Add Vitastor support

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

Makefile

@@ -58,7 +58,7 @@ $(BUILDDIR): submodule
 deb kvm: $(DEBS)
 $(DEB_DBG): $(DEB)
 $(DEB): $(BUILDDIR)
-	cd $(BUILDDIR); dpkg-buildpackage -b -us -uc
+	cd $(BUILDDIR); dpkg-buildpackage -b -us -uc -j32
 	lintian $(DEBS)
 
 sbuild: $(DSC)

debian/changelog

@@ -1,3 +1,51 @@
+pve-qemu-kvm (9.0.2-4+vitastor1) bookworm; urgency=medium
+
+  * Add Vitastor support
+
+ -- Vitaliy Filippov <vitalif@yourcmc.ru>  Sat, 16 Nov 2024 11:18:15 +0300
+
+pve-qemu-kvm (9.0.2-4) bookworm; urgency=medium
+
+  * async snapshot: ensure any dynamic vCPU-throttling applied for
+    auto-converge gets always disabled again after finishing the snapshot.
+
+ -- Proxmox Support Team <support@proxmox.com>  Sun, 10 Nov 2024 11:23:09 +0100
+
+pve-qemu-kvm (9.0.2-3) bookworm; urgency=medium
+
+  * pick up fix for VirtIO PCI regressions
+
+  * pick up stable fixes for 9.0, including fixes for VirtIO-net, ARM and
+    x86(_64) emulation, CVEs to harden NBD server against malicious clients,
+    as well as a few others (VNC, physmem, Intel IOMMU, ...).
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 06 Sep 2024 16:21:42 +0200
+
+pve-qemu-kvm (9.0.2-2) bookworm; urgency=medium
+
+  * actually update submodule to QEMU 9.0.2. The previous release was still
+    based on 9.0.0 by mistake.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Aug 2024 10:16:01 +0200
+
+pve-qemu-kvm (9.0.2-1) bookworm; urgency=medium
+
+  * update submodule and patches to QEMU 9.0.2. While our version had most
+    stable fixes included already, there are new fixes for VirtIO and VGA
+    display screen blanking (#4786)
+
+  * backport fix for a regression with the LSI-53c895a controller and one for
+    the boot order getting ignored for USB storage
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Jul 2024 18:59:40 +0200
+
+pve-qemu-kvm (9.0.0-6) bookworm; urgency=medium
+
+  * fix a regression in the zeroinit block driver that prevented importing and
+    cloning disks to RBD storages which are not using the krbd setting
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Jul 2024 16:11:15 +0200
+
 pve-qemu-kvm (9.0.0-5) bookworm; urgency=medium
 
   * backport fix for CVE-2024-4467 to prevent malicious qcow2 image files from

debian/control

@@ -59,6 +59,7 @@ Depends: ceph-common (>= 0.48),
          libspice-server1 (>= 0.14.0~),
          libusb-1.0-0 (>= 1.0.17-1),
          libusbredirparser1 (>= 0.6-2),
+         vitastor-client (>= 0.9.4),
          libuuid1,
          ${misc:Depends},
          ${shlibs:Depends},

debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch

@@ -258,7 +258,7 @@ index 1bdce3b657..0c5c72df2e 100644
                       errp);
      if (!job) {
 diff --git a/blockdev.c b/blockdev.c
-index 057601dcf0..8682814a7a 100644
+index 4c33c3f5f0..f3e508a6a7 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -2776,6 +2776,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
@@ -349,7 +349,7 @@ index 057601dcf0..8682814a7a 100644
                             has_granularity, granularity,
                             has_buf_size, buf_size,
 diff --git a/include/block/block_int-global-state.h b/include/block/block_int-global-state.h
-index d2201e27f4..cc1387ae02 100644
+index eb2d92a226..f0c642b194 100644
 --- a/include/block/block_int-global-state.h
 +++ b/include/block/block_int-global-state.h
 @@ -158,7 +158,9 @@ void mirror_start(const char *job_id, BlockDriverState *bs,
@@ -364,7 +364,7 @@ index d2201e27f4..cc1387ae02 100644
                    BlockdevOnError on_source_error,
                    BlockdevOnError on_target_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 746d1694c2..45ab548dfe 100644
+index b179d65520..905da8be72 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -2174,6 +2174,15 @@

debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch

@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/blockdev.c b/blockdev.c
-index 8682814a7a..5b75a085ee 100644
+index f3e508a6a7..37b8437f3e 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -2873,6 +2873,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,

debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch

@@ -62,7 +62,7 @@ index 6b3cce1007..2f1223852b 100644
  
          if (bitmap_mode != BITMAP_SYNC_MODE_NEVER) {
 diff --git a/blockdev.c b/blockdev.c
-index 5b75a085ee..d27d8c38ec 100644
+index 37b8437f3e..ed8198f351 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -2852,7 +2852,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,

debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch

@@ -144,7 +144,7 @@ index a239945e8d..589c9524f8 100644
          monitor_qmp_caps_reset(mon);
          data = qmp_greeting(mon);
 diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index f3488afeef..2624eb3470 100644
+index 176b549473..790bb7d1da 100644
 --- a/qapi/qmp-dispatch.c
 +++ b/qapi/qmp-dispatch.c
 @@ -117,16 +117,28 @@ typedef struct QmpDispatchBH {
@@ -180,7 +180,7 @@ index f3488afeef..2624eb3470 100644
      aio_co_wake(data->co);
  }
  
-@@ -250,6 +262,7 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+@@ -253,6 +265,7 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
              .ret        = &ret,
              .errp       = &err,
              .co         = qemu_coroutine_self(),

debian/patches/extra/0006-virtio-gpu-fix-v2-migration.patch

@@ -1,98 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Thu, 16 May 2024 12:40:22 +0400
-Subject: [PATCH] virtio-gpu: fix v2 migration
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit dfcf74fa ("virtio-gpu: fix scanout migration post-load") broke
-forward/backward version migration. Versioning of nested VMSD structures
-is not straightforward, as the wire format doesn't have nested
-structures versions. Introduce x-scanout-vmstate-version and a field
-test to save/load appropriately according to the machine version.
-
-Fixes: dfcf74fa ("virtio-gpu: fix scanout migration post-load")
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Peter Xu <peterx@redhat.com>
----
- hw/core/machine.c              |  1 +
- hw/display/virtio-gpu.c        | 24 ++++++++++++++++--------
- include/hw/virtio/virtio-gpu.h |  1 +
- 3 files changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 37ede0e7d4..d33a37a6f6 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -37,6 +37,7 @@ GlobalProperty hw_compat_8_2[] = {
-     { "migration", "zero-page-detection", "legacy"},
-     { TYPE_VIRTIO_IOMMU_PCI, "granule", "4k" },
-     { TYPE_VIRTIO_IOMMU_PCI, "aw-bits", "64" },
-+    { "virtio-gpu-device", "x-scanout-vmstate-version", "1" },
- };
- const size_t hw_compat_8_2_len = G_N_ELEMENTS(hw_compat_8_2);
- 
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index ae831b6b3e..85323daf99 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -1166,10 +1166,17 @@ static void virtio_gpu_cursor_bh(void *opaque)
-     virtio_gpu_handle_cursor(&g->parent_obj.parent_obj, g->cursor_vq);
- }
- 
-+static bool scanout_vmstate_after_v2(void *opaque, int version)
-+{
-+    struct VirtIOGPUBase *base = container_of(opaque, VirtIOGPUBase, scanout);
-+    struct VirtIOGPU *gpu = container_of(base, VirtIOGPU, parent_obj);
-+
-+    return gpu->scanout_vmstate_version >= 2;
-+}
-+
- static const VMStateDescription vmstate_virtio_gpu_scanout = {
-     .name = "virtio-gpu-one-scanout",
--    .version_id = 2,
--    .minimum_version_id = 1,
-+    .version_id = 1,
-     .fields = (const VMStateField[]) {
-         VMSTATE_UINT32(resource_id, struct virtio_gpu_scanout),
-         VMSTATE_UINT32(width, struct virtio_gpu_scanout),
-@@ -1181,12 +1188,12 @@ static const VMStateDescription vmstate_virtio_gpu_scanout = {
-         VMSTATE_UINT32(cursor.hot_y, struct virtio_gpu_scanout),
-         VMSTATE_UINT32(cursor.pos.x, struct virtio_gpu_scanout),
-         VMSTATE_UINT32(cursor.pos.y, struct virtio_gpu_scanout),
--        VMSTATE_UINT32_V(fb.format, struct virtio_gpu_scanout, 2),
--        VMSTATE_UINT32_V(fb.bytes_pp, struct virtio_gpu_scanout, 2),
--        VMSTATE_UINT32_V(fb.width, struct virtio_gpu_scanout, 2),
--        VMSTATE_UINT32_V(fb.height, struct virtio_gpu_scanout, 2),
--        VMSTATE_UINT32_V(fb.stride, struct virtio_gpu_scanout, 2),
--        VMSTATE_UINT32_V(fb.offset, struct virtio_gpu_scanout, 2),
-+        VMSTATE_UINT32_TEST(fb.format, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
-+        VMSTATE_UINT32_TEST(fb.bytes_pp, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
-+        VMSTATE_UINT32_TEST(fb.width, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
-+        VMSTATE_UINT32_TEST(fb.height, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
-+        VMSTATE_UINT32_TEST(fb.stride, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
-+        VMSTATE_UINT32_TEST(fb.offset, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
-         VMSTATE_END_OF_LIST()
-     },
- };
-@@ -1659,6 +1666,7 @@ static Property virtio_gpu_properties[] = {
-     DEFINE_PROP_BIT("blob", VirtIOGPU, parent_obj.conf.flags,
-                     VIRTIO_GPU_FLAG_BLOB_ENABLED, false),
-     DEFINE_PROP_SIZE("hostmem", VirtIOGPU, parent_obj.conf.hostmem, 0),
-+    DEFINE_PROP_UINT8("x-scanout-vmstate-version", VirtIOGPU, scanout_vmstate_version, 2),
-     DEFINE_PROP_END_OF_LIST(),
- };
- 
-diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
-index ed44cdad6b..842315d51d 100644
---- a/include/hw/virtio/virtio-gpu.h
-+++ b/include/hw/virtio/virtio-gpu.h
-@@ -177,6 +177,7 @@ typedef struct VGPUDMABuf {
- struct VirtIOGPU {
-     VirtIOGPUBase parent_obj;
- 
-+    uint8_t scanout_vmstate_version;
-     uint64_t conf_max_hostmem;
- 
-     VirtQueue *ctrl_vq;

debian/patches/extra/0007-hw-pflash-fix-block-write-start.patch

@@ -1,59 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 16 May 2024 10:46:34 +0200
-Subject: [PATCH] hw/pflash: fix block write start
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Move the pflash_blk_write_start() call.  We need the offset of the
-first data write, not the offset for the setup (number-of-bytes)
-write.  Without this fix u-boot can do block writes to the first
-flash block only.
-
-While being at it drop a leftover FIXME.
-
-Cc: qemu-stable@nongnu.org
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2343
-Fixes: fcc79f2e0955 ("hw/pflash: implement update buffer for block writes")
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-(picked up from https://lists.nongnu.org/archive/html/qemu-stable/2024-05/msg00091.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/block/pflash_cfi01.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
-index 1bda8424b9..c8f1cf5a87 100644
---- a/hw/block/pflash_cfi01.c
-+++ b/hw/block/pflash_cfi01.c
-@@ -518,10 +518,6 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
-             break;
-         case 0xe8: /* Write to buffer */
-             trace_pflash_write(pfl->name, "write to buffer");
--            /* FIXME should save @offset, @width for case 1+ */
--            qemu_log_mask(LOG_UNIMP,
--                          "%s: Write to buffer emulation is flawed\n",
--                          __func__);
-             pfl->status |= 0x80; /* Ready! */
-             break;
-         case 0xf0: /* Probe for AMD flash */
-@@ -574,7 +570,6 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
-             }
-             pfl->counter = value;
-             pfl->wcycle++;
--            pflash_blk_write_start(pfl, offset);
-             break;
-         case 0x60:
-             if (cmd == 0xd0) {
-@@ -605,6 +600,9 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
-         switch (pfl->cmd) {
-         case 0xe8: /* Block write */
-             /* FIXME check @offset, @width */
-+            if (pfl->blk_offset == -1 && pfl->counter) {
-+                pflash_blk_write_start(pfl, offset);
-+            }
-             if (!pfl->ro && (pfl->blk_offset != -1)) {
-                 pflash_data_write(pfl, offset, value, width, be);
-             } else {

debian/patches/extra/0008-target-i386-fix-operand-size-for-DATA16-REX.W-POPCNT.patch

@@ -1,51 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 9 May 2024 12:38:10 +0200
-Subject: [PATCH] target/i386: fix operand size for DATA16 REX.W POPCNT
-
-According to the manual, 32-bit vs 64-bit is governed by REX.W
-and REX ignores the 0x66 prefix.  This can be confirmed with this
-program:
-
-    #include <stdio.h>
-    int main()
-    {
-       int x = 0x12340000;
-       int y;
-       asm("popcntl %1, %0" : "=r" (y) : "r" (x)); printf("%x\n", y);
-       asm("mov $-1, %0; .byte 0x66; popcntl %1, %0" : "+r" (y) : "r" (x)); printf("%x\n", y);
-       asm("mov $-1, %0; .byte 0x66; popcntq %q1, %q0" : "+r" (y) : "r" (x)); printf("%x\n", y);
-    }
-
-which prints 5/ffff0000/5 on real hardware and 5/ffff0000/ffff0000
-on QEMU.
-
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 41c685dc59bb611096f3bb6a663cfa82e4cba97b)
-[FE: keep mo_64_32 helper which still has other users in 9.0.0]
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/translate.c | 7 +------
- 1 file changed, 1 insertion(+), 6 deletions(-)
-
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
-index 76a42c679c..b60f3bd642 100644
---- a/target/i386/tcg/translate.c
-+++ b/target/i386/tcg/translate.c
-@@ -6799,12 +6799,7 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
-         modrm = x86_ldub_code(env, s);
-         reg = ((modrm >> 3) & 7) | REX_R(s);
- 
--        if (s->prefix & PREFIX_DATA) {
--            ot = MO_16;
--        } else {
--            ot = mo_64_32(dflag);
--        }
--
-+        ot = dflag;
-         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
-         gen_extu(ot, s->T0);
-         tcg_gen_mov_tl(cpu_cc_src, s->T0);

debian/patches/extra/0009-qapi-blockdev-backup-add-discard-source-parameter.patch

