/extra/0023-target-arm-Fix-UMOPA-UMOPS-of-16-bit-values.patch
+++ b/debian/patches/extra/0023-target-arm-Fix-UMOPA-UMOPS-of-16-bit-values.patch
@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:55 +0100
+Subject: [PATCH] target/arm: Fix UMOPA/UMOPS of 16-bit values
+
+The UMOPA/UMOPS instructions are supposed to multiply unsigned 8 or
+16 bit elements and accumulate the products into a 64-bit element.
+In the Arm ARM pseudocode, this is done with the usual
+infinite-precision signed arithmetic.  However our implementation
+doesn't quite get it right, because in the DEF_IMOP_64() macro we do:
+  sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);
+
+where NTYPE and MTYPE are uint16_t or int16_t.  In the uint16_t case,
+the C usual arithmetic conversions mean the values are converted to
+"int" type and the multiply is done as a 32-bit multiply.  This means
+that if the inputs are, for example, 0xffff and 0xffff then the
+result is 0xFFFE0001 as an int, which is then promoted to uint64_t
+for the accumulation into sum; this promotion incorrectly sign
+extends the multiply.
+
+Avoid the incorrect sign extension by casting to int64_t before
+the multiply, so we do the multiply as 64-bit signed arithmetic,
+which is a type large enough that the multiply can never
+overflow into the sign bit.
+
+(The equivalent 8-bit operations in DEF_IMOP_32() are fine, because
+the 8-bit multiplies can never overflow into the sign bit of a
+32-bit integer.)
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2372
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-3-peter.maydell@linaro.org
+(cherry picked from commit ea3f5a90f036734522e9af3bffd77e69e9f47355)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/sme_helper.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index 5a6dd76489..f9001f5213 100644
+--- a/target/arm/tcg/sme_helper.c
+++ b/target/arm/tcg/sme_helper.c
+@@ -1146,10 +1146,10 @@ static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
+     uint64_t sum = 0;                                                       \
+     /* Apply P to N as a mask, making the inactive elements 0. */           \
+     n &= expand_pred_h(p);                                                  \
+-    sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                               \
+-    sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                             \
+-    sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                             \
+-    sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                             \
+    sum += (int64_t)(NTYPE)(n >> 0) * (MTYPE)(m >> 0);                      \
+    sum += (int64_t)(NTYPE)(n >> 16) * (MTYPE)(m >> 16);                    \
+    sum += (int64_t)(NTYPE)(n >> 32) * (MTYPE)(m >> 32);                    \
+    sum += (int64_t)(NTYPE)(n >> 48) * (MTYPE)(m >> 48);                    \
+     return neg ? a - sum : a + sum;                                         \
+ }
+ 
--- a/debian/patches/extra/0024-target-arm-Avoid-shifts-by-1-in-tszimm_shr-and-tszim.patch
+++ b/debian/patches/extra/0024-target-arm-Avoid-shifts-by-1-in-tszimm_shr-and-tszim.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:56 +0100
+Subject: [PATCH] target/arm: Avoid shifts by -1 in tszimm_shr() and
+ tszimm_shl()
+
+The function tszimm_esz() returns a shift amount, or possibly -1 in
+certain cases that correspond to unallocated encodings in the
+instruction set.  We catch these later in the trans_ functions
+(generally with an "a-esz < 0" check), but before we do the
+decodetree-generated code will also call tszimm_shr() or tszimm_sl(),
+which will use the tszimm_esz() return value as a shift count without
+checking that it is not negative, which is undefined behaviour.
+
+Avoid the UB by checking the return value in tszimm_shr() and
+tszimm_shl().
+
+Cc: qemu-stable@nongnu.org
+Resolves: Coverity CID 1547617, 1547694
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-4-peter.maydell@linaro.org
+(cherry picked from commit 76916dfa89e8900639c1055c07a295c06628a0bc)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/translate-sve.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
+index ada05aa530..466a19c25a 100644
+--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
+@@ -50,13 +50,27 @@ static int tszimm_esz(DisasContext *s, int x)
+ 
+ static int tszimm_shr(DisasContext *s, int x)
+ {
+-    return (16 << tszimm_esz(s, x)) - x;
+    /*
+     * We won't use the tszimm_shr() value if tszimm_esz() returns -1 (the
+     * trans function will check for esz < 0), so we can return any
+     * value we like from here in that case as long as we avoid UB.
+     */
+    int esz = tszimm_esz(s, x);
+    if (esz < 0) {
+        return esz;
+    }
+    return (16 << esz) - x;
+ }
+ 
+ /* See e.g. LSL (immediate, predicated).  */
+ static int tszimm_shl(DisasContext *s, int x)
+ {
+-    return x - (8 << tszimm_esz(s, x));
+    /* As with tszimm_shr(), value will be unused if esz < 0 */
+    int esz = tszimm_esz(s, x);
+    if (esz < 0) {
+        return esz;
+    }
+    return x - (8 << esz);
+ }
+ 
+ /* The SH bit is in bit 8.  Extract the low 8 and shift.  */
--- a/debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
+++ b/debian/patches/extra/0024-tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
@@ -1,286 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 13:05:41 -1000
-Subject: [PATCH] tests/tcg/i386: Introduce and use reg_t consistently
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Define reg_t based on the actual register width.
-Define the inlines using that type.  This will allow
-input registers to 32-bit insns to be set to 64-bit
-values on x86-64, which allows testing various edge cases.
-
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-Id: <20230114230542.3116013-2-richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 5d62d6649cd367b5b4a3676e7514d2f9ca86cb03)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- tests/tcg/i386/test-i386-bmi2.c | 182 ++++++++++++++++----------------
- 1 file changed, 93 insertions(+), 89 deletions(-)
-
-diff --git a/tests/tcg/i386/test-i386-bmi2.c b/tests/tcg/i386/test-i386-bmi2.c
-index 5fadf47510..3c3ef85513 100644
--- a/tests/tcg/i386/test-i386-bmi2.c
-+++ b/tests/tcg/i386/test-i386-bmi2.c
-@@ -3,34 +3,40 @@
- #include <stdint.h>
- #include <stdio.h>
- 
-+#ifdef __x86_64
-+typedef uint64_t reg_t;
-+#else
-+typedef uint32_t reg_t;
-+#endif
-+
- #define insn1q(name, arg0)                                                           \
-static inline uint64_t name##q(uint64_t arg0)                                        \
-+static inline reg_t name##q(reg_t arg0)                                              \
- {                                                                                    \
-    uint64_t result64;                                                               \
-+    reg_t result64;                                                                  \
-     asm volatile (#name "q   %1, %0" : "=r"(result64) : "rm"(arg0));                 \
-     return result64;                                                                 \
- }
- 
- #define insn1l(name, arg0)                                                           \
-static inline uint32_t name##l(uint32_t arg0)                                        \
-+static inline reg_t name##l(reg_t arg0)                                              \
- {                                                                                    \
-    uint32_t result32;                                                               \
-+    reg_t result32;                                                                  \
-     asm volatile (#name "l   %k1, %k0" : "=r"(result32) : "rm"(arg0));               \
-     return result32;                                                                 \
- }
- 
- #define insn2q(name, arg0, c0, arg1, c1)                                             \
-static inline uint64_t name##q(uint64_t arg0, uint64_t arg1)                         \
-+static inline reg_t name##q(reg_t arg0, reg_t arg1)                                  \
- {                                                                                    \
-    uint64_t result64;                                                               \
-+    reg_t result64;                                                                  \
-     asm volatile (#name "q   %2, %1, %0" : "=r"(result64) : c0(arg0), c1(arg1));     \
-     return result64;                                                                 \
- }
- 
- #define insn2l(name, arg0, c0, arg1, c1)                                             \
-static inline uint32_t name##l(uint32_t arg0, uint32_t arg1)                         \
-+static inline reg_t name##l(reg_t arg0, reg_t arg1)                                  \
- {                                                                                    \
-    uint32_t result32;                                                               \
-+    reg_t result32;                                                                  \
-     asm volatile (#name "l   %k2, %k1, %k0" : "=r"(result32) : c0(arg0), c1(arg1));  \
-     return result32;                                                                 \
- }
-@@ -65,130 +71,128 @@ insn1l(blsr, src)
- int main(int argc, char *argv[]) {
-     uint64_t ehlo = 0x202020204f4c4845ull;
-     uint64_t mask = 0xa080800302020001ull;
-    uint32_t result32;
-+    reg_t result;
- 
- #ifdef __x86_64
-    uint64_t result64;
-
-     /* 64 bits */
-    result64 = andnq(mask, ehlo);
-    assert(result64 == 0x002020204d4c4844);
-+    result = andnq(mask, ehlo);
-+    assert(result == 0x002020204d4c4844);
- 
-    result64 = pextq(ehlo, mask);
-    assert(result64 == 133);
-+    result = pextq(ehlo, mask);
-+    assert(result == 133);
- 
-    result64 = pdepq(result64, mask);
-    assert(result64 == (ehlo & mask));
-+    result = pdepq(result, mask);
-+    assert(result == (ehlo & mask));
- 
-    result64 = pextq(-1ull, mask);
-    assert(result64 == 511); /* mask has 9 bits set */
-+    result = pextq(-1ull, mask);
-+    assert(result == 511); /* mask has 9 bits set */
- 
-    result64 = pdepq(-1ull, mask);
-    assert(result64 == mask);
-+    result = pdepq(-1ull, mask);
-+    assert(result == mask);
- 
-    result64 = bextrq(mask, 0x3f00);
-    assert(result64 == (mask & ~INT64_MIN));
-+    result = bextrq(mask, 0x3f00);
-+    assert(result == (mask & ~INT64_MIN));
- 
-    result64 = bextrq(mask, 0x1038);
-    assert(result64 == 0xa0);
-+    result = bextrq(mask, 0x1038);
-+    assert(result == 0xa0);
- 
-    result64 = bextrq(mask, 0x10f8);
-    assert(result64 == 0);
-+    result = bextrq(mask, 0x10f8);
-+    assert(result == 0);
- 
-    result64 = blsiq(0x30);
-    assert(result64 == 0x10);
-+    result = blsiq(0x30);
-+    assert(result == 0x10);
- 
-    result64 = blsiq(0x30ull << 32);
-    assert(result64 == 0x10ull << 32);
-+    result = blsiq(0x30ull << 32);
-+    assert(result == 0x10ull << 32);
- 
-    result64 = blsmskq(0x30);
-    assert(result64 == 0x1f);
-+    result = blsmskq(0x30);
-+    assert(result == 0x1f);
- 
-    result64 = blsrq(0x30);
-    assert(result64 == 0x20);
-+    result = blsrq(0x30);
-+    assert(result == 0x20);
- 
-    result64 = blsrq(0x30ull << 32);
-    assert(result64 == 0x20ull << 32);
-+    result = blsrq(0x30ull << 32);
-+    assert(result == 0x20ull << 32);
- 
-    result64 = bzhiq(mask, 0x3f);
-    assert(result64 == (mask & ~INT64_MIN));
-+    result = bzhiq(mask, 0x3f);
-+    assert(result == (mask & ~INT64_MIN));
- 
-    result64 = bzhiq(mask, 0x1f);
-    assert(result64 == (mask & ~(-1 << 30)));
-+    result = bzhiq(mask, 0x1f);
-+    assert(result == (mask & ~(-1 << 30)));
- 
-    result64 = rorxq(0x2132435465768798, 8);
-    assert(result64 == 0x9821324354657687);
-+    result = rorxq(0x2132435465768798, 8);
-+    assert(result == 0x9821324354657687);
- 
-    result64 = sarxq(0xffeeddccbbaa9988, 8);
-    assert(result64 == 0xffffeeddccbbaa99);
-+    result = sarxq(0xffeeddccbbaa9988, 8);
-+    assert(result == 0xffffeeddccbbaa99);
- 
-    result64 = sarxq(0x77eeddccbbaa9988, 8 | 64);
-    assert(result64 == 0x0077eeddccbbaa99);
-+    result = sarxq(0x77eeddccbbaa9988, 8 | 64);
-+    assert(result == 0x0077eeddccbbaa99);
- 
-    result64 = shrxq(0xffeeddccbbaa9988, 8);
-    assert(result64 == 0x00ffeeddccbbaa99);
-+    result = shrxq(0xffeeddccbbaa9988, 8);
-+    assert(result == 0x00ffeeddccbbaa99);
- 
-    result64 = shrxq(0x77eeddccbbaa9988, 8 | 192);
-    assert(result64 == 0x0077eeddccbbaa99);
-+    result = shrxq(0x77eeddccbbaa9988, 8 | 192);
-+    assert(result == 0x0077eeddccbbaa99);
- 
-    result64 = shlxq(0xffeeddccbbaa9988, 8);
-    assert(result64 == 0xeeddccbbaa998800);
-+    result = shlxq(0xffeeddccbbaa9988, 8);
-+    assert(result == 0xeeddccbbaa998800);
- #endif
- 
-     /* 32 bits */
-    result32 = andnl(mask, ehlo);
-    assert(result32 == 0x04d4c4844);
-+    result = andnl(mask, ehlo);
-+    assert(result == 0x04d4c4844);
- 
-    result32 = pextl((uint32_t) ehlo, mask);
-    assert(result32 == 5);
-+    result = pextl((uint32_t) ehlo, mask);
-+    assert(result == 5);
- 
-    result32 = pdepl(result32, mask);
-    assert(result32 == (uint32_t)(ehlo & mask));
-+    result = pdepl(result, mask);
-+    assert(result == (uint32_t)(ehlo & mask));
- 
-    result32 = pextl(-1u, mask);
-    assert(result32 == 7); /* mask has 3 bits set */
-+    result = pextl(-1u, mask);
-+    assert(result == 7); /* mask has 3 bits set */
- 
-    result32 = pdepl(-1u, mask);
-    assert(result32 == (uint32_t)mask);
-+    result = pdepl(-1u, mask);
-+    assert(result == (uint32_t)mask);
- 
-    result32 = bextrl(mask, 0x1f00);
-    assert(result32 == (mask & ~INT32_MIN));
-+    result = bextrl(mask, 0x1f00);
-+    assert(result == (mask & ~INT32_MIN));
- 
-    result32 = bextrl(ehlo, 0x1018);
-    assert(result32 == 0x4f);
-+    result = bextrl(ehlo, 0x1018);
-+    assert(result == 0x4f);
- 
-    result32 = bextrl(mask, 0x1038);
-    assert(result32 == 0);
-+    result = bextrl(mask, 0x1038);
-+    assert(result == 0);
- 
-    result32 = blsil(0xffff);
-    assert(result32 == 1);
-+    result = blsil(0xffff);
-+    assert(result == 1);
- 
-    result32 = blsmskl(0x300);
-    assert(result32 == 0x1ff);
-+    result = blsmskl(0x300);
-+    assert(result == 0x1ff);
- 
-    result32 = blsrl(0xffc);
-    assert(result32 == 0xff8);
-+    result = blsrl(0xffc);
-+    assert(result == 0xff8);
- 
-    result32 = bzhil(mask, 0xf);
-    assert(result32 == 1);
-+    result = bzhil(mask, 0xf);
-+    assert(result == 1);
- 
-    result32 = rorxl(0x65768798, 8);
-    assert(result32 == 0x98657687);
-+    result = rorxl(0x65768798, 8);
-+    assert(result == 0x98657687);
- 
-    result32 = sarxl(0xffeeddcc, 8);
-    assert(result32 == 0xffffeedd);
-+    result = sarxl(0xffeeddcc, 8);
-+    assert(result == 0xffffeedd);
- 
-    result32 = sarxl(0x77eeddcc, 8 | 32);
-    assert(result32 == 0x0077eedd);
-+    result = sarxl(0x77eeddcc, 8 | 32);
-+    assert(result == 0x0077eedd);
- 
-    result32 = shrxl(0xffeeddcc, 8);
-    assert(result32 == 0x00ffeedd);
-+    result = shrxl(0xffeeddcc, 8);
-+    assert(result == 0x00ffeedd);
- 
-    result32 = shrxl(0x77eeddcc, 8 | 128);
-    assert(result32 == 0x0077eedd);
-+    result = shrxl(0x77eeddcc, 8 | 128);
-+    assert(result == 0x0077eedd);
- 
-    result32 = shlxl(0xffeeddcc, 8);
-    assert(result32 == 0xeeddcc00);
-+    result = shlxl(0xffeeddcc, 8);
-+    assert(result == 0xeeddcc00);
- 
-     return 0;
- }
--- a/debian/patches/extra/0025-target-arm-Ignore-SMCR_EL2.LEN-and-SVCR_EL2.LEN-if-E.patch
+++ b/debian/patches/extra/0025-target-arm-Ignore-SMCR_EL2.LEN-and-SVCR_EL2.LEN-if-E.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:57 +0100
+Subject: [PATCH] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is
+ not enabled
+
+When determining the current vector length, the SMCR_EL2.LEN and
+SVCR_EL2.LEN settings should only be considered if EL2 is enabled
+(compare the pseudocode CurrentSVL and CurrentNSVL which call
+EL2Enabled()).
+
+We were checking against ARM_FEATURE_EL2 rather than calling
+arm_is_el2_enabled(), which meant that we would look at
+SMCR_EL2/SVCR_EL2 when in Secure EL1 or Secure EL0 even if Secure EL2
+was not enabled.
+
+Use the correct check in sve_vqm1_for_el_sm().
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-5-peter.maydell@linaro.org
+(cherry picked from commit f573ac059ed060234fcef4299fae9e500d357c33)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index a620481d7c..42044ae14b 100644
+--- a/target/arm/helper.c
+++ b/target/arm/helper.c
+@@ -7191,7 +7191,7 @@ uint32_t sve_vqm1_for_el_sm(CPUARMState *env, int el, bool sm)
+     if (el <= 1 && !el_is_in_host(env, el)) {
+         len = MIN(len, 0xf & (uint32_t)cr[1]);
+     }
+-    if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
+    if (el <= 2 && arm_is_el2_enabled(env)) {
+         len = MIN(len, 0xf & (uint32_t)cr[2]);
+     }
+     if (arm_feature(env, ARM_FEATURE_EL3)) {
--- a/debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch
+++ b/debian/patches/extra/0025-target-i386-Fix-BEXTR-instruction.patch
@@ -1,97 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 13:05:42 -1000
-Subject: [PATCH] target/i386: Fix BEXTR instruction
-
-There were two problems here: not limiting the input to operand bits,
-and not correctly handling large extraction length.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1372
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20230114230542.3116013-3-richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit b14c0098975264ed03144f145bca0179a6763a07)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- target/i386/tcg/emit.c.inc      | 22 +++++++++++-----------
- tests/tcg/i386/test-i386-bmi2.c | 12 ++++++++++++
- 2 files changed, 23 insertions(+), 11 deletions(-)
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 7037ff91c6..99f6ba6e19 100644
--- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1078,30 +1078,30 @@ static void gen_ANDN(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- static void gen_BEXTR(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
-    TCGv bound, zero;
-+    TCGv bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-+    TCGv zero = tcg_constant_tl(0);
-+    TCGv mone = tcg_constant_tl(-1);
- 
-     /*
-      * Extract START, and shift the operand.
-      * Shifts larger than operand size get zeros.
-      */
-     tcg_gen_ext8u_tl(s->A0, s->T1);
-+    if (TARGET_LONG_BITS == 64 && ot == MO_32) {
-+        tcg_gen_ext32u_tl(s->T0, s->T0);
-+    }
-     tcg_gen_shr_tl(s->T0, s->T0, s->A0);
- 
-    bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-    zero = tcg_constant_tl(0);
-     tcg_gen_movcond_tl(TCG_COND_LEU, s->T0, s->A0, bound, s->T0, zero);
- 
-     /*
-     * Extract the LEN into a mask.  Lengths larger than
-     * operand size get all ones.
-+     * Extract the LEN into an inverse mask.  Lengths larger than
-+     * operand size get all zeros, length 0 gets all ones.
-      */
-     tcg_gen_extract_tl(s->A0, s->T1, 8, 8);
-    tcg_gen_movcond_tl(TCG_COND_LEU, s->A0, s->A0, bound, s->A0, bound);
-
-    tcg_gen_movi_tl(s->T1, 1);
-    tcg_gen_shl_tl(s->T1, s->T1, s->A0);
-    tcg_gen_subi_tl(s->T1, s->T1, 1);
-    tcg_gen_and_tl(s->T0, s->T0, s->T1);
-+    tcg_gen_shl_tl(s->T1, mone, s->A0);
-+    tcg_gen_movcond_tl(TCG_COND_LEU, s->T1, s->A0, bound, s->T1, zero);
-+    tcg_gen_andc_tl(s->T0, s->T0, s->T1);
- 
-     gen_op_update1_cc(s);
-     set_cc_op(s, CC_OP_LOGICB + ot);
-diff --git a/tests/tcg/i386/test-i386-bmi2.c b/tests/tcg/i386/test-i386-bmi2.c
-index 3c3ef85513..982d4abda4 100644
--- a/tests/tcg/i386/test-i386-bmi2.c
-+++ b/tests/tcg/i386/test-i386-bmi2.c
-@@ -99,6 +99,9 @@ int main(int argc, char *argv[]) {
-     result = bextrq(mask, 0x10f8);
-     assert(result == 0);
- 
-+    result = bextrq(0xfedcba9876543210ull, 0x7f00);
-+    assert(result == 0xfedcba9876543210ull);
-+
-     result = blsiq(0x30);
-     assert(result == 0x10);
- 
-@@ -164,6 +167,15 @@ int main(int argc, char *argv[]) {
-     result = bextrl(mask, 0x1038);
-     assert(result == 0);
- 
-+    result = bextrl((reg_t)0x8f635a775ad3b9b4ull, 0x3018);
-+    assert(result == 0x5a);
-+
-+    result = bextrl((reg_t)0xfedcba9876543210ull, 0x7f00);
-+    assert(result == 0x76543210u);
-+
-+    result = bextrl(-1, 0);
-+    assert(result == 0);
-+
-     result = blsil(0xffff);
-     assert(result == 1);
- 
--- a/debian/patches/extra/0026-target-arm-Handle-denormals-correctly-for-FMOPA-wide.patch
+++ b/debian/patches/extra/0026-target-arm-Handle-denormals-correctly-for-FMOPA-wide.patch
@@ -0,0 +1,164 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Thu, 1 Aug 2024 10:15:03 +0100
+Subject: [PATCH] target/arm: Handle denormals correctly for FMOPA (widening)
+
+The FMOPA (widening) SME instruction takes pairs of half-precision
+floating point values, widens them to single-precision, does a
+two-way dot product and accumulates the results into a
+single-precision destination.  We don't quite correctly handle the
+FPCR bits FZ and FZ16 which control flushing of denormal inputs and
+outputs.  This is because at the moment we pass a single float_status
+value to the helper function, which then uses that configuration for
+all the fp operations it does.  However, because the inputs to this
+operation are float16 and the outputs are float32 we need to use the
+fp_status_f16 for the float16 input widening but the normal fp_status
+for everything else.  Otherwise we will apply the flushing control
+FPCR.FZ16 to the 32-bit output rather than the FPCR.FZ control, and
+incorrectly flush a denormal output to zero when we should not (or
+vice-versa).
+
+(In commit 207d30b5fdb5b we tried to fix the FZ handling but
+didn't get it right, switching from "use FPCR.FZ for everything" to
+"use FPCR.FZ16 for everything".)
+
+Pass the CPU env to the sme_fmopa_h helper instead of an fp_status
+pointer, and have the helper pass an extra fp_status into the
+f16_dotadd() function so that we can use the right status for the
+right parts of this operation.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 207d30b5fdb5 ("target/arm: Use FPST_F16 for SME FMOPA (widening)")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2373
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+(cherry picked from commit 55f9f4ee018c5ccea81d8c8c586756d7711ae46f)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/helper-sme.h    |  2 +-
+ target/arm/tcg/sme_helper.c    | 39 +++++++++++++++++++++++-----------
+ target/arm/tcg/translate-sme.c | 25 ++++++++++++++++++++--
+ 3 files changed, 51 insertions(+), 15 deletions(-)
+
+diff --git a/target/arm/tcg/helper-sme.h b/target/arm/tcg/helper-sme.h
+index 27eef49a11..d22bf9d21b 100644
+--- a/target/arm/tcg/helper-sme.h
+++ b/target/arm/tcg/helper-sme.h
+@@ -121,7 +121,7 @@ DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+ 
+ DEF_HELPER_FLAGS_7(sme_fmopa_h, TCG_CALL_NO_RWG,
+-                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+                   void, ptr, ptr, ptr, ptr, ptr, env, i32)
+ DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index f9001f5213..3906bb51c0 100644
+--- a/target/arm/tcg/sme_helper.c
+++ b/target/arm/tcg/sme_helper.c
+@@ -976,12 +976,23 @@ static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
+ }
+ 
+ static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
+-                          float_status *s_std, float_status *s_odd)
+                          float_status *s_f16, float_status *s_std,
+                          float_status *s_odd)
+ {
+-    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_std);
+-    float64 e1c = float16_to_float64(e1 >> 16, true, s_std);
+-    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_std);
+-    float64 e2c = float16_to_float64(e2 >> 16, true, s_std);
+    /*
+     * We need three different float_status for different parts of this
+     * operation:
+     *  - the input conversion of the float16 values must use the
+     *    f16-specific float_status, so that the FPCR.FZ16 control is applied
+     *  - operations on float32 including the final accumulation must use
+     *    the normal float_status, so that FPCR.FZ is applied
+     *  - we have pre-set-up copy of s_std which is set to round-to-odd,
+     *    for the multiply (see below)
+     */
+    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_f16);
+    float64 e1c = float16_to_float64(e1 >> 16, true, s_f16);
+    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_f16);
+    float64 e2c = float16_to_float64(e2 >> 16, true, s_f16);
+     float64 t64;
+     float32 t32;
+ 
+@@ -1003,20 +1014,23 @@ static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
+ }
+ 
+ void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
+-                         void *vpm, void *vst, uint32_t desc)
+                         void *vpm, CPUARMState *env, uint32_t desc)
+ {
+     intptr_t row, col, oprsz = simd_maxsz(desc);
+     uint32_t neg = simd_data(desc) * 0x80008000u;
+     uint16_t *pn = vpn, *pm = vpm;
+-    float_status fpst_odd, fpst_std;
+    float_status fpst_odd, fpst_std, fpst_f16;
+ 
+     /*
+-     * Make a copy of float_status because this operation does not
+-     * update the cumulative fp exception status.  It also produces
+-     * default nans.  Make a second copy with round-to-odd -- see above.
+     * Make copies of fp_status and fp_status_f16, because this operation
+     * does not update the cumulative fp exception status.  It also
+     * produces default NaNs. We also need a second copy of fp_status with
+     * round-to-odd -- see above.
+      */
+-    fpst_std = *(float_status *)vst;
+    fpst_f16 = env->vfp.fp_status_f16;
+    fpst_std = env->vfp.fp_status;
+     set_default_nan_mode(true, &fpst_std);
+    set_default_nan_mode(true, &fpst_f16);
+     fpst_odd = fpst_std;
+     set_float_rounding_mode(float_round_to_odd, &fpst_odd);
+ 
+@@ -1036,7 +1050,8 @@ void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
+                         uint32_t m = *(uint32_t *)(vzm + H1_4(col));
+ 
+                         m = f16mop_adj_pair(m, pcol, 0);
+-                        *a = f16_dotadd(*a, n, m, &fpst_std, &fpst_odd);
+                        *a = f16_dotadd(*a, n, m,
+                                        &fpst_f16, &fpst_std, &fpst_odd);
+                     }
+                     col += 4;
+                     pcol >>= 4;
+diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+index a50a419af2..ae42ddef7b 100644