@@ -45,10 +45,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  10 files changed, 37 insertions(+), 8 deletions(-)
 
 diff --git a/block/backup.c b/block/backup.c
-index 16d611c4ca..1963e47ab9 100644
+index ec29d6b810..3dd2e229d2 100644
 --- a/block/backup.c
 +++ b/block/backup.c
-@@ -332,7 +332,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -356,7 +356,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
                    BlockDriverState *target, int64_t speed,
                    MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
                    BitmapSyncMode bitmap_mode,
@@ -57,7 +57,7 @@ index 16d611c4ca..1963e47ab9 100644
                    const char *filter_node_name,
                    BackupPerf *perf,
                    BlockdevOnError on_source_error,
-@@ -433,7 +433,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -457,7 +457,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
          goto error;
      }
  
@@ -203,10 +203,10 @@ index ca6bd0a720..0415a5e8b7 100644
                                  BLOCKDEV_ON_ERROR_REPORT, JOB_INTERNAL,
                                  backup_job_completed, bs, NULL, &local_err);
 diff --git a/blockdev.c b/blockdev.c
-index 5e5dbc1da9..1054a69279 100644
+index 057601dcf0..4c33c3f5f0 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -2727,7 +2727,7 @@ static BlockJob *do_backup_common(BackupCommon *backup,
+@@ -2726,7 +2726,7 @@ static BlockJob *do_backup_common(BackupCommon *backup,
  
      job = backup_job_create(backup->job_id, bs, target_bs, backup->speed,
                              backup->sync, bmap, backup->bitmap_mode,
@@ -241,10 +241,10 @@ index 8b41643bfa..bdc703bacd 100644
  
  /* Function should be called prior any actual copy request */
 diff --git a/include/block/block_int-global-state.h b/include/block/block_int-global-state.h
-index cc1387ae02..f0c642b194 100644
+index d2201e27f4..eb2d92a226 100644
 --- a/include/block/block_int-global-state.h
 +++ b/include/block/block_int-global-state.h
-@@ -195,7 +195,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -193,7 +193,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
                              MirrorSyncMode sync_mode,
                              BdrvDirtyBitmap *sync_bitmap,
                              BitmapSyncMode bitmap_mode,
@@ -254,10 +254,10 @@ index cc1387ae02..f0c642b194 100644
                              BackupPerf *perf,
                              BlockdevOnError on_source_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index f516d8e95a..d796d49abb 100644
+index 4b18e01b85..b179d65520 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -1849,6 +1849,9 @@
+@@ -1610,6 +1610,9 @@
  #     node specified by @drive.  If this option is not given, a node
  #     name is autogenerated.  (Since: 4.2)
  #
@@ -267,7 +267,7 @@ index f516d8e95a..d796d49abb 100644
  # @x-perf: Performance options.  (Since 6.0)
  #
  # Features:
-@@ -1870,6 +1873,7 @@
+@@ -1631,6 +1634,7 @@
              '*on-target-error': 'BlockdevOnError',
              '*auto-finalize': 'bool', '*auto-dismiss': 'bool',
              '*filter-node-name': 'str',

debian/patches/extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch

@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 9 May 2024 15:55:47 +0200
-Subject: [PATCH] target/i386: rdpkru/wrpkru are no-prefix instructions
-
-Reject 0x66/0xf3/0xf2 in front of them.
-
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 40a3ec7b5ffde500789d016660a171057d6b467c)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/translate.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
-index b60f3bd642..3e949fe964 100644
---- a/target/i386/tcg/translate.c
-+++ b/target/i386/tcg/translate.c
-@@ -6083,7 +6083,8 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
-             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
-             break;
-         case 0xee: /* rdpkru */
--            if (prefixes & PREFIX_LOCK) {
-+            if (s->prefix & (PREFIX_LOCK | PREFIX_DATA
-+                             | PREFIX_REPZ | PREFIX_REPNZ)) {
-                 goto illegal_op;
-             }
-             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
-@@ -6091,7 +6092,8 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
-             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
-             break;
-         case 0xef: /* wrpkru */
--            if (prefixes & PREFIX_LOCK) {
-+            if (s->prefix & (PREFIX_LOCK | PREFIX_DATA
-+                             | PREFIX_REPZ | PREFIX_REPNZ)) {
-                 goto illegal_op;
-             }
-             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],

debian/patches/extra/0010-hw-virtio-Fix-the-de-initialization-of-vhost-user-de.patch

@@ -0,0 +1,92 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 18 Jun 2024 14:19:58 +0200
+Subject: [PATCH] hw/virtio: Fix the de-initialization of vhost-user devices
+
+The unrealize functions of the various vhost-user devices are
+calling the corresponding vhost_*_set_status() functions with a
+status of 0 to shut down the device correctly.
+
+Now these vhost_*_set_status() functions all follow this scheme:
+
+    bool should_start = virtio_device_should_start(vdev, status);
+
+    if (vhost_dev_is_started(&vvc->vhost_dev) == should_start) {
+        return;
+    }
+
+    if (should_start) {
+        /* ... do the initialization stuff ... */
+    } else {
+        /* ... do the cleanup stuff ... */
+    }
+
+The problem here is virtio_device_should_start(vdev, 0) currently
+always returns "true" since it internally only looks at vdev->started
+instead of looking at the "status" parameter. Thus once the device
+got started once, virtio_device_should_start() always returns true
+and thus the vhost_*_set_status() functions return early, without
+ever doing any clean-up when being called with status == 0. This
+causes e.g. problems when trying to hot-plug and hot-unplug a vhost
+user devices multiple times since the de-initialization step is
+completely skipped during the unplug operation.
+
+This bug has been introduced in commit 9f6bcfd99f ("hw/virtio: move
+vm_running check to virtio_device_started") which replaced
+
+ should_start = status & VIRTIO_CONFIG_S_DRIVER_OK;
+
+with
+
+ should_start = virtio_device_started(vdev, status);
+
+which later got replaced by virtio_device_should_start(). This blocked
+the possibility to set should_start to false in case the status flag
+VIRTIO_CONFIG_S_DRIVER_OK was not set.
+
+Fix it by adjusting the virtio_device_should_start() function to
+only consider the status flag instead of vdev->started. Since this
+function is only used in the various vhost_*_set_status() functions
+for exactly the same purpose, it should be fine to fix it in this
+central place there without any risk to change the behavior of other
+code.
+
+Fixes: 9f6bcfd99f ("hw/virtio: move vm_running check to virtio_device_started")
+Buglink: https://issues.redhat.com/browse/RHEL-40708
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20240618121958.88673-1-thuth@redhat.com>
+Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit d72479b11797c28893e1e3fc565497a9cae5ca16)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ include/hw/virtio/virtio.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index 7d5ffdc145..2eafad17b8 100644
+--- a/include/hw/virtio/virtio.h
++++ b/include/hw/virtio/virtio.h
+@@ -470,9 +470,9 @@ static inline bool virtio_device_started(VirtIODevice *vdev, uint8_t status)
+  * @vdev - the VirtIO device
+  * @status - the devices status bits
+  *
+- * This is similar to virtio_device_started() but also encapsulates a
+- * check on the VM status which would prevent a device starting
+- * anyway.
++ * This is similar to virtio_device_started() but ignores vdev->started
++ * and also encapsulates a check on the VM status which would prevent a
++ * device from starting anyway.
+  */
+ static inline bool virtio_device_should_start(VirtIODevice *vdev, uint8_t status)
+ {
+@@ -480,7 +480,7 @@ static inline bool virtio_device_should_start(VirtIODevice *vdev, uint8_t status
+         return false;
+     }
+ 
+-    return virtio_device_started(vdev, status);
++    return status & VIRTIO_CONFIG_S_DRIVER_OK;
+ }
+ 
+ static inline void virtio_set_started(VirtIODevice *vdev, bool started)

debian/patches/extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch

@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 8 May 2024 11:10:54 +0200
-Subject: [PATCH] target/i386: fix feature dependency for WAITPKG
-
-The VMX feature bit depends on general availability of WAITPKG,
-not the other way round.
-
-Fixes: 33cc88261c3 ("target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE", 2023-08-28)
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit fe01af5d47d4cf7fdf90c54d43f784e5068c8d72)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/cpu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 33760a2ee1..e693f8ca9a 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -1550,8 +1550,8 @@ static FeatureDep feature_dependencies[] = {
-         .to = { FEAT_SVM,                   ~0ull },
-     },
-     {
--        .from = { FEAT_VMX_SECONDARY_CTLS,  VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE },
--        .to = { FEAT_7_0_ECX,               CPUID_7_0_ECX_WAITPKG },
-+        .from = { FEAT_7_0_ECX,             CPUID_7_0_ECX_WAITPKG },
-+        .to = { FEAT_VMX_SECONDARY_CTLS,    VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE },
-     },
- };
- 

debian/patches/extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch

@@ -1,87 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Thu, 16 May 2024 12:59:52 +0200
-Subject: [PATCH] Revert "virtio-pci: fix use of a released vector"
-
-This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0.
-
-The fix causes some issues:
-https://gitlab.com/qemu-project/qemu/-/issues/2321
-https://gitlab.com/qemu-project/qemu/-/issues/2334
-
-The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released
-vector") is CVE-2024-4693 [0] and allows a malicious guest that
-controls the boot process in the guest to crash its QEMU process.
-
-The issues sound worse than the CVE, so revert until there is a proper
-fix.
-
-[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693
-
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/virtio/virtio-pci.c | 37 ++-----------------------------------
- 1 file changed, 2 insertions(+), 35 deletions(-)
-
-diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
-index cb159fd078..cb6940fc0e 100644
---- a/hw/virtio/virtio-pci.c
-+++ b/hw/virtio/virtio-pci.c
-@@ -1424,38 +1424,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,
-     return offset;
- }
- 
--static void virtio_pci_set_vector(VirtIODevice *vdev,
--                                  VirtIOPCIProxy *proxy,
--                                  int queue_no, uint16_t old_vector,
--                                  uint16_t new_vector)
--{
--    bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
--        msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
--
--    if (new_vector == old_vector) {
--        return;
--    }
--
--    /*
--     * If the device uses irqfd and the vector changes after DRIVER_OK is
--     * set, we need to release the old vector and set up the new one.
--     * Otherwise just need to set the new vector on the device.
--     */
--    if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
--        kvm_virtio_pci_vector_release_one(proxy, queue_no);
--    }
--    /* Set the new vector on the device. */
--    if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
--        vdev->config_vector = new_vector;
--    } else {
--        virtio_queue_set_vector(vdev, queue_no, new_vector);
--    }
--    /* If the new vector changed need to set it up. */
--    if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
--        kvm_virtio_pci_vector_use_one(proxy, queue_no);
--    }
--}
--
- int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,
-                            uint8_t bar, uint64_t offset, uint64_t length,
-                            uint8_t id)
-@@ -1602,8 +1570,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
-         } else {
-             val = VIRTIO_NO_VECTOR;
-         }
--        virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,
--                              vdev->config_vector, val);
-+        vdev->config_vector = val;
-         break;
-     case VIRTIO_PCI_COMMON_STATUS:
-         if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
-@@ -1643,7 +1610,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
-         } else {
-             val = VIRTIO_NO_VECTOR;
-         }
--        virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);
-+        virtio_queue_set_vector(vdev, vdev->queue_sel, val);
-         break;
-     case VIRTIO_PCI_COMMON_Q_ENABLE:
-         if (val == 1) {

debian/patches/extra/0011-target-arm-Use-float_status-copy-in-sme_fmopa_s.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniyal Khan <danikhan632@gmail.com>
+Date: Wed, 17 Jul 2024 16:01:47 +1000
+Subject: [PATCH] target/arm: Use float_status copy in sme_fmopa_s
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We made a copy above because the fp exception flags
+are not propagated back to the FPST register, but
+then failed to use the copy.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 558e956c719 ("target/arm: Implement FMOPA, FMOPS (non-widening)")
+Signed-off-by: Daniyal Khan <danikhan632@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20240717060149.204788-2-richard.henderson@linaro.org
+[rth: Split from a larger patch]
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 31d93fedf41c24b0badb38cd9317590d1ef74e37)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/sme_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index e2e0575039..5a6dd76489 100644
+--- a/target/arm/tcg/sme_helper.c
++++ b/target/arm/tcg/sme_helper.c
+@@ -916,7 +916,7 @@ void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
+                         if (pb & 1) {
+                             uint32_t *a = vza_row + H1_4(col);
+                             uint32_t *m = vzm + H1_4(col);
+-                            *a = float32_muladd(n, *m, *a, 0, vst);
++                            *a = float32_muladd(n, *m, *a, 0, &fpst);
+                         }
+                         col += 4;
+                         pb >>= 4;

debian/patches/extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch

@@ -1,57 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Thu, 16 May 2024 15:21:07 +0200
-Subject: [PATCH] hw/core/machine: move compatibility flags for VirtIO-net USO
- to machine 8.1
-
-Migration from an 8.2 or 9.0 binary to an 8.1 binary with machine
-version 8.1 can fail with:
-
-> kvm: Features 0x1c0010130afffa7 unsupported. Allowed features: 0x10179bfffe7
-> kvm: Failed to load virtio-net:virtio
-> kvm: error while loading state for instance 0x0 of device '0000:00:12.0/virtio-net'
-> kvm: load of migration failed: Operation not permitted
-
-The series
-
-53da8b5a99 virtio-net: Add support for USO features
-9da1684954 virtio-net: Add USO flags to vhost support.
-f03e0cf63b tap: Add check for USO features
-2ab0ec3121 tap: Add USO support to tap device.
-
-only landed in QEMU 8.2, so the compatibility flags should be part of
-machine version 8.1.
-
-Moving the flags unfortunately breaks forward migration with machine
-version 8.1 from a binary without this patch to a binary with this
-patch when the feature is enabled by the guest.
-
-Fixes: 53da8b5a99 ("virtio-net: Add support for USO features")
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/core/machine.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index d33a37a6f6..4273de16a0 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -46,15 +46,15 @@ GlobalProperty hw_compat_8_1[] = {
-     { "ramfb", "x-migrate", "off" },
-     { "vfio-pci-nohotplug", "x-ramfb-migrate", "off" },
-     { "igb", "x-pcie-flr-init", "off" },
-+    { TYPE_VIRTIO_NET, "host_uso", "off"},
-+    { TYPE_VIRTIO_NET, "guest_uso4", "off"},
-+    { TYPE_VIRTIO_NET, "guest_uso6", "off"},
- };
- const size_t hw_compat_8_1_len = G_N_ELEMENTS(hw_compat_8_1);
- 
- GlobalProperty hw_compat_8_0[] = {
-     { "migration", "multifd-flush-after-each-section", "on"},
-     { TYPE_PCI_DEVICE, "x-pcie-ari-nextfn-1", "on" },
--    { TYPE_VIRTIO_NET, "host_uso", "off"},
--    { TYPE_VIRTIO_NET, "guest_uso4", "off"},
--    { TYPE_VIRTIO_NET, "guest_uso6", "off"},
- };
- const size_t hw_compat_8_0_len = G_N_ELEMENTS(hw_compat_8_0);
- 

debian/patches/extra/0012-target-arm-Use-FPST_F16-for-SME-FMOPA-widening.patch

@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Wed, 17 Jul 2024 16:01:48 +1000
+Subject: [PATCH] target/arm: Use FPST_F16 for SME FMOPA (widening)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This operation has float16 inputs and thus must use
+the FZ16 control not the FZ control.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 3916841ac75 ("target/arm: Implement FMOPA, FMOPS (widening)")
+Reported-by: Daniyal Khan <danikhan632@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20240717060149.204788-3-richard.henderson@linaro.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2374
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 207d30b5fdb5b45a36f26eefcf52fe2c1714dd4f)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/translate-sme.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+index 46c7fce8b4..185a8a917b 100644
+--- a/target/arm/tcg/translate-sme.c
++++ b/target/arm/tcg/translate-sme.c
+@@ -304,6 +304,7 @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
+ }
+ 
+ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
++                            ARMFPStatusFlavour e_fpst,
+                             gen_helper_gvec_5_ptr *fn)
+ {
+     int svl = streaming_vec_reg_size(s);
+@@ -319,15 +320,18 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+     pm = pred_full_reg_ptr(s, a->pm);
+-    fpst = fpstatus_ptr(FPST_FPCR);
++    fpst = fpstatus_ptr(e_fpst);
+ 
+     fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
+     return true;
+ }
+ 
+-TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
+-TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
+-TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
++TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a,
++           MO_32, FPST_FPCR_F16, gen_helper_sme_fmopa_h)
++TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a,
++           MO_32, FPST_FPCR, gen_helper_sme_fmopa_s)
++TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a,
++           MO_64, FPST_FPCR, gen_helper_sme_fmopa_d)
+ 
+ /* TODO: FEAT_EBF16 */
+ TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)

debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch

@@ -1,53 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Mon, 6 May 2024 15:06:21 -0400
-Subject: [PATCH] Revert "monitor: use aio_co_reschedule_self()"
-
-Commit 1f25c172f837 ("monitor: use aio_co_reschedule_self()") was a code
-cleanup that uses aio_co_reschedule_self() instead of open coding
-coroutine rescheduling.
-
-Bug RHEL-34618 was reported and Kevin Wolf <kwolf@redhat.com> identified
-the root cause. I missed that aio_co_reschedule_self() ->
-qemu_get_current_aio_context() only knows about
-qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It
-does not function correctly when going back from the iohandler_ctx to
-qemu_aio_context.
-
-Go back to open coding the AioContext transitions to avoid this bug.
-
-This reverts commit 1f25c172f83704e350c0829438d832384084a74d.
-
-Buglink: https://issues.redhat.com/browse/RHEL-34618
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- qapi/qmp-dispatch.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index 2624eb3470..790bb7d1da 100644
---- a/qapi/qmp-dispatch.c
-+++ b/qapi/qmp-dispatch.c
-@@ -224,7 +224,8 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
-              * executing the command handler so that it can make progress if it
-              * involves an AIO_WAIT_WHILE().
-              */
--            aio_co_reschedule_self(qemu_get_aio_context());
-+            aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
-+            qemu_coroutine_yield();
-         }
- 
-         monitor_set_cur(qemu_coroutine_self(), cur_mon);
-@@ -238,7 +239,9 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
-              * Move back to iohandler_ctx so that nested event loops for
-              * qemu_aio_context don't start new monitor commands.
-              */
--            aio_co_reschedule_self(iohandler_get_aio_context());
-+            aio_co_schedule(iohandler_get_aio_context(),
-+                            qemu_coroutine_self());
-+            qemu_coroutine_yield();
-         }
-     } else {
-        /*

debian/patches/extra/0013-scsi-fix-regression-and-honor-bootindex-again-for-le.patch

@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 10 Jul 2024 17:25:29 +0200
+Subject: [PATCH] scsi: fix regression and honor bootindex again for legacy
+ drives
+
+Commit 3089637461 ("scsi: Don't ignore most usb-storage properties")
+removed the call to object_property_set_int() and thus the 'set'
+method for the bootindex property was also not called anymore. Here
+that method is device_set_bootindex() (as configured by
+scsi_dev_instance_init() -> device_add_bootindex_property()) which as
+a side effect registers the device via add_boot_device_path().
+
+As reported by a downstream user [0], the bootindex property did not
+have the desired effect anymore for legacy drives. Fix the regression
+by explicitly calling the add_boot_device_path() function after
+checking that the bootindex is not yet used (to avoid
+add_boot_device_path() calling exit()).
+
+[0]: https://forum.proxmox.com/threads/149772/post-679433
+
+Cc: qemu-stable@nongnu.org
+Fixes: 3089637461 ("scsi: Don't ignore most usb-storage properties")
+Suggested-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Link: https://lore.kernel.org/r/20240710152529.1737407-1-f.ebner@proxmox.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 57a8a80d1a5b28797b21d30bfc60601945820e51)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/scsi-bus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
+index 9e40b0c920..53eff5dd3d 100644
+--- a/hw/scsi/scsi-bus.c
++++ b/hw/scsi/scsi-bus.c
+@@ -384,6 +384,7 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
+     DeviceState *dev;
+     SCSIDevice *s;
+     DriveInfo *dinfo;
++    Error *local_err = NULL;
+ 
+     if (blk_is_sg(blk)) {
+         driver = "scsi-generic";
+@@ -403,6 +404,14 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
+     s = SCSI_DEVICE(dev);
+     s->conf = *conf;
+ 
++    check_boot_index(conf->bootindex, &local_err);
++    if (local_err) {
++        object_unparent(OBJECT(dev));
++        error_propagate(errp, local_err);
++        return NULL;
++    }
++    add_boot_device_path(conf->bootindex, dev, NULL);
++
+     qdev_prop_set_uint32(dev, "scsi-id", unit);
+     if (object_property_find(OBJECT(dev), "removable")) {
+         qdev_prop_set_bit(dev, "removable", removable);

debian/patches/extra/0014-hw-scsi-lsi53c895a-bump-instruction-limit-in-scripts.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Mon, 15 Jul 2024 15:14:03 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: bump instruction limit in scripts
+ processing to fix regression
+
+Commit 9876359990 ("hw/scsi/lsi53c895a: add timer to scripts
+processing") reduced the maximum allowed instruction count by
+a factor of 100 all the way down to 100.
+
+This causes the "Check Point R81.20 Gaia" appliance [0] to fail to
+boot after fully finishing the installation via the appliance's web
+interface (there is already one reboot before that).
+
+With a limit of 150, the appliance still fails to boot, while with a
+limit of 200, it works. Bump to 500 to fix the regression and be on
+the safe side.
+
+Originally reported in the Proxmox community forum[1].
+
+[0]: https://support.checkpoint.com/results/download/124397
+[1]: https://forum.proxmox.com/threads/149772/post-683459
+
+Cc: qemu-stable@nongnu.org
+Fixes: 9876359990 ("hw/scsi/lsi53c895a: add timer to scripts processing")
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Acked-by: Sven Schnelle <svens@stackframe.org>
+Link: https://lore.kernel.org/r/20240715131403.223239-1-f.ebner@proxmox.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit a4975023fb13cf229bd59c9ceec1b8cbdc5b9a20)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/lsi53c895a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index eb9828dd5e..f1935e5328 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -188,7 +188,7 @@ static const char *names[] = {
+ #define LSI_TAG_VALID     (1 << 16)
+ 
+ /* Maximum instructions to process. */
+-#define LSI_MAX_INSN    100
++#define LSI_MAX_INSN    500
+ 
+ typedef struct lsi_request {
+     SCSIRequest *req;

debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch

@@ -1,51 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Mon, 22 Apr 2024 10:07:22 -0700
-Subject: [PATCH] target/arm: Restrict translation disabled alignment check to
- VMSA
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For cpus using PMSA, when the MPU is disabled, the default memory
-type is Normal, Non-cachable. This means that it should not
-have alignment restrictions enforced.
-
-Cc: qemu-stable@nongnu.org
-Fixes: 59754f85ed3 ("target/arm: Do memory type alignment check when translation disabled")
-Reported-by: Clément Chigot <chigot@adacore.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Tested-by: Clément Chigot <chigot@adacore.com>
-Message-id: 20240422170722.117409-1-richard.henderson@linaro.org
-[PMM: trivial comment, commit message tweaks]
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 7b19a3554d2df22d29c75319a1dac17615d1b20e)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/arm/tcg/hflags.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
-index 5da1b0fc1d..f03977b4b0 100644
---- a/target/arm/tcg/hflags.c
-+++ b/target/arm/tcg/hflags.c
-@@ -38,8 +38,16 @@ static bool aprofile_require_alignment(CPUARMState *env, int el, uint64_t sctlr)
-     }
- 
-     /*
--     * If translation is disabled, then the default memory type is
--     * Device(-nGnRnE) instead of Normal, which requires that alignment
-+     * With PMSA, when the MPU is disabled, all memory types in the
-+     * default map are Normal, so don't need aligment enforcing.
-+     */
-+    if (arm_feature(env, ARM_FEATURE_PMSA)) {
-+        return false;
-+    }
-+
-+    /*
-+     * With VMSA, if translation is disabled, then the default memory type
-+     * is Device(-nGnRnE) instead of Normal, which requires that alignment
-      * be enforced.  Since this affects all ram, it is most efficient
-      * to handle this during translation.
-      */

debian/patches/extra/0015-block-copy-Fix-missing-graph-lock.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 27 Jun 2024 20:12:44 +0200
+Subject: [PATCH] block-copy: Fix missing graph lock
+
+The graph lock needs to be held when calling bdrv_co_pdiscard(). Fix
+block_copy_task_entry() to take it for the call.
+
+WITH_GRAPH_RDLOCK_GUARD() was implemented in a weak way because of
+limitations in clang's Thread Safety Analysis at the time, so that it
+only asserts that the lock is held (which allows calling functions that
+require the lock), but we never deal with the unlocking (so even after
+the scope of the guard, the compiler assumes that the lock is still
+held). This is why the compiler didn't catch this locking error.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+(picked from https://lore.kernel.org/qemu-devel/20240627181245.281403-2-kwolf@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ block/block-copy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/block/block-copy.c b/block/block-copy.c
+index 7e3b378528..cc618e4561 100644
+--- a/block/block-copy.c
++++ b/block/block-copy.c
+@@ -595,7 +595,9 @@ static coroutine_fn int block_copy_task_entry(AioTask *task)
+     if (s->discard_source && ret == 0) {
+         int64_t nbytes =
+             MIN(t->req.offset + t->req.bytes, s->len) - t->req.offset;
+-        bdrv_co_pdiscard(s->source, t->req.offset, nbytes);
++        WITH_GRAPH_RDLOCK_GUARD() {
++            bdrv_co_pdiscard(s->source, t->req.offset, nbytes);
++        }
+     }
+ 
+     return ret;

debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch

@@ -1,80 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ruihan Li <lrh2000@pku.edu.cn>
-Date: Mon, 15 Apr 2024 14:45:21 +0800
-Subject: [PATCH] target/i386: Give IRQs a chance when resetting
- HF_INHIBIT_IRQ_MASK
-
-When emulated with QEMU, interrupts will never come in the following
-loop. However, if the NOP instruction is uncommented, interrupts will
-fire as normal.
-
-	loop:
-		cli
-    		call do_sti
-		jmp loop
-
-	do_sti:
-		sti
-		# nop
-		ret
-
-This behavior is different from that of a real processor. For example,
-if KVM is enabled, interrupts will always fire regardless of whether the
-NOP instruction is commented or not. Also, the Intel Software Developer
-Manual states that after the STI instruction is executed, the interrupt
-inhibit should end as soon as the next instruction (e.g., the RET
-instruction if the NOP instruction is commented) is executed.
-
-This problem is caused because the previous code may choose not to end
-the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
-case where the STI instruction is immediately followed by the RET
-instruction), so that IRQs may not have a change to trigger. This commit
-fixes the problem by always terminating the current TB to give IRQs a
-chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
-
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
-Message-ID: <20240415064518.4951-4-lrh2000@pku.edu.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/translate.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
-index 3e949fe964..b5ebff2c89 100644
---- a/target/i386/tcg/translate.c
-+++ b/target/i386/tcg/translate.c
-@@ -2798,13 +2798,17 @@ static void gen_bnd_jmp(DisasContext *s)
- static void
- do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
- {
-+    bool inhibit_reset;
-+
-     gen_update_cc_op(s);
- 
-     /* If several instructions disable interrupts, only the first does it.  */
--    if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
--        gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
--    } else {
-+    inhibit_reset = false;
-+    if (s->flags & HF_INHIBIT_IRQ_MASK) {
-         gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
-+        inhibit_reset = true;
-+    } else if (inhibit) {
-+        gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
-     }
- 
-     if (s->base.tb->flags & HF_RF_MASK) {
-@@ -2815,7 +2819,9 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
-         tcg_gen_exit_tb(NULL, 0);
-     } else if (s->flags & HF_TF_MASK) {
-         gen_helper_single_step(tcg_env);
--    } else if (jr) {
-+    } else if (jr &&
-+               /* give irqs a chance to happen */
-+               !inhibit_reset) {
-         tcg_gen_lookup_and_goto_ptr();
-     } else {
-         tcg_gen_exit_tb(NULL, 0);

debian/patches/extra/0016-Revert-qemu-char-do-not-operate-on-sources-from-fina.patch