+--- a/target/arm/tcg/translate-sme.c
+++ b/target/arm/tcg/translate-sme.c
+@@ -334,8 +334,29 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+     return true;
+ }
+ 
+-TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a,
+-           MO_32, FPST_FPCR_F16, gen_helper_sme_fmopa_h)
+static bool do_outprod_env(DisasContext *s, arg_op *a, MemOp esz,
+                           gen_helper_gvec_5_ptr *fn)
+{
+    int svl = streaming_vec_reg_size(s);
+    uint32_t desc = simd_desc(svl, svl, a->sub);
+    TCGv_ptr za, zn, zm, pn, pm;
+
+    if (!sme_smza_enabled_check(s)) {
+        return true;
+    }
+
+    za = get_tile(s, esz, a->zad);
+    zn = vec_full_reg_ptr(s, a->zn);
+    zm = vec_full_reg_ptr(s, a->zm);
+    pn = pred_full_reg_ptr(s, a->pn);
+    pm = pred_full_reg_ptr(s, a->pm);
+
+    fn(za, zn, zm, pn, pm, tcg_env, tcg_constant_i32(desc));
+    return true;
+}
+
+TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_env, a,
+           MO_32, gen_helper_sme_fmopa_h)
+ TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a,
+            MO_32, FPST_FPCR, gen_helper_sme_fmopa_s)
+ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a,
--- a/debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
+++ b/debian/patches/extra/0026-target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 08:06:01 -1000
-Subject: [PATCH] target/i386: Fix C flag for BLSI, BLSMSK, BLSR
-
-We forgot to set cc_src, which is used for computing C.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1370
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20230114180601.2993644-1-richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 99282098dc74c2055bde5652bde6cf0067d0c370)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- target/i386/tcg/emit.c.inc | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 99f6ba6e19..4d7702c106 100644
--- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1111,6 +1111,7 @@ static void gen_BLSI(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
- 
-+    tcg_gen_mov_tl(cpu_cc_src, s->T0);
-     tcg_gen_neg_tl(s->T1, s->T0);
-     tcg_gen_and_tl(s->T0, s->T0, s->T1);
-     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
-@@ -1121,6 +1122,7 @@ static void gen_BLSMSK(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode
- {
-     MemOp ot = decode->op[0].ot;
- 
-+    tcg_gen_mov_tl(cpu_cc_src, s->T0);
-     tcg_gen_subi_tl(s->T1, s->T0, 1);
-     tcg_gen_xor_tl(s->T0, s->T0, s->T1);
-     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
-@@ -1131,6 +1133,7 @@ static void gen_BLSR(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
- 
-+    tcg_gen_mov_tl(cpu_cc_src, s->T0);
-     tcg_gen_subi_tl(s->T1, s->T0, 1);
-     tcg_gen_and_tl(s->T0, s->T0, s->T1);
-     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
--- a/debian/patches/extra/0027-intel_iommu-fix-FRCD-construction-macro.patch
+++ b/debian/patches/extra/0027-intel_iommu-fix-FRCD-construction-macro.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cl=C3=A9ment=20Mathieu--Drif?=
+ <clement.mathieu--drif@eviden.com>
+Date: Tue, 9 Jul 2024 14:26:08 +0000
+Subject: [PATCH] intel_iommu: fix FRCD construction macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The constant must be unsigned, otherwise the two's complement
+overrides the other fields when a PASID is present.
+
+Fixes: 1b2b12376c8a ("intel-iommu: PASID support")
+Signed-off-by: Clément Mathieu--Drif <clement.mathieu--drif@eviden.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
+Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
+Message-Id: <20240709142557.317271-2-clement.mathieu--drif@eviden.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit a3c8d7e38550c3d5a46e6fa94ffadfa625a4861d)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/i386/intel_iommu_internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
+index f8cf99bddf..cbc4030031 100644
+--- a/hw/i386/intel_iommu_internal.h
+++ b/hw/i386/intel_iommu_internal.h
+@@ -267,7 +267,7 @@
+ /* For the low 64-bit of 128-bit */
+ #define VTD_FRCD_FI(val)        ((val) & ~0xfffULL)
+ #define VTD_FRCD_PV(val)        (((val) & 0xffffULL) << 40)
+-#define VTD_FRCD_PP(val)        (((val) & 0x1) << 31)
+#define VTD_FRCD_PP(val)        (((val) & 0x1ULL) << 31)
+ #define VTD_FRCD_IR_IDX(val)    (((val) & 0xffffULL) << 48)
+ 
+ /* DMA Remapping Fault Conditions */
--- a/debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
+++ b/debian/patches/extra/0027-target-i386-fix-ADOX-followed-by-ADCX.patch
@@ -1,192 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 31 Jan 2023 09:48:03 +0100
-Subject: [PATCH] target/i386: fix ADOX followed by ADCX
-
-When ADCX is followed by ADOX or vice versa, the second instruction's
-carry comes from EFLAGS and the condition codes use the CC_OP_ADCOX
-operation.  Retrieving the carry from EFLAGS is handled by this bit
-of gen_ADCOX:
-
-        tcg_gen_extract_tl(carry_in, cpu_cc_src,
-            ctz32(cc_op == CC_OP_ADCX ? CC_C : CC_O), 1);
-
-Unfortunately, in this case cc_op has been overwritten by the previous
-"if" statement to CC_OP_ADCOX.  This works by chance when the first
-instruction is ADCX; however, if the first instruction is ADOX,
-ADCX will incorrectly take its carry from OF instead of CF.
-
-Fix by moving the computation of the new cc_op at the end of the function.
-The included exhaustive test case fails without this patch and passes
-afterwards.
-
-Because ADCX/ADOX need not be invoked through the VEX prefix, this
-regression bisects to commit 16fc5726a6e2 ("target/i386: reimplement
-0x0f 0x38, add AVX", 2022-10-18).  However, the mistake happened a
-little earlier, when BMI instructions were rewritten using the new
-decoder framework.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1471
-Reported-by: Paul Jolly <https://gitlab.com/myitcv>
-Fixes: 1d0b926150e5 ("target/i386: move scalar 0F 38 and 0F 3A instruction to new decoder", 2022-10-18)
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 60c7dd22e1383754d5f150bc9f7c2785c662a7b6)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- target/i386/tcg/emit.c.inc       | 20 +++++----
- tests/tcg/i386/Makefile.target   |  6 ++-
- tests/tcg/i386/test-i386-adcox.c | 75 ++++++++++++++++++++++++++++++++
- 3 files changed, 91 insertions(+), 10 deletions(-)
- create mode 100644 tests/tcg/i386/test-i386-adcox.c
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 4d7702c106..0d7c6e80ae 100644
--- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1015,6 +1015,7 @@ VSIB_AVX(VPGATHERQ, vpgatherq)
- 
- static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
- {
-+    int opposite_cc_op;
-     TCGv carry_in = NULL;
-     TCGv carry_out = (cc_op == CC_OP_ADCX ? cpu_cc_dst : cpu_cc_src2);
-     TCGv zero;
-@@ -1022,14 +1023,8 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
-     if (cc_op == s->cc_op || s->cc_op == CC_OP_ADCOX) {
-         /* Re-use the carry-out from a previous round.  */
-         carry_in = carry_out;
-        cc_op = s->cc_op;
-    } else if (s->cc_op == CC_OP_ADCX || s->cc_op == CC_OP_ADOX) {
-        /* Merge with the carry-out from the opposite instruction.  */
-        cc_op = CC_OP_ADCOX;
-    }
-
-    /* If we don't have a carry-in, get it out of EFLAGS.  */
-    if (!carry_in) {
-+    } else {
-+        /* We don't have a carry-in, get it out of EFLAGS.  */
-         if (s->cc_op != CC_OP_ADCX && s->cc_op != CC_OP_ADOX) {
-             gen_compute_eflags(s);
-         }
-@@ -1053,7 +1048,14 @@ static void gen_ADCOX(DisasContext *s, CPUX86State *env, MemOp ot, int cc_op)
-         tcg_gen_add2_tl(s->T0, carry_out, s->T0, carry_out, s->T1, zero);
-         break;
-     }
-    set_cc_op(s, cc_op);
-+
-+    opposite_cc_op = cc_op == CC_OP_ADCX ? CC_OP_ADOX : CC_OP_ADCX;
-+    if (s->cc_op == CC_OP_ADCOX || s->cc_op == opposite_cc_op) {
-+        /* Merge with the carry-out from the opposite instruction.  */
-+        set_cc_op(s, CC_OP_ADCOX);
-+    } else {
-+        set_cc_op(s, cc_op);
-+    }
- }
- 
- static void gen_ADCX(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
-diff --git a/tests/tcg/i386/Makefile.target b/tests/tcg/i386/Makefile.target
-index 81831cafbc..bafd8c2180 100644
--- a/tests/tcg/i386/Makefile.target
-+++ b/tests/tcg/i386/Makefile.target
-@@ -14,7 +14,7 @@ config-cc.mak: Makefile
- I386_SRCS=$(notdir $(wildcard $(I386_SRC)/*.c))
- ALL_X86_TESTS=$(I386_SRCS:.c=)
- SKIP_I386_TESTS=test-i386-ssse3 test-avx test-3dnow test-mmx
-X86_64_TESTS:=$(filter test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
-+X86_64_TESTS:=$(filter test-i386-adcox test-i386-bmi2 $(SKIP_I386_TESTS), $(ALL_X86_TESTS))
- 
- test-i386-sse-exceptions: CFLAGS += -msse4.1 -mfpmath=sse
- run-test-i386-sse-exceptions: QEMU_OPTS += -cpu max
-@@ -28,6 +28,10 @@ test-i386-bmi2: CFLAGS=-O2
- run-test-i386-bmi2: QEMU_OPTS += -cpu max
- run-plugin-test-i386-bmi2-%: QEMU_OPTS += -cpu max
- 
-+test-i386-adcox: CFLAGS=-O2
-+run-test-i386-adcox: QEMU_OPTS += -cpu max
-+run-plugin-test-i386-adcox-%: QEMU_OPTS += -cpu max
-+
- #
- # hello-i386 is a barebones app
- #
-diff --git a/tests/tcg/i386/test-i386-adcox.c b/tests/tcg/i386/test-i386-adcox.c
-new file mode 100644
-index 0000000000..16169efff8
--- /dev/null
-+++ b/tests/tcg/i386/test-i386-adcox.c
-@@ -0,0 +1,75 @@
-+/* See if various BMI2 instructions give expected results */
-+#include <assert.h>
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+#define CC_C 1
-+#define CC_O (1 << 11)
-+
-+#ifdef __x86_64__
-+#define REG uint64_t
-+#else
-+#define REG uint32_t
-+#endif
-+
-+void test_adox_adcx(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+    REG flags;
-+    REG out_adcx, out_adox;
-+
-+    asm("pushf; pop %0" : "=r"(flags));
-+    flags &= ~(CC_C | CC_O);
-+    flags |= (in_c ? CC_C : 0);
-+    flags |= (in_o ? CC_O : 0);
-+
-+    out_adcx = adcx_operand;
-+    out_adox = adox_operand;
-+    asm("push %0; popf;"
-+        "adox %3, %2;"
-+        "adcx %3, %1;"
-+        "pushf; pop %0"
-+        : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+        : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+    assert(out_adcx == in_c + adcx_operand - 1);
-+    assert(out_adox == in_o + adox_operand - 1);
-+    assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+    assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+void test_adcx_adox(uint32_t in_c, uint32_t in_o, REG adcx_operand, REG adox_operand)
-+{
-+    REG flags;
-+    REG out_adcx, out_adox;
-+
-+    asm("pushf; pop %0" : "=r"(flags));
-+    flags &= ~(CC_C | CC_O);
-+    flags |= (in_c ? CC_C : 0);
-+    flags |= (in_o ? CC_O : 0);
-+
-+    out_adcx = adcx_operand;
-+    out_adox = adox_operand;
-+    asm("push %0; popf;"
-+        "adcx %3, %1;"
-+        "adox %3, %2;"
-+        "pushf; pop %0"
-+        : "+r" (flags), "+r" (out_adcx), "+r" (out_adox)
-+        : "r" ((REG)-1), "0" (flags), "1" (out_adcx), "2" (out_adox));
-+
-+    assert(out_adcx == in_c + adcx_operand - 1);
-+    assert(out_adox == in_o + adox_operand - 1);
-+    assert(!!(flags & CC_C) == (in_c || adcx_operand));
-+    assert(!!(flags & CC_O) == (in_o || adox_operand));
-+}
-+
-+int main(int argc, char *argv[]) {
-+    /* try all combinations of input CF, input OF, CF from op1+op2,  OF from op2+op1 */
-+    int i;
-+    for (i = 0; i <= 15; i++) {
-+        printf("%d\n", i);
-+        test_adcx_adox(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+        test_adox_adcx(!!(i & 1), !!(i & 2), !!(i & 4), !!(i & 8));
-+    }
-+    return 0;
-+}
-+
--- a/debian/patches/extra/0028-target-i386-Do-not-apply-REX-to-MMX-operands.patch
+++ b/debian/patches/extra/0028-target-i386-Do-not-apply-REX-to-MMX-operands.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Mon, 12 Aug 2024 12:58:42 +1000
+Subject: [PATCH] target/i386: Do not apply REX to MMX operands
+
+Cc: qemu-stable@nongnu.org
+Fixes: b3e22b2318a ("target/i386: add core of new i386 decoder")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2495
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Link: https://lore.kernel.org/r/20240812025844.58956-2-richard.henderson@linaro.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 416f2b16c02c618c0f233372ebfe343f9ee667d4)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/decode-new.c.inc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
+index 4209d59ca8..09b8d2314a 100644
+--- a/target/i386/tcg/decode-new.c.inc
+++ b/target/i386/tcg/decode-new.c.inc
+@@ -1271,7 +1271,10 @@ static bool decode_op(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode,
+             op->unit = X86_OP_SSE;
+         }
+     get_reg:
+-        op->n = ((get_modrm(s, env) >> 3) & 7) | REX_R(s);
+        op->n = ((get_modrm(s, env) >> 3) & 7);
+        if (op->unit != X86_OP_MMX) {
+            op->n |= REX_R(s);
+        }
+         break;
+ 
+     case X86_TYPE_E:  /* ALU modrm operand */
--- a/debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch
+++ b/debian/patches/extra/0028-target-i386-Fix-BZHI-instruction.patch
@@ -1,64 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Sat, 14 Jan 2023 13:32:06 -1000
-Subject: [PATCH] target/i386: Fix BZHI instruction
-
-We did not correctly handle N >= operand size.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1374
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20230114233206.3118472-1-richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 9ad2ba6e8e7fc195d0dd0b76ab38bd2fceb1bdd4)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- target/i386/tcg/emit.c.inc      | 14 +++++++-------
- tests/tcg/i386/test-i386-bmi2.c |  3 +++
- 2 files changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc
-index 0d7c6e80ae..7296f3952c 100644
--- a/target/i386/tcg/emit.c.inc
-+++ b/target/i386/tcg/emit.c.inc
-@@ -1145,20 +1145,20 @@ static void gen_BLSR(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- static void gen_BZHI(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode)
- {
-     MemOp ot = decode->op[0].ot;
-    TCGv bound;
-+    TCGv bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-+    TCGv zero = tcg_constant_tl(0);
-+    TCGv mone = tcg_constant_tl(-1);
- 
-    tcg_gen_ext8u_tl(s->T1, cpu_regs[s->vex_v]);
-    bound = tcg_constant_tl(ot == MO_64 ? 63 : 31);
-+    tcg_gen_ext8u_tl(s->T1, s->T1);
- 
-     /*
-      * Note that since we're using BMILG (in order to get O
-      * cleared) we need to store the inverse into C.
-      */
-    tcg_gen_setcond_tl(TCG_COND_LT, cpu_cc_src, s->T1, bound);
-    tcg_gen_movcond_tl(TCG_COND_GT, s->T1, s->T1, bound, bound, s->T1);
-+    tcg_gen_setcond_tl(TCG_COND_LEU, cpu_cc_src, s->T1, bound);
- 
-    tcg_gen_movi_tl(s->A0, -1);
-    tcg_gen_shl_tl(s->A0, s->A0, s->T1);
-+    tcg_gen_shl_tl(s->A0, mone, s->T1);
-+    tcg_gen_movcond_tl(TCG_COND_LEU, s->A0, s->T1, bound, s->A0, zero);
-     tcg_gen_andc_tl(s->T0, s->T0, s->A0);
- 
-     gen_op_update1_cc(s);
-diff --git a/tests/tcg/i386/test-i386-bmi2.c b/tests/tcg/i386/test-i386-bmi2.c
-index 982d4abda4..0244df7987 100644
--- a/tests/tcg/i386/test-i386-bmi2.c
-+++ b/tests/tcg/i386/test-i386-bmi2.c
-@@ -123,6 +123,9 @@ int main(int argc, char *argv[]) {
-     result = bzhiq(mask, 0x1f);
-     assert(result == (mask & ~(-1 << 30)));
- 
-+    result = bzhiq(mask, 0x40);
-+    assert(result == mask);
-+
-     result = rorxq(0x2132435465768798, 8);
-     assert(result == 0x9821324354657687);
- 
--- a/debian/patches/extra/0029-module-Prevent-crash-by-resetting-local_err-in-modul.patch
+++ b/debian/patches/extra/0029-module-Prevent-crash-by-resetting-local_err-in-modul.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Date: Fri, 9 Aug 2024 14:13:40 +0200
+Subject: [PATCH] module: Prevent crash by resetting local_err in
+ module_load_qom_all()
+
+Set local_err to NULL after it has been freed in error_report_err(). This
+avoids triggering assert(*errp == NULL) failure in error_setv() when
+local_err is reused in the loop.
+
+Signed-off-by: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Reviewed-by: Claudio Fontana <cfontana@suse.de>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
+Link: https://lore.kernel.org/r/20240809121340.992049-2-alexander.ivanov@virtuozzo.com
+[Do the same by moving the declaration instead. - Paolo]
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 940d802b24e63650e0eacad3714e2ce171cba17c)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ util/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/module.c b/util/module.c
+index 32e263163c..3eb0f06df1 100644
+--- a/util/module.c
+++ b/util/module.c
+@@ -354,13 +354,13 @@ int module_load_qom(const char *type, Error **errp)
+ void module_load_qom_all(void)
+ {
+     const QemuModinfo *modinfo;
+-    Error *local_err = NULL;
+ 
+     if (module_loaded_qom_all) {
+         return;
+     }
+ 
+     for (modinfo = module_info; modinfo->name != NULL; modinfo++) {
+        Error *local_err = NULL;
+         if (!modinfo->objs) {
+             continue;
+         }
--- a/debian/patches/extra/0030-nbd-server-Plumb-in-new-args-to-nbd_client_add.patch
+++ b/debian/patches/extra/0030-nbd-server-Plumb-in-new-args-to-nbd_client_add.patch
@@ -0,0 +1,164 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 7 Aug 2024 08:50:01 -0500
+Subject: [PATCH] nbd/server: Plumb in new args to nbd_client_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upcoming patches to fix a CVE need to track an opaque pointer passed
+in by the owner of a client object, as well as request for a time
+limit on how fast negotiation must complete.  Prepare for that by
+changing the signature of nbd_client_new() and adding an accessor to
+get at the opaque pointer, although for now the two servers
+(qemu-nbd.c and blockdev-nbd.c) do not change behavior even though
+they pass in a new default timeout value.
+
+Suggested-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-11-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[eblake: s/LIMIT/MAX_SECS/ as suggested by Dan]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit fb1c2aaa981e0a2fa6362c9985f1296b74f055ac)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ blockdev-nbd.c      |  6 ++++--
+ include/block/nbd.h | 11 ++++++++++-
+ nbd/server.c        | 20 +++++++++++++++++---
+ qemu-nbd.c          |  4 +++-
+ 4 files changed, 34 insertions(+), 7 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 213012435f..267a1de903 100644
+--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
+@@ -64,8 +64,10 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+     nbd_update_server_watch(nbd_server);
+ 
+     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
+-    nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz,
+-                   nbd_blockdev_client_closed);
+    /* TODO - expose handshake timeout as QMP option */
+    nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
+                   nbd_server->tlscreds, nbd_server->tlsauthz,
+                   nbd_blockdev_client_closed, NULL);
+ }
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+diff --git a/include/block/nbd.h b/include/block/nbd.h
+index 4e7bd6342f..1d4d65922d 100644
+--- a/include/block/nbd.h
+++ b/include/block/nbd.h
+@@ -33,6 +33,12 @@ typedef struct NBDMetaContexts NBDMetaContexts;
+ 
+ extern const BlockExportDriver blk_exp_nbd;
+ 
+/*
+ * NBD_DEFAULT_HANDSHAKE_MAX_SECS: Number of seconds in which client must
+ * succeed at NBD_OPT_GO before being forcefully dropped as too slow.
+ */
+#define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
+
+ /* Handshake phase structs - this struct is passed on the wire */
+ 
+ typedef struct NBDOption {
+@@ -403,9 +409,12 @@ AioContext *nbd_export_aio_context(NBDExport *exp);
+ NBDExport *nbd_export_find(const char *name);
+ 
+ void nbd_client_new(QIOChannelSocket *sioc,
+                    uint32_t handshake_max_secs,
+                     QCryptoTLSCreds *tlscreds,
+                     const char *tlsauthz,
+-                    void (*close_fn)(NBDClient *, bool));
+                    void (*close_fn)(NBDClient *, bool),
+                    void *owner);
+void *nbd_client_owner(NBDClient *client);
+ void nbd_client_get(NBDClient *client);
+ void nbd_client_put(NBDClient *client);
+ 
+diff --git a/nbd/server.c b/nbd/server.c
+index 892797bb11..e50012499f 100644
+--- a/nbd/server.c
+++ b/nbd/server.c
+@@ -124,12 +124,14 @@ struct NBDMetaContexts {
+ struct NBDClient {
+     int refcount; /* atomic */
+     void (*close_fn)(NBDClient *client, bool negotiated);
+    void *owner;
+ 
+     QemuMutex lock;
+ 
+     NBDExport *exp;
+     QCryptoTLSCreds *tlscreds;
+     char *tlsauthz;
+    uint32_t handshake_max_secs;
+     QIOChannelSocket *sioc; /* The underlying data channel */
+     QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
+ 
+@@ -3191,6 +3193,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+ 
+     qemu_co_mutex_init(&client->send_lock);
+ 
+    /* TODO - utilize client->handshake_max_secs */
+     if (nbd_negotiate(client, &local_err)) {
+         if (local_err) {
+             error_report_err(local_err);
+@@ -3205,14 +3208,17 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+ }
+ 
+ /*
+- * Create a new client listener using the given channel @sioc.
+ * Create a new client listener using the given channel @sioc and @owner.
+  * Begin servicing it in a coroutine.  When the connection closes, call
+- * @close_fn with an indication of whether the client completed negotiation.
+ * @close_fn with an indication of whether the client completed negotiation
+ * within @handshake_max_secs seconds (0 for unbounded).
+  */
+ void nbd_client_new(QIOChannelSocket *sioc,
+                    uint32_t handshake_max_secs,
+                     QCryptoTLSCreds *tlscreds,
+                     const char *tlsauthz,
+-                    void (*close_fn)(NBDClient *, bool))
+                    void (*close_fn)(NBDClient *, bool),
+                    void *owner)
+ {
+     NBDClient *client;
+     Coroutine *co;
+@@ -3225,13 +3231,21 @@ void nbd_client_new(QIOChannelSocket *sioc,
+         object_ref(OBJECT(client->tlscreds));
+     }
+     client->tlsauthz = g_strdup(tlsauthz);
+    client->handshake_max_secs = handshake_max_secs;
+     client->sioc = sioc;
+     qio_channel_set_delay(QIO_CHANNEL(sioc), false);
+     object_ref(OBJECT(client->sioc));
+     client->ioc = QIO_CHANNEL(sioc);
+     object_ref(OBJECT(client->ioc));
+     client->close_fn = close_fn;
+    client->owner = owner;
+ 
+     co = qemu_coroutine_create(nbd_co_client_start, client);
+     qemu_coroutine_enter(co);
+ }
+
+void *
+nbd_client_owner(NBDClient *client)
+{
+    return client->owner;
+}
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index d7b3ccab21..48e2fa5858 100644
+--- a/qemu-nbd.c
+++ b/qemu-nbd.c
+@@ -390,7 +390,9 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+ 
+     nb_fds++;
+     nbd_update_server_watch();
+-    nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed);
+    /* TODO - expose handshake timeout as command line option */
+    nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
+                   tlscreds, tlsauthz, nbd_client_closed, NULL);
+ }
+ 
+ static void nbd_update_server_watch(void)
--- a/debian/patches/extra/0031-nbd-server-CVE-2024-7409-Cap-default-max-connections.patch
+++ b/debian/patches/extra/0031-nbd-server-CVE-2024-7409-Cap-default-max-connections.patch
@@ -0,0 +1,172 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 6 Aug 2024 13:53:00 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Cap default max-connections to 100
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Allowing an unlimited number of clients to any web service is a recipe
+for a rudimentary denial of service attack: the client merely needs to
+open lots of sockets without closing them, until qemu no longer has
+any more fds available to allocate.
+
+For qemu-nbd, we default to allowing only 1 connection unless more are
+explicitly asked for (-e or --shared); this was historically picked as
+a nice default (without an explicit -t, a non-persistent qemu-nbd goes
+away after a client disconnects, without needing any additional
+follow-up commands), and we are not going to change that interface now
+(besides, someday we want to point people towards qemu-storage-daemon
+instead of qemu-nbd).
+
+But for qemu proper, and the newer qemu-storage-daemon, the QMP
+nbd-server-start command has historically had a default of unlimited
+number of connections, in part because unlike qemu-nbd it is
+inherently persistent until nbd-server-stop.  Allowing multiple client
+sockets is particularly useful for clients that can take advantage of
+MULTI_CONN (creating parallel sockets to increase throughput),
+although known clients that do so (such as libnbd's nbdcopy) typically
+use only 8 or 16 connections (the benefits of scaling diminish once
+more sockets are competing for kernel attention).  Picking a number
+large enough for typical use cases, but not unlimited, makes it
+slightly harder for a malicious client to perform a denial of service
+merely by opening lots of connections withot progressing through the
+handshake.
+
+This change does not eliminate CVE-2024-7409 on its own, but reduces
+the chance for fd exhaustion or unlimited memory usage as an attack
+surface.  On the other hand, by itself, it makes it more obvious that
+with a finite limit, we have the problem of an unauthenticated client
+holding 100 fds opened as a way to block out a legitimate client from
+being able to connect; thus, later patches will further add timeouts
+to reject clients that are not making progress.
+
+This is an INTENTIONAL change in behavior, and will break any client
+of nbd-server-start that was not passing an explicit max-connections
+parameter, yet expects more than 100 simultaneous connections.  We are
+not aware of any such client (as stated above, most clients aware of
+MULTI_CONN get by just fine on 8 or 16 connections, and probably cope
+with later connections failing by relying on the earlier connections;
+libvirt has not yet been passing max-connections, but generally
+creates NBD servers with the intent for a single client for the sake
+of live storage migration; meanwhile, the KubeSAN project anticipates
+a large cluster sharing multiple clients [up to 8 per node, and up to
+100 nodes in a cluster], but it currently uses qemu-nbd with an
+explicit --shared=0 rather than qemu-storage-daemon with
+nbd-server-start).
+
+We considered using a deprecation period (declare that omitting
+max-parameters is deprecated, and make it mandatory in 3 releases -
+then we don't need to pick an arbitrary default); that has zero risk