@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sergey Dyasli <sergey.dyasli@nutanix.com>
+Date: Fri, 12 Jul 2024 09:26:59 +0000
+Subject: [PATCH] Revert "qemu-char: do not operate on sources from finalize
+ callbacks"
+
+This reverts commit 2b316774f60291f57ca9ecb6a9f0712c532cae34.
+
+After 038b4217884c ("Revert "chardev: use a child source for qio input
+source"") we've been observing the "iwp->src == NULL" assertion
+triggering periodically during the initial capabilities querying by
+libvirtd. One of possible backtraces:
+
+Thread 1 (Thread 0x7f16cd4f0700 (LWP 43858)):
+0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
+1  0x00007f16c6c21e65 in __GI_abort () at abort.c:79
+2  0x00007f16c6c21d39 in __assert_fail_base  at assert.c:92
+3  0x00007f16c6c46e86 in __GI___assert_fail (assertion=assertion@entry=0x562e9bcdaadd "iwp->src == NULL", file=file@entry=0x562e9bcdaac8 "../chardev/char-io.c", line=line@entry=99, function=function@entry=0x562e9bcdab10 <__PRETTY_FUNCTION__.20549> "io_watch_poll_finalize") at assert.c:101
+4  0x0000562e9ba20c2c in io_watch_poll_finalize (source=<optimized out>) at ../chardev/char-io.c:99
+5  io_watch_poll_finalize (source=<optimized out>) at ../chardev/char-io.c:88
+6  0x00007f16c904aae0 in g_source_unref_internal () from /lib64/libglib-2.0.so.0
+7  0x00007f16c904baf9 in g_source_destroy_internal () from /lib64/libglib-2.0.so.0
+8  0x0000562e9ba20db0 in io_remove_watch_poll (source=0x562e9d6720b0) at ../chardev/char-io.c:147
+9  remove_fd_in_watch (chr=chr@entry=0x562e9d5f3800) at ../chardev/char-io.c:153
+10 0x0000562e9ba23ffb in update_ioc_handlers (s=0x562e9d5f3800) at ../chardev/char-socket.c:592
+11 0x0000562e9ba2072f in qemu_chr_fe_set_handlers_full at ../chardev/char-fe.c:279
+12 0x0000562e9ba207a9 in qemu_chr_fe_set_handlers at ../chardev/char-fe.c:304
+13 0x0000562e9ba2ca75 in monitor_qmp_setup_handlers_bh (opaque=0x562e9d4c2c60) at ../monitor/qmp.c:509
+14 0x0000562e9bb6222e in aio_bh_poll (ctx=ctx@entry=0x562e9d4c2f20) at ../util/async.c:216
+15 0x0000562e9bb4de0a in aio_poll (ctx=0x562e9d4c2f20, blocking=blocking@entry=true) at ../util/aio-posix.c:722
+16 0x0000562e9b99dfaa in iothread_run (opaque=0x562e9d4c26f0) at ../iothread.c:63
+17 0x0000562e9bb505a4 in qemu_thread_start (args=0x562e9d4c7ea0) at ../util/qemu-thread-posix.c:543
+18 0x00007f16c70081ca in start_thread (arg=<optimized out>) at pthread_create.c:479
+19 0x00007f16c6c398d3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
+
+io_remove_watch_poll(), which makes sure that iwp->src is NULL, calls
+g_source_destroy() which finds that iwp->src is not NULL in the finalize
+callback. This can only happen if another thread has managed to trigger
+io_watch_poll_prepare() callback in the meantime.
+
+Move iwp->src destruction back to the finalize callback to prevent the
+described race, and also remove the stale comment. The deadlock glib bug
+was fixed back in 2010 by b35820285668 ("gmain: move finalization of
+GSource outside of context lock").
+
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sergey Dyasli <sergey.dyasli@nutanix.com>
+Link: https://lore.kernel.org/r/20240712092659.216206-1-sergey.dyasli@nutanix.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e0bf95443ee9326d44031373420cf9f3513ee255)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ chardev/char-io.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/chardev/char-io.c b/chardev/char-io.c
+index dab77b112e..3be17b51ca 100644
+--- a/chardev/char-io.c
++++ b/chardev/char-io.c
+@@ -87,16 +87,12 @@ static gboolean io_watch_poll_dispatch(GSource *source, GSourceFunc callback,
+ 
+ static void io_watch_poll_finalize(GSource *source)
+ {
+-    /*
+-     * Due to a glib bug, removing the last reference to a source
+-     * inside a finalize callback causes recursive locking (and a
+-     * deadlock).  This is not a problem inside other callbacks,
+-     * including dispatch callbacks, so we call io_remove_watch_poll
+-     * to remove this source.  At this point, iwp->src must
+-     * be NULL, or we would leak it.
+-     */
+     IOWatchPoll *iwp = io_watch_poll_from_source(source);
+-    assert(iwp->src == NULL);
++    if (iwp->src) {
++        g_source_destroy(iwp->src);
++        g_source_unref(iwp->src);
++        iwp->src = NULL;
++    }
+ }
+ 
+ static GSourceFuncs io_watch_poll_funcs = {
+@@ -139,11 +135,6 @@ static void io_remove_watch_poll(GSource *source)
+     IOWatchPoll *iwp;
+ 
+     iwp = io_watch_poll_from_source(source);
+-    if (iwp->src) {
+-        g_source_destroy(iwp->src);
+-        g_source_unref(iwp->src);
+-        iwp->src = NULL;
+-    }
+     g_source_destroy(&iwp->parent);
+ }
+ 

debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch

@@ -1,60 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: donsheng <dongsheng.x.zhang@intel.com>
-Date: Wed, 22 May 2024 04:01:14 +0800
-Subject: [PATCH] target-i386: hyper-v: Correct kvm_hv_handle_exit return value
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This bug fix addresses the incorrect return value of kvm_hv_handle_exit for
-KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT.
-
-Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous.
-This means that async_synic_update should run in the current QEMU vCPU
-thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this.
-Returning 0 can cause async_synic_update to run asynchronously.
-
-One problem (kvm-unit-tests's hyperv_synic test fails with timeout error)
-caused by this bug:
-
-When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC,
-a VM exit is triggered and processed by the kvm_hv_handle_exit function of the
-QEMU vCPU. This function then calls the async_synic_update function to set
-synic->sctl_enabled to true. A true value of synic->sctl_enabled is required
-before creating SINT routes using the hyperv_sint_route_new() function.
-
-If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU
-vCPU thread may return to KVM and enter the guest VM before running
-async_synic_update. In such case, the hyperv_synic test’s subsequent call to
-synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to
-HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return
-prematurely (because synic->sctl_enabled is false).
-
-If the SINT route is not created successfully, the SINT interrupt will not be
-fired, resulting in a timeout error in the hyperv_synic test.
-
-Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”)
-Suggested-by: Chao Gao <chao.gao@intel.com>
-Signed-off-by: Dongsheng Zhang <dongsheng.x.zhang@intel.com>
-Message-ID: <20240521200114.11588-1-dongsheng.x.zhang@intel.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/kvm/hyperv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/kvm/hyperv.c b/target/i386/kvm/hyperv.c
-index f2a3fe650a..b94f12acc2 100644
---- a/target/i386/kvm/hyperv.c
-+++ b/target/i386/kvm/hyperv.c
-@@ -81,7 +81,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
-          */
-         async_safe_run_on_cpu(CPU(cpu), async_synic_update, RUN_ON_CPU_NULL);
- 
--        return 0;
-+        return EXCP_INTERRUPT;
-     case KVM_EXIT_HYPERV_HCALL: {
-         uint16_t code = exit->u.hcall.input & 0xffff;
-         bool fast = exit->u.hcall.input & HV_HYPERCALL_FAST;

debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch

@@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 24 May 2024 17:17:47 +0200
-Subject: [PATCH] target/i386: disable jmp_opt if EFLAGS.RF is 1
-
-If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and
-therefore goto_tb cannot be used.
-
-Suggested-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/translate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
-index b5ebff2c89..c2c5e73b3f 100644
---- a/target/i386/tcg/translate.c
-+++ b/target/i386/tcg/translate.c
-@@ -6971,7 +6971,7 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
-     dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
-     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
-     dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
--                    (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
-+                    (flags & (HF_RF_MASK | HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
-     /*
-      * If jmp_opt, we want to handle each string instruction individually.
-      * For icount also disable repz optimization so that each iteration

debian/patches/extra/0017-virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch

@@ -0,0 +1,77 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Cindy Lu <lulu@redhat.com>
+Date: Tue, 6 Aug 2024 17:37:12 +0800
+Subject: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd
+
+The crash was reported in MAC OS and NixOS, here is the link for this bug
+https://gitlab.com/qemu-project/qemu/-/issues/2334
+https://gitlab.com/qemu-project/qemu/-/issues/2321
+
+In this bug, they are using the virtio_input device. The guest notifier was
+not supported for this device, The function virtio_pci_set_guest_notifiers()
+was not called, and the vector_irqfd was not initialized.
+
+So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()
+
+The function virtio_pci_get_notifier() can be used in various devices.
+It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation,
+the vector_irqfd being NULL is acceptable. We can allow the device continue to boot
+
+If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK
+is set, it means that the function set_guest_notifiers was not called before the
+driver started. This indicates that the device is not using the notifier.
+At this point, we will let the check fail.
+
+This fix is verified in vyatta,MacOS,NixOS,fedora system.
+
+The bt tree for this bug is:
+Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0x7c817be006c0 (LWP 1269146)]
+kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
+817         if (irqfd->users == 0) {
+(gdb) thread apply all bt
+...
+Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
+0  kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
+1  kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
+2  0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497
+3  0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573
+4  0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528
+5  0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713
+6  0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743
+7  flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
+8  0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894
+9  0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904
+10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
+11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
+12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541
+13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
+14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6
+
+Fixes: 2ce6cff94d ("virtio-pci: fix use of a released vector")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Cindy Lu <lulu@redhat.com>
+Message-Id: <20240806093715.65105-1-lulu@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit a8e63ff289d137197ad7a701a587cc432872d798)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/virtio/virtio-pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
+index e04218a9fb..389bab003f 100644
+--- a/hw/virtio/virtio-pci.c
++++ b/hw/virtio/virtio-pci.c
+@@ -860,6 +860,9 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no,
+     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+     VirtQueue *vq;
+ 
++    if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)
++        return -1;
++
+     if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
+         *n = virtio_config_get_guest_notifier(vdev);
+         *vector = vdev->config_vector;

debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch

@@ -1,30 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Sat, 25 May 2024 10:03:22 +0200
-Subject: [PATCH] target/i386: no single-step exception after MOV or POP SS
-
-Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction
-loads the SS register executes with EFLAGS.TF = 1, no single-step debug
-exception occurs following the MOV or POP instruction."
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/translate.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
-index c2c5e73b3f..a55df176c6 100644
---- a/target/i386/tcg/translate.c
-+++ b/target/i386/tcg/translate.c
-@@ -2817,7 +2817,7 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
-     if (recheck_tf) {
-         gen_helper_rechecking_single_step(tcg_env);
-         tcg_gen_exit_tb(NULL, 0);
--    } else if (s->flags & HF_TF_MASK) {
-+    } else if ((s->flags & HF_TF_MASK) && !inhibit) {
-         gen_helper_single_step(tcg_env);
-     } else if (jr &&
-                /* give irqs a chance to happen */

debian/patches/extra/0018-virtio-net-Ensure-queue-index-fits-with-RSS.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Date: Mon, 1 Jul 2024 20:58:04 +0900
+Subject: [PATCH] virtio-net: Ensure queue index fits with RSS
+
+Ensure the queue index points to a valid queue when software RSS
+enabled. The new calculation matches with the behavior of Linux's TAP
+device with the RSS eBPF program.
+
+Fixes: 4474e37a5b3a ("virtio-net: implement RX RSS processing")
+Reported-by: Zhibin Hu <huzhibin5@huawei.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit f1595ceb9aad36a6c1da95bcb77ab9509b38822d)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/net/virtio-net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 3644bfd91b..f48588638d 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1949,7 +1949,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+     if (!no_rss && n->rss_data.enabled && n->rss_data.enabled_software_rss) {
+         int index = virtio_net_process_rss(nc, buf, size);
+         if (index >= 0) {
+-            NetClientState *nc2 = qemu_get_subqueue(n->nic, index);
++            NetClientState *nc2 =
++                qemu_get_subqueue(n->nic, index % n->curr_queue_pairs);
+             return virtio_net_receive_rcu(nc2, buf, size, true);
+         }
+     }

debian/patches/extra/0019-qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO.patch

@@ -1,107 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Tue, 2 Jul 2024 18:39:40 +0200
-Subject: [PATCH] qcow2: Don't open data_file with BDRV_O_NO_IO
-
-One use case for 'qemu-img info' is verifying that untrusted images
-don't reference an unwanted external file, be it as a backing file or an
-external data file. To make sure that calling 'qemu-img info' can't
-already have undesired side effects with a malicious image, just don't
-open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
-I/O, we don't need to have it open.
-
-This changes the output of iotests case 061, which used 'qemu-img info'
-to show that opening an image with an invalid data file fails. After
-this patch, it succeeds. Replace this part of the test with a qemu-io
-call, but keep the final 'qemu-img info' to show that the invalid data
-file is correctly displayed in the output.
-
-Fixes: CVE-2024-4467
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
-(picked from https://lore.kernel.org/qemu-devel/20240702163943.276618-2-kwolf@redhat.com/)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/qcow2.c              | 17 ++++++++++++++++-
- tests/qemu-iotests/061     |  6 ++++--
- tests/qemu-iotests/061.out |  8 ++++++--
- 3 files changed, 26 insertions(+), 5 deletions(-)
-
-diff --git a/block/qcow2.c b/block/qcow2.c
-index 956128b409..4c78665bcb 100644
---- a/block/qcow2.c
-+++ b/block/qcow2.c
-@@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags,
-         goto fail;
-     }
- 
--    if (open_data_file) {
-+    if (open_data_file && (flags & BDRV_O_NO_IO)) {
-+        /*
-+         * Don't open the data file for 'qemu-img info' so that it can be used
-+         * to verify that an untrusted qcow2 image doesn't refer to external
-+         * files.
-+         *
-+         * Note: This still makes has_data_file() return true.
-+         */
-+        if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
-+            s->data_file = NULL;
-+        } else {
-+            s->data_file = bs->file;
-+        }
-+        qdict_extract_subqdict(options, NULL, "data-file.");
-+        qdict_del(options, "data-file");
-+    } else if (open_data_file) {
-         /* Open external data file */
-         bdrv_graph_co_rdunlock();
-         s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs,
-diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
-index 53c7d428e3..b71ac097d1 100755
---- a/tests/qemu-iotests/061
-+++ b/tests/qemu-iotests/061
-@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
- echo
- _make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
- $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
--_img_info --format-specific
-+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
-+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
- TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
- 
- echo
- $QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
--_img_info --format-specific
-+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
-+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
- TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
- 
- echo
-diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
-index 139fc68177..24c33add7c 100644
---- a/tests/qemu-iotests/061.out
-+++ b/tests/qemu-iotests/061.out
-@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
- qemu-img: data-file can only be set for images that use an external data file
- 
- Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
--qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory
-+qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory
-+read 4096/4096 bytes at offset 0
-+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
- virtual size: 64 MiB (67108864 bytes)
-@@ -560,7 +562,9 @@ Format specific information:
-     corrupt: false
-     extended l2: false
- 
--qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image
-+qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image
-+read 4096/4096 bytes at offset 0
-+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
- virtual size: 64 MiB (67108864 bytes)

debian/patches/extra/0019-virtio-net-Fix-network-stall-at-the-host-side-waitin.patch