+of breaking any apps that accidentally depended on more than 100
+connections, and where such breakage might not be noticed under unit
+testing but only under the larger loads of production usage.  But it
+does not close the denial-of-service hole until far into the future,
+and requires all apps to change to add the parameter even if 100 was
+good enough.  It also has a drawback that any app (like libvirt) that
+is accidentally relying on an unlimited default should seriously
+consider their own CVE now, at which point they are going to change to
+pass explicit max-connections sooner than waiting for 3 qemu releases.
+Finally, if our changed default breaks an app, that app can always
+pass in an explicit max-parameters with a larger value.
+
+It is also intentional that the HMP interface to nbd-server-start is
+not changed to expose max-connections (any client needing to fine-tune
+things should be using QMP).
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-12-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[ericb: Expand commit message to summarize Dan's argument for why we
+break corner-case back-compat behavior without a deprecation period]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit c8a76dbd90c2f48df89b75bef74917f90a59b623)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ block/monitor/block-hmp-cmds.c | 3 ++-
+ blockdev-nbd.c                 | 8 ++++++++
+ include/block/nbd.h            | 7 +++++++
+ qapi/block-export.json         | 4 ++--
+ 4 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
+index d954bec6f1..bdf2eb50b6 100644
+--- a/block/monitor/block-hmp-cmds.c
+++ b/block/monitor/block-hmp-cmds.c
+@@ -402,7 +402,8 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
+         goto exit;
+     }
+ 
+-    nbd_server_start(addr, NULL, NULL, 0, &local_err);
+    nbd_server_start(addr, NULL, NULL, NBD_DEFAULT_MAX_CONNECTIONS,
+                     &local_err);
+     qapi_free_SocketAddress(addr);
+     if (local_err != NULL) {
+         goto exit;
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 267a1de903..24ba5382db 100644
+--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
+@@ -170,6 +170,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
+ 
+ void nbd_server_start_options(NbdServerOptions *arg, Error **errp)
+ {
+    if (!arg->has_max_connections) {
+        arg->max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
+    }
+
+     nbd_server_start(arg->addr, arg->tls_creds, arg->tls_authz,
+                      arg->max_connections, errp);
+ }
+@@ -182,6 +186,10 @@ void qmp_nbd_server_start(SocketAddressLegacy *addr,
+ {
+     SocketAddress *addr_flat = socket_address_flatten(addr);
+ 
+    if (!has_max_connections) {
+        max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
+    }
+
+     nbd_server_start(addr_flat, tls_creds, tls_authz, max_connections, errp);
+     qapi_free_SocketAddress(addr_flat);
+ }
+diff --git a/include/block/nbd.h b/include/block/nbd.h
+index 1d4d65922d..d4f8b21aec 100644
+--- a/include/block/nbd.h
+++ b/include/block/nbd.h
+@@ -39,6 +39,13 @@ extern const BlockExportDriver blk_exp_nbd;
+  */
+ #define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
+ 
+/*
+ * NBD_DEFAULT_MAX_CONNECTIONS: Number of client sockets to allow at
+ * once; must be large enough to allow a MULTI_CONN-aware client like
+ * nbdcopy to create its typical number of 8-16 sockets.
+ */
+#define NBD_DEFAULT_MAX_CONNECTIONS 100
+
+ /* Handshake phase structs - this struct is passed on the wire */
+ 
+ typedef struct NBDOption {
+diff --git a/qapi/block-export.json b/qapi/block-export.json
+index 3919a2d5b9..f45e4fd481 100644
+--- a/qapi/block-export.json
+++ b/qapi/block-export.json
+@@ -28,7 +28,7 @@
+ # @max-connections: The maximum number of connections to allow at the
+ #     same time, 0 for unlimited.  Setting this to 1 also stops the
+ #     server from advertising multiple client support (since 5.2;
+-#     default: 0)
+#     default: 100)
+ #
+ # Since: 4.2
+ ##
+@@ -63,7 +63,7 @@
+ # @max-connections: The maximum number of connections to allow at the
+ #     same time, 0 for unlimited.  Setting this to 1 also stops the
+ #     server from advertising multiple client support (since 5.2;
+-#     default: 0).
+#     default: 100).
+ #
+ # Errors:
+ #     - if the server is already running
--- a/debian/patches/extra/0032-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
+++ b/debian/patches/extra/0032-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 8 Aug 2024 16:05:08 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Drop non-negotiating clients
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A client that opens a socket but does not negotiate is merely hogging
+qemu's resources (an open fd and a small amount of memory); and a
+malicious client that can access the port where NBD is listening can
+attempt a denial of service attack by intentionally opening and
+abandoning lots of unfinished connections.  The previous patch put a
+default bound on the number of such ongoing connections, but once that
+limit is hit, no more clients can connect (including legitimate ones).
+The solution is to insist that clients complete handshake within a
+reasonable time limit, defaulting to 10 seconds.  A client that has
+not successfully completed NBD_OPT_GO by then (including the case of
+where the client didn't know TLS credentials to even reach the point
+of NBD_OPT_GO) is wasting our time and does not deserve to stay
+connected.  Later patches will allow fine-tuning the limit away from
+the default value (including disabling it for doing integration
+testing of the handshake process itself).
+
+Note that this patch in isolation actually makes it more likely to see
+qemu SEGV after nbd-server-stop, as any client socket still connected
+when the server shuts down will now be closed after 10 seconds rather
+than at the client's whims.  That will be addressed in the next patch.
+
+For a demo of this patch in action:
+$ qemu-nbd -f raw -r -t -e 10 file &
+$ nbdsh --opt-mode -c '
+H = list()
+for i in range(20):
+  print(i)
+  H.insert(i, nbd.NBD())
+  H[i].set_opt_mode(True)
+  H[i].connect_uri("nbd://localhost")
+'
+$ kill $!
+
+where later connections get to start progressing once earlier ones are
+forcefully dropped for taking too long, rather than hanging.
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-13-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[eblake: rebase to changes earlier in series, reduce scope of timer]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ nbd/server.c     | 28 +++++++++++++++++++++++++++-
+ nbd/trace-events |  1 +
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index e50012499f..39285cc971 100644
+--- a/nbd/server.c
+++ b/nbd/server.c
+@@ -3186,22 +3186,48 @@ static void nbd_client_receive_next_request(NBDClient *client)
+     }
+ }
+ 
+static void nbd_handshake_timer_cb(void *opaque)
+{
+    QIOChannel *ioc = opaque;
+
+    trace_nbd_handshake_timer_cb();
+    qio_channel_shutdown(ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);
+}
+
+ static coroutine_fn void nbd_co_client_start(void *opaque)
+ {
+     NBDClient *client = opaque;
+     Error *local_err = NULL;
+    QEMUTimer *handshake_timer = NULL;
+ 
+     qemu_co_mutex_init(&client->send_lock);
+ 
+-    /* TODO - utilize client->handshake_max_secs */
+    /*
+     * Create a timer to bound the time spent in negotiation. If the
+     * timer expires, it is likely nbd_negotiate will fail because the
+     * socket was shutdown.
+     */
+    if (client->handshake_max_secs > 0) {
+        handshake_timer = aio_timer_new(qemu_get_aio_context(),
+                                        QEMU_CLOCK_REALTIME,
+                                        SCALE_NS,
+                                        nbd_handshake_timer_cb,
+                                        client->sioc);
+        timer_mod(handshake_timer,
+                  qemu_clock_get_ns(QEMU_CLOCK_REALTIME) +
+                  client->handshake_max_secs * NANOSECONDS_PER_SECOND);
+    }
+
+     if (nbd_negotiate(client, &local_err)) {
+         if (local_err) {
+             error_report_err(local_err);
+         }
+        timer_free(handshake_timer);
+         client_close(client, false);
+         return;
+     }
+ 
+    timer_free(handshake_timer);
+     WITH_QEMU_LOCK_GUARD(&client->lock) {
+         nbd_client_receive_next_request(client);
+     }
+diff --git a/nbd/trace-events b/nbd/trace-events
+index 00ae3216a1..cbd0a4ab7e 100644
+--- a/nbd/trace-events
+++ b/nbd/trace-events
+@@ -76,6 +76,7 @@ nbd_co_receive_request_payload_received(uint64_t cookie, uint64_t len) "Payload
+ nbd_co_receive_ext_payload_compliance(uint64_t from, uint64_t len) "client sent non-compliant write without payload flag: from=0x%" PRIx64 ", len=0x%" PRIx64
+ nbd_co_receive_align_compliance(const char *op, uint64_t from, uint64_t len, uint32_t align) "client sent non-compliant unaligned %s request: from=0x%" PRIx64 ", len=0x%" PRIx64 ", align=0x%" PRIx32
+ nbd_trip(void) "Reading request"
+nbd_handshake_timer_cb(void) "client took too long to negotiate"
+ 
+ # client-connection.c
+ nbd_connect_thread_sleep(uint64_t timeout) "timeout %" PRIu64
--- a/debian/patches/extra/0033-nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
+++ b/debian/patches/extra/0033-nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
@@ -0,0 +1,161 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 7 Aug 2024 12:23:13 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Close stray clients at server-stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A malicious client can attempt to connect to an NBD server, and then
+intentionally delay progress in the handshake, including if it does
+not know the TLS secrets.  Although the previous two patches reduce
+this behavior by capping the default max-connections parameter and
+killing slow clients, they did not eliminate the possibility of a
+client waiting to close the socket until after the QMP nbd-server-stop
+command is executed, at which point qemu would SEGV when trying to
+dereference the NULL nbd_server global which is no longer present.
+This amounts to a denial of service attack.  Worse, if another NBD
+server is started before the malicious client disconnects, I cannot
+rule out additional adverse effects when the old client interferes
+with the connection count of the new server (although the most likely
+is a crash due to an assertion failure when checking
+nbd_server->connections > 0).
+
+For environments without this patch, the CVE can be mitigated by
+ensuring (such as via a firewall) that only trusted clients can
+connect to an NBD server.  Note that using frameworks like libvirt
+that ensure that TLS is used and that nbd-server-stop is not executed
+while any trusted clients are still connected will only help if there
+is also no possibility for an untrusted client to open a connection
+but then stall on the NBD handshake.
+
+Given the previous patches, it would be possible to guarantee that no
+clients remain connected by having nbd-server-stop sleep for longer
+than the default handshake deadline before finally freeing the global
+nbd_server object, but that could make QMP non-responsive for a long
+time.  So intead, this patch fixes the problem by tracking all client
+sockets opened while the server is running, and forcefully closing any
+such sockets remaining without a completed handshake at the time of
+nbd-server-stop, then waiting until the coroutines servicing those
+sockets notice the state change.  nbd-server-stop now has a second
+AIO_WAIT_WHILE_UNLOCKED (the first is indirectly through the
+blk_exp_close_all_type() that disconnects all clients that completed
+handshakes), but forced socket shutdown is enough to progress the
+coroutines and quickly tear down all clients before the server is
+freed, thus finally fixing the CVE.
+
+This patch relies heavily on the fact that nbd/server.c guarantees
+that it only calls nbd_blockdev_client_closed() from the main loop
+(see the assertion in nbd_client_put() and the hoops used in
+nbd_client_put_nonzero() to achieve that); if we did not have that
+guarantee, we would also need a mutex protecting our accesses of the
+list of connections to survive re-entrancy from independent iothreads.
+
+Although I did not actually try to test old builds, it looks like this
+problem has existed since at least commit 862172f45c (v2.12.0, 2017) -
+even back when that patch started using a QIONetListener to handle
+listening on multiple sockets, nbd_server_free() was already unaware
+that the nbd_blockdev_client_closed callback can be reached later by a
+client thread that has not completed handshakes (and therefore the
+client's socket never got added to the list closed in
+nbd_export_close_all), despite that patch intentionally tearing down
+the QIONetListener to prevent new clients.
+
+Reported-by: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Fixes: CVE-2024-7409
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-14-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 3e7ef738c8462c45043a1d39f702a0990406a3b3)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ blockdev-nbd.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 24ba5382db..f73409ae49 100644
+--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
+@@ -21,12 +21,18 @@
+ #include "io/channel-socket.h"
+ #include "io/net-listener.h"
+ 
+typedef struct NBDConn {
+    QIOChannelSocket *cioc;
+    QLIST_ENTRY(NBDConn) next;
+} NBDConn;
+
+ typedef struct NBDServerData {
+     QIONetListener *listener;
+     QCryptoTLSCreds *tlscreds;
+     char *tlsauthz;
+     uint32_t max_connections;
+     uint32_t connections;
+    QLIST_HEAD(, NBDConn) conns;
+ } NBDServerData;
+ 
+ static NBDServerData *nbd_server;
+@@ -51,6 +57,14 @@ int nbd_server_max_connections(void)
+ 
+ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
+ {
+    NBDConn *conn = nbd_client_owner(client);
+
+    assert(qemu_in_main_thread() && nbd_server);
+
+    object_unref(OBJECT(conn->cioc));
+    QLIST_REMOVE(conn, next);
+    g_free(conn);
+
+     nbd_client_put(client);
+     assert(nbd_server->connections > 0);
+     nbd_server->connections--;
+@@ -60,14 +74,20 @@ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
+ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+                        gpointer opaque)
+ {
+    NBDConn *conn = g_new0(NBDConn, 1);
+
+    assert(qemu_in_main_thread() && nbd_server);
+     nbd_server->connections++;
+    object_ref(OBJECT(cioc));
+    conn->cioc = cioc;
+    QLIST_INSERT_HEAD(&nbd_server->conns, conn, next);
+     nbd_update_server_watch(nbd_server);
+ 
+     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
+     /* TODO - expose handshake timeout as QMP option */
+     nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
+                    nbd_server->tlscreds, nbd_server->tlsauthz,
+-                   nbd_blockdev_client_closed, NULL);
+                   nbd_blockdev_client_closed, conn);
+ }
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+@@ -81,12 +101,25 @@ static void nbd_update_server_watch(NBDServerData *s)
+ 
+ static void nbd_server_free(NBDServerData *server)
+ {
+    NBDConn *conn, *tmp;
+
+     if (!server) {
+         return;
+     }
+ 
+    /*
+     * Forcefully close the listener socket, and any clients that have
+     * not yet disconnected on their own.
+     */
+     qio_net_listener_disconnect(server->listener);
+     object_unref(OBJECT(server->listener));
+    QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
+        qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
+                             NULL);
+    }
+
+    AIO_WAIT_WHILE_UNLOCKED(NULL, server->connections > 0);
+
+     if (server->tlscreds) {
+         object_unref(OBJECT(server->tlscreds));
+     }
--- a/debian/patches/extra/0034-vnc-fix-crash-when-no-console-attached.patch
+++ b/debian/patches/extra/0034-vnc-fix-crash-when-no-console-attached.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Tue, 20 Aug 2024 17:11:12 +0400
+Subject: [PATCH] vnc: fix crash when no console attached
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since commit e99441a3793b5 ("ui/curses: Do not use console_select()")
+qemu_text_console_put_keysym() no longer checks for NULL console
+argument, which leads to a later crash:
+
+Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
+332	        } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
+(gdb) bt
+ #0  0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
+ #1  0x00005555559e18e5 in qemu_text_console_put_keysym (s=<optimized out>, keysym=<optimized out>) at ../ui/console.c:303
+ #2  0x00005555559f2e88 in do_key_event (vs=vs@entry=0x5555579045c0, down=down@entry=1, keycode=keycode@entry=60, sym=sym@entry=65471) at ../ui/vnc.c:2034
+ #3  0x00005555559f845c in ext_key_event (vs=0x5555579045c0, down=1, sym=65471, keycode=<optimized out>) at ../ui/vnc.c:2070
+ #4  protocol_client_msg (vs=0x5555579045c0, data=<optimized out>, len=<optimized out>) at ../ui/vnc.c:2514
+ #5  0x00005555559f515c in vnc_client_read (vs=0x5555579045c0) at ../ui/vnc.c:1607
+
+Fixes: e99441a3793b5 ("ui/curses: Do not use console_select()")
+Fixes: https://issues.redhat.com/browse/RHEL-50529
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+(picked from https://lore.kernel.org/qemu-devel/20240820131112.1267954-1-marcandre.lureau@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ ui/vnc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index b3fd78022b..953ea38318 100644
+--- a/ui/vnc.c
+++ b/ui/vnc.c
+@@ -1935,7 +1935,7 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
+     }
+ 
+     qkbd_state_key_event(vs->vd->kbd, qcode, down);
+-    if (!qemu_console_is_graphic(vs->vd->dcl.con)) {
+    if (QEMU_IS_TEXT_CONSOLE(vs->vd->dcl.con)) {
+         QemuTextConsole *con = QEMU_TEXT_CONSOLE(vs->vd->dcl.con);
+         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
+         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
--- a/debian/patches/extra/0035-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
+++ b/debian/patches/extra/0035-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
@@ -0,0 +1,89 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 22 Aug 2024 09:35:29 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Avoid use-after-free when closing
+ server
+
+Commit 3e7ef738 plugged the use-after-free of the global nbd_server
+object, but overlooked a use-after-free of nbd_server->listener.
+Although this race is harder to hit, notice that our shutdown path
+first drops the reference count of nbd_server->listener, then triggers
+actions that can result in a pending client reaching the
+nbd_blockdev_client_closed() callback, which in turn calls
+qio_net_listener_set_client_func on a potentially stale object.
+
+If we know we don't want any more clients to connect, and have already
+told the listener socket to shut down, then we should not be trying to
+update the listener socket's associated function.
+
+Reproducer:
+
+> #!/usr/bin/python3
+>
+> import os
+> from threading import Thread
+>
+> def start_stop():
+>     while 1:
+>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
+"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
+>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
+>
+> def nbd_list():
+>     while 1:
+>         os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
+>
+> def test():
+>     sst = Thread(target=start_stop)
+>     sst.start()
+>     nlt = Thread(target=nbd_list)
+>     nlt.start()
+>
+>     sst.join()
+>     nlt.join()
+>
+> test()
+
+Fixes: CVE-2024-7409
+Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
+CC: qemu-stable@nongnu.org
+Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240822143617.800419-2-eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 3874f5f73c441c52f1c699c848d463b0eda01e4c)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ blockdev-nbd.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index f73409ae49..b36f41b7c5 100644
+--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
+@@ -92,10 +92,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+ {
+-    if (!s->max_connections || s->connections < s->max_connections) {
+-        qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
+-    } else {
+-        qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+    if (s->listener) {
+        if (!s->max_connections || s->connections < s->max_connections) {
+            qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
+                                             NULL);
+        } else {
+            qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+        }
+     }
+ }
+ 
+@@ -113,6 +116,7 @@ static void nbd_server_free(NBDServerData *server)
+      */
+     qio_net_listener_disconnect(server->listener);
+     object_unref(OBJECT(server->listener));
+    server->listener = NULL;
+     QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
+         qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
+                              NULL);
--- a/debian/patches/extra/0036-softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch
+++ b/debian/patches/extra/0036-softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch
@@ -0,0 +1,134 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 28 Aug 2024 11:07:43 +0200
+Subject: [PATCH] softmmu/physmem: fix memory leak in dirty_memory_extend()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As reported by Peter, we might be leaking memory when removing the
+highest RAMBlock (in the weird ram_addr_t space), and adding a new one.
+
+We will fail to realize that we already allocated bitmaps for more
+dirty memory blocks, and effectively discard the pointers to them.
+
+Fix it by getting rid of last_ram_page() and by remembering the number
+of dirty memory blocks that have been allocated already.
+
+While at it, let's use "unsigned int" for the number of blocks, which
+should be sufficient until we reach ~32 exabytes.
+
+Looks like this leak was introduced as we switched from using a single
+bitmap_zero_extend() to allocating multiple bitmaps:
+bitmap_zero_extend() relies on g_renew() which should have taken care of
+this.
+
+Resolves: https://lkml.kernel.org/r/CAFEAcA-k7a+VObGAfCFNygQNfCKL=AfX6A4kScq=VSSK0peqPg@mail.gmail.com
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Fixes: 5b82b703b69a ("memory: RCU ram_list.dirty_memory[] for safe RAM hotplug")
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Tested-by: Peter Maydell <peter.maydell@linaro.org>
+Cc: qemu-stable@nongnu.org
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+(picked from https://lore.kernel.org/qemu-devel/20240828090743.128647-1-david@redhat.com/)
+[FE: backport - remove not-yet-existing variable in context of hunk touching ram_block_add()]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ include/exec/ramlist.h |  1 +
+ system/physmem.c       | 35 +++++++++--------------------------
+ 2 files changed, 10 insertions(+), 26 deletions(-)
+
+diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
+index 2ad2a81acc..d9cfe530be 100644
+--- a/include/exec/ramlist.h
+++ b/include/exec/ramlist.h
+@@ -50,6 +50,7 @@ typedef struct RAMList {
+     /* RCU-enabled, writes protected by the ramlist lock. */
+     QLIST_HEAD(, RAMBlock) blocks;
+     DirtyMemoryBlocks *dirty_memory[DIRTY_MEMORY_NUM];
+    unsigned int num_dirty_blocks;
+     uint32_t version;
+     QLIST_HEAD(, RAMBlockNotifier) ramblock_notifiers;
+ } RAMList;
+diff --git a/system/physmem.c b/system/physmem.c
+index a4fe3d2bf8..78f7db1121 100644
+--- a/system/physmem.c
+++ b/system/physmem.c
+@@ -1497,18 +1497,6 @@ static ram_addr_t find_ram_offset(ram_addr_t size)
+     return offset;
+ }
+ 
+-static unsigned long last_ram_page(void)
+-{
+-    RAMBlock *block;
+-    ram_addr_t last = 0;
+-
+-    RCU_READ_LOCK_GUARD();
+-    RAMBLOCK_FOREACH(block) {
+-        last = MAX(last, block->offset + block->max_length);
+-    }
+-    return last >> TARGET_PAGE_BITS;
+-}
+-
+ static void qemu_ram_setup_dump(void *addr, ram_addr_t size)
+ {
+     int ret;
+@@ -1762,13 +1750,11 @@ void qemu_ram_msync(RAMBlock *block, ram_addr_t start, ram_addr_t length)
+ }
+ 
+ /* Called with ram_list.mutex held */
+-static void dirty_memory_extend(ram_addr_t old_ram_size,
+-                                ram_addr_t new_ram_size)
+static void dirty_memory_extend(ram_addr_t new_ram_size)
+ {
+-    ram_addr_t old_num_blocks = DIV_ROUND_UP(old_ram_size,
+-                                             DIRTY_MEMORY_BLOCK_SIZE);
+-    ram_addr_t new_num_blocks = DIV_ROUND_UP(new_ram_size,
+-                                             DIRTY_MEMORY_BLOCK_SIZE);
+    unsigned int old_num_blocks = ram_list.num_dirty_blocks;
+    unsigned int new_num_blocks = DIV_ROUND_UP(new_ram_size,
+                                               DIRTY_MEMORY_BLOCK_SIZE);
+     int i;
+ 
+     /* Only need to extend if block count increased */
+@@ -1800,6 +1786,8 @@ static void dirty_memory_extend(ram_addr_t old_ram_size,
+             g_free_rcu(old_blocks, rcu);
+         }
+     }
+
+    ram_list.num_dirty_blocks = new_num_blocks;
+ }
+ 
+ static void ram_block_add(RAMBlock *new_block, Error **errp)
+@@ -1808,11 +1796,9 @@ static void ram_block_add(RAMBlock *new_block, Error **errp)
+     const bool shared = qemu_ram_is_shared(new_block);
+     RAMBlock *block;
+     RAMBlock *last_block = NULL;
+-    ram_addr_t old_ram_size, new_ram_size;
+    ram_addr_t ram_size;
+     Error *err = NULL;
+ 
+-    old_ram_size = last_ram_page();
+-
+     qemu_mutex_lock_ramlist();
+     new_block->offset = find_ram_offset(new_block->max_length);
+ 
+@@ -1840,11 +1826,8 @@ static void ram_block_add(RAMBlock *new_block, Error **errp)
+         }
+     }
+ 
+-    new_ram_size = MAX(old_ram_size,
+-              (new_block->offset + new_block->max_length) >> TARGET_PAGE_BITS);
+-    if (new_ram_size > old_ram_size) {
+-        dirty_memory_extend(old_ram_size, new_ram_size);
+-    }
+    ram_size = (new_block->offset + new_block->max_length) >> TARGET_PAGE_BITS;
+    dirty_memory_extend(ram_size);
+     /* Keep the list sorted from biggest to smallest block.  Unlike QTAILQ,
+      * QLIST (which has an RCU-friendly variant) does not have insertion at
+      * tail, so save the last element in last_block.
--- a/debian/patches/pve-qemu-9.0-vitastor.patch
+++ b/debian/patches/pve-qemu-9.0-vitastor.patch
--- a/debian/patches/pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch
+++ b/debian/patches/pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 2 insertions(+), 2 deletions(-)