@@ -0,0 +1,338 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: thomas <east.moutain.yang@gmail.com>
+Date: Fri, 12 Jul 2024 11:10:53 +0800
+Subject: [PATCH] virtio-net: Fix network stall at the host side waiting for
+ kick
+
+Patch 06b12970174 ("virtio-net: fix network stall under load")
+added double-check to test whether the available buffer size
+can satisfy the request or not, in case the guest has added
+some buffers to the avail ring simultaneously after the first
+check. It will be lucky if the available buffer size becomes
+okay after the double-check, then the host can send the packet
+to the guest. If the buffer size still can't satisfy the request,
+even if the guest has added some buffers, viritio-net would
+stall at the host side forever.
+
+The patch enables notification and checks whether the guest has
+added some buffers since last check of available buffers when
+the available buffers are insufficient. If no buffer is added,
+return false, else recheck the available buffers in the loop.
+If the available buffers are sufficient, disable notification
+and return true.
+
+Changes:
+1. Change the return type of virtqueue_get_avail_bytes() from void
+   to int, it returns an opaque that represents the shadow_avail_idx
+   of the virtqueue on success, else -1 on error.
+2. Add a new API: virtio_queue_enable_notification_and_check(),
+   it takes an opaque as input arg which is returned from
+   virtqueue_get_avail_bytes(). It enables notification firstly,
+   then checks whether the guest has added some buffers since
+   last check of available buffers or not by virtio_queue_poll(),
+   return ture if yes.
+
+The patch also reverts patch "06b12970174".
+
+The case below can reproduce the stall.
+
+                                       Guest 0
+                                     +--------+
+                                     | iperf  |
+                    ---------------> | server |
+         Host       |                +--------+
+       +--------+   |                    ...
+       | iperf  |----
+       | client |----                  Guest n
+       +--------+   |                +--------+
+                    |                | iperf  |
+                    ---------------> | server |
+                                     +--------+
+
+Boot many guests from qemu with virtio network:
+ qemu ... -netdev tap,id=net_x \
+    -device virtio-net-pci-non-transitional,\
+    iommu_platform=on,mac=xx:xx:xx:xx:xx:xx,netdev=net_x
+
+Each guest acts as iperf server with commands below:
+ iperf3 -s -D -i 10 -p 8001
+ iperf3 -s -D -i 10 -p 8002
+
+The host as iperf client:
+ iperf3 -c guest_IP -p 8001 -i 30 -w 256k -P 20 -t 40000
+ iperf3 -c guest_IP -p 8002 -i 30 -w 256k -P 20 -t 40000
+
+After some time, the host loses connection to the guest,
+the guest can send packet to the host, but can't receive
+packet from the host.
+
+It's more likely to happen if SWIOTLB is enabled in the guest,
+allocating and freeing bounce buffer takes some CPU ticks,
+copying from/to bounce buffer takes more CPU ticks, compared
+with that there is no bounce buffer in the guest.
+Once the rate of producing packets from the host approximates
+the rate of receiveing packets in the guest, the guest would
+loop in NAPI.
+
+         receive packets    ---
+               |             |
+               v             |
+           free buf      virtnet_poll
+               |             |
+               v             |
+     add buf to avail ring  ---
+               |
+               |  need kick the host?
+               |  NAPI continues
+               v
+         receive packets    ---
+               |             |
+               v             |
+           free buf      virtnet_poll
+               |             |
+               v             |
+     add buf to avail ring  ---
+               |
+               v
+              ...           ...
+
+On the other hand, the host fetches free buf from avail
+ring, if the buf in the avail ring is not enough, the
+host notifies the guest the event by writing the avail
+idx read from avail ring to the event idx of used ring,
+then the host goes to sleep, waiting for the kick signal
+from the guest.
+
+Once the guest finds the host is waiting for kick singal
+(in virtqueue_kick_prepare_split()), it kicks the host.
+
+The host may stall forever at the sequences below:
+
+         Host                        Guest
+     ------------                 -----------
+ fetch buf, send packet           receive packet ---
+         ...                          ...         |
+ fetch buf, send packet             add buf       |
+         ...                        add buf   virtnet_poll
+    buf not enough      avail idx-> add buf       |
+    read avail idx                  add buf       |
+                                    add buf      ---
+                                  receive packet ---
+    write event idx                   ...         |
+    wait for kick                   add buf   virtnet_poll
+                                      ...         |
+                                                 ---
+                                 no more packet, exit NAPI
+
+In the first loop of NAPI above, indicated in the range of
+virtnet_poll above, the host is sending packets while the
+guest is receiving packets and adding buffers.
+ step 1: The buf is not enough, for example, a big packet
+         needs 5 buf, but the available buf count is 3.
+         The host read current avail idx.
+ step 2: The guest adds some buf, then checks whether the
+         host is waiting for kick signal, not at this time.
+         The used ring is not empty, the guest continues
+         the second loop of NAPI.
+ step 3: The host writes the avail idx read from avail
+         ring to used ring as event idx via
+         virtio_queue_set_notification(q->rx_vq, 1).
+ step 4: At the end of the second loop of NAPI, recheck
+         whether kick is needed, as the event idx in the
+         used ring written by the host is beyound the
+         range of kick condition, the guest will not
+         send kick signal to the host.
+
+Fixes: 06b12970174 ("virtio-net: fix network stall under load")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Wencheng Yang <east.moutain.yang@gmail.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit f937309fbdbb48c354220a3e7110c202ae4aa7fa)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/net/virtio-net.c        | 28 ++++++++++-------
+ hw/virtio/virtio.c         | 64 +++++++++++++++++++++++++++++++++++---
+ include/hw/virtio/virtio.h | 21 +++++++++++--
+ 3 files changed, 94 insertions(+), 19 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index f48588638d..d4b979d343 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1680,24 +1680,28 @@ static bool virtio_net_can_receive(NetClientState *nc)
+ 
+ static int virtio_net_has_buffers(VirtIONetQueue *q, int bufsize)
+ {
++    int opaque;
++    unsigned int in_bytes;
+     VirtIONet *n = q->n;
+-    if (virtio_queue_empty(q->rx_vq) ||
+-        (n->mergeable_rx_bufs &&
+-         !virtqueue_avail_bytes(q->rx_vq, bufsize, 0))) {
+-        virtio_queue_set_notification(q->rx_vq, 1);
+-
+-        /* To avoid a race condition where the guest has made some buffers
+-         * available after the above check but before notification was
+-         * enabled, check for available buffers again.
+-         */
+-        if (virtio_queue_empty(q->rx_vq) ||
+-            (n->mergeable_rx_bufs &&
+-             !virtqueue_avail_bytes(q->rx_vq, bufsize, 0))) {
++
++    while (virtio_queue_empty(q->rx_vq) || n->mergeable_rx_bufs) {
++        opaque = virtqueue_get_avail_bytes(q->rx_vq, &in_bytes, NULL,
++                                           bufsize, 0);
++        /* Buffer is enough, disable notifiaction */
++        if (bufsize <= in_bytes) {
++            break;
++        }
++
++        if (virtio_queue_enable_notification_and_check(q->rx_vq, opaque)) {
++            /* Guest has added some buffers, try again */
++            continue;
++        } else {
+             return 0;
+         }
+     }
+ 
+     virtio_queue_set_notification(q->rx_vq, 0);
++
+     return 1;
+ }
+ 
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index fd2dfe3a6b..08fba6b2d8 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -743,6 +743,60 @@ int virtio_queue_empty(VirtQueue *vq)
+     }
+ }
+ 
++static bool virtio_queue_split_poll(VirtQueue *vq, unsigned shadow_idx)
++{
++    if (unlikely(!vq->vring.avail)) {
++        return false;
++    }
++
++    return (uint16_t)shadow_idx != vring_avail_idx(vq);
++}
++
++static bool virtio_queue_packed_poll(VirtQueue *vq, unsigned shadow_idx)
++{
++    VRingPackedDesc desc;
++    VRingMemoryRegionCaches *caches;
++
++    if (unlikely(!vq->vring.desc)) {
++        return false;
++    }
++
++    caches = vring_get_region_caches(vq);
++    if (!caches) {
++        return false;
++    }
++
++    vring_packed_desc_read(vq->vdev, &desc, &caches->desc,
++                           shadow_idx, true);
++
++    return is_desc_avail(desc.flags, vq->shadow_avail_wrap_counter);
++}
++
++static bool virtio_queue_poll(VirtQueue *vq, unsigned shadow_idx)
++{
++    if (virtio_device_disabled(vq->vdev)) {
++        return false;
++    }
++
++    if (virtio_vdev_has_feature(vq->vdev, VIRTIO_F_RING_PACKED)) {
++        return virtio_queue_packed_poll(vq, shadow_idx);
++    } else {
++        return virtio_queue_split_poll(vq, shadow_idx);
++    }
++}
++
++bool virtio_queue_enable_notification_and_check(VirtQueue *vq,
++                                                int opaque)
++{
++    virtio_queue_set_notification(vq, 1);
++
++    if (opaque >= 0) {
++        return virtio_queue_poll(vq, (unsigned)opaque);
++    } else {
++        return false;
++    }
++}
++
+ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
+                                unsigned int len)
+ {
+@@ -1330,9 +1384,9 @@ err:
+     goto done;
+ }
+ 
+-void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+-                               unsigned int *out_bytes,
+-                               unsigned max_in_bytes, unsigned max_out_bytes)
++int virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
++                              unsigned int *out_bytes, unsigned max_in_bytes,
++                              unsigned max_out_bytes)
+ {
+     uint16_t desc_size;
+     VRingMemoryRegionCaches *caches;
+@@ -1365,7 +1419,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+                                         caches);
+     }
+ 
+-    return;
++    return (int)vq->shadow_avail_idx;
+ err:
+     if (in_bytes) {
+         *in_bytes = 0;
+@@ -1373,6 +1427,8 @@ err:
+     if (out_bytes) {
+         *out_bytes = 0;
+     }
++
++    return -1;
+ }
+ 
+ int virtqueue_avail_bytes(VirtQueue *vq, unsigned int in_bytes,
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index 2eafad17b8..8b4da92889 100644
+--- a/include/hw/virtio/virtio.h
++++ b/include/hw/virtio/virtio.h
+@@ -271,9 +271,13 @@ void qemu_put_virtqueue_element(VirtIODevice *vdev, QEMUFile *f,
+                                 VirtQueueElement *elem);
+ int virtqueue_avail_bytes(VirtQueue *vq, unsigned int in_bytes,
+                           unsigned int out_bytes);
+-void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
+-                               unsigned int *out_bytes,
+-                               unsigned max_in_bytes, unsigned max_out_bytes);
++/**
++ * Return <0 on error or an opaque >=0 to pass to
++ * virtio_queue_enable_notification_and_check on success.
++ */
++int virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
++                              unsigned int *out_bytes, unsigned max_in_bytes,
++                              unsigned max_out_bytes);
+ 
+ void virtio_notify_irqfd(VirtIODevice *vdev, VirtQueue *vq);
+ void virtio_notify(VirtIODevice *vdev, VirtQueue *vq);
+@@ -307,6 +311,17 @@ int virtio_queue_ready(VirtQueue *vq);
+ 
+ int virtio_queue_empty(VirtQueue *vq);
+ 
++/**
++ * Enable notification and check whether guest has added some
++ * buffers since last call to virtqueue_get_avail_bytes.
++ *
++ * @opaque: value returned from virtqueue_get_avail_bytes
++ */
++bool virtio_queue_enable_notification_and_check(VirtQueue *vq,
++                                                int opaque);
++
++void virtio_queue_set_shadow_avail_idx(VirtQueue *vq, uint16_t idx);
++
+ /* Host binding interface.  */
+ 
+ uint32_t virtio_config_readb(VirtIODevice *vdev, uint32_t addr);

debian/patches/extra/0020-block-Parse-filenames-only-when-explicitly-requested.patch

@@ -1,241 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Tue, 2 Jul 2024 18:39:43 +0200
-Subject: [PATCH] block: Parse filenames only when explicitly requested
-
-When handling image filenames from legacy options such as -drive or from
-tools, these filenames are parsed for protocol prefixes, including for
-the json:{} pseudo-protocol.
-
-This behaviour is intended for filenames that come directly from the
-command line and for backing files, which may come from the image file
-itself. Higher level management tools generally take care to verify that
-untrusted images don't contain a bad (or any) backing file reference;
-'qemu-img info' is a suitable tool for this.
-
-However, for other files that can be referenced in images, such as
-qcow2 data files or VMDK extents, the string from the image file is
-usually not verified by management tools - and 'qemu-img info' wouldn't
-be suitable because in contrast to backing files, it already opens these
-other referenced files. So here the string should be interpreted as a
-literal local filename. More complex configurations need to be specified
-explicitly on the command line or in QMP.
-
-This patch changes bdrv_open_inherit() so that it only parses filenames
-if a new parameter parse_filename is true. It is set for the top level
-in bdrv_open(), for the file child and for the backing file child. All
-other callers pass false and disable filename parsing this way.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
-(picked from https://lore.kernel.org/qemu-devel/20240702163943.276618-5-kwolf@redhat.com/)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block.c | 90 ++++++++++++++++++++++++++++++++++++---------------------
- 1 file changed, 57 insertions(+), 33 deletions(-)
-
-diff --git a/block.c b/block.c
-index 468cf5e67d..50bdd197b7 100644
---- a/block.c
-+++ b/block.c
-@@ -86,6 +86,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
-                                            BlockDriverState *parent,
-                                            const BdrvChildClass *child_class,
-                                            BdrvChildRole child_role,
-+                                           bool parse_filename,
-                                            Error **errp);
- 
- static bool bdrv_recurse_has_child(BlockDriverState *bs,
-@@ -2058,7 +2059,8 @@ static void parse_json_protocol(QDict *options, const char **pfilename,
-  * block driver has been specified explicitly.
-  */
- static int bdrv_fill_options(QDict **options, const char *filename,
--                             int *flags, Error **errp)
-+                             int *flags, bool allow_parse_filename,
-+                             Error **errp)
- {
-     const char *drvname;
-     bool protocol = *flags & BDRV_O_PROTOCOL;
-@@ -2100,7 +2102,7 @@ static int bdrv_fill_options(QDict **options, const char *filename,
-     if (protocol && filename) {
-         if (!qdict_haskey(*options, "filename")) {
-             qdict_put_str(*options, "filename", filename);
--            parse_filename = true;
-+            parse_filename = allow_parse_filename;
-         } else {
-             error_setg(errp, "Can't specify 'file' and 'filename' options at "
-                              "the same time");
-@@ -3663,7 +3665,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
-     }
- 
-     backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
--                                   &child_of_bds, bdrv_backing_role(bs), errp);
-+                                   &child_of_bds, bdrv_backing_role(bs), true,
-+                                   errp);
-     if (!backing_hd) {
-         bs->open_flags |= BDRV_O_NO_BACKING;
-         error_prepend(errp, "Could not open backing file: ");
-@@ -3697,7 +3700,8 @@ free_exit:
- static BlockDriverState *
- bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
-                    BlockDriverState *parent, const BdrvChildClass *child_class,
--                   BdrvChildRole child_role, bool allow_none, Error **errp)
-+                   BdrvChildRole child_role, bool allow_none,
-+                   bool parse_filename, Error **errp)
- {
-     BlockDriverState *bs = NULL;
-     QDict *image_options;
-@@ -3728,7 +3732,8 @@ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
-     }
- 
-     bs = bdrv_open_inherit(filename, reference, image_options, 0,
--                           parent, child_class, child_role, errp);
-+                           parent, child_class, child_role, parse_filename,
-+                           errp);
-     if (!bs) {
-         goto done;
-     }
-@@ -3738,6 +3743,33 @@ done:
-     return bs;
- }
- 
-+static BdrvChild *bdrv_open_child_common(const char *filename,
-+                                         QDict *options, const char *bdref_key,
-+                                         BlockDriverState *parent,
-+                                         const BdrvChildClass *child_class,
-+                                         BdrvChildRole child_role,
-+                                         bool allow_none, bool parse_filename,
-+                                         Error **errp)
-+{
-+    BlockDriverState *bs;
-+    BdrvChild *child;
-+
-+    GLOBAL_STATE_CODE();
-+
-+    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
-+                            child_role, allow_none, parse_filename, errp);
-+    if (bs == NULL) {
-+        return NULL;
-+    }
-+
-+    bdrv_graph_wrlock();
-+    child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
-+                              errp);
-+    bdrv_graph_wrunlock();
-+
-+    return child;
-+}
-+
- /*
-  * Opens a disk image whose options are given as BlockdevRef in another block
-  * device's options.
-@@ -3761,27 +3793,15 @@ BdrvChild *bdrv_open_child(const char *filename,
-                            BdrvChildRole child_role,
-                            bool allow_none, Error **errp)
- {
--    BlockDriverState *bs;
--    BdrvChild *child;
--
--    GLOBAL_STATE_CODE();
--
--    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
--                            child_role, allow_none, errp);
--    if (bs == NULL) {
--        return NULL;
--    }
--
--    bdrv_graph_wrlock();
--    child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
--                              errp);
--    bdrv_graph_wrunlock();
--
--    return child;
-+    return bdrv_open_child_common(filename, options, bdref_key, parent,
-+                                  child_class, child_role, allow_none, false,
-+                                  errp);
- }
- 
- /*
-- * Wrapper on bdrv_open_child() for most popular case: open primary child of bs.
-+ * This does mostly the same as bdrv_open_child(), but for opening the primary
-+ * child of a node. A notable difference from bdrv_open_child() is that it
-+ * enables filename parsing for protocol names (including json:).
-  *
-  * @parent can move to a different AioContext in this function.
-  */
-@@ -3796,8 +3816,8 @@ int bdrv_open_file_child(const char *filename,
-     role = parent->drv->is_filter ?
-         (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE;
- 
--    if (!bdrv_open_child(filename, options, bdref_key, parent,
--                         &child_of_bds, role, false, errp))
-+    if (!bdrv_open_child_common(filename, options, bdref_key, parent,
-+                                &child_of_bds, role, false, true, errp))
-     {
-         return -EINVAL;
-     }
-@@ -3842,7 +3862,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
- 
-     }
- 
--    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp);
-+    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, false,
-+                           errp);
-     obj = NULL;
-     qobject_unref(obj);
-     visit_free(v);
-@@ -3932,7 +3953,7 @@ static BlockDriverState * no_coroutine_fn
- bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
-                   int flags, BlockDriverState *parent,
-                   const BdrvChildClass *child_class, BdrvChildRole child_role,
--                  Error **errp)
-+                  bool parse_filename, Error **errp)
- {
-     int ret;
-     BlockBackend *file = NULL;
-@@ -3980,9 +4001,11 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
-     }
- 
-     /* json: syntax counts as explicit options, as if in the QDict */
--    parse_json_protocol(options, &filename, &local_err);
--    if (local_err) {
--        goto fail;
-+    if (parse_filename) {
-+        parse_json_protocol(options, &filename, &local_err);
-+        if (local_err) {
-+            goto fail;
-+        }
-     }
- 
-     bs->explicit_options = qdict_clone_shallow(options);
-@@ -4007,7 +4030,8 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
-                                      parent->open_flags, parent->options);
-     }
- 
--    ret = bdrv_fill_options(&options, filename, &flags, &local_err);
-+    ret = bdrv_fill_options(&options, filename, &flags, parse_filename,
-+                            &local_err);
-     if (ret < 0) {
-         goto fail;
-     }
-@@ -4076,7 +4100,7 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
- 
-         file_bs = bdrv_open_child_bs(filename, options, "file", bs,
-                                      &child_of_bds, BDRV_CHILD_IMAGE,
--                                     true, &local_err);
-+                                     true, true, &local_err);
-         if (local_err) {
-             goto fail;
-         }
-@@ -4225,7 +4249,7 @@ BlockDriverState *bdrv_open(const char *filename, const char *reference,
-     GLOBAL_STATE_CODE();
- 
-     return bdrv_open_inherit(filename, reference, options, flags, NULL,
--                             NULL, 0, errp);
-+                             NULL, 0, true, errp);
- }
- 
- /* Return true if the NULL-terminated @list contains @str */

debian/patches/extra/0020-net-Reinstate-net-nic-model-help-output-as-documente.patch

@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Tue, 9 Jul 2024 13:34:44 +0100
+Subject: [PATCH] net: Reinstate '-net nic, model=help' output as documented in
+ man page
+
+While refactoring the NIC initialization code, I broke '-net nic,model=help'
+which no longer outputs a list of available NIC models.
+
+Fixes: 2cdeca04adab ("net: report list of available models according to platform")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 64f75f57f9d2c8c12ac6d9355fa5d3a2af5879ca)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/net.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/net/net.c b/net/net.c
+index a2f0c828bb..e6ca2529bb 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -1150,6 +1150,21 @@ NICInfo *qemu_find_nic_info(const char *typename, bool match_default,
+     return NULL;
+ }
+ 
++static bool is_nic_model_help_option(const char *model)
++{
++    if (model && is_help_option(model)) {
++        /*
++         * Trigger the help output by instantiating the hash table which
++         * will gather tha available models as they get registered.
++         */
++        if (!nic_model_help) {
++            nic_model_help = g_hash_table_new_full(g_str_hash, g_str_equal,
++                                                   g_free, NULL);
++        }
++        return true;
++    }
++    return false;
++}
+ 
+ /* "I have created a device. Please configure it if you can" */
+ bool qemu_configure_nic_device(DeviceState *dev, bool match_default,
+@@ -1733,6 +1748,12 @@ void net_check_clients(void)
+ 
+ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
+ {
++    const char *model = qemu_opt_get_del(opts, "model");
++
++    if (is_nic_model_help_option(model)) {
++        return 0;
++    }
++
+     return net_client_init(opts, false, errp);
+ }
+ 
+@@ -1789,9 +1810,7 @@ static int net_param_nic(void *dummy, QemuOpts *opts, Error **errp)
+     memset(ni, 0, sizeof(*ni));
+     ni->model = qemu_opt_get_del(opts, "model");
+ 
+-    if (!nic_model_help && !g_strcmp0(ni->model, "help")) {
+-        nic_model_help = g_hash_table_new_full(g_str_hash, g_str_equal,
+-                                               g_free, NULL);
++    if (is_nic_model_help_option(ni->model)) {
+         return 0;
+     }
+ 

debian/patches/extra/0021-net-Fix-net-nic-model-for-non-help-arguments.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Tue, 6 Aug 2024 18:21:37 +0100
+Subject: [PATCH] net: Fix '-net nic,model=' for non-help arguments
+
+Oops, don't *delete* the model option when checking for 'help'.
+
+Fixes: 64f75f57f9d2 ("net: Reinstate '-net nic, model=help' output as documented in man page")
+Reported-by: Hans <sungdgdhtryrt@gmail.com>
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit fa62cb989a9146c82f8f172715042852f5d36200)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/net.c b/net/net.c
+index e6ca2529bb..897bb936cf 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -1748,7 +1748,7 @@ void net_check_clients(void)
+ 
+ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
+ {
+-    const char *model = qemu_opt_get_del(opts, "model");
++    const char *model = qemu_opt_get(opts, "model");
+ 
+     if (is_nic_model_help_option(model)) {
+         return 0;

debian/patches/extra/0022-target-arm-Don-t-assert-for-128-bit-tile-accesses-wh.patch

@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:54 +0100
+Subject: [PATCH] target/arm: Don't assert for 128-bit tile accesses when SVL
+ is 128
+
+For an instruction which accesses a 128-bit element tile when
+the SVL is also 128 (for example MOV z0.Q, p0/M, ZA0H.Q[w0,0]),
+we will assert in get_tile_rowcol():
+
+qemu-system-aarch64: ../../tcg/tcg-op.c:926: tcg_gen_deposit_z_i32: Assertion `len > 0' failed.
+
+This happens because we calculate
+    len = ctz32(streaming_vec_reg_size(s)) - esz;$
+but if the SVL and the element size are the same len is 0, and
+the deposit operation asserts.
+
+In this case the ZA storage contains exactly one 128 bit
+element ZA tile, and the horizontal or vertical slice is just
+that tile. This means that regardless of the index value in
+the Ws register, we always access that tile. (In pseudocode terms,
+we calculate (index + offset) MOD 1, which is 0.)
+
+Special case the len == 0 case to avoid hitting the assertion
+in tcg_gen_deposit_z_i32().
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-2-peter.maydell@linaro.org
+(cherry picked from commit 56f1c0db928aae0b83fd91c89ddb226b137e2b21)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/translate-sme.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+index 185a8a917b..a50a419af2 100644
+--- a/target/arm/tcg/translate-sme.c
++++ b/target/arm/tcg/translate-sme.c
+@@ -49,7 +49,15 @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
+     /* Prepare a power-of-two modulo via extraction of @len bits. */
+     len = ctz32(streaming_vec_reg_size(s)) - esz;
+ 
+-    if (vertical) {
++    if (!len) {
++        /*
++         * SVL is 128 and the element size is 128. There is exactly
++         * one 128x128 tile in the ZA storage, and so we calculate
++         * (Rs + imm) MOD 1, which is always 0. We need to special case
++         * this because TCG doesn't allow deposit ops with len 0.
++         */
++        tcg_gen_movi_i32(tmp, 0);
++    } else if (vertical) {
+         /*
+          * Compute the byte offset of the index within the tile:
+          *     (index % (svl / size)) * size

debian/patches/extra/0023-target-arm-Fix-UMOPA-UMOPS-of-16-bit-values.patch

@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:55 +0100
+Subject: [PATCH] target/arm: Fix UMOPA/UMOPS of 16-bit values
+
+The UMOPA/UMOPS instructions are supposed to multiply unsigned 8 or
+16 bit elements and accumulate the products into a 64-bit element.
+In the Arm ARM pseudocode, this is done with the usual
+infinite-precision signed arithmetic.  However our implementation
+doesn't quite get it right, because in the DEF_IMOP_64() macro we do:
+  sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);
+
+where NTYPE and MTYPE are uint16_t or int16_t.  In the uint16_t case,
+the C usual arithmetic conversions mean the values are converted to
+"int" type and the multiply is done as a 32-bit multiply.  This means
+that if the inputs are, for example, 0xffff and 0xffff then the
+result is 0xFFFE0001 as an int, which is then promoted to uint64_t
+for the accumulation into sum; this promotion incorrectly sign
+extends the multiply.
+
+Avoid the incorrect sign extension by casting to int64_t before
+the multiply, so we do the multiply as 64-bit signed arithmetic,
+which is a type large enough that the multiply can never
+overflow into the sign bit.
+
+(The equivalent 8-bit operations in DEF_IMOP_32() are fine, because
+the 8-bit multiplies can never overflow into the sign bit of a
+32-bit integer.)
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2372
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-3-peter.maydell@linaro.org
+(cherry picked from commit ea3f5a90f036734522e9af3bffd77e69e9f47355)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/sme_helper.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index 5a6dd76489..f9001f5213 100644
+--- a/target/arm/tcg/sme_helper.c
++++ b/target/arm/tcg/sme_helper.c
+@@ -1146,10 +1146,10 @@ static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
+     uint64_t sum = 0;                                                       \
+     /* Apply P to N as a mask, making the inactive elements 0. */           \
+     n &= expand_pred_h(p);                                                  \
+-    sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                               \
+-    sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                             \
+-    sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                             \
+-    sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                             \
++    sum += (int64_t)(NTYPE)(n >> 0) * (MTYPE)(m >> 0);                      \
++    sum += (int64_t)(NTYPE)(n >> 16) * (MTYPE)(m >> 16);                    \
++    sum += (int64_t)(NTYPE)(n >> 32) * (MTYPE)(m >> 32);                    \
++    sum += (int64_t)(NTYPE)(n >> 48) * (MTYPE)(m >> 48);                    \
+     return neg ? a - sum : a + sum;                                         \
+ }
+ 

debian/patches/extra/0024-target-arm-Avoid-shifts-by-1-in-tszimm_shr-and-tszim.patch