 diff --git a/block/file-posix.c b/block/file-posix.c
-index b9647c5ffc..9a16d86344 100644
+index 35684f7e21..43bc0bd520 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
-@@ -552,7 +552,7 @@ static QemuOptsList raw_runtime_opts = {
+@@ -563,7 +563,7 @@ static QemuOptsList raw_runtime_opts = {
         {
             .name = "locking",
             .type = QEMU_OPT_STRING,
@@ -26,7 +26,7 @@ index b9647c5ffc..9a16d86344 100644
         },
         {
             .name = "pr-manager",
-@@ -652,7 +652,7 @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
+@@ -663,7 +663,7 @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
         s->use_lock = false;
         break;
     case ON_OFF_AUTO_AUTO:
--- a/debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
+++ b/debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 2 insertions(+), 2 deletions(-)

 diff --git a/include/net/net.h b/include/net/net.h
-index dc20b31e9f..5ae04a8693 100644
+index b1f9b35fcc..096c0d52e4 100644
 --- a/include/net/net.h
 +++ b/include/net/net.h
-@@ -236,8 +236,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
+@@ -317,8 +317,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
 int net_hub_id_for_client(NetClientState *nc, int *id);
 NetClientState *net_hub_port_find(int hub_id);
 
--- a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
+++ b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
@@ -10,10 +10,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 2 insertions(+), 2 deletions(-)

 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index d4bc19577a..be7da64f38 100644
+index 6b05738079..d82869900a 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
-@@ -2174,9 +2174,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+@@ -2291,9 +2291,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
 #define CPU_RESOLVING_TYPE TYPE_X86_CPU
 
 #ifdef TARGET_X86_64
--- a/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
+++ b/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 9 insertions(+), 6 deletions(-)

 diff --git a/ui/spice-core.c b/ui/spice-core.c
-index c3ac20ad43..37774f1c0a 100644
+index 15be640286..ea20e6153c 100644
 --- a/ui/spice-core.c
 +++ b/ui/spice-core.c
-@@ -689,32 +689,35 @@ static void qemu_spice_init(void)
+@@ -690,32 +690,35 @@ static void qemu_spice_init(void)
 
     if (tls_port) {
         x509_dir = qemu_opt_get(opts, "x509-dir");
--- a/debian/patches/pve/0005-PVE-Config-glusterfs-no-default-logfile-if-daemonize.patch
+++ b/debian/patches/pve/0005-PVE-Config-glusterfs-no-default-logfile-if-daemonize.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 11 insertions(+), 4 deletions(-)

 diff --git a/block/gluster.c b/block/gluster.c
-index 7c90f7ba4b..2e03102f00 100644
+index cc74af06dc..3ba9bbfa5e 100644
 --- a/block/gluster.c
 +++ b/block/gluster.c
-@@ -42,7 +42,7 @@
+@@ -43,7 +43,7 @@
 #define GLUSTER_DEBUG_DEFAULT       4
 #define GLUSTER_DEBUG_MAX           9
 #define GLUSTER_OPT_LOGFILE         "logfile"
@@ -21,15 +21,15 @@ index 7c90f7ba4b..2e03102f00 100644
 /*
  * Several versions of GlusterFS (3.12? -> 6.0.1) fail when the transfer size
  * is greater or equal to 1024 MiB, so we are limiting the transfer size to 512
-@@ -424,6 +424,7 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
+@@ -425,6 +425,7 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
     int old_errno;
     SocketAddressList *server;
-     unsigned long long port;
+     uint64_t port;
 +    const char *logfile;
 
     glfs = glfs_find_preopened(gconf->volume);
     if (glfs) {
-@@ -466,9 +467,15 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
+@@ -467,9 +468,15 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
         }
     }
 
--- a/debian/patches/pve/0006-PVE-Config-rbd-block-rbd-disable-rbd_cache_writethro.patch
+++ b/debian/patches/pve/0006-PVE-Config-rbd-block-rbd-disable-rbd_cache_writethro.patch
@@ -18,10 +18,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 2 insertions(+)

 diff --git a/block/rbd.c b/block/rbd.c
-index f826410f40..64a8d7d48b 100644
+index 84bb2fa5d7..63f60d41be 100644
 --- a/block/rbd.c
 +++ b/block/rbd.c
-@@ -820,6 +820,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
+@@ -963,6 +963,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
         rados_conf_set(*cluster, "rbd_cache", "false");
     }
 
--- a/debian/patches/pve/0007-PVE-Up-glusterfs-allow-partial-reads.patch
+++ b/debian/patches/pve/0007-PVE-Up-glusterfs-allow-partial-reads.patch
@@ -16,10 +16,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 9 insertions(+), 1 deletion(-)

 diff --git a/block/gluster.c b/block/gluster.c
-index 2e03102f00..7886c5fe8c 100644
+index 3ba9bbfa5e..34936eb855 100644
 --- a/block/gluster.c
 +++ b/block/gluster.c
-@@ -57,6 +57,7 @@ typedef struct GlusterAIOCB {
+@@ -58,6 +58,7 @@ typedef struct GlusterAIOCB {
     int ret;
     Coroutine *coroutine;
     AioContext *aio_context;
@@ -27,7 +27,7 @@ index 2e03102f00..7886c5fe8c 100644
 } GlusterAIOCB;
 
 typedef struct BDRVGlusterState {
-@@ -752,8 +753,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret,
+@@ -753,8 +754,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret,
         acb->ret = 0; /* Success */
     } else if (ret < 0) {
         acb->ret = -errno; /* Read/Write failed */
@@ -39,7 +39,7 @@ index 2e03102f00..7886c5fe8c 100644
     }
 
     aio_co_schedule(acb->aio_context, acb->coroutine);
-@@ -1022,6 +1025,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs,
+@@ -1023,6 +1026,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs,
     acb.ret = 0;
     acb.coroutine = qemu_coroutine_self();
     acb.aio_context = bdrv_get_aio_context(bs);
--- a/debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch
+++ b/debian/patches/pve/0007-PVE-Up-qmp-add-get_link_status.patch
@@ -1,98 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Mon, 6 Apr 2020 12:16:37 +0200
-Subject: [PATCH] PVE: [Up] qmp: add get_link_status
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[FE: add get_link_status to command name exceptions]
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
- net/net.c        | 27 +++++++++++++++++++++++++++
- qapi/net.json    | 15 +++++++++++++++
- qapi/pragma.json |  2 ++
- 3 files changed, 44 insertions(+)
-
-diff --git a/net/net.c b/net/net.c
-index 840ad9dca5..28e97c5d85 100644
--- a/net/net.c
-+++ b/net/net.c
-@@ -1372,6 +1372,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
-     }
- }
- 
-+int64_t qmp_get_link_status(const char *name, Error **errp)
-+{
-+    NetClientState *ncs[MAX_QUEUE_NUM];
-+    NetClientState *nc;
-+    int queues;
-+    bool ret;
-+
-+    queues = qemu_find_net_clients_except(name, ncs,
-+                                          NET_CLIENT_DRIVER__MAX,
-+                                          MAX_QUEUE_NUM);
-+
-+    if (queues == 0) {
-+        error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
-+                  "Device '%s' not found", name);
-+        return (int64_t) -1;
-+    }
-+
-+    nc = ncs[0];
-+    ret = ncs[0]->link_down;
-+
-+    if (nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
-+      ret = ncs[0]->peer->link_down;
-+    }
-+
-+    return (int64_t) ret ? 0 : 1;
-+}
-+
- void colo_notify_filters_event(int event, Error **errp)
- {
-     NetClientState *nc;
-diff --git a/qapi/net.json b/qapi/net.json
-index 522ac582ed..327d7c5a37 100644
--- a/qapi/net.json
-+++ b/qapi/net.json
-@@ -36,6 +36,21 @@
- ##
- { 'command': 'set_link', 'data': {'name': 'str', 'up': 'bool'} }
- 
-+##
-+# @get_link_status:
-+#
-+# Get the current link state of the nics or nic.
-+#
-+# @name: name of the nic you get the state of
-+#
-+# Return: If link is up 1
-+#         If link is down 0
-+#         If an error occure an empty string.
-+#
-+# Notes: this is an Proxmox VE extension and not offical part of Qemu.
-+##
-+{ 'command': 'get_link_status', 'data': {'name': 'str'} , 'returns': 'int' }
-+
- ##
- # @netdev_add:
- #
-diff --git a/qapi/pragma.json b/qapi/pragma.json
-index 7f810b0e97..29233db825 100644
--- a/qapi/pragma.json
-+++ b/qapi/pragma.json
-@@ -15,6 +15,7 @@
-         'device_add',
-         'device_del',
-         'expire_password',
-+        'get_link_status',
-         'migrate_cancel',
-         'netdev_add',
-         'netdev_del',
-@@ -26,6 +27,7 @@
-         'system_wakeup' ],
-     # Commands allowed to return a non-dictionary
-     'command-returns-exceptions': [
-+        'get_link_status',
-         'human-monitor-command',
-         'qom-get',
-         'query-tpm-models',
--- a/debian/patches/pve/0008-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch
+++ b/debian/patches/pve/0008-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/qemu-img.c b/qemu-img.c
-index a9b3a8103c..0bc9f1af59 100644
+index 7668f86769..2575e97b43 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -3013,7 +3013,8 @@ static int img_info(int argc, char **argv)
+@@ -3075,7 +3075,8 @@ static int img_info(int argc, char **argv)
     list = collect_image_info_list(image_opts, filename, fmt, chain,
                                    force_share);
     if (!list) {
--- a/debian/patches/pve/0009-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch
+++ b/debian/patches/pve/0009-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch
@@ -38,10 +38,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 2 files changed, 133 insertions(+), 73 deletions(-)

 diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index 1b1dab5b17..d1616c045a 100644
+index c9dd70a892..048788b23d 100644
 --- a/qemu-img-cmds.hx
 +++ b/qemu-img-cmds.hx
-@@ -58,9 +58,9 @@ SRST
+@@ -60,9 +60,9 @@ SRST
 ERST
 
 DEF("dd", img_dd,
@@ -54,10 +54,10 @@ index 1b1dab5b17..d1616c045a 100644
 
 DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 0bc9f1af59..221b9d6a16 100644
+index 2575e97b43..8ec68b346f 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4829,10 +4829,12 @@ static int img_bitmap(int argc, char **argv)
+@@ -4993,10 +4993,12 @@ static int img_bitmap(int argc, char **argv)
 #define C_IF      04
 #define C_OF      010
 #define C_SKIP    020
@@ -70,7 +70,7 @@ index 0bc9f1af59..221b9d6a16 100644
 };
 
 struct DdIo {
-@@ -4908,6 +4910,19 @@ static int img_dd_skip(const char *arg,
+@@ -5072,6 +5074,19 @@ static int img_dd_skip(const char *arg,
     return 0;
 }
 
@@ -90,7 +90,7 @@ index 0bc9f1af59..221b9d6a16 100644
 static int img_dd(int argc, char **argv)
 {
     int ret = 0;
-@@ -4948,6 +4963,7 @@ static int img_dd(int argc, char **argv)
+@@ -5112,6 +5127,7 @@ static int img_dd(int argc, char **argv)
         { "if", img_dd_if, C_IF },
         { "of", img_dd_of, C_OF },
         { "skip", img_dd_skip, C_SKIP },
@@ -98,7 +98,7 @@ index 0bc9f1af59..221b9d6a16 100644
         { NULL, NULL, 0 }
     };
     const struct option long_options[] = {
-@@ -5023,91 +5039,112 @@ static int img_dd(int argc, char **argv)
+@@ -5187,91 +5203,112 @@ static int img_dd(int argc, char **argv)
         arg = NULL;
     }
 
@@ -275,7 +275,7 @@ index 0bc9f1af59..221b9d6a16 100644
     }
 
     if (dd.flags & C_SKIP && (in.offset > INT64_MAX / in.bsz ||
-@@ -5124,20 +5161,43 @@ static int img_dd(int argc, char **argv)
+@@ -5288,20 +5325,43 @@ static int img_dd(int argc, char **argv)
     in.buf = g_new(uint8_t, in.bsz);
 
     for (out_pos = 0; in_pos < size; ) {
--- a/debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-isize-parameter.patch
+++ b/debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-isize-parameter.patch
@@ -16,10 +16,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 1 file changed, 25 insertions(+), 3 deletions(-)

 diff --git a/qemu-img.c b/qemu-img.c
-index 221b9d6a16..c1306385a8 100644
+index 8ec68b346f..b98184bba1 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4830,11 +4830,13 @@ static int img_bitmap(int argc, char **argv)
+@@ -4994,11 +4994,13 @@ static int img_bitmap(int argc, char **argv)
 #define C_OF      010
 #define C_SKIP    020
 #define C_OSIZE   040
@@ -33,7 +33,7 @@ index 221b9d6a16..c1306385a8 100644
 };
 
 struct DdIo {
-@@ -4923,6 +4925,19 @@ static int img_dd_osize(const char *arg,
+@@ -5087,6 +5089,19 @@ static int img_dd_osize(const char *arg,
     return 0;
 }
 
@@ -53,7 +53,7 @@ index 221b9d6a16..c1306385a8 100644
 static int img_dd(int argc, char **argv)
 {
     int ret = 0;
-@@ -4937,12 +4952,14 @@ static int img_dd(int argc, char **argv)
+@@ -5101,12 +5116,14 @@ static int img_dd(int argc, char **argv)
     int c, i;
     const char *out_fmt = "raw";
     const char *fmt = NULL;
@@ -69,7 +69,7 @@ index 221b9d6a16..c1306385a8 100644
     };
     struct DdIo in = {
         .bsz = 512, /* Block size is by default 512 bytes */
-@@ -4964,6 +4981,7 @@ static int img_dd(int argc, char **argv)
+@@ -5128,6 +5145,7 @@ static int img_dd(int argc, char **argv)
         { "of", img_dd_of, C_OF },
         { "skip", img_dd_skip, C_SKIP },
         { "osize", img_dd_osize, C_OSIZE },
@@ -77,7 +77,7 @@ index 221b9d6a16..c1306385a8 100644
         { NULL, NULL, 0 }
     };
     const struct option long_options[] = {
-@@ -5160,9 +5178,10 @@ static int img_dd(int argc, char **argv)
+@@ -5324,9 +5342,10 @@ static int img_dd(int argc, char **argv)
 
     in.buf = g_new(uint8_t, in.bsz);
 
@@ -90,7 +90,7 @@ index 221b9d6a16..c1306385a8 100644
         if (blk1) {
             in_ret = blk_pread(blk1, in_pos, bytes, in.buf, 0);
             if (in_ret == 0) {
-@@ -5171,6 +5190,9 @@ static int img_dd(int argc, char **argv)
+@@ -5335,6 +5354,9 @@ static int img_dd(int argc, char **argv)
         } else {
             in_ret = read(STDIN_FILENO, in.buf, bytes);
             if (in_ret == 0) {
--- a/debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-n-skip_create.patch
+++ b/debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-n-skip_create.patch
@@ -13,10 +13,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 3 files changed, 26 insertions(+), 12 deletions(-)

 diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
-index 15aeddc6d8..5e713e231d 100644
+index 3653adb963..d83e8fb3c0 100644
 --- a/docs/tools/qemu-img.rst
 +++ b/docs/tools/qemu-img.rst
-@@ -208,6 +208,10 @@ Parameters to convert subcommand:
+@@ -212,6 +212,10 @@ Parameters to convert subcommand:
 
 Parameters to dd subcommand:
 
@@ -27,7 +27,7 @@ index 15aeddc6d8..5e713e231d 100644
 .. program:: qemu-img-dd
 
 .. option:: bs=BLOCK_SIZE
-@@ -488,7 +492,7 @@ Command description:
+@@ -492,7 +496,7 @@ Command description:
   it doesn't need to be specified separately in this case.
 
 
@@ -36,7 +36,7 @@ index 15aeddc6d8..5e713e231d 100644
 
   dd copies from *INPUT* file to *OUTPUT* file converting it from
   *FMT* format to *OUTPUT_FMT* format.
-@@ -499,6 +503,11 @@ Command description:
+@@ -503,6 +507,11 @@ Command description:
 
   The size syntax is similar to :manpage:`dd(1)`'s size syntax.
 
@@ -49,10 +49,10 @@ index 15aeddc6d8..5e713e231d 100644
 
   Give information about the disk image *FILENAME*. Use it in
 diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index d1616c045a..b5b0bb4467 100644
+index 048788b23d..0b29a67a06 100644
 --- a/qemu-img-cmds.hx
 +++ b/qemu-img-cmds.hx
-@@ -58,9 +58,9 @@ SRST
+@@ -60,9 +60,9 @@ SRST
 ERST
 
 DEF("dd", img_dd,
@@ -65,10 +65,10 @@ index d1616c045a..b5b0bb4467 100644
 
 DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index c1306385a8..59c403373b 100644
+index b98184bba1..6fc8384f64 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4954,7 +4954,7 @@ static int img_dd(int argc, char **argv)
+@@ -5118,7 +5118,7 @@ static int img_dd(int argc, char **argv)
     const char *fmt = NULL;
     int64_t size = 0, readsize = 0;
     int64_t out_pos, in_pos;
@@ -77,7 +77,7 @@ index c1306385a8..59c403373b 100644
     struct DdInfo dd = {
         .flags = 0,
         .count = 0,
-@@ -4992,7 +4992,7 @@ static int img_dd(int argc, char **argv)
+@@ -5156,7 +5156,7 @@ static int img_dd(int argc, char **argv)
         { 0, 0, 0, 0 }
     };
 
@@ -86,7 +86,7 @@ index c1306385a8..59c403373b 100644
         if (c == EOF) {
             break;
         }
-@@ -5012,6 +5012,9 @@ static int img_dd(int argc, char **argv)
+@@ -5176,6 +5176,9 @@ static int img_dd(int argc, char **argv)
         case 'h':
             help();
             break;
@@ -96,7 +96,7 @@ index c1306385a8..59c403373b 100644
         case 'U':
             force_share = true;
             break;
-@@ -5142,13 +5145,15 @@ static int img_dd(int argc, char **argv)
+@@ -5306,13 +5309,15 @@ static int img_dd(int argc, char **argv)
                                 size - in.bsz * in.offset, &error_abort);
         }
 
--- a/debian/patches/pve/0012-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch
+++ b/debian/patches/pve/0012-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch
@@ -1,9 +1,9 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Fabian Ebner <f.ebner@proxmox.com>
 Date: Mon, 7 Feb 2022 14:21:01 +0100
-Subject: [PATCH] qemu-img: dd: add -l option for loading a snapshot
+Subject: [PATCH] qemu-img dd: add -l option for loading a snapshot

-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 docs/tools/qemu-img.rst |  6 +++---
@@ -12,10 +12,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 3 files changed, 36 insertions(+), 7 deletions(-)

 diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
-index 5e713e231d..9390d5e5cf 100644
+index d83e8fb3c0..61c6b21859 100644
 --- a/docs/tools/qemu-img.rst
 +++ b/docs/tools/qemu-img.rst
-@@ -492,10 +492,10 @@ Command description:
+@@ -496,10 +496,10 @@ Command description:
   it doesn't need to be specified separately in this case.
 
 
@@ -30,10 +30,10 @@ index 5e713e231d..9390d5e5cf 100644
   The data is by default read and written using blocks of 512 bytes but can be
   modified by specifying *BLOCK_SIZE*. If count=\ *BLOCKS* is specified
 diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index b5b0bb4467..36f97e1f19 100644
+index 0b29a67a06..758f397232 100644
 --- a/qemu-img-cmds.hx
 +++ b/qemu-img-cmds.hx
-@@ -58,9 +58,9 @@ SRST
+@@ -60,9 +60,9 @@ SRST
 ERST
 
 DEF("dd", img_dd,
@@ -46,10 +46,10 @@ index b5b0bb4467..36f97e1f19 100644
 
 DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 59c403373b..065a54cc42 100644
+index 6fc8384f64..a6c88e0860 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4946,6 +4946,7 @@ static int img_dd(int argc, char **argv)
+@@ -5110,6 +5110,7 @@ static int img_dd(int argc, char **argv)
     BlockDriver *drv = NULL, *proto_drv = NULL;
     BlockBackend *blk1 = NULL, *blk2 = NULL;
     QemuOpts *opts = NULL;
@@ -57,7 +57,7 @@ index 59c403373b..065a54cc42 100644
     QemuOptsList *create_opts = NULL;
     Error *local_err = NULL;
     bool image_opts = false;
-@@ -4955,6 +4956,7 @@ static int img_dd(int argc, char **argv)
+@@ -5119,6 +5120,7 @@ static int img_dd(int argc, char **argv)
     int64_t size = 0, readsize = 0;
     int64_t out_pos, in_pos;
     bool force_share = false, skip_create = false;
@@ -65,7 +65,7 @@ index 59c403373b..065a54cc42 100644
     struct DdInfo dd = {
         .flags = 0,
         .count = 0,
-@@ -4992,7 +4994,7 @@ static int img_dd(int argc, char **argv)
+@@ -5156,7 +5158,7 @@ static int img_dd(int argc, char **argv)
         { 0, 0, 0, 0 }
     };
 
@@ -74,7 +74,7 @@ index 59c403373b..065a54cc42 100644
         if (c == EOF) {
             break;
         }
-@@ -5015,6 +5017,19 @@ static int img_dd(int argc, char **argv)
+@@ -5179,6 +5181,19 @@ static int img_dd(int argc, char **argv)
         case 'n':
             skip_create = true;
             break;
@@ -94,7 +94,7 @@ index 59c403373b..065a54cc42 100644
         case 'U':
             force_share = true;
             break;
-@@ -5074,11 +5089,24 @@ static int img_dd(int argc, char **argv)
+@@ -5238,11 +5253,24 @@ static int img_dd(int argc, char **argv)
     if (dd.flags & C_IF) {
         blk1 = img_open(image_opts, in.filename, fmt, 0, false, false,
                         force_share);
@@ -120,7 +120,7 @@ index 59c403373b..065a54cc42 100644
     }
 
     if (dd.flags & C_OSIZE) {
-@@ -5233,6 +5261,7 @@ static int img_dd(int argc, char **argv)
+@@ -5397,6 +5425,7 @@ static int img_dd(int argc, char **argv)
 out:
     g_free(arg);
     qemu_opts_del(opts);
--- a/debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch
+++ b/debian/patches/pve/0013-PVE-virtio-balloon-improve-query-balloon.patch
@@ -7,20 +7,62 @@ Actually provide memory information via the query-balloon
 command.