@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:56 +0100
+Subject: [PATCH] target/arm: Avoid shifts by -1 in tszimm_shr() and
+ tszimm_shl()
+
+The function tszimm_esz() returns a shift amount, or possibly -1 in
+certain cases that correspond to unallocated encodings in the
+instruction set.  We catch these later in the trans_ functions
+(generally with an "a-esz < 0" check), but before we do the
+decodetree-generated code will also call tszimm_shr() or tszimm_sl(),
+which will use the tszimm_esz() return value as a shift count without
+checking that it is not negative, which is undefined behaviour.
+
+Avoid the UB by checking the return value in tszimm_shr() and
+tszimm_shl().
+
+Cc: qemu-stable@nongnu.org
+Resolves: Coverity CID 1547617, 1547694
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-4-peter.maydell@linaro.org
+(cherry picked from commit 76916dfa89e8900639c1055c07a295c06628a0bc)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/translate-sve.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
+index ada05aa530..466a19c25a 100644
+--- a/target/arm/tcg/translate-sve.c
++++ b/target/arm/tcg/translate-sve.c
+@@ -50,13 +50,27 @@ static int tszimm_esz(DisasContext *s, int x)
+ 
+ static int tszimm_shr(DisasContext *s, int x)
+ {
+-    return (16 << tszimm_esz(s, x)) - x;
++    /*
++     * We won't use the tszimm_shr() value if tszimm_esz() returns -1 (the
++     * trans function will check for esz < 0), so we can return any
++     * value we like from here in that case as long as we avoid UB.
++     */
++    int esz = tszimm_esz(s, x);
++    if (esz < 0) {
++        return esz;
++    }
++    return (16 << esz) - x;
+ }
+ 
+ /* See e.g. LSL (immediate, predicated).  */
+ static int tszimm_shl(DisasContext *s, int x)
+ {
+-    return x - (8 << tszimm_esz(s, x));
++    /* As with tszimm_shr(), value will be unused if esz < 0 */
++    int esz = tszimm_esz(s, x);
++    if (esz < 0) {
++        return esz;
++    }
++    return x - (8 << esz);
+ }
+ 
+ /* The SH bit is in bit 8.  Extract the low 8 and shift.  */

debian/patches/extra/0025-target-arm-Ignore-SMCR_EL2.LEN-and-SVCR_EL2.LEN-if-E.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Mon, 22 Jul 2024 18:29:57 +0100
+Subject: [PATCH] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is
+ not enabled
+
+When determining the current vector length, the SMCR_EL2.LEN and
+SVCR_EL2.LEN settings should only be considered if EL2 is enabled
+(compare the pseudocode CurrentSVL and CurrentNSVL which call
+EL2Enabled()).
+
+We were checking against ARM_FEATURE_EL2 rather than calling
+arm_is_el2_enabled(), which meant that we would look at
+SMCR_EL2/SVCR_EL2 when in Secure EL1 or Secure EL0 even if Secure EL2
+was not enabled.
+
+Use the correct check in sve_vqm1_for_el_sm().
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20240722172957.1041231-5-peter.maydell@linaro.org
+(cherry picked from commit f573ac059ed060234fcef4299fae9e500d357c33)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index a620481d7c..42044ae14b 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -7191,7 +7191,7 @@ uint32_t sve_vqm1_for_el_sm(CPUARMState *env, int el, bool sm)
+     if (el <= 1 && !el_is_in_host(env, el)) {
+         len = MIN(len, 0xf & (uint32_t)cr[1]);
+     }
+-    if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
++    if (el <= 2 && arm_is_el2_enabled(env)) {
+         len = MIN(len, 0xf & (uint32_t)cr[2]);
+     }
+     if (arm_feature(env, ARM_FEATURE_EL3)) {

debian/patches/extra/0026-target-arm-Handle-denormals-correctly-for-FMOPA-wide.patch

@@ -0,0 +1,164 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Thu, 1 Aug 2024 10:15:03 +0100
+Subject: [PATCH] target/arm: Handle denormals correctly for FMOPA (widening)
+
+The FMOPA (widening) SME instruction takes pairs of half-precision
+floating point values, widens them to single-precision, does a
+two-way dot product and accumulates the results into a
+single-precision destination.  We don't quite correctly handle the
+FPCR bits FZ and FZ16 which control flushing of denormal inputs and
+outputs.  This is because at the moment we pass a single float_status
+value to the helper function, which then uses that configuration for
+all the fp operations it does.  However, because the inputs to this
+operation are float16 and the outputs are float32 we need to use the
+fp_status_f16 for the float16 input widening but the normal fp_status
+for everything else.  Otherwise we will apply the flushing control
+FPCR.FZ16 to the 32-bit output rather than the FPCR.FZ control, and
+incorrectly flush a denormal output to zero when we should not (or
+vice-versa).
+
+(In commit 207d30b5fdb5b we tried to fix the FZ handling but
+didn't get it right, switching from "use FPCR.FZ for everything" to
+"use FPCR.FZ16 for everything".)
+
+Pass the CPU env to the sme_fmopa_h helper instead of an fp_status
+pointer, and have the helper pass an extra fp_status into the
+f16_dotadd() function so that we can use the right status for the
+right parts of this operation.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 207d30b5fdb5 ("target/arm: Use FPST_F16 for SME FMOPA (widening)")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2373
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+(cherry picked from commit 55f9f4ee018c5ccea81d8c8c586756d7711ae46f)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/helper-sme.h    |  2 +-
+ target/arm/tcg/sme_helper.c    | 39 +++++++++++++++++++++++-----------
+ target/arm/tcg/translate-sme.c | 25 ++++++++++++++++++++--
+ 3 files changed, 51 insertions(+), 15 deletions(-)
+
+diff --git a/target/arm/tcg/helper-sme.h b/target/arm/tcg/helper-sme.h
+index 27eef49a11..d22bf9d21b 100644
+--- a/target/arm/tcg/helper-sme.h
++++ b/target/arm/tcg/helper-sme.h
+@@ -121,7 +121,7 @@ DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+ 
+ DEF_HELPER_FLAGS_7(sme_fmopa_h, TCG_CALL_NO_RWG,
+-                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
++                   void, ptr, ptr, ptr, ptr, ptr, env, i32)
+ DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+index f9001f5213..3906bb51c0 100644
+--- a/target/arm/tcg/sme_helper.c
++++ b/target/arm/tcg/sme_helper.c
+@@ -976,12 +976,23 @@ static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
+ }
+ 
+ static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
+-                          float_status *s_std, float_status *s_odd)
++                          float_status *s_f16, float_status *s_std,
++                          float_status *s_odd)
+ {
+-    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_std);
+-    float64 e1c = float16_to_float64(e1 >> 16, true, s_std);
+-    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_std);
+-    float64 e2c = float16_to_float64(e2 >> 16, true, s_std);
++    /*
++     * We need three different float_status for different parts of this
++     * operation:
++     *  - the input conversion of the float16 values must use the
++     *    f16-specific float_status, so that the FPCR.FZ16 control is applied
++     *  - operations on float32 including the final accumulation must use
++     *    the normal float_status, so that FPCR.FZ is applied
++     *  - we have pre-set-up copy of s_std which is set to round-to-odd,
++     *    for the multiply (see below)
++     */
++    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_f16);
++    float64 e1c = float16_to_float64(e1 >> 16, true, s_f16);
++    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_f16);
++    float64 e2c = float16_to_float64(e2 >> 16, true, s_f16);
+     float64 t64;
+     float32 t32;
+ 
+@@ -1003,20 +1014,23 @@ static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
+ }
+ 
+ void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
+-                         void *vpm, void *vst, uint32_t desc)
++                         void *vpm, CPUARMState *env, uint32_t desc)
+ {
+     intptr_t row, col, oprsz = simd_maxsz(desc);
+     uint32_t neg = simd_data(desc) * 0x80008000u;
+     uint16_t *pn = vpn, *pm = vpm;
+-    float_status fpst_odd, fpst_std;
++    float_status fpst_odd, fpst_std, fpst_f16;
+ 
+     /*
+-     * Make a copy of float_status because this operation does not
+-     * update the cumulative fp exception status.  It also produces
+-     * default nans.  Make a second copy with round-to-odd -- see above.
++     * Make copies of fp_status and fp_status_f16, because this operation
++     * does not update the cumulative fp exception status.  It also
++     * produces default NaNs. We also need a second copy of fp_status with
++     * round-to-odd -- see above.
+      */
+-    fpst_std = *(float_status *)vst;
++    fpst_f16 = env->vfp.fp_status_f16;
++    fpst_std = env->vfp.fp_status;
+     set_default_nan_mode(true, &fpst_std);
++    set_default_nan_mode(true, &fpst_f16);
+     fpst_odd = fpst_std;
+     set_float_rounding_mode(float_round_to_odd, &fpst_odd);
+ 
+@@ -1036,7 +1050,8 @@ void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
+                         uint32_t m = *(uint32_t *)(vzm + H1_4(col));
+ 
+                         m = f16mop_adj_pair(m, pcol, 0);
+-                        *a = f16_dotadd(*a, n, m, &fpst_std, &fpst_odd);
++                        *a = f16_dotadd(*a, n, m,
++                                        &fpst_f16, &fpst_std, &fpst_odd);
+                     }
+                     col += 4;
+                     pcol >>= 4;
+diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+index a50a419af2..ae42ddef7b 100644
+--- a/target/arm/tcg/translate-sme.c
++++ b/target/arm/tcg/translate-sme.c
+@@ -334,8 +334,29 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+     return true;
+ }
+ 
+-TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a,
+-           MO_32, FPST_FPCR_F16, gen_helper_sme_fmopa_h)
++static bool do_outprod_env(DisasContext *s, arg_op *a, MemOp esz,
++                           gen_helper_gvec_5_ptr *fn)
++{
++    int svl = streaming_vec_reg_size(s);
++    uint32_t desc = simd_desc(svl, svl, a->sub);
++    TCGv_ptr za, zn, zm, pn, pm;
++
++    if (!sme_smza_enabled_check(s)) {
++        return true;
++    }
++
++    za = get_tile(s, esz, a->zad);
++    zn = vec_full_reg_ptr(s, a->zn);
++    zm = vec_full_reg_ptr(s, a->zm);
++    pn = pred_full_reg_ptr(s, a->pn);
++    pm = pred_full_reg_ptr(s, a->pm);
++
++    fn(za, zn, zm, pn, pm, tcg_env, tcg_constant_i32(desc));
++    return true;
++}
++
++TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_env, a,
++           MO_32, gen_helper_sme_fmopa_h)
+ TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a,
+            MO_32, FPST_FPCR, gen_helper_sme_fmopa_s)
+ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a,

debian/patches/extra/0027-intel_iommu-fix-FRCD-construction-macro.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cl=C3=A9ment=20Mathieu--Drif?=
+ <clement.mathieu--drif@eviden.com>
+Date: Tue, 9 Jul 2024 14:26:08 +0000
+Subject: [PATCH] intel_iommu: fix FRCD construction macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The constant must be unsigned, otherwise the two's complement
+overrides the other fields when a PASID is present.
+
+Fixes: 1b2b12376c8a ("intel-iommu: PASID support")
+Signed-off-by: Clément Mathieu--Drif <clement.mathieu--drif@eviden.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
+Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
+Message-Id: <20240709142557.317271-2-clement.mathieu--drif@eviden.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit a3c8d7e38550c3d5a46e6fa94ffadfa625a4861d)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/i386/intel_iommu_internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
+index f8cf99bddf..cbc4030031 100644
+--- a/hw/i386/intel_iommu_internal.h
++++ b/hw/i386/intel_iommu_internal.h
+@@ -267,7 +267,7 @@
+ /* For the low 64-bit of 128-bit */
+ #define VTD_FRCD_FI(val)        ((val) & ~0xfffULL)
+ #define VTD_FRCD_PV(val)        (((val) & 0xffffULL) << 40)
+-#define VTD_FRCD_PP(val)        (((val) & 0x1) << 31)
++#define VTD_FRCD_PP(val)        (((val) & 0x1ULL) << 31)
+ #define VTD_FRCD_IR_IDX(val)    (((val) & 0xffffULL) << 48)
+ 
+ /* DMA Remapping Fault Conditions */

debian/patches/extra/0028-target-i386-Do-not-apply-REX-to-MMX-operands.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Mon, 12 Aug 2024 12:58:42 +1000
+Subject: [PATCH] target/i386: Do not apply REX to MMX operands
+
+Cc: qemu-stable@nongnu.org
+Fixes: b3e22b2318a ("target/i386: add core of new i386 decoder")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2495
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Link: https://lore.kernel.org/r/20240812025844.58956-2-richard.henderson@linaro.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 416f2b16c02c618c0f233372ebfe343f9ee667d4)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/decode-new.c.inc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
+index 4209d59ca8..09b8d2314a 100644
+--- a/target/i386/tcg/decode-new.c.inc
++++ b/target/i386/tcg/decode-new.c.inc
+@@ -1271,7 +1271,10 @@ static bool decode_op(DisasContext *s, CPUX86State *env, X86DecodedInsn *decode,
+             op->unit = X86_OP_SSE;
+         }
+     get_reg:
+-        op->n = ((get_modrm(s, env) >> 3) & 7) | REX_R(s);
++        op->n = ((get_modrm(s, env) >> 3) & 7);
++        if (op->unit != X86_OP_MMX) {
++            op->n |= REX_R(s);
++        }
+         break;
+ 
+     case X86_TYPE_E:  /* ALU modrm operand */

debian/patches/extra/0029-module-Prevent-crash-by-resetting-local_err-in-modul.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Date: Fri, 9 Aug 2024 14:13:40 +0200
+Subject: [PATCH] module: Prevent crash by resetting local_err in
+ module_load_qom_all()
+
+Set local_err to NULL after it has been freed in error_report_err(). This
+avoids triggering assert(*errp == NULL) failure in error_setv() when
+local_err is reused in the loop.
+
+Signed-off-by: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Reviewed-by: Claudio Fontana <cfontana@suse.de>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
+Link: https://lore.kernel.org/r/20240809121340.992049-2-alexander.ivanov@virtuozzo.com
+[Do the same by moving the declaration instead. - Paolo]
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 940d802b24e63650e0eacad3714e2ce171cba17c)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ util/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/module.c b/util/module.c
+index 32e263163c..3eb0f06df1 100644
+--- a/util/module.c
++++ b/util/module.c
+@@ -354,13 +354,13 @@ int module_load_qom(const char *type, Error **errp)
+ void module_load_qom_all(void)
+ {
+     const QemuModinfo *modinfo;
+-    Error *local_err = NULL;
+ 
+     if (module_loaded_qom_all) {
+         return;
+     }
+ 
+     for (modinfo = module_info; modinfo->name != NULL; modinfo++) {
++        Error *local_err = NULL;
+         if (!modinfo->objs) {
+             continue;
+         }