 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[FE: add BalloonInfo to member name exceptions list]
+[FE: add BalloonInfo to member name exceptions list
+     rebase for 8.0 - moved to hw/core/machine-hmp-cmds.c]
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
+ hw/core/machine-hmp-cmds.c | 30 +++++++++++++++++++++++++++++-
 hw/virtio/virtio-balloon.c | 33 +++++++++++++++++++++++++++++++--
- monitor/hmp-cmds.c         | 30 +++++++++++++++++++++++++++++-
 qapi/machine.json          | 22 +++++++++++++++++++++-
 qapi/pragma.json           |  1 +
 4 files changed, 82 insertions(+), 4 deletions(-)

+diff --git a/hw/core/machine-hmp-cmds.c b/hw/core/machine-hmp-cmds.c
+index a6ff6a4875..e7f74d1c63 100644
+--- a/hw/core/machine-hmp-cmds.c
+++ b/hw/core/machine-hmp-cmds.c
+@@ -175,7 +175,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict)
+         return;
+     }
+ 
+-    monitor_printf(mon, "balloon: actual=%" PRId64 "\n", info->actual >> 20);
+    monitor_printf(mon, "balloon: actual=%" PRId64, info->actual >> 20);
+    monitor_printf(mon, " max_mem=%" PRId64, info->max_mem >> 20);
+    if (info->has_total_mem) {
+        monitor_printf(mon, " total_mem=%" PRId64, info->total_mem >> 20);
+    }
+    if (info->has_free_mem) {
+        monitor_printf(mon, " free_mem=%" PRId64, info->free_mem >> 20);
+    }
+
+    if (info->has_mem_swapped_in) {
+        monitor_printf(mon, " mem_swapped_in=%" PRId64, info->mem_swapped_in);
+    }
+    if (info->has_mem_swapped_out) {
+        monitor_printf(mon, " mem_swapped_out=%" PRId64, info->mem_swapped_out);
+    }
+    if (info->has_major_page_faults) {
+        monitor_printf(mon, " major_page_faults=%" PRId64,
+                       info->major_page_faults);
+    }
+    if (info->has_minor_page_faults) {
+        monitor_printf(mon, " minor_page_faults=%" PRId64,
+                       info->minor_page_faults);
+    }
+    if (info->has_last_update) {
+        monitor_printf(mon, " last_update=%" PRId64,
+                       info->last_update);
+    }
+
+    monitor_printf(mon, "\n");
+ 
+     qapi_free_BalloonInfo(info);
+ }
 diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index 73ac5eb675..bbfe7eca62 100644
+index 609e39a821..8cb6dfcac3 100644
 --- a/hw/virtio/virtio-balloon.c
 +++ b/hw/virtio/virtio-balloon.c
-@@ -806,8 +806,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
+@@ -781,8 +781,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
 static void virtio_balloon_stat(void *opaque, BalloonInfo *info)
 {
     VirtIOBalloon *dev = opaque;
@@ -60,54 +102,13 @@ index 73ac5eb675..bbfe7eca62 100644
 }
 
 static void virtio_balloon_to_target(void *opaque, ram_addr_t target)
-diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index 01b789a79e..480b798963 100644
--- a/monitor/hmp-cmds.c
-+++ b/monitor/hmp-cmds.c
-@@ -696,7 +696,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict)
-         return;
-     }
- 
-    monitor_printf(mon, "balloon: actual=%" PRId64 "\n", info->actual >> 20);
-+    monitor_printf(mon, "balloon: actual=%" PRId64, info->actual >> 20);
-+    monitor_printf(mon, " max_mem=%" PRId64, info->max_mem >> 20);
-+    if (info->has_total_mem) {
-+        monitor_printf(mon, " total_mem=%" PRId64, info->total_mem >> 20);
-+    }
-+    if (info->has_free_mem) {
-+        monitor_printf(mon, " free_mem=%" PRId64, info->free_mem >> 20);
-+    }
-+
-+    if (info->has_mem_swapped_in) {
-+        monitor_printf(mon, " mem_swapped_in=%" PRId64, info->mem_swapped_in);
-+    }
-+    if (info->has_mem_swapped_out) {
-+        monitor_printf(mon, " mem_swapped_out=%" PRId64, info->mem_swapped_out);
-+    }
-+    if (info->has_major_page_faults) {
-+        monitor_printf(mon, " major_page_faults=%" PRId64,
-+                       info->major_page_faults);
-+    }
-+    if (info->has_minor_page_faults) {
-+        monitor_printf(mon, " minor_page_faults=%" PRId64,
-+                       info->minor_page_faults);
-+    }
-+    if (info->has_last_update) {
-+        monitor_printf(mon, " last_update=%" PRId64,
-+                       info->last_update);
-+    }
-+
-+    monitor_printf(mon, "\n");
- 
-     qapi_free_BalloonInfo(info);
- }
 diff --git a/qapi/machine.json b/qapi/machine.json
-index b9228a5e46..10e77a9af3 100644
+index e8b60641f2..2054cdc70d 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
-@@ -1054,9 +1054,29 @@
- # @actual: the logical size of the VM in bytes
- #          Formula used: logical_vm_size = vm_ram_size - balloon_size
+@@ -1079,9 +1079,29 @@
+ # @actual: the logical size of the VM in bytes Formula used:
+ #     logical_vm_size = vm_ram_size - balloon_size
 #
 +# @last_update: time when stats got updated from guest
 +#
@@ -137,10 +138,10 @@ index b9228a5e46..10e77a9af3 100644
 ##
 # @query-balloon:
 diff --git a/qapi/pragma.json b/qapi/pragma.json
-index 29233db825..f2097b9020 100644
+index 59fbe74b8c..be8fa304c5 100644
 --- a/qapi/pragma.json
 +++ b/qapi/pragma.json
-@@ -37,6 +37,7 @@
+@@ -90,6 +90,7 @@
     'member-name-exceptions': [     # visible in:
         'ACPISlotType',             # query-acpi-ospm-status
         'AcpiTableOptions',         # -acpitable
--- a/debian/patches/pve/0014-PVE-qapi-modify-query-machines.patch
+++ b/debian/patches/pve/0014-PVE-qapi-modify-query-machines.patch
@@ -13,13 +13,13 @@ Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
 2 files changed, 9 insertions(+), 1 deletion(-)

 diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
-index 4f4ab30f8c..76fff60a6b 100644
+index 4b72009cd3..314351cdff 100644
 --- a/hw/core/machine-qmp-cmds.c
 +++ b/hw/core/machine-qmp-cmds.c
-@@ -99,6 +99,12 @@ MachineInfoList *qmp_query_machines(Error **errp)
-         info->hotpluggable_cpus = mc->has_hotpluggable_cpus;
+@@ -90,6 +90,12 @@ MachineInfoList *qmp_query_machines(Error **errp)
         info->numa_mem_supported = mc->numa_mem_supported;
         info->deprecated = !!mc->deprecation_reason;
+         info->acpi = !!object_class_property_find(OBJECT_CLASS(mc), "acpi");
 +
 +        if (strcmp(mc->name, MACHINE_GET_CLASS(current_machine)->name) == 0) {
 +            info->has_is_current = true;
@@ -28,21 +28,21 @@ index 4f4ab30f8c..76fff60a6b 100644
 +
         if (mc->default_cpu_type) {
             info->default_cpu_type = g_strdup(mc->default_cpu_type);
-             info->has_default_cpu_type = true;
+         }
 diff --git a/qapi/machine.json b/qapi/machine.json
-index 10e77a9af3..9156103c8f 100644
+index 2054cdc70d..a024d5b05d 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
-@@ -138,6 +138,8 @@
+@@ -146,6 +146,8 @@
 #
 # @is-default: whether the machine is default
 #
 +# @is-current: whether this machine is currently used
 +#
 # @cpu-max: maximum number of CPUs supported by the machine type
- #           (since 1.5)
+ #     (since 1.5)
 #
-@@ -159,7 +161,7 @@
+@@ -170,7 +172,7 @@
 ##
 { 'struct': 'MachineInfo',
   'data': { 'name': 'str', '*alias': 'str',
@@ -50,4 +50,4 @@ index 10e77a9af3..9156103c8f 100644
 +            '*is-default': 'bool', '*is-current': 'bool', 'cpu-max': 'int',
             'hotpluggable-cpus': 'bool',  'numa-mem-supported': 'bool',
             'deprecated': 'bool', '*default-cpu-type': 'str',
-             '*default-ram-id': 'str' } }
+             '*default-ram-id': 'str', 'acpi': 'bool' } }
--- a/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
+++ b/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
@@ -6,16 +6,18 @@ Subject: [PATCH] PVE: qapi: modify spice query
 Provide the last ticket in the SpiceInfo struct optionally.

 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: adapt to QAPI change]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 qapi/ui.json    | 3 +++
- ui/spice-core.c | 5 +++++
- 2 files changed, 8 insertions(+)
+ ui/spice-core.c | 4 ++++
+ 2 files changed, 7 insertions(+)

 diff --git a/qapi/ui.json b/qapi/ui.json
-index 0abba3e930..bf8f441227 100644
+index f610bce118..6ea26a9acb 100644
 --- a/qapi/ui.json
 +++ b/qapi/ui.json
-@@ -310,11 +310,14 @@
+@@ -314,11 +314,14 @@
 #
 # @channels: a list of @SpiceChannel for each active spice channel
 #
@@ -31,15 +33,14 @@ index 0abba3e930..bf8f441227 100644
   'if': 'CONFIG_SPICE' }
 
 diff --git a/ui/spice-core.c b/ui/spice-core.c
-index 37774f1c0a..367f77f2b4 100644
+index ea20e6153c..55a15fba8b 100644
 --- a/ui/spice-core.c
 +++ b/ui/spice-core.c
-@@ -534,6 +534,11 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)
+@@ -548,6 +548,10 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)
     micro = SPICE_SERVER_VERSION & 0xff;
     info->compiled_version = g_strdup_printf("%d.%d.%d", major, minor, micro);
 
 +    if (auth_passwd) {
-+        info->has_ticket = true;
 +        info->ticket =  g_strdup(auth_passwd);
 +    }
 +
--- a/debian/patches/pve/0016-PVE-add-IOChannel-implementation-for-savevm-async.patch
+++ b/debian/patches/pve/0016-PVE-add-IOChannel-implementation-for-savevm-async.patch
@@ -14,20 +14,21 @@ Additionally, allows tracking the current position from the outside
 (intended to be used for progress tracking).

 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- migration/channel-savevm-async.c | 182 +++++++++++++++++++++++++++++++
+ migration/channel-savevm-async.c | 184 +++++++++++++++++++++++++++++++
 migration/channel-savevm-async.h |  51 +++++++++
 migration/meson.build            |   1 +
- 3 files changed, 234 insertions(+)
+ 3 files changed, 236 insertions(+)
 create mode 100644 migration/channel-savevm-async.c
 create mode 100644 migration/channel-savevm-async.h

 diff --git a/migration/channel-savevm-async.c b/migration/channel-savevm-async.c
 new file mode 100644
-index 0000000000..06d5484778
+index 0000000000..081a192f49
 --- /dev/null
 +++ b/migration/channel-savevm-async.c
-@@ -0,0 +1,182 @@
+@@ -0,0 +1,184 @@
 +/*
 + * QIO Channel implementation to be used by savevm-async QMP calls
 + */
@@ -71,6 +72,7 @@ index 0000000000..06d5484778
 +                               size_t niov,
 +                               int **fds,
 +                               size_t *nfds,
+                               int flags,
 +                               Error **errp)
 +{
 +    QIOChannelSavevmAsync *saioc = QIO_CHANNEL_SAVEVM_ASYNC(ioc);
@@ -173,8 +175,9 @@ index 0000000000..06d5484778
 +
 +static void
 +qio_channel_savevm_async_set_aio_fd_handler(QIOChannel *ioc,
-+                                            AioContext *ctx,
+                                            AioContext *read_ctx,
 +                                            IOHandler *io_read,
+                                            AioContext *write_ctx,
 +                                            IOHandler *io_write,
 +                                            void *opaque)
 +{
@@ -268,14 +271,14 @@ index 0000000000..17ae2cb261
 +
 +#endif /* QIO_CHANNEL_SAVEVM_ASYNC_H */
 diff --git a/migration/meson.build b/migration/meson.build
-index 690487cf1a..8cac83c06c 100644
+index 1eeb915ff6..95d1cf2250 100644
 --- a/migration/meson.build
 +++ b/migration/meson.build
-@@ -13,6 +13,7 @@ softmmu_ss.add(files(
+@@ -13,6 +13,7 @@ system_ss.add(files(
   'block-dirty-bitmap.c',
   'channel.c',
   'channel-block.c',
 +  'channel-savevm-async.c',
-   'colo-failover.c',
-   'colo.c',
+   'dirtyrate.c',
   'exec.c',
+   'fd.c',
--- a/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
+++ b/debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch
@@ -21,32 +21,36 @@ still opened by QEMU.
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-[improve aborting]
+[SR: improve aborting
+     register yank before migration_incoming_state_destroy]
 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 [FE: further improve aborting
     adapt to removal of QEMUFileOps
-     improve condition for entering final stage]
+     improve condition for entering final stage
+     adapt to QAPI and other changes for 8.2
+     make sure to not call vm_start() from coroutine
+     stop CPU throttling after finishing]
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 hmp-commands-info.hx         |  13 +
- hmp-commands.hx              |  33 +++
+ hmp-commands.hx              |  17 ++
 include/migration/snapshot.h |   2 +
- include/monitor/hmp.h        |   5 +
+ include/monitor/hmp.h        |   3 +
 migration/meson.build        |   1 +
- migration/savevm-async.c     | 538 +++++++++++++++++++++++++++++++++++
- monitor/hmp-cmds.c           |  57 ++++
+ migration/savevm-async.c     | 545 +++++++++++++++++++++++++++++++++++
+ monitor/hmp-cmds.c           |  38 +++
 qapi/migration.json          |  34 +++
- qapi/misc.json               |  32 +++
+ qapi/misc.json               |  18 ++
 qemu-options.hx              |  12 +
- softmmu/vl.c                 |  10 +
- 11 files changed, 737 insertions(+)
+ system/vl.c                  |  10 +
+ 11 files changed, 693 insertions(+)
 create mode 100644 migration/savevm-async.c

 diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
-index 754b1e8408..489c524e9e 100644
+index ad1b1306e3..d5ab880492 100644
 --- a/hmp-commands-info.hx
 +++ b/hmp-commands-info.hx
-@@ -540,6 +540,19 @@ SRST
+@@ -525,6 +525,19 @@ SRST
     Show current migration parameters.
 ERST
 
@@ -67,11 +71,11 @@ index 754b1e8408..489c524e9e 100644
         .name       = "balloon",
         .args_type  = "",
 diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 673e39a697..039be0033d 100644
+index 2e2a3bcf98..7506de251c 100644
 --- a/hmp-commands.hx
 +++ b/hmp-commands.hx
-@@ -1815,3 +1815,36 @@ SRST
-   Dump the FDT in dtb format to *filename*.
+@@ -1862,3 +1862,20 @@ SRST
+   List event channels in the guest
 ERST
 #endif
 +
@@ -84,22 +88,6 @@ index 673e39a697..039be0033d 100644
 +    },
 +
 +    {
-+        .name       = "snapshot-drive",
-+        .args_type  = "device:s,name:s",
-+        .params     = "device name",
-+        .help       = "Create internal snapshot.",
-+        .cmd = hmp_snapshot_drive,
-+    },
-+
-+    {
-+        .name       = "delete-drive-snapshot",
-+        .args_type  = "device:s,name:s",
-+        .params     = "device name",
-+        .help       = "Delete internal snapshot.",
-+        .cmd = hmp_delete_drive_snapshot,
-+    },
-+
-+    {
 +        .name       = "savevm-end",
 +        .args_type  = "",
 +        .params     = "",
@@ -108,21 +96,21 @@ index 673e39a697..039be0033d 100644
 +        .coroutine  = true,
 +    },
 diff --git a/include/migration/snapshot.h b/include/migration/snapshot.h
-index e72083b117..c846d37806 100644
+index 9e4dcaaa75..2581730d74 100644
 --- a/include/migration/snapshot.h
 +++ b/include/migration/snapshot.h
-@@ -61,4 +61,6 @@ bool delete_snapshot(const char *name,
-                     bool has_devices, strList *devices,
-                     Error **errp);
+@@ -68,4 +68,6 @@ bool delete_snapshot(const char *name,
+  */
+ void load_snapshot_resume(RunState state);
 
 +int load_snapshot_from_blockdev(const char *filename, Error **errp);
 +
 #endif
 diff --git a/include/monitor/hmp.h b/include/monitor/hmp.h
-index dfbc0c9a2f..440f86aba8 100644
+index 13f9a2dedb..7a7def7530 100644
 --- a/include/monitor/hmp.h
 +++ b/include/monitor/hmp.h
-@@ -27,6 +27,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict);
+@@ -28,6 +28,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict);
 void hmp_info_uuid(Monitor *mon, const QDict *qdict);
 void hmp_info_chardev(Monitor *mon, const QDict *qdict);
 void hmp_info_mice(Monitor *mon, const QDict *qdict);
@@ -130,43 +118,44 @@ index dfbc0c9a2f..440f86aba8 100644
 void hmp_info_migrate(Monitor *mon, const QDict *qdict);
 void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
 void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict);
-@@ -81,6 +82,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict);
- void hmp_netdev_del(Monitor *mon, const QDict *qdict);
- void hmp_getfd(Monitor *mon, const QDict *qdict);
- void hmp_closefd(Monitor *mon, const QDict *qdict);
+@@ -94,6 +95,8 @@ void hmp_closefd(Monitor *mon, const QDict *qdict);
+ void hmp_mouse_move(Monitor *mon, const QDict *qdict);
+ void hmp_mouse_button(Monitor *mon, const QDict *qdict);
+ void hmp_mouse_set(Monitor *mon, const QDict *qdict);
 +void hmp_savevm_start(Monitor *mon, const QDict *qdict);
-+void hmp_snapshot_drive(Monitor *mon, const QDict *qdict);
-+void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict);
 +void hmp_savevm_end(Monitor *mon, const QDict *qdict);
 void hmp_sendkey(Monitor *mon, const QDict *qdict);
 void coroutine_fn hmp_screendump(Monitor *mon, const QDict *qdict);
 void hmp_chardev_add(Monitor *mon, const QDict *qdict);
 diff --git a/migration/meson.build b/migration/meson.build
-index 8cac83c06c..0842d00cd2 100644
+index 95d1cf2250..800f12a60d 100644
 --- a/migration/meson.build
 +++ b/migration/meson.build
-@@ -24,6 +24,7 @@ softmmu_ss.add(files(
-   'multifd-zlib.c',
+@@ -28,6 +28,7 @@ system_ss.add(files(
+   'options.c',
   'postcopy-ram.c',
   'savevm.c',
 +  'savevm-async.c',
   'socket.c',
   'tls.c',
- ), gnutls)
+   'threadinfo.c',
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
 new file mode 100644
-index 0000000000..dc30558713
+index 0000000000..1af32604c7
 --- /dev/null
 +++ b/migration/savevm-async.c
-@@ -0,0 +1,538 @@
+@@ -0,0 +1,545 @@
 +#include "qemu/osdep.h"
 +#include "migration/channel-savevm-async.h"
 +#include "migration/migration.h"
+#include "migration/migration-stats.h"
+#include "migration/options.h"
 +#include "migration/savevm.h"
 +#include "migration/snapshot.h"
 +#include "migration/global_state.h"
 +#include "migration/ram.h"
 +#include "migration/qemu-file.h"
+#include "sysemu/cpu-throttle.h"
 +#include "sysemu/sysemu.h"
 +#include "sysemu/runstate.h"
 +#include "block/block.h"
@@ -181,6 +170,7 @@ index 0000000000..dc30558713
 +#include "qemu/timer.h"
 +#include "qemu/main-loop.h"
 +#include "qemu/rcu.h"
+#include "qemu/yank.h"
 +
 +/* #define DEBUG_SAVEVM_STATE */
 +
@@ -231,24 +221,20 @@ index 0000000000..dc30558713
 +        info->bytes = s->bs_pos;
 +        switch (s->state) {
 +        case SAVE_STATE_ERROR:
-+            info->has_status = true;
 +            info->status = g_strdup("failed");
 +            info->has_total_time = true;
 +            info->total_time = s->total_time;
 +            if (s->error) {
-+                info->has_error = true;
 +                info->error = g_strdup(error_get_pretty(s->error));
 +            }
 +            break;
 +        case SAVE_STATE_ACTIVE:
-+            info->has_status = true;
 +            info->status = g_strdup("active");
 +            info->has_total_time = true;
 +            info->total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME)
 +                - s->total_time;
 +            break;
 +        case SAVE_STATE_COMPLETED:
-+            info->has_status = true;
 +            info->status = g_strdup("completed");
 +            info->has_total_time = true;
 +            info->total_time = s->total_time;
@@ -294,7 +280,7 @@ index 0000000000..dc30558713
 +    return ret;
 +}
 +
-+static void save_snapshot_error(const char *fmt, ...)
+static void G_GNUC_PRINTF(1, 2) save_snapshot_error(const char *fmt, ...)
 +{
 +    va_list ap;
 +    char *msg;
@@ -317,7 +303,6 @@ index 0000000000..dc30558713
 +static void process_savevm_finalize(void *opaque)
 +{
 +    int ret;
-+    AioContext *iohandler_ctx = iohandler_get_aio_context();
 +    MigrationState *ms = migrate_get_current();
 +
 +    bool aborted = savevm_aborted();
@@ -334,9 +319,7 @@ index 0000000000..dc30558713
 +     * so move it back. It can stay in the main context and live out its live
 +     * there, since we're done with it after this method ends anyway.
 +     */
-+    aio_context_acquire(iohandler_ctx);
 +    blk_set_aio_context(snap_state.target, qemu_get_aio_context(), NULL);
-+    aio_context_release(iohandler_ctx);
 +
 +    ret = vm_stop_force_state(RUN_STATE_FINISH_MIGRATE);
 +    if (ret < 0) {
@@ -361,6 +344,12 @@ index 0000000000..dc30558713
 +        ret || aborted ? MIGRATION_STATUS_FAILED : MIGRATION_STATUS_COMPLETED);
 +    ms->to_dst_file = NULL;
 +
+    /*
+     * Same as in migration_iteration_finish(): saving RAM might've turned on CPU throttling for
+     * auto-converge, make sure to disable it.
+     */
+    cpu_throttle_stop();
+
 +    qemu_savevm_state_cleanup();
 +
 +    ret = save_snapshot_cleanup();
@@ -405,14 +394,21 @@ index 0000000000..dc30558713
 +    }
 +
 +    while (snap_state.state == SAVE_STATE_ACTIVE) {
-+        uint64_t pending_size, pend_precopy, pend_compatible, pend_postcopy;
+        uint64_t pending_size, pend_precopy, pend_postcopy;
+        uint64_t threshold = 400 * 1000;
 +
-+        /* pending is expected to be called without iothread lock */
-+        qemu_mutex_unlock_iothread();
-+        qemu_savevm_state_pending(snap_state.file, 0, &pend_precopy, &pend_compatible, &pend_postcopy);
-+        qemu_mutex_lock_iothread();
-+
-+        pending_size = pend_precopy + pend_compatible + pend_postcopy;
+        /*
+         * pending_{estimate,exact} are expected to be called without iothread
+         * lock. Similar to what is done in migration.c, call the exact variant
+         * only once pend_precopy in the estimate is below the threshold.
+         */
+        bql_unlock();
+        qemu_savevm_state_pending_estimate(&pend_precopy, &pend_postcopy);
+        if (pend_precopy <= threshold) {
+            qemu_savevm_state_pending_exact(&pend_precopy, &pend_postcopy);
+        }
+        bql_lock();
+        pending_size = pend_precopy + pend_postcopy;
 +
 +        /*
 +         * A guest reaching this cutoff is dirtying lots of RAM. It should be
@@ -423,7 +419,7 @@ index 0000000000..dc30558713
 +        maxlen = blk_getlength(snap_state.target) - 100*1024*1024;
 +
 +        /* Note that there is no progress for pend_postcopy when iterating */
-+        if (pending_size - pend_postcopy > 400000 && snap_state.bs_pos + pending_size < maxlen) {
+        if (pend_precopy > threshold && snap_state.bs_pos + pending_size < maxlen) {
 +            ret = qemu_savevm_state_iterate(snap_state.file, false);
 +            if (ret < 0) {
 +                save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
@@ -432,11 +428,7 @@ index 0000000000..dc30558713
 +            DPRINTF("savevm iterate pending size %lu ret %d\n", pending_size, ret);
 +        } else {
 +            qemu_system_wakeup_request(QEMU_WAKEUP_REASON_OTHER, NULL);
-+            ret = global_state_store();
-+            if (ret) {
-+                save_snapshot_error("global_state_store error %d", ret);
-+                break;
-+            }
+            global_state_store();
 +
 +            DPRINTF("savevm iterate complete\n");
 +            break;
@@ -455,19 +447,25 @@ index 0000000000..dc30558713
 +     * so move there now and after every flush.
 +     */
 +    aio_co_reschedule_self(qemu_get_aio_context());
-+    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
+    bdrv_graph_co_rdlock();
+    bs = bdrv_first(&it);
+    bdrv_graph_co_rdunlock();
+    while (bs) {
 +        /* target has BDRV_O_NO_FLUSH, no sense calling bdrv_flush on it */
-+        if (bs == blk_bs(snap_state.target)) {
-+            continue;
-+        }
-+
-+        AioContext *bs_ctx = bdrv_get_aio_context(bs);
-+        if (bs_ctx != qemu_get_aio_context()) {
-+            DPRINTF("savevm: async flushing drive %s\n", bs->filename);
-+            aio_co_reschedule_self(bs_ctx);
-+            bdrv_flush(bs);
-+            aio_co_reschedule_self(qemu_get_aio_context());
+        if (bs != blk_bs(snap_state.target)) {
+            AioContext *bs_ctx = bdrv_get_aio_context(bs);
+            if (bs_ctx != qemu_get_aio_context()) {
+                DPRINTF("savevm: async flushing drive %s\n", bs->filename);
+                aio_co_reschedule_self(bs_ctx);
+                bdrv_graph_co_rdlock();
+                bdrv_flush(bs);
+                bdrv_graph_co_rdunlock();
+                aio_co_reschedule_self(qemu_get_aio_context());
+            }
 +        }
+        bdrv_graph_co_rdlock();
+        bs = bdrv_next(&it);
+        bdrv_graph_co_rdunlock();
 +    }
 +
 +    DPRINTF("timing: async flushing took %ld ms\n",
@@ -476,7 +474,7 @@ index 0000000000..dc30558713
 +    qemu_bh_schedule(snap_state.finalize_bh);
 +}
 +
-+void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+void qmp_savevm_start(const char *statefile, Error **errp)
 +{
 +    Error *local_err = NULL;
 +    MigrationState *ms = migrate_get_current();
@@ -490,12 +488,12 @@ index 0000000000..dc30558713
 +        return;
 +    }
 +
-+    if (migration_is_running(ms->state)) {
+    if (migration_is_running()) {
 +        error_set(errp, ERROR_CLASS_GENERIC_ERROR, QERR_MIGRATION_ACTIVE);
 +        return;
 +    }
 +
-+    if (migrate_use_block()) {
+    if (migrate_block()) {
 +        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
 +                  "Block migration and snapshots are incompatible");
 +        return;
@@ -513,7 +511,7 @@ index 0000000000..dc30558713
 +        snap_state.error = NULL;
 +    }
 +
-+    if (!has_statefile) {
+    if (!statefile) {
 +        vm_stop(RUN_STATE_SAVE_VM);
 +        snap_state.state = SAVE_STATE_COMPLETED;
 +        return;
@@ -547,8 +545,10 @@ index 0000000000..dc30558713
 +     * State is cleared in process_savevm_co, but has to be initialized
 +     * here (blocking main thread, from QMP) to avoid race conditions.
 +     */
-+    migrate_init(ms);
-+    memset(&ram_counters, 0, sizeof(ram_counters));
+    if (migrate_init(ms, errp)) {
+        return;
+    }
+    memset(&mig_stats, 0, sizeof(mig_stats));
 +    ms->to_dst_file = snap_state.file;
 +
 +    error_setg(&snap_state.blocker, "block device is in use by savevm");
@@ -557,10 +557,8 @@ index 0000000000..dc30558713
 +    snap_state.state = SAVE_STATE_ACTIVE;
 +    snap_state.finalize_bh = qemu_bh_new(process_savevm_finalize, &snap_state);
 +    snap_state.co = qemu_coroutine_create(&process_savevm_co, NULL);
-+    qemu_mutex_unlock_iothread();
 +    qemu_savevm_state_header(snap_state.file);
 +    qemu_savevm_state_setup(snap_state.file);
-+    qemu_mutex_lock_iothread();
 +
 +    /* Async processing from here on out happens in iohandler context, so let
 +     * the target bdrv have its home there.
@@ -581,29 +579,10 @@ index 0000000000..dc30558713
 +    }
 +}
 +
-+void coroutine_fn qmp_savevm_end(Error **errp)
+static void coroutine_fn wait_for_close_co(void *opaque)
 +{
 +    int64_t timeout;
 +
-+    if (snap_state.state == SAVE_STATE_DONE) {
-+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
-+                  "VM snapshot not started\n");
-+        return;
-+    }
-+
-+    if (snap_state.state == SAVE_STATE_ACTIVE) {
-+        snap_state.state = SAVE_STATE_CANCELLED;
-+        goto wait_for_close;
-+    }
-+
-+    if (snap_state.saved_vm_running) {
-+        vm_start();
-+        snap_state.saved_vm_running = false;
-+    }
-+
-+    snap_state.state = SAVE_STATE_DONE;
-+
-+wait_for_close:
 +    if (!snap_state.target) {
 +        DPRINTF("savevm-end: no target file open\n");
 +        return;
@@ -631,20 +610,30 @@ index 0000000000..dc30558713
 +    DPRINTF("savevm-end: cleanup done\n");
 +}
 +
-+// FIXME: Deprecated
-+void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
+void qmp_savevm_end(Error **errp)
 +{
-+    // Compatibility to older qemu-server.
-+    qmp_blockdev_snapshot_internal_sync(device, name, errp);
-+}
+    if (snap_state.state == SAVE_STATE_DONE) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "VM snapshot not started\n");
+        return;
+    }
 +
-+// FIXME: Deprecated
-+void qmp_delete_drive_snapshot(const char *device, const char *name,
-+                               Error **errp)
-+{
-+    // Compatibility to older qemu-server.
-+    (void)qmp_blockdev_snapshot_delete_internal_sync(device, false, NULL,
-+                                                     true, name, errp);
+    Coroutine *wait_for_close = qemu_coroutine_create(wait_for_close_co, NULL);
+
+    if (snap_state.state == SAVE_STATE_ACTIVE) {
+        snap_state.state = SAVE_STATE_CANCELLED;
+        qemu_coroutine_enter(wait_for_close);
+        return;
+    }
+
+    if (snap_state.saved_vm_running) {
+        vm_start();
+        snap_state.saved_vm_running = false;
+    }
+
+    snap_state.state = SAVE_STATE_DONE;
+
+    qemu_coroutine_enter(wait_for_close);
 +}
 +
 +int load_snapshot_from_blockdev(const char *filename, Error **errp)
@@ -681,6 +670,10 @@ index 0000000000..dc30558713
 +    dirty_bitmap_mig_before_vm_start();
 +
 +    qemu_fclose(f);
+
+    /* state_destroy assumes a real migration which would have added a yank */
+    yank_register_instance(MIGRATION_YANK_INSTANCE, &error_abort);
+
 +    migration_incoming_state_destroy();
 +    if (ret < 0) {
 +        error_setg_errno(errp, -ret, "Error while loading VM state");
@@ -698,39 +691,28 @@ index 0000000000..dc30558713
 +    return ret;
 +}
 diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
-index 480b798963..cfebfd1db5 100644
+index 871898ac46..ef4634e5c1 100644
 --- a/monitor/hmp-cmds.c
 +++ b/monitor/hmp-cmds.c
-@@ -1906,6 +1906,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
-     hmp_handle_error(mon, err);
- }
+@@ -22,6 +22,7 @@
+ #include "monitor/monitor-internal.h"
+ #include "qapi/error.h"
+ #include "qapi/qapi-commands-control.h"
+#include "qapi/qapi-commands-migration.h"
+ #include "qapi/qapi-commands-misc.h"
+ #include "qapi/qmp/qdict.h"
+ #include "qemu/cutils.h"
+@@ -443,3 +444,40 @@ void hmp_info_mtree(Monitor *mon, const QDict *qdict)
 
+     mtree_info(flatview, dispatch_tree, owner, disabled);
+ }
+
 +void hmp_savevm_start(Monitor *mon, const QDict *qdict)
 +{
 +    Error *errp = NULL;
 +    const char *statefile = qdict_get_try_str(qdict, "statefile");
 +
-+    qmp_savevm_start(statefile != NULL, statefile, &errp);
-+    hmp_handle_error(mon, errp);
-+}
-+
-+void hmp_snapshot_drive(Monitor *mon, const QDict *qdict)
-+{
-+    Error *errp = NULL;
-+    const char *name = qdict_get_str(qdict, "name");
-+    const char *device = qdict_get_str(qdict, "device");
-+
-+    qmp_snapshot_drive(device, name, &errp);
-+    hmp_handle_error(mon, errp);
-+}
-+
-+void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict)
-+{
-+    Error *errp = NULL;
-+    const char *name = qdict_get_str(qdict, "name");
-+    const char *device = qdict_get_str(qdict, "device");
-+
-+    qmp_delete_drive_snapshot(device, name, &errp);
+    qmp_savevm_start(statefile, &errp);
 +    hmp_handle_error(mon, errp);
 +}
 +
@@ -747,7 +729,7 @@ index 480b798963..cfebfd1db5 100644
 +    SaveVMInfo *info;
 +    info = qmp_query_savevm(NULL);
 +
-+    if (info->has_status) {
+    if (info->status) {
 +        monitor_printf(mon, "savevm status: %s\n", info->status);
 +        monitor_printf(mon, "total time: %" PRIu64 " milliseconds\n",
 +                       info->total_time);
@@ -757,21 +739,17 @@ index 480b798963..cfebfd1db5 100644
 +    if (info->has_bytes) {
 +        monitor_printf(mon, "Bytes saved: %"PRIu64"\n", info->bytes);
 +    }
-+    if (info->has_error) {
+    if (info->error) {
 +        monitor_printf(mon, "Error: %s\n", info->error);
 +    }
 +}
-+
- void hmp_info_iothreads(Monitor *mon, const QDict *qdict)
- {
-     IOThreadInfoList *info_list = qmp_query_iothreads(NULL);
 diff --git a/qapi/migration.json b/qapi/migration.json
-index 88ecf86ac8..4435866379 100644
+index 8c65b90328..ed20d066cd 100644
 --- a/qapi/migration.json
 +++ b/qapi/migration.json
-@@ -261,6 +261,40 @@
-            '*compression': 'CompressionStats',
-            '*socket-address': ['SocketAddress'] } }
+@@ -297,6 +297,40 @@
+            '*dirty-limit-throttle-time-per-round': 'uint64',
+            '*dirty-limit-ring-full-time': 'uint64'} }
 
 +##
 +# @SaveVMInfo:
@@ -811,10 +789,10 @@ index 88ecf86ac8..4435866379 100644
 # @query-migrate:
 #
 diff --git a/qapi/misc.json b/qapi/misc.json
-index 27ef5a2b20..b3ce75dcae 100644
+index ec30e5c570..3c68633f68 100644
 --- a/qapi/misc.json
 +++ b/qapi/misc.json
-@@ -435,6 +435,38 @@
+@@ -454,6 +454,24 @@
 ##
 { 'command': 'query-fdsets', 'returns': ['FdsetInfo'] }
 
@@ -823,41 +801,27 @@ index 27ef5a2b20..b3ce75dcae 100644
 +#
 +# Prepare for snapshot and halt VM. Save VM state to statefile.
 +#
+# @statefile: target file that state should be written to.
+#
 +##
 +{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } }
 +
 +##
-+# @snapshot-drive:
-+#
-+# Create an internal drive snapshot.
-+#
-+##
-+{ 'command': 'snapshot-drive', 'data': { 'device': 'str', 'name': 'str' } }
-+
-+##
-+# @delete-drive-snapshot:
-+#
-+# Delete a drive snapshot.
-+#
-+##
-+{ 'command': 'delete-drive-snapshot', 'data': { 'device': 'str', 'name': 'str' } }
-+
-+##
 +# @savevm-end:
 +#
 +# Resume VM after a snapshot.
 +#
 +##
-+{ 'command': 'savevm-end', 'coroutine': true }
+{ 'command': 'savevm-end' }
 +
 ##
 # @CommandLineParameterType:
 #
 diff --git a/qemu-options.hx b/qemu-options.hx
-index 7f99d15b23..54efb127c4 100644
+index 8ce85d4559..511ab9415e 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -4391,6 +4391,18 @@ SRST
+@@ -4610,6 +4610,18 @@ SRST
     Start right away with a saved state (``loadvm`` in monitor)
 ERST
 
@@ -876,11 +840,11 @@ index 7f99d15b23..54efb127c4 100644
 #ifndef _WIN32
 DEF("daemonize", 0, QEMU_OPTION_daemonize, \
     "-daemonize      daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
-diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 5f7f6ca981..21f067d115 100644
--- a/softmmu/vl.c
-+++ b/softmmu/vl.c
-@@ -164,6 +164,7 @@ static const char *accelerators;
+diff --git a/system/vl.c b/system/vl.c
+index c644222982..2738ab7c91 100644
+--- a/system/vl.c
+++ b/system/vl.c
+@@ -163,6 +163,7 @@ static const char *accelerators;
 static bool have_custom_ram_size;
 static const char *ram_memdev_id;
 static QDict *machine_opts_dict;
@@ -888,10 +852,10 @@ index 5f7f6ca981..21f067d115 100644
 static QTAILQ_HEAD(, ObjectOption) object_opts = QTAILQ_HEAD_INITIALIZER(object_opts);
 static QTAILQ_HEAD(, DeviceOption) device_opts = QTAILQ_HEAD_INITIALIZER(device_opts);
 static int display_remote;
-@@ -2607,6 +2608,12 @@ void qmp_x_exit_preconfig(Error **errp)
- 
-     if (loadvm) {
+@@ -2712,6 +2713,12 @@ void qmp_x_exit_preconfig(Error **errp)
+         RunState state = autostart ? RUN_STATE_RUNNING : runstate_get();
         load_snapshot(loadvm, NULL, false, NULL, &error_fatal);
+         load_snapshot_resume(state);
 +    } else if (loadstate) {
 +        Error *local_err = NULL;
 +        if (load_snapshot_from_blockdev(loadstate, &local_err) < 0) {
@@ -901,7 +865,7 @@ index 5f7f6ca981..21f067d115 100644
     }
     if (replay_mode != REPLAY_MODE_NONE) {
         replay_vmstate_init();
-@@ -3151,6 +3158,9 @@ void qemu_init(int argc, char **argv)
+@@ -3259,6 +3266,9 @@ void qemu_init(int argc, char **argv)
             case QEMU_OPTION_loadvm:
                 loadvm = optarg;
                 break;
--- a/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
+++ b/debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch
@@ -13,18 +13,18 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 [FE: adapt to removal of QEMUFileOps]
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- migration/qemu-file.c    | 49 +++++++++++++++++++++++++++-------------
+ migration/qemu-file.c    | 50 +++++++++++++++++++++++++++-------------
 migration/qemu-file.h    |  2 ++
 migration/savevm-async.c |  5 ++--
- 3 files changed, 38 insertions(+), 18 deletions(-)
+ 3 files changed, 39 insertions(+), 18 deletions(-)

 diff --git a/migration/qemu-file.c b/migration/qemu-file.c
-index 2d5f74ffc2..9fd97e6fe1 100644
+index a10882d47f..19c1de0472 100644
 --- a/migration/qemu-file.c
 +++ b/migration/qemu-file.c
-@@ -31,8 +31,8 @@
- #include "trace.h"
- #include "qapi/error.h"
+@@ -35,8 +35,8 @@
+ #include "rdma.h"
+ #include "io/channel-file.h"
 
 -#define IO_BUF_SIZE 32768
 -#define MAX_IOV_SIZE MIN_CONST(IOV_MAX, 64)
@@ -32,8 +32,8 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 +#define MAX_IOV_SIZE MIN_CONST(IOV_MAX, 256)
 
 struct QEMUFile {
-     const QEMUFileHooks *hooks;
-@@ -55,7 +55,8 @@ struct QEMUFile {
+     QIOChannel *ioc;
+@@ -44,7 +44,8 @@ struct QEMUFile {
 
     int buf_index;
     int buf_size; /* 0 when writing */
@@ -43,8 +43,8 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 
     DECLARE_BITMAP(may_free, MAX_IOV_SIZE);
     struct iovec iov[MAX_IOV_SIZE];
-@@ -127,7 +128,9 @@ bool qemu_file_mode_is_not_valid(const char *mode)
-     return false;
+@@ -101,7 +102,9 @@ int qemu_file_shutdown(QEMUFile *f)
+     return 0;
 }
 
 -static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
@@ -54,7 +54,7 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 {
     QEMUFile *f;
 
-@@ -136,6 +139,8 @@ static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
+@@ -110,6 +113,8 @@ static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
     object_ref(ioc);
     f->ioc = ioc;
     f->is_writable = is_writable;
@@ -63,7 +63,7 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 
     return f;
 }
-@@ -146,17 +151,27 @@ static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
+@@ -120,17 +125,27 @@ static QEMUFile *qemu_file_new_impl(QIOChannel *ioc, bool is_writable)
  */
 QEMUFile *qemu_file_get_return_path(QEMUFile *f)
 {
@@ -93,8 +93,8 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 +    return qemu_file_new_impl(ioc, false, buffer_size);
 }
 
- void qemu_file_set_hooks(QEMUFile *f, const QEMUFileHooks *hooks)
-@@ -414,7 +429,7 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
+ /*
+@@ -328,7 +343,7 @@ static ssize_t coroutine_mixed_fn qemu_fill_buffer(QEMUFile *f)
     do {
         len = qio_channel_read(f->ioc,
                                (char *)f->buf + pending,
@@ -103,16 +103,17 @@ index 2d5f74ffc2..9fd97e6fe1 100644
                                &local_error);
         if (len == QIO_CHANNEL_ERR_BLOCK) {
             if (qemu_in_coroutine()) {
-@@ -464,6 +479,8 @@ int qemu_fclose(QEMUFile *f)
+@@ -368,6 +383,9 @@ int qemu_fclose(QEMUFile *f)
+         ret = ret2;
     }
     g_clear_pointer(&f->ioc, object_unref);
- 
+
 +    free(f->buf);
 +
-     /* If any error was spotted before closing, we should report it
-      * instead of the close() return value.
-      */
-@@ -518,7 +535,7 @@ static void add_buf_to_iovec(QEMUFile *f, size_t len)
+     error_free(f->last_error_obj);
+     g_free(f);
+     trace_qemu_file_fclose();
+@@ -416,7 +434,7 @@ static void add_buf_to_iovec(QEMUFile *f, size_t len)
 {
     if (!add_to_iovec(f, f->buf + f->buf_index, len, false)) {
         f->buf_index += len;
@@ -121,7 +122,7 @@ index 2d5f74ffc2..9fd97e6fe1 100644
             qemu_fflush(f);
         }
     }
-@@ -544,7 +561,7 @@ void qemu_put_buffer(QEMUFile *f, const uint8_t *buf, size_t size)
+@@ -441,7 +459,7 @@ void qemu_put_buffer(QEMUFile *f, const uint8_t *buf, size_t size)
     }
 
     while (size > 0) {
@@ -130,7 +131,7 @@ index 2d5f74ffc2..9fd97e6fe1 100644
         if (l > size) {
             l = size;
         }
-@@ -591,8 +608,8 @@ size_t qemu_peek_buffer(QEMUFile *f, uint8_t **buf, size_t size, size_t offset)
+@@ -587,8 +605,8 @@ size_t coroutine_mixed_fn qemu_peek_buffer(QEMUFile *f, uint8_t **buf, size_t si
     size_t index;
 
     assert(!qemu_file_is_writable(f));
@@ -141,7 +142,7 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 
     /* The 1st byte to read from */
     index = f->buf_index + offset;
-@@ -642,7 +659,7 @@ size_t qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size)
+@@ -638,7 +656,7 @@ size_t coroutine_mixed_fn qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size
         size_t res;
         uint8_t *src;
 
@@ -150,16 +151,16 @@ index 2d5f74ffc2..9fd97e6fe1 100644
         if (res == 0) {
             return done;
         }
-@@ -676,7 +693,7 @@ size_t qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size)
+@@ -672,7 +690,7 @@ size_t coroutine_mixed_fn qemu_get_buffer(QEMUFile *f, uint8_t *buf, size_t size
  */
- size_t qemu_get_buffer_in_place(QEMUFile *f, uint8_t **buf, size_t size)
+ size_t coroutine_mixed_fn qemu_get_buffer_in_place(QEMUFile *f, uint8_t **buf, size_t size)
 {
 -    if (size < IO_BUF_SIZE) {
 +    if (size < f->buf_allocated_size) {
         size_t res;
         uint8_t *src = NULL;
 
-@@ -701,7 +718,7 @@ int qemu_peek_byte(QEMUFile *f, int offset)
+@@ -697,7 +715,7 @@ int coroutine_mixed_fn qemu_peek_byte(QEMUFile *f, int offset)
     int index = f->buf_index + offset;
 
     assert(!qemu_file_is_writable(f));
@@ -168,7 +169,7 @@ index 2d5f74ffc2..9fd97e6fe1 100644
 
     if (index >= f->buf_size) {
         qemu_fill_buffer(f);
-@@ -853,7 +870,7 @@ static int qemu_compress_data(z_stream *stream, uint8_t *dest, size_t dest_len,
+@@ -811,7 +829,7 @@ static int qemu_compress_data(z_stream *stream, uint8_t *dest, size_t dest_len,
 ssize_t qemu_put_compression_data(QEMUFile *f, z_stream *stream,
                                   const uint8_t *p, size_t size)
 {
@@ -178,24 +179,24 @@ index 2d5f74ffc2..9fd97e6fe1 100644
     if (blen < compressBound(size)) {
         return -1;
 diff --git a/migration/qemu-file.h b/migration/qemu-file.h
-index fa13d04d78..914f1a63a8 100644
+index 32fd4a34fd..36a0cd8cc8 100644
 --- a/migration/qemu-file.h
 +++ b/migration/qemu-file.h
-@@ -63,7 +63,9 @@ typedef struct QEMUFileHooks {
- } QEMUFileHooks;
+@@ -30,7 +30,9 @@
+ #include "io/channel.h"
 
 QEMUFile *qemu_file_new_input(QIOChannel *ioc);
 +QEMUFile *qemu_file_new_input_sized(QIOChannel *ioc, size_t buffer_size);
 QEMUFile *qemu_file_new_output(QIOChannel *ioc);
 +QEMUFile *qemu_file_new_output_sized(QIOChannel *ioc, size_t buffer_size);
- void qemu_file_set_hooks(QEMUFile *f, const QEMUFileHooks *hooks);
 int qemu_fclose(QEMUFile *f);
 
+ /*
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index dc30558713..a38e7351c1 100644
+index 1af32604c7..be2035cd2e 100644
 --- a/migration/savevm-async.c
 +++ b/migration/savevm-async.c
-@@ -374,7 +374,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+@@ -386,7 +386,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
 
     QIOChannel *ioc = QIO_CHANNEL(qio_channel_savevm_async_new(snap_state.target,
                                                                &snap_state.bs_pos));
@@ -204,7 +205,7 @@ index dc30558713..a38e7351c1 100644
 
     if (!snap_state.file) {
         error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
-@@ -507,7 +507,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
+@@ -510,7 +510,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
     blk_op_block_all(be, blocker);
 
     /* restore the VM state */
--- a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
+++ b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch
@@ -4,32 +4,34 @@ Date: Mon, 6 Apr 2020 12:16:47 +0200
 Subject: [PATCH] PVE: block: add the zeroinit block driver filter

 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[adapt to changed function signatures]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: adapt to changed function signatures
+     adhere to block graph lock requirements
+     use dedicated function to open file child]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 block/meson.build |   1 +
- block/zeroinit.c  | 198 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 199 insertions(+)
+ block/zeroinit.c  | 207 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 208 insertions(+)
 create mode 100644 block/zeroinit.c

 diff --git a/block/meson.build b/block/meson.build
-index b7c68b83a3..020a89ae07 100644
+index e1f03fd773..b530e117b5 100644
 --- a/block/meson.build
 +++ b/block/meson.build
-@@ -43,6 +43,7 @@ block_ss.add(files(
-   'vmdk.c',
-   'vpc.c',
+@@ -39,6 +39,7 @@ block_ss.add(files(
+   'throttle.c',
+   'throttle-groups.c',
   'write-threshold.c',
 +  'zeroinit.c',
 ), zstd, zlib, gnutls)
 
- softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
+ system_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
 diff --git a/block/zeroinit.c b/block/zeroinit.c
 new file mode 100644
-index 0000000000..b60e1b84dc
+index 0000000000..7998c9332d
 --- /dev/null
 +++ b/block/zeroinit.c
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,207 @@
 +/*
 + * Filter to fake a zero-initialized block device.
 + *
@@ -43,6 +45,8 @@ index 0000000000..b60e1b84dc
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "block/block_int.h"
+#include "block/block-io.h"
+#include "block/graph-lock.h"
 +#include "qapi/qmp/qdict.h"
 +#include "qapi/qmp/qstring.h"
 +#include "qemu/cutils.h"
@@ -108,12 +112,9 @@ index 0000000000..b60e1b84dc
 +    }
 +
 +    /* Open the raw file */
-+    bs->file = bdrv_open_child(qemu_opt_get(opts, "x-next"), options, "next",
-+                               bs, &child_of_bds,
-+                               BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
-+                               false, &local_err);
-+    if (local_err) {
-+        ret = -EINVAL;
+    ret = bdrv_open_file_child(qemu_opt_get(opts, "x-next"), options, "next",
+                               bs, &local_err);
+    if (ret < 0) {
 +        error_propagate(errp, local_err);
 +        goto fail;
 +    }
@@ -124,7 +125,9 @@ index 0000000000..b60e1b84dc
 +    ret = 0;
 +fail:
 +    if (ret < 0) {
+        bdrv_graph_wrlock();
 +        bdrv_unref_child(bs, bs->file);
+        bdrv_graph_wrunlock();
 +    }
 +    qemu_opts_del(opts);
 +    return ret;
@@ -136,19 +139,22 @@ index 0000000000..b60e1b84dc
 +    (void)s;
 +}
 +
-+static int64_t zeroinit_getlength(BlockDriverState *bs)
+static coroutine_fn int64_t GRAPH_RDLOCK
+zeroinit_co_getlength(BlockDriverState *bs)
 +{
-+    return bdrv_getlength(bs->file->bs);
+    return bdrv_co_getlength(bs->file->bs);
 +}
 +
-+static int coroutine_fn zeroinit_co_preadv(BlockDriverState *bs,
-+    int64_t offset, int64_t bytes, QEMUIOVector *qiov, BdrvRequestFlags flags)
+static int coroutine_fn GRAPH_RDLOCK
+zeroinit_co_preadv(BlockDriverState *bs, int64_t offset, int64_t bytes,
+                   QEMUIOVector *qiov, BdrvRequestFlags flags)
 +{
 +    return bdrv_co_preadv(bs->file, offset, bytes, qiov, flags);
 +}
 +
-+static int coroutine_fn zeroinit_co_pwrite_zeroes(BlockDriverState *bs, int64_t offset,
-+                                                 int64_t bytes, BdrvRequestFlags flags)
+static int coroutine_fn GRAPH_RDLOCK
+zeroinit_co_pwrite_zeroes(BlockDriverState *bs, int64_t offset, int64_t bytes,
+                          BdrvRequestFlags flags)
 +{
 +    BDRVZeroinitState *s = bs->opaque;
 +    if (offset >= s->extents)
@@ -156,8 +162,9 @@ index 0000000000..b60e1b84dc
 +    return bdrv_pwrite_zeroes(bs->file, offset, bytes, flags);
 +}
 +
-+static int coroutine_fn zeroinit_co_pwritev(BlockDriverState *bs,
-+    int64_t offset, int64_t bytes, QEMUIOVector *qiov, BdrvRequestFlags flags)
+static int coroutine_fn GRAPH_RDLOCK
+zeroinit_co_pwritev(BlockDriverState *bs, int64_t offset, int64_t bytes,
+                    QEMUIOVector *qiov, BdrvRequestFlags flags)
 +{
 +    BDRVZeroinitState *s = bs->opaque;
 +    int64_t extents = offset + bytes;
@@ -166,33 +173,37 @@ index 0000000000..b60e1b84dc
 +    return bdrv_co_pwritev(bs->file, offset, bytes, qiov, flags);
 +}
 +
-+static coroutine_fn int zeroinit_co_flush(BlockDriverState *bs)
+static coroutine_fn int GRAPH_RDLOCK
+zeroinit_co_flush(BlockDriverState *bs)
 +{
 +    return bdrv_co_flush(bs->file->bs);
 +}
 +
-+static int zeroinit_has_zero_init(BlockDriverState *bs)
+static int GRAPH_RDLOCK
+zeroinit_has_zero_init(BlockDriverState *bs)
 +{
 +    BDRVZeroinitState *s = bs->opaque;
 +    return s->has_zero_init;
 +}
 +
-+static int coroutine_fn zeroinit_co_pdiscard(BlockDriverState *bs,
-+                                             int64_t offset, int64_t bytes)
+static int coroutine_fn GRAPH_RDLOCK
+zeroinit_co_pdiscard(BlockDriverState *bs, int64_t offset, int64_t bytes)
 +{
 +    return bdrv_co_pdiscard(bs->file, offset, bytes);
 +}
 +
-+static int zeroinit_co_truncate(BlockDriverState *bs, int64_t offset,
-+                                _Bool exact, PreallocMode prealloc,
-+                                BdrvRequestFlags req_flags, Error **errp)
+static int GRAPH_RDLOCK
+zeroinit_co_truncate(BlockDriverState *bs, int64_t offset, _Bool exact,
+                     PreallocMode prealloc, BdrvRequestFlags req_flags,
+                     Error **errp)
 +{
 +    return bdrv_co_truncate(bs->file, offset, exact, prealloc, req_flags, errp);
 +}
 +
-+static int zeroinit_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
+static coroutine_fn int GRAPH_RDLOCK
+zeroinit_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
 +{
-+    return bdrv_get_info(bs->file->bs, bdi);
+    return bdrv_co_get_info(bs->file->bs, bdi);
 +}
 +
 +static BlockDriver bdrv_zeroinit = {
@@ -203,7 +214,7 @@ index 0000000000..b60e1b84dc
 +    .bdrv_parse_filename              = zeroinit_parse_filename,
 +    .bdrv_file_open                   = zeroinit_open,
 +    .bdrv_close                       = zeroinit_close,
-+    .bdrv_getlength                   = zeroinit_getlength,
+    .bdrv_co_getlength                = zeroinit_co_getlength,
 +    .bdrv_child_perm                  = bdrv_default_perms,
 +    .bdrv_co_flush_to_disk            = zeroinit_co_flush,
 +
@@ -219,7 +230,7 @@ index 0000000000..b60e1b84dc
 +    .bdrv_co_pdiscard                 = zeroinit_co_pdiscard,
 +
 +    .bdrv_co_truncate                 = zeroinit_co_truncate,
-+    .bdrv_get_info                    = zeroinit_get_info,
+    .bdrv_co_get_info                 = zeroinit_co_get_info,
 +};
 +
 +static void bdrv_zeroinit_init(void)
--- a/debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch
+++ b/debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch
@@ -10,14 +10,14 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 qemu-options.hx | 3 +++
- softmmu/vl.c    | 8 ++++++++
+ system/vl.c     | 8 ++++++++
 2 files changed, 11 insertions(+)

 diff --git a/qemu-options.hx b/qemu-options.hx
-index 54efb127c4..ef456d03ec 100644
+index 511ab9415e..92e301d545 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -1147,6 +1147,9 @@ backend describes how QEMU handles the data.
+@@ -1237,6 +1237,9 @@ legacy PC, they are not recommended for modern configurations.
 
 ERST
 
@@ -27,11 +27,11 @@ index 54efb127c4..ef456d03ec 100644
 DEF("fda", HAS_ARG, QEMU_OPTION_fda,
     "-fda/-fdb file  use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL)
 DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL)
-diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 21f067d115..9d737e7914 100644
--- a/softmmu/vl.c
-+++ b/softmmu/vl.c
-@@ -2643,6 +2643,7 @@ void qemu_init(int argc, char **argv)
+diff --git a/system/vl.c b/system/vl.c
+index 2738ab7c91..20ebf2c920 100644
+--- a/system/vl.c
+++ b/system/vl.c
+@@ -2748,6 +2748,7 @@ void qemu_init(int argc, char **argv)
     MachineClass *machine_class;
     bool userconfig = true;
     FILE *vmstate_dump_file = NULL;
@@ -39,7 +39,7 @@ index 21f067d115..9d737e7914 100644
 
     qemu_add_opts(&qemu_drive_opts);
     qemu_add_drive_opts(&qemu_legacy_drive_opts);
-@@ -3263,6 +3264,13 @@ void qemu_init(int argc, char **argv)
+@@ -3371,6 +3372,13 @@ void qemu_init(int argc, char **argv)
                 machine_parse_property_opt(qemu_find_opts("smp-opts"),
                                            "smp", optarg);
                 break;
@@ -50,6 +50,6 @@ index 21f067d115..9d737e7914 100644
 +                    exit(1);
 +                }
 +                break;
+ #ifdef CONFIG_VNC
             case QEMU_OPTION_vnc:
                 vnc_parse(optarg);
-                 break;
--- a/debian/patches/pve/0021-PVE-Config-Revert-target-i386-disable-LINT0-after-re.patch
+++ b/debian/patches/pve/0021-PVE-Config-Revert-target-i386-disable-LINT0-after-re.patch
@@ -11,10 +11,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 9 insertions(+)

 diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
-index 2a20982066..7968ad5a93 100644
+index d8fc1e2815..789694b8b3 100644
 --- a/hw/intc/apic_common.c
 +++ b/hw/intc/apic_common.c
-@@ -278,6 +278,15 @@ static void apic_reset_common(DeviceState *dev)
+@@ -263,6 +263,15 @@ static void apic_reset_common(DeviceState *dev)
     info->vapic_base_update(s);
 
     apic_init_reset(dev);
--- a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
+++ b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch
@@ -9,14 +9,14 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 block/file-posix.c   | 59 ++++++++++++++++++++++++++++++--------------
- qapi/block-core.json |  3 ++-
- 2 files changed, 42 insertions(+), 20 deletions(-)
+ qapi/block-core.json |  7 +++++-
+ 2 files changed, 46 insertions(+), 20 deletions(-)

 diff --git a/block/file-posix.c b/block/file-posix.c
-index 9a16d86344..bd68df57ad 100644
+index 43bc0bd520..60e98c87f1 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
-@@ -2487,6 +2487,7 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2876,6 +2876,7 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
     int fd;
     uint64_t perm, shared;
     int result = 0;
@@ -24,7 +24,7 @@ index 9a16d86344..bd68df57ad 100644
 
     /* Validate options and set default values */
     assert(options->driver == BLOCKDEV_DRIVER_FILE);
-@@ -2527,19 +2528,22 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2916,19 +2917,22 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
     perm = BLK_PERM_WRITE | BLK_PERM_RESIZE;
     shared = BLK_PERM_ALL & ~BLK_PERM_RESIZE;
 
@@ -59,7 +59,7 @@ index 9a16d86344..bd68df57ad 100644
     }
 
     /* Clear the file by truncating it to 0 */
-@@ -2593,13 +2597,15 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2982,13 +2986,15 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
     }
 
 out_unlock:
@@ -82,7 +82,7 @@ index 9a16d86344..bd68df57ad 100644
     }
 
 out_close:
-@@ -2624,6 +2630,7 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
+@@ -3012,6 +3018,7 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
     PreallocMode prealloc;
     char *buf = NULL;
     Error *local_err = NULL;
@@ -90,7 +90,7 @@ index 9a16d86344..bd68df57ad 100644
 
     /* Skip file: protocol prefix */
     strstart(filename, "file:", &filename);
-@@ -2646,6 +2653,18 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
+@@ -3034,6 +3041,18 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
         return -EINVAL;
     }
 
@@ -109,7 +109,7 @@ index 9a16d86344..bd68df57ad 100644
     options = (BlockdevCreateOptions) {
         .driver     = BLOCKDEV_DRIVER_FILE,
         .u.file     = {
-@@ -2657,6 +2676,8 @@ static int coroutine_fn raw_co_create_opts(BlockDriver *drv,
+@@ -3045,6 +3064,8 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
             .nocow              = nocow,
             .has_extent_size_hint = has_extent_size_hint,
             .extent_size_hint   = extent_size_hint,
@@ -119,10 +119,21 @@ index 9a16d86344..bd68df57ad 100644
     };
     return raw_co_create(&options, errp);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 7daaf545be..9e902b96bb 100644
+index 905da8be72..3db587a6e4 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -4624,7 +4624,8 @@
+@@ -4956,6 +4956,10 @@
+ # @extent-size-hint: Extent size hint to add to the image file; 0 for
+ #     not adding an extent size hint (default: 1 MB, since 5.1)
+ #
+# @locking: whether to enable file locking.  If set to 'auto', only
+#     enable when Open File Descriptor (OFD) locking API is available
+#     (default: auto).
+#
+ # Since: 2.12
+ ##
+ { 'struct': 'BlockdevCreateOptionsFile',
+@@ -4963,7 +4967,8 @@
             'size':                 'size',
             '*preallocation':       'PreallocMode',
             '*nocow':               'bool',
--- a/debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch
+++ b/debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch
@@ -18,10 +18,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 1 insertion(+), 2 deletions(-)

 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 6b8cfcf6d8..3ec67e32d3 100644
+index 589c9524f8..2505dd658a 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
-@@ -519,8 +519,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
+@@ -536,8 +536,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
     qemu_chr_fe_set_echo(&mon->common.chr, true);
 
     /* Note: we run QMP monitor in I/O thread when @chr supports that */
--- a/debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch
+++ b/debian/patches/pve/0024-PVE-Compat-4.0-used-balloon-qemu-4-0-config-size-fal.patch
@@ -26,10 +26,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 8d34caa31d..2df9037c4e 100644
+index 4273de16a0..83f1fc0293 100644
 --- a/hw/core/machine.c
 +++ b/hw/core/machine.c
-@@ -132,7 +132,8 @@ GlobalProperty hw_compat_4_0[] = {
+@@ -162,7 +162,8 @@ GlobalProperty hw_compat_4_0[] = {
     { "virtio-vga",     "edid", "false" },
     { "virtio-gpu-device", "edid", "false" },
     { "virtio-device", "use-started", "false" },
--- a/debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch
+++ b/debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch
@@ -11,35 +11,36 @@ and only if 'is-current').

 Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+[FE: adapt to QAPI changes]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
- hw/core/machine-qmp-cmds.c |  6 ++++++
+ hw/core/machine-qmp-cmds.c |  5 +++++
 include/hw/boards.h        |  2 ++
 qapi/machine.json          |  4 +++-
- softmmu/vl.c               | 25 +++++++++++++++++++++++++
- 4 files changed, 36 insertions(+), 1 deletion(-)
+ system/vl.c                | 25 +++++++++++++++++++++++++
+ 4 files changed, 35 insertions(+), 1 deletion(-)

 diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
-index 76fff60a6b..ec9201fb9a 100644
+index 314351cdff..628a3537c5 100644
 --- a/hw/core/machine-qmp-cmds.c
 +++ b/hw/core/machine-qmp-cmds.c
-@@ -103,6 +103,12 @@ MachineInfoList *qmp_query_machines(Error **errp)
+@@ -94,6 +94,11 @@ MachineInfoList *qmp_query_machines(Error **errp)
         if (strcmp(mc->name, MACHINE_GET_CLASS(current_machine)->name) == 0) {
             info->has_is_current = true;
             info->is_current = true;
 +
 +            // PVE version string only exists for current machine
 +            if (mc->pve_version) {
-+                info->has_pve_version = true;
 +                info->pve_version = g_strdup(mc->pve_version);
 +            }
         }
 
         if (mc->default_cpu_type) {
 diff --git a/include/hw/boards.h b/include/hw/boards.h
-index 90f1dd3aeb..14d60520d9 100644
+index 8b8f6d5c00..dd6d0a1447 100644
 --- a/include/hw/boards.h
 +++ b/include/hw/boards.h
-@@ -230,6 +230,8 @@ struct MachineClass {
+@@ -246,6 +246,8 @@ struct MachineClass {
     const char *desc;
     const char *deprecation_reason;
 
@@ -49,40 +50,40 @@ index 90f1dd3aeb..14d60520d9 100644
     void (*reset)(MachineState *state, ShutdownCause reason);
     void (*wakeup)(MachineState *state);
 diff --git a/qapi/machine.json b/qapi/machine.json
-index 9156103c8f..f4fb1b2c9c 100644
+index a024d5b05d..1d69bffaa0 100644
 --- a/qapi/machine.json
 +++ b/qapi/machine.json
-@@ -157,6 +157,8 @@
+@@ -168,6 +168,8 @@
 #
- # @default-ram-id: the default ID of initial RAM memory backend (since 5.2)
+ # @acpi: machine type supports ACPI (since 8.0)
 #
 +# @pve-version: custom PVE version suffix specified as 'machine+pveN'
 +#
 # Since: 1.2
 ##
 { 'struct': 'MachineInfo',
-@@ -164,7 +166,7 @@
+@@ -175,7 +177,7 @@
             '*is-default': 'bool', '*is-current': 'bool', 'cpu-max': 'int',
             'hotpluggable-cpus': 'bool',  'numa-mem-supported': 'bool',
             'deprecated': 'bool', '*default-cpu-type': 'str',
-            '*default-ram-id': 'str' } }
-+            '*default-ram-id': 'str', '*pve-version': 'str' } }
+-            '*default-ram-id': 'str', 'acpi': 'bool' } }
+            '*default-ram-id': 'str', 'acpi': 'bool', '*pve-version': 'str' } }
 
 ##
 # @query-machines:
-diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 9d737e7914..a64eee2fad 100644
--- a/softmmu/vl.c
-+++ b/softmmu/vl.c
-@@ -1578,6 +1578,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
+diff --git a/system/vl.c b/system/vl.c
+index 20ebf2c920..4d39e32097 100644
+--- a/system/vl.c
+++ b/system/vl.c
+@@ -1659,6 +1659,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
 static MachineClass *select_machine(QDict *qdict, Error **errp)
 {
-     const char *optarg = qdict_get_try_str(qdict, "type");
+     const char *machine_type = qdict_get_try_str(qdict, "type");
 +    const char *pvever = qdict_get_try_str(qdict, "pvever");
     GSList *machines = object_class_get_list(TYPE_MACHINE, false);
     MachineClass *machine_class;
     Error *local_err = NULL;
-@@ -1595,6 +1596,11 @@ static MachineClass *select_machine(QDict *qdict, Error **errp)
+@@ -1676,6 +1677,11 @@ static MachineClass *select_machine(QDict *qdict, Error **errp)
         }
     }
 
@@ -94,7 +95,7 @@ index 9d737e7914..a64eee2fad 100644
     g_slist_free(machines);
     if (local_err) {
         error_append_hint(&local_err, "Use -machine help to list supported machines\n");
-@@ -3205,12 +3211,31 @@ void qemu_init(int argc, char **argv)
+@@ -3313,12 +3319,31 @@ void qemu_init(int argc, char **argv)
             case QEMU_OPTION_machine:
                 {
                     bool help;
--- a/debian/patches/pve/0026-block-backup-move-bcs-bitmap-initialization-to-job-c.patch
+++ b/debian/patches/pve/0026-block-backup-move-bcs-bitmap-initialization-to-job-c.patch
@@ -25,7 +25,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 4 insertions(+), 4 deletions(-)

 diff --git a/block/backup.c b/block/backup.c
-index 6a9ad97a53..9b0151c5be 100644
+index 3dd2e229d2..eba5b11493 100644
 --- a/block/backup.c
 +++ b/block/backup.c
@@ -237,8 +237,8 @@ static void backup_init_bcs_bitmap(BackupBlockJob *job)
@@ -48,9 +48,9 @@ index 6a9ad97a53..9b0151c5be 100644
     if (s->sync_mode == MIRROR_SYNC_MODE_TOP) {
         int64_t offset = 0;
         int64_t count;
-@@ -492,6 +490,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
-     block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL,
+@@ -502,6 +500,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
                        &error_abort);
+     bdrv_graph_wrunlock();
 
 +    backup_init_bcs_bitmap(job);
 +
--- a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
@@ -3,40 +3,46 @@ From: Dietmar Maurer <dietmar@proxmox.com>
 Date: Mon, 6 Apr 2020 12:16:57 +0200
 Subject: [PATCH] PVE-Backup: add vma backup format code

+Notes about partial restoring: skipping a certain drive is done via a
+map line of the form skip=drive-scsi0. Since in PVE, most archives are
+compressed and piped to vma for restore, it's not easily possible to
+skip reads.
+
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-[FE: create: register all streams before entering coroutines]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
+[FE: improvements during create
+     allow partial restore]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 block/meson.build |   2 +
 meson.build       |   5 +
- vma-reader.c      | 859 ++++++++++++++++++++++++++++++++++++++++++++++
- vma-writer.c      | 791 ++++++++++++++++++++++++++++++++++++++++++
- vma.c             | 849 +++++++++++++++++++++++++++++++++++++++++++++
+ vma-reader.c      | 870 ++++++++++++++++++++++++++++++++++++++++++++
+ vma-writer.c      | 817 +++++++++++++++++++++++++++++++++++++++++
+ vma.c             | 901 ++++++++++++++++++++++++++++++++++++++++++++++
 vma.h             | 150 ++++++++
- 6 files changed, 2656 insertions(+)
+ 6 files changed, 2745 insertions(+)
 create mode 100644 vma-reader.c
 create mode 100644 vma-writer.c
 create mode 100644 vma.c
 create mode 100644 vma.h

 diff --git a/block/meson.build b/block/meson.build
-index 020a89ae07..4feae20e37 100644
+index b530e117b5..b245daa98e 100644
 --- a/block/meson.build
 +++ b/block/meson.build
-@@ -46,6 +46,8 @@ block_ss.add(files(
+@@ -42,6 +42,8 @@ block_ss.add(files(
   'zeroinit.c',
 ), zstd, zlib, gnutls)
 
 +block_ss.add(files('../vma-writer.c'), libuuid)
 +
- softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
- softmmu_ss.add(files('block-ram-registrar.c'))
+ system_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
+ system_ss.add(files('block-ram-registrar.c'))
 
 diff --git a/meson.build b/meson.build
-index 5c6b5a1c75..e8cf7e3d78 100644
+index 91a0aa64c6..620cc594b2 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1525,6 +1525,8 @@ keyutils = dependency('libkeyutils', required: false,
+@@ -1922,6 +1922,8 @@ endif
 
 has_gettid = cc.has_function('gettid')
 
@@ -45,7 +51,7 @@ index 5c6b5a1c75..e8cf7e3d78 100644
 # libselinux
 selinux = dependency('libselinux',
                      required: get_option('selinux'),
-@@ -3596,6 +3598,9 @@ if have_tools
+@@ -4023,6 +4025,9 @@ if have_tools
                dependencies: [blockdev, qemuutil, gnutls, selinux],
                install: true)
 
@@ -53,14 +59,14 @@ index 5c6b5a1c75..e8cf7e3d78 100644
 +                   dependencies: [authz, block, crypto, io, qom], install: true)
 +
   subdir('storage-daemon')
-   subdir('contrib/rdmacm-mux')
-   subdir('contrib/elf2dmp')
+ 
+   foreach exe: [ 'qemu-img', 'qemu-io', 'qemu-nbd', 'qemu-storage-daemon']
 diff --git a/vma-reader.c b/vma-reader.c
 new file mode 100644
-index 0000000000..e65f1e8415
+index 0000000000..d0b6721812
 --- /dev/null
 +++ b/vma-reader.c
-@@ -0,0 +1,859 @@
+@@ -0,0 +1,870 @@
 +/*
 + * VMA: Virtual Machine Archive
 + *
@@ -82,6 +88,7 @@ index 0000000000..e65f1e8415
 +#include "qemu/ratelimit.h"
 +#include "vma.h"
 +#include "block/block.h"
+#include "block/graph-lock.h"
 +#include "sysemu/block-backend.h"
 +
 +static unsigned char zero_vma_block[VMA_BLOCK_SIZE];
@@ -91,6 +98,7 @@ index 0000000000..e65f1e8415
 +    bool write_zeroes;
 +    unsigned long *bitmap;
 +    int bitmap_size;
+    bool skip;
 +}  VmaRestoreState;
 +
 +struct VmaReader {
@@ -488,13 +496,14 @@ index 0000000000..e65f1e8415
 +}
 +
 +static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
-+                            BlockBackend *target, bool write_zeroes)
+                            BlockBackend *target, bool write_zeroes, bool skip)
 +{
 +    assert(vmar);
 +    assert(dev_id);
 +
 +    vmar->rstate[dev_id].target = target;
 +    vmar->rstate[dev_id].write_zeroes = write_zeroes;
+    vmar->rstate[dev_id].skip = skip;
 +
 +    int64_t size = vmar->devinfo[dev_id].size;
 +
@@ -509,28 +518,30 @@ index 0000000000..e65f1e8415
 +}
 +
 +int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockBackend *target,
-+                           bool write_zeroes, Error **errp)
+                           bool write_zeroes, bool skip, Error **errp)
 +{
 +    assert(vmar);
-+    assert(target != NULL);
+    assert(target != NULL || skip);
 +    assert(dev_id);
-+    assert(vmar->rstate[dev_id].target == NULL);
+    assert(vmar->rstate[dev_id].target == NULL && !vmar->rstate[dev_id].skip);
 +
-+    int64_t size = blk_getlength(target);
-+    int64_t size_diff = size - vmar->devinfo[dev_id].size;
+    if (target != NULL) {
+        int64_t size = blk_getlength(target);
+        int64_t size_diff = size - vmar->devinfo[dev_id].size;
 +
-+    /* storage types can have different size restrictions, so it
-+     * is not always possible to create an image with exact size.
-+     * So we tolerate a size difference up to 4MB.
-+     */
-+    if ((size_diff < 0) || (size_diff > 4*1024*1024)) {
-+        error_setg(errp, "vma_reader_register_bs for stream %s failed - "
-+                   "unexpected size %zd != %zd", vmar->devinfo[dev_id].devname,
-+                   size, vmar->devinfo[dev_id].size);
-+        return -1;
+        /* storage types can have different size restrictions, so it
+         * is not always possible to create an image with exact size.
+         * So we tolerate a size difference up to 4MB.
+         */
+        if ((size_diff < 0) || (size_diff > 4*1024*1024)) {
+            error_setg(errp, "vma_reader_register_bs for stream %s failed - "
+                       "unexpected size %zd != %zd", vmar->devinfo[dev_id].devname,
+                       size, vmar->devinfo[dev_id].size);
+            return -1;
+        }
 +    }
 +
-+    allocate_rstate(vmar, dev_id, target, write_zeroes);
+    allocate_rstate(vmar, dev_id, target, write_zeroes, skip);
 +
 +    return 0;
 +}
@@ -590,8 +601,10 @@ index 0000000000..e65f1e8415
 +    } else {
 +        int res = blk_pwrite(target, sector_num * BDRV_SECTOR_SIZE, nb_sectors * BDRV_SECTOR_SIZE, buf, 0);
 +        if (res < 0) {
+            bdrv_graph_rdlock_main_loop();
 +            error_setg(errp, "blk_pwrite to %s failed (%d)",
 +                       bdrv_get_device_name(blk_bs(target)), res);
+            bdrv_graph_rdunlock_main_loop();
 +            return -1;
 +        }
 +    }
@@ -623,19 +636,23 @@ index 0000000000..e65f1e8415
 +        VmaRestoreState *rstate = &vmar->rstate[dev_id];
 +        BlockBackend *target = NULL;
 +
+        bool skip = rstate->skip;
+
 +        if (dev_id != vmar->vmstate_stream) {
 +            target = rstate->target;
-+            if (!verify && !target) {
+            if (!verify && !target && !skip) {
 +                error_setg(errp, "got wrong dev id %d", dev_id);
 +                return -1;
 +            }
 +
-+            if (vma_reader_get_bitmap(rstate, cluster_num)) {
-+                error_setg(errp, "found duplicated cluster %zd for stream %s",
-+                          cluster_num, vmar->devinfo[dev_id].devname);
-+                return -1;
+            if (!skip) {
+                if (vma_reader_get_bitmap(rstate, cluster_num)) {
+                    error_setg(errp, "found duplicated cluster %zd for stream %s",
+                              cluster_num, vmar->devinfo[dev_id].devname);
+                    return -1;
+                }
+                vma_reader_set_bitmap(rstate, cluster_num, 1);
 +            }
-+            vma_reader_set_bitmap(rstate, cluster_num, 1);
 +
 +            max_sector = vmar->devinfo[dev_id].size/BDRV_SECTOR_SIZE;
 +        } else {
@@ -681,7 +698,7 @@ index 0000000000..e65f1e8415
 +                return -1;
 +            }
 +
-+            if (!verify) {
+            if (!verify && !skip) {
 +                int nb_sectors = end_sector - sector_num;
 +                if (restore_write_data(vmar, dev_id, target, vmstate_fd,
 +                                       buf + start, sector_num, nb_sectors,
@@ -717,7 +734,7 @@ index 0000000000..e65f1e8415
 +                        return -1;
 +                    }
 +
-+                    if (!verify) {
+                    if (!verify && !skip) {
 +                        int nb_sectors = end_sector - sector_num;
 +                        if (restore_write_data(vmar, dev_id, target, vmstate_fd,
 +                                               buf + start, sector_num,
@@ -742,7 +759,7 @@ index 0000000000..e65f1e8415
 +                            vmar->partial_zero_cluster_data += zero_size;
 +                        }
 +
-+                        if (rstate->write_zeroes && !verify) {
+                        if (rstate->write_zeroes && !verify && !skip) {
 +                            if (restore_write_data(vmar, dev_id, target, vmstate_fd,
 +                                                   zero_vma_block, sector_num,
 +                                                   nb_sectors, errp) < 0) {
@@ -913,7 +930,7 @@ index 0000000000..e65f1e8415
 +
 +    for (dev_id = 1; dev_id < 255; dev_id++) {
 +        if (vma_reader_get_device_info(vmar, dev_id)) {
-+            allocate_rstate(vmar, dev_id, NULL, false);
+            allocate_rstate(vmar, dev_id, NULL, false, false);
 +        }
 +    }
 +
@@ -922,10 +939,10 @@ index 0000000000..e65f1e8415
 +
 diff --git a/vma-writer.c b/vma-writer.c
 new file mode 100644
-index 0000000000..df4b20793d
+index 0000000000..a466652a5d
 --- /dev/null
 +++ b/vma-writer.c
-@@ -0,0 +1,791 @@
+@@ -0,0 +1,817 @@
 +/*
 + * VMA: Virtual Machine Archive
 + *
@@ -941,6 +958,8 @@ index 0000000000..df4b20793d
 +
 +#include "qemu/osdep.h"
 +#include <glib.h>
+#include <linux/magic.h>
+#include <sys/vfs.h>
 +#include <uuid/uuid.h>
 +
 +#include "vma.h"
@@ -949,6 +968,7 @@ index 0000000000..df4b20793d
 +#include "qemu/main-loop.h"
 +#include "qemu/coroutine.h"
 +#include "qemu/cutils.h"
+#include "qemu/error-report.h"
 +#include "qemu/memalign.h"
 +
 +#define DEBUG_VMA 0
@@ -1132,10 +1152,10 @@ index 0000000000..df4b20793d
 +{
 +    assert(qemu_in_coroutine());
 +    AioContext *ctx = qemu_get_current_aio_context();
-+    aio_set_fd_handler(ctx, fd, false, NULL, (IOHandler *)qemu_coroutine_enter,
-+                       NULL, NULL, qemu_coroutine_self());
+    aio_set_fd_handler(ctx, fd, NULL, (IOHandler *)qemu_coroutine_enter, NULL,
+                       NULL, qemu_coroutine_self());
 +    qemu_coroutine_yield();
-+    aio_set_fd_handler(ctx, fd, false, NULL, NULL, NULL, NULL, NULL);
+    aio_set_fd_handler(ctx, fd, NULL, NULL, NULL, NULL, NULL);
 +}
 +
 +static ssize_t coroutine_fn
@@ -1184,6 +1204,23 @@ index 0000000000..df4b20793d
 +    return (done == bytes) ? bytes : -1;
 +}
 +
+static bool is_path_tmpfs(const char *path) {
+    struct statfs fs;
+    int ret;
+
+    do {
+        ret = statfs(path, &fs);
+    } while (ret != 0 && errno == EINTR);
+
+    if (ret != 0) {
+        warn_report("statfs call for %s failed, assuming not tmpfs - %s\n",
+                    path, strerror(errno));
+        return false;
+    }
+
+    return fs.f_type == TMPFS_MAGIC;
+}
+
 +VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp)
 +{
 +    const char *p;
@@ -1233,12 +1270,19 @@ index 0000000000..df4b20793d
 +            }
 +            /* try to use O_NONBLOCK */
 +            fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK);
-+        } else  {
-+            oflags = O_NONBLOCK|O_DIRECT|O_WRONLY|O_EXCL;
+        } else {
+            gchar *dirname = g_path_get_dirname(filename);
+            oflags = O_NONBLOCK|O_WRONLY|O_EXCL;
+            if (!is_path_tmpfs(dirname)) {
+                oflags |= O_DIRECT;
+            }
+            g_free(dirname);
 +            vmaw->fd = qemu_create(filename, oflags, 0644, errp);
 +        }
 +
 +        if (vmaw->fd < 0) {
+            error_free(*errp);
+            *errp = NULL;
 +            error_setg(errp, "can't open file %s - %s\n", filename,
 +                       g_strerror(errno));
 +            goto err;
@@ -1473,17 +1517,16 @@ index 0000000000..df4b20793d
 +    int i;
 +
 +    g_assert(vmaw != NULL);
+    g_assert(status != NULL);
 +
-+    if (status) {
-+        status->status = vmaw->status;
-+        g_strlcpy(status->errmsg, vmaw->errmsg, sizeof(status->errmsg));
-+        for (i = 0; i <= 255; i++) {
-+            status->stream_info[i] = vmaw->stream_info[i];
-+        }
-+
-+        uuid_unparse_lower(vmaw->uuid, status->uuid_str);
+    status->status = vmaw->status;
+    g_strlcpy(status->errmsg, vmaw->errmsg, sizeof(status->errmsg));
+    for (i = 0; i <= 255; i++) {
+        status->stream_info[i] = vmaw->stream_info[i];
 +    }
 +
+    uuid_unparse_lower(vmaw->uuid, status->uuid_str);
+
 +    status->closed = vmaw->closed;
 +
 +    return vmaw->status;
@@ -1719,10 +1762,10 @@ index 0000000000..df4b20793d
 +}
 diff --git a/vma.c b/vma.c
 new file mode 100644
-index 0000000000..e8dffb43e0
+index 0000000000..bb715e9061
 --- /dev/null
 +++ b/vma.c
-@@ -0,0 +1,849 @@
+@@ -0,0 +1,901 @@
 +/*
 + * VMA: Virtual Machine Archive
 + *
@@ -1756,7 +1799,7 @@ index 0000000000..e8dffb43e0
 +        "vma list <filename>\n"
 +        "vma config <filename> [-c config]\n"
 +        "vma create <filename> [-c config] pathname ...\n"
-+        "vma extract <filename> [-r <fifo>] <targetdir>\n"
+        "vma extract <filename> [-d <drive-list>] [-r <fifo>] <targetdir>\n"
 +        "vma verify <filename> [-v]\n"
 +        ;
 +
@@ -1863,6 +1906,7 @@ index 0000000000..e8dffb43e0
 +    char *throttling_group;
 +    char *cache;
 +    bool write_zero;
+    bool skip;
 +} RestoreMap;
 +
 +static bool try_parse_option(char **line, const char *optname, char **out, const char *inbuf) {
@@ -1900,9 +1944,10 @@ index 0000000000..e8dffb43e0
 +    const char *filename;
 +    const char *dirname;
 +    const char *readmap = NULL;
+    gchar **drive_list = NULL;
 +
 +    for (;;) {
-+        c = getopt(argc, argv, "hvr:");
+        c = getopt(argc, argv, "hvd:r:");
 +        if (c == -1) {
 +            break;
 +        }
@@ -1911,6 +1956,9 @@ index 0000000000..e8dffb43e0
 +        case 'h':
 +            help();
 +            break;
+        case 'd':
+            drive_list = g_strsplit(optarg, ",", 254);
+            break;
 +        case 'r':
 +            readmap = optarg;
 +            break;
@@ -1970,74 +2018,89 @@ index 0000000000..e8dffb43e0
 +            char *bps = NULL;
 +            char *group = NULL;
 +            char *cache = NULL;
+            char *devname = NULL;
+            bool skip = false;
+            uint64_t bps_value = 0;
+            const char *path = NULL;
+            bool write_zero = true;
+
 +            if (!line || line[0] == '\0' || !strcmp(line, "done\n")) {
 +                break;
 +            }
 +            int len = strlen(line);
 +            if (line[len - 1] == '\n') {
 +                line[len - 1] = '\0';
-+                if (len == 1) {
+                len = len - 1;
+                if (len == 0) {
 +                    break;
 +                }
 +            }
 +
-+            while (1) {
-+                if (!try_parse_option(&line, "format", &format, inbuf) &&
-+                    !try_parse_option(&line, "throttling.bps", &bps, inbuf) &&
-+                    !try_parse_option(&line, "throttling.group", &group, inbuf) &&
-+                    !try_parse_option(&line, "cache", &cache, inbuf))
-+                {
-+                    break;
+            if (strncmp(line, "skip", 4) == 0) {
+                if (len < 6 || line[4] != '=') {
+                    g_error("read map failed - option 'skip' has no value ('%s')",
+                            inbuf);
+                } else {
+                    devname = line + 5;
+                    skip = true;
 +                }
-+            }
-+
-+            uint64_t bps_value = 0;
-+            if (bps) {
-+                bps_value = verify_u64(bps);
-+                g_free(bps);
-+            }
-+
-+            const char *path;
-+            bool write_zero;
-+            if (line[0] == '0' && line[1] == ':') {
-+                path = line + 2;
-+                write_zero = false;
-+            } else if (line[0] == '1' && line[1] == ':') {
-+                path = line + 2;
-+                write_zero = true;
 +            } else {
-+                g_error("read map failed - parse error ('%s')", inbuf);
+                while (1) {
+                    if (!try_parse_option(&line, "format", &format, inbuf) &&
+                        !try_parse_option(&line, "throttling.bps", &bps, inbuf) &&
+                        !try_parse_option(&line, "throttling.group", &group, inbuf) &&
+                        !try_parse_option(&line, "cache", &cache, inbuf))
+                    {
+                        break;
+                    }
+                }
+
+                if (bps) {
+                    bps_value = verify_u64(bps);
+                    g_free(bps);
+                }
+
+                if (line[0] == '0' && line[1] == ':') {
+                    path = line + 2;
+                    write_zero = false;
+                } else if (line[0] == '1' && line[1] == ':') {
+                    path = line + 2;
+                    write_zero = true;
+                } else {
+                    g_error("read map failed - parse error ('%s')", inbuf);
+                }
+
+                path = extract_devname(path, &devname, -1);
 +            }
 +
-+            char *devname = NULL;
-+            path = extract_devname(path, &devname, -1);
 +            if (!devname) {
 +                g_error("read map failed - no dev name specified ('%s')",
 +                        inbuf);
 +            }
 +
-+            RestoreMap *map = g_new0(RestoreMap, 1);
-+            map->devname = g_strdup(devname);
-+            map->path = g_strdup(path);
-+            map->format = format;
-+            map->throttling_bps = bps_value;
-+            map->throttling_group = group;
-+            map->cache = cache;
-+            map->write_zero = write_zero;
+            RestoreMap *restore_map = g_new0(RestoreMap, 1);
+            restore_map->devname = g_strdup(devname);
+            restore_map->path = g_strdup(path);
+            restore_map->format = format;
+            restore_map->throttling_bps = bps_value;
+            restore_map->throttling_group = group;
+            restore_map->cache = cache;
+            restore_map->write_zero = write_zero;
+            restore_map->skip = skip;
 +
-+            g_hash_table_insert(devmap, map->devname, map);
+            g_hash_table_insert(devmap, restore_map->devname, restore_map);
 +
 +        };
 +    }
 +
 +    int i;
 +    int vmstate_fd = -1;
-+    guint8 vmstate_stream = 0;
+    bool drive_rename_bitmap[255];
+    memset(drive_rename_bitmap, 0, sizeof(drive_rename_bitmap));
 +
 +    for (i = 1; i < 255; i++) {
 +        VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i);
 +        if (di && (strcmp(di->devname, "vmstate") == 0)) {
-+            vmstate_stream = i;
 +            char *statefn = g_strdup_printf("%s/vmstate.bin", dirname);
 +            vmstate_fd = open(statefn, O_WRONLY|O_CREAT|O_EXCL, 0644);
 +            if (vmstate_fd < 0) {
@@ -2053,10 +2116,25 @@ index 0000000000..e8dffb43e0
 +            const char *cache = NULL;
 +            int flags = BDRV_O_RDWR;
 +            bool write_zero = true;
+            bool skip = false;
 +
 +            BlockBackend *blk = NULL;
 +
-+            if (readmap) {
+            if (drive_list) {
+                skip = true;
+                int j;
+                for (j = 0; drive_list[j]; j++) {
+                    if (strcmp(drive_list[j], di->devname) == 0) {
+                        skip = false;
+                        drive_rename_bitmap[i] = true;
+                        break;
+                    }
+                }
+            } else {
+                drive_rename_bitmap[i] = true;
+            }
+
+            if (!skip && readmap) {
 +                RestoreMap *map;
 +                map = (RestoreMap *)g_hash_table_lookup(devmap, di->devname);
 +                if (map == NULL) {
@@ -2068,7 +2146,8 @@ index 0000000000..e8dffb43e0
 +                throttling_group = map->throttling_group;
 +                cache = map->cache;
 +                write_zero = map->write_zero;
-+            } else {
+                skip = map->skip;
+            } else if (!skip) {
 +                devfn = g_strdup_printf("%s/tmp-disk-%s.raw",
 +                                        dirname, di->devname);
 +                printf("DEVINFO %s %zd\n", devfn, di->size);
@@ -2086,57 +2165,60 @@ index 0000000000..e8dffb43e0
 +                write_zero = false;
 +            }
 +
-+	    size_t devlen = strlen(devfn);
-+	    QDict *options = NULL;
-+            bool writethrough;
-+            if (format) {
-+                /* explicit format from commandline */
-+                options = qdict_new();
-+                qdict_put_str(options, "driver", format);
-+            } else if ((devlen > 4 && strcmp(devfn+devlen-4, ".raw") == 0) ||
-+	               strncmp(devfn, "/dev/", 5) == 0)
-+	    {
-+                /* This part is now deprecated for PVE as well (just as qemu
-+                 * deprecated not specifying an explicit raw format, too.
-+                 */
-+		/* explicit raw format */
-+		options = qdict_new();
-+		qdict_put_str(options, "driver", "raw");
-+	    }
-+            if (cache && bdrv_parse_cache_mode(cache, &flags, &writethrough)) {
-+                g_error("invalid cache option: %s\n", cache);
-+            }
-+
-+	    if (errp || !(blk = blk_new_open(devfn, NULL, options, flags, &errp))) {
-+                g_error("can't open file %s - %s", devfn,
-+                        error_get_pretty(errp));
-+            }
-+
-+            if (cache) {
-+                blk_set_enable_write_cache(blk, !writethrough);
-+            }
-+
-+            if (throttling_group) {
-+                blk_io_limits_enable(blk, throttling_group);
-+            }
-+
-+            if (throttling_bps) {
-+                if (!throttling_group) {
-+                    blk_io_limits_enable(blk, devfn);
+            if (!skip) {
+                size_t devlen = strlen(devfn);
+                QDict *options = NULL;
+                bool writethrough;
+                if (format) {
+                    /* explicit format from commandline */
+                    options = qdict_new();
+                    qdict_put_str(options, "driver", format);
+                } else if ((devlen > 4 && strcmp(devfn+devlen-4, ".raw") == 0) ||
+                    strncmp(devfn, "/dev/", 5) == 0)
+                {
+                    /* This part is now deprecated for PVE as well (just as qemu
+                     * deprecated not specifying an explicit raw format, too.
+                     */
+                    /* explicit raw format */
+                    options = qdict_new();
+                    qdict_put_str(options, "driver", "raw");
 +                }
 +
-+                ThrottleConfig cfg;
-+                throttle_config_init(&cfg);
-+                cfg.buckets[THROTTLE_BPS_WRITE].avg = throttling_bps;
-+                Error *err = NULL;
-+                if (!throttle_is_valid(&cfg, &err)) {
-+                    error_report_err(err);
-+                    g_error("failed to apply throttling");
+                if (cache && bdrv_parse_cache_mode(cache, &flags, &writethrough)) {
+                    g_error("invalid cache option: %s\n", cache);
+                }
+
+                if (errp || !(blk = blk_new_open(devfn, NULL, options, flags, &errp))) {
+                    g_error("can't open file %s - %s", devfn,
+                            error_get_pretty(errp));
+                }
+
+                if (cache) {
+                    blk_set_enable_write_cache(blk, !writethrough);
+                }
+
+                if (throttling_group) {
+                    blk_io_limits_enable(blk, throttling_group);
+                }
+
+                if (throttling_bps) {
+                    if (!throttling_group) {
+                        blk_io_limits_enable(blk, devfn);
+                    }
+
+                    ThrottleConfig cfg;
+                    throttle_config_init(&cfg);
+                    cfg.buckets[THROTTLE_BPS_WRITE].avg = throttling_bps;
+                    Error *err = NULL;
+                    if (!throttle_is_valid(&cfg, &err)) {
+                        error_report_err(err);
+                        g_error("failed to apply throttling");
+                    }
+                    blk_set_io_limits(blk, &cfg);
 +                }
-+                blk_set_io_limits(blk, &cfg);
 +            }
 +
-+            if (vma_reader_register_bs(vmar, i, blk, write_zero, &errp) < 0) {
+            if (vma_reader_register_bs(vmar, i, blk, write_zero, skip, &errp) < 0) {
 +                g_error("%s", error_get_pretty(errp));
 +            }
 +
@@ -2146,6 +2228,10 @@ index 0000000000..e8dffb43e0
 +        }
 +    }
 +
+    if (drive_list) {
+        g_strfreev(drive_list);
+    }
+
 +    if (vma_reader_restore(vmar, vmstate_fd, verbose, &errp) < 0) {
 +        g_error("restore failed - %s", error_get_pretty(errp));
 +    }
@@ -2153,7 +2239,7 @@ index 0000000000..e8dffb43e0
 +    if (!readmap) {
 +        for (i = 1; i < 255; i++) {
 +            VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i);
-+            if (di && (i != vmstate_stream)) {
+            if (di && drive_rename_bitmap[i]) {
 +                char *tmpfn = g_strdup_printf("%s/tmp-disk-%s.raw",
 +                                              dirname, di->devname);
 +                char *fn = g_strdup_printf("%s/disk-%s.raw",
@@ -2252,7 +2338,7 @@ index 0000000000..e8dffb43e0
 +    struct iovec iov;
 +    QEMUIOVector qiov;
 +
-+    int64_t start, end;
+    int64_t start, end, readlen;
 +    int ret = 0;
 +
 +    unsigned char *buf = blk_blockalign(job->target, VMA_CLUSTER_SIZE);
@@ -2266,16 +2352,24 @@ index 0000000000..e8dffb43e0
 +        iov.iov_len = VMA_CLUSTER_SIZE;
 +        qemu_iovec_init_external(&qiov, &iov, 1);
 +
+        if (start + 1 == end) {
+            memset(buf, 0, VMA_CLUSTER_SIZE);
+            readlen = job->len - start * VMA_CLUSTER_SIZE;
+            assert(readlen > 0 && readlen <= VMA_CLUSTER_SIZE);
+        } else {
+            readlen = VMA_CLUSTER_SIZE;
+        }
+
 +        ret = blk_co_preadv(job->target, start * VMA_CLUSTER_SIZE,
-+                            VMA_CLUSTER_SIZE, &qiov, 0);
+                            readlen, &qiov, 0);
 +        if (ret < 0) {
-+            vma_writer_set_error(job->vmaw, "read error", -1);
+            vma_writer_set_error(job->vmaw, "read error");
 +            goto out;
 +        }
 +
 +        size_t zb = 0;
 +        if (vma_writer_write(job->vmaw, job->dev_id, start, buf, &zb) < 0) {
-+            vma_writer_set_error(job->vmaw, "backup_dump_cb vma_writer_write failed", -1);
+            vma_writer_set_error(job->vmaw, "backup_dump_cb vma_writer_write failed");
 +            goto out;
 +        }
 +    }
@@ -2293,7 +2387,7 @@ index 0000000000..e8dffb43e0
 +
 +static int create_archive(int argc, char **argv)
 +{
-+    int i, c;
+    int c;
 +    int verbose = 0;
 +    const char *archivename;
 +    GList *backup_coroutines = NULL;
@@ -2451,6 +2545,7 @@ index 0000000000..e8dffb43e0
 +    vma_writer_get_status(vmaw, &vmastat);
 +
 +    if (verbose) {
+        int i;
 +        for (i = 0; i < 256; i++) {
 +            VmaStreamInfo *si = &vmastat.stream_info[i];
 +            if (si->size) {
@@ -2574,7 +2669,7 @@ index 0000000000..e8dffb43e0
 +}
 diff --git a/vma.h b/vma.h
 new file mode 100644
-index 0000000000..c895c97f6d
+index 0000000000..86d2873aa5
 --- /dev/null
 +++ b/vma.h
@@ -0,0 +1,150 @@
@@ -2712,7 +2807,7 @@ index 0000000000..c895c97f6d
 +int coroutine_fn vma_writer_flush_output(VmaWriter *vmaw);
 +
 +int vma_writer_get_status(VmaWriter *vmaw, VmaStatus *status);
-+void vma_writer_set_error(VmaWriter *vmaw, const char *fmt, ...);
+void vma_writer_set_error(VmaWriter *vmaw, const char *fmt, ...) G_GNUC_PRINTF(2, 3);
 +
 +
 +VmaReader *vma_reader_create(const char *filename, Error **errp);
@@ -2722,7 +2817,7 @@ index 0000000000..c895c97f6d
 +VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id);
 +int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id,
 +                           BlockBackend *target, bool write_zeroes,
-+                           Error **errp);
+                           bool skip, Error **errp);
 +int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
 +                       Error **errp);
 +int vma_reader_verify(VmaReader *vmar, bool verbose, Error **errp);
--- a/Show More
+++ b/Show More