debian/patches/extra/0030-nbd-server-Plumb-in-new-args-to-nbd_client_add.patch

@@ -0,0 +1,164 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 7 Aug 2024 08:50:01 -0500
+Subject: [PATCH] nbd/server: Plumb in new args to nbd_client_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upcoming patches to fix a CVE need to track an opaque pointer passed
+in by the owner of a client object, as well as request for a time
+limit on how fast negotiation must complete.  Prepare for that by
+changing the signature of nbd_client_new() and adding an accessor to
+get at the opaque pointer, although for now the two servers
+(qemu-nbd.c and blockdev-nbd.c) do not change behavior even though
+they pass in a new default timeout value.
+
+Suggested-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-11-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[eblake: s/LIMIT/MAX_SECS/ as suggested by Dan]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit fb1c2aaa981e0a2fa6362c9985f1296b74f055ac)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ blockdev-nbd.c      |  6 ++++--
+ include/block/nbd.h | 11 ++++++++++-
+ nbd/server.c        | 20 +++++++++++++++++---
+ qemu-nbd.c          |  4 +++-
+ 4 files changed, 34 insertions(+), 7 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 213012435f..267a1de903 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -64,8 +64,10 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+     nbd_update_server_watch(nbd_server);
+ 
+     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
+-    nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz,
+-                   nbd_blockdev_client_closed);
++    /* TODO - expose handshake timeout as QMP option */
++    nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
++                   nbd_server->tlscreds, nbd_server->tlsauthz,
++                   nbd_blockdev_client_closed, NULL);
+ }
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+diff --git a/include/block/nbd.h b/include/block/nbd.h
+index 4e7bd6342f..1d4d65922d 100644
+--- a/include/block/nbd.h
++++ b/include/block/nbd.h
+@@ -33,6 +33,12 @@ typedef struct NBDMetaContexts NBDMetaContexts;
+ 
+ extern const BlockExportDriver blk_exp_nbd;
+ 
++/*
++ * NBD_DEFAULT_HANDSHAKE_MAX_SECS: Number of seconds in which client must
++ * succeed at NBD_OPT_GO before being forcefully dropped as too slow.
++ */
++#define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
++
+ /* Handshake phase structs - this struct is passed on the wire */
+ 
+ typedef struct NBDOption {
+@@ -403,9 +409,12 @@ AioContext *nbd_export_aio_context(NBDExport *exp);
+ NBDExport *nbd_export_find(const char *name);
+ 
+ void nbd_client_new(QIOChannelSocket *sioc,
++                    uint32_t handshake_max_secs,
+                     QCryptoTLSCreds *tlscreds,
+                     const char *tlsauthz,
+-                    void (*close_fn)(NBDClient *, bool));
++                    void (*close_fn)(NBDClient *, bool),
++                    void *owner);
++void *nbd_client_owner(NBDClient *client);
+ void nbd_client_get(NBDClient *client);
+ void nbd_client_put(NBDClient *client);
+ 
+diff --git a/nbd/server.c b/nbd/server.c
+index 892797bb11..e50012499f 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -124,12 +124,14 @@ struct NBDMetaContexts {
+ struct NBDClient {
+     int refcount; /* atomic */
+     void (*close_fn)(NBDClient *client, bool negotiated);
++    void *owner;
+ 
+     QemuMutex lock;
+ 
+     NBDExport *exp;
+     QCryptoTLSCreds *tlscreds;
+     char *tlsauthz;
++    uint32_t handshake_max_secs;
+     QIOChannelSocket *sioc; /* The underlying data channel */
+     QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
+ 
+@@ -3191,6 +3193,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+ 
+     qemu_co_mutex_init(&client->send_lock);
+ 
++    /* TODO - utilize client->handshake_max_secs */
+     if (nbd_negotiate(client, &local_err)) {
+         if (local_err) {
+             error_report_err(local_err);
+@@ -3205,14 +3208,17 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+ }
+ 
+ /*
+- * Create a new client listener using the given channel @sioc.
++ * Create a new client listener using the given channel @sioc and @owner.
+  * Begin servicing it in a coroutine.  When the connection closes, call
+- * @close_fn with an indication of whether the client completed negotiation.
++ * @close_fn with an indication of whether the client completed negotiation
++ * within @handshake_max_secs seconds (0 for unbounded).
+  */
+ void nbd_client_new(QIOChannelSocket *sioc,
++                    uint32_t handshake_max_secs,
+                     QCryptoTLSCreds *tlscreds,
+                     const char *tlsauthz,
+-                    void (*close_fn)(NBDClient *, bool))
++                    void (*close_fn)(NBDClient *, bool),
++                    void *owner)
+ {
+     NBDClient *client;
+     Coroutine *co;
+@@ -3225,13 +3231,21 @@ void nbd_client_new(QIOChannelSocket *sioc,
+         object_ref(OBJECT(client->tlscreds));
+     }
+     client->tlsauthz = g_strdup(tlsauthz);
++    client->handshake_max_secs = handshake_max_secs;
+     client->sioc = sioc;
+     qio_channel_set_delay(QIO_CHANNEL(sioc), false);
+     object_ref(OBJECT(client->sioc));
+     client->ioc = QIO_CHANNEL(sioc);
+     object_ref(OBJECT(client->ioc));
+     client->close_fn = close_fn;
++    client->owner = owner;
+ 
+     co = qemu_coroutine_create(nbd_co_client_start, client);
+     qemu_coroutine_enter(co);
+ }
++
++void *
++nbd_client_owner(NBDClient *client)
++{
++    return client->owner;
++}
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index d7b3ccab21..48e2fa5858 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -390,7 +390,9 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+ 
+     nb_fds++;
+     nbd_update_server_watch();
+-    nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed);
++    /* TODO - expose handshake timeout as command line option */
++    nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
++                   tlscreds, tlsauthz, nbd_client_closed, NULL);
+ }
+ 
+ static void nbd_update_server_watch(void)

debian/patches/extra/0031-nbd-server-CVE-2024-7409-Cap-default-max-connections.patch

@@ -0,0 +1,172 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 6 Aug 2024 13:53:00 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Cap default max-connections to 100
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Allowing an unlimited number of clients to any web service is a recipe
+for a rudimentary denial of service attack: the client merely needs to
+open lots of sockets without closing them, until qemu no longer has
+any more fds available to allocate.
+
+For qemu-nbd, we default to allowing only 1 connection unless more are
+explicitly asked for (-e or --shared); this was historically picked as
+a nice default (without an explicit -t, a non-persistent qemu-nbd goes
+away after a client disconnects, without needing any additional
+follow-up commands), and we are not going to change that interface now
+(besides, someday we want to point people towards qemu-storage-daemon
+instead of qemu-nbd).
+
+But for qemu proper, and the newer qemu-storage-daemon, the QMP
+nbd-server-start command has historically had a default of unlimited
+number of connections, in part because unlike qemu-nbd it is
+inherently persistent until nbd-server-stop.  Allowing multiple client
+sockets is particularly useful for clients that can take advantage of
+MULTI_CONN (creating parallel sockets to increase throughput),
+although known clients that do so (such as libnbd's nbdcopy) typically
+use only 8 or 16 connections (the benefits of scaling diminish once
+more sockets are competing for kernel attention).  Picking a number
+large enough for typical use cases, but not unlimited, makes it
+slightly harder for a malicious client to perform a denial of service
+merely by opening lots of connections withot progressing through the
+handshake.
+
+This change does not eliminate CVE-2024-7409 on its own, but reduces
+the chance for fd exhaustion or unlimited memory usage as an attack
+surface.  On the other hand, by itself, it makes it more obvious that
+with a finite limit, we have the problem of an unauthenticated client
+holding 100 fds opened as a way to block out a legitimate client from
+being able to connect; thus, later patches will further add timeouts
+to reject clients that are not making progress.
+
+This is an INTENTIONAL change in behavior, and will break any client
+of nbd-server-start that was not passing an explicit max-connections
+parameter, yet expects more than 100 simultaneous connections.  We are
+not aware of any such client (as stated above, most clients aware of
+MULTI_CONN get by just fine on 8 or 16 connections, and probably cope
+with later connections failing by relying on the earlier connections;
+libvirt has not yet been passing max-connections, but generally
+creates NBD servers with the intent for a single client for the sake
+of live storage migration; meanwhile, the KubeSAN project anticipates
+a large cluster sharing multiple clients [up to 8 per node, and up to
+100 nodes in a cluster], but it currently uses qemu-nbd with an
+explicit --shared=0 rather than qemu-storage-daemon with
+nbd-server-start).
+
+We considered using a deprecation period (declare that omitting
+max-parameters is deprecated, and make it mandatory in 3 releases -
+then we don't need to pick an arbitrary default); that has zero risk
+of breaking any apps that accidentally depended on more than 100
+connections, and where such breakage might not be noticed under unit
+testing but only under the larger loads of production usage.  But it
+does not close the denial-of-service hole until far into the future,
+and requires all apps to change to add the parameter even if 100 was
+good enough.  It also has a drawback that any app (like libvirt) that
+is accidentally relying on an unlimited default should seriously
+consider their own CVE now, at which point they are going to change to
+pass explicit max-connections sooner than waiting for 3 qemu releases.
+Finally, if our changed default breaks an app, that app can always
+pass in an explicit max-parameters with a larger value.
+
+It is also intentional that the HMP interface to nbd-server-start is
+not changed to expose max-connections (any client needing to fine-tune
+things should be using QMP).
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-12-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[ericb: Expand commit message to summarize Dan's argument for why we
+break corner-case back-compat behavior without a deprecation period]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit c8a76dbd90c2f48df89b75bef74917f90a59b623)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ block/monitor/block-hmp-cmds.c | 3 ++-
+ blockdev-nbd.c                 | 8 ++++++++
+ include/block/nbd.h            | 7 +++++++
+ qapi/block-export.json         | 4 ++--
+ 4 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
+index d954bec6f1..bdf2eb50b6 100644
+--- a/block/monitor/block-hmp-cmds.c
++++ b/block/monitor/block-hmp-cmds.c
+@@ -402,7 +402,8 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
+         goto exit;
+     }
+ 
+-    nbd_server_start(addr, NULL, NULL, 0, &local_err);
++    nbd_server_start(addr, NULL, NULL, NBD_DEFAULT_MAX_CONNECTIONS,
++                     &local_err);
+     qapi_free_SocketAddress(addr);
+     if (local_err != NULL) {
+         goto exit;
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 267a1de903..24ba5382db 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -170,6 +170,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
+ 
+ void nbd_server_start_options(NbdServerOptions *arg, Error **errp)
+ {
++    if (!arg->has_max_connections) {
++        arg->max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
++    }
++
+     nbd_server_start(arg->addr, arg->tls_creds, arg->tls_authz,
+                      arg->max_connections, errp);
+ }
+@@ -182,6 +186,10 @@ void qmp_nbd_server_start(SocketAddressLegacy *addr,
+ {
+     SocketAddress *addr_flat = socket_address_flatten(addr);
+ 
++    if (!has_max_connections) {
++        max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
++    }
++
+     nbd_server_start(addr_flat, tls_creds, tls_authz, max_connections, errp);
+     qapi_free_SocketAddress(addr_flat);
+ }
+diff --git a/include/block/nbd.h b/include/block/nbd.h
+index 1d4d65922d..d4f8b21aec 100644
+--- a/include/block/nbd.h
++++ b/include/block/nbd.h
+@@ -39,6 +39,13 @@ extern const BlockExportDriver blk_exp_nbd;
+  */
+ #define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
+ 
++/*
++ * NBD_DEFAULT_MAX_CONNECTIONS: Number of client sockets to allow at
++ * once; must be large enough to allow a MULTI_CONN-aware client like
++ * nbdcopy to create its typical number of 8-16 sockets.
++ */
++#define NBD_DEFAULT_MAX_CONNECTIONS 100
++
+ /* Handshake phase structs - this struct is passed on the wire */
+ 
+ typedef struct NBDOption {
+diff --git a/qapi/block-export.json b/qapi/block-export.json
+index 3919a2d5b9..f45e4fd481 100644
+--- a/qapi/block-export.json
++++ b/qapi/block-export.json
+@@ -28,7 +28,7 @@
+ # @max-connections: The maximum number of connections to allow at the
+ #     same time, 0 for unlimited.  Setting this to 1 also stops the
+ #     server from advertising multiple client support (since 5.2;
+-#     default: 0)
++#     default: 100)
+ #
+ # Since: 4.2
+ ##
+@@ -63,7 +63,7 @@
+ # @max-connections: The maximum number of connections to allow at the
+ #     same time, 0 for unlimited.  Setting this to 1 also stops the
+ #     server from advertising multiple client support (since 5.2;
+-#     default: 0).
++#     default: 100).
+ #
+ # Errors:
+ #     - if the server is already running

debian/patches/extra/0032-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 8 Aug 2024 16:05:08 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Drop non-negotiating clients
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A client that opens a socket but does not negotiate is merely hogging
+qemu's resources (an open fd and a small amount of memory); and a
+malicious client that can access the port where NBD is listening can
+attempt a denial of service attack by intentionally opening and
+abandoning lots of unfinished connections.  The previous patch put a
+default bound on the number of such ongoing connections, but once that
+limit is hit, no more clients can connect (including legitimate ones).
+The solution is to insist that clients complete handshake within a
+reasonable time limit, defaulting to 10 seconds.  A client that has
+not successfully completed NBD_OPT_GO by then (including the case of
+where the client didn't know TLS credentials to even reach the point
+of NBD_OPT_GO) is wasting our time and does not deserve to stay
+connected.  Later patches will allow fine-tuning the limit away from
+the default value (including disabling it for doing integration
+testing of the handshake process itself).
+
+Note that this patch in isolation actually makes it more likely to see
+qemu SEGV after nbd-server-stop, as any client socket still connected
+when the server shuts down will now be closed after 10 seconds rather
+than at the client's whims.  That will be addressed in the next patch.
+
+For a demo of this patch in action:
+$ qemu-nbd -f raw -r -t -e 10 file &
+$ nbdsh --opt-mode -c '
+H = list()
+for i in range(20):
+  print(i)
+  H.insert(i, nbd.NBD())
+  H[i].set_opt_mode(True)
+  H[i].connect_uri("nbd://localhost")
+'
+$ kill $!
+
+where later connections get to start progressing once earlier ones are
+forcefully dropped for taking too long, rather than hanging.
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-13-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[eblake: rebase to changes earlier in series, reduce scope of timer]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ nbd/server.c     | 28 +++++++++++++++++++++++++++-
+ nbd/trace-events |  1 +
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index e50012499f..39285cc971 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -3186,22 +3186,48 @@ static void nbd_client_receive_next_request(NBDClient *client)
+     }
+ }
+ 
++static void nbd_handshake_timer_cb(void *opaque)
++{
++    QIOChannel *ioc = opaque;
++
++    trace_nbd_handshake_timer_cb();
++    qio_channel_shutdown(ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);
++}
++
+ static coroutine_fn void nbd_co_client_start(void *opaque)
+ {
+     NBDClient *client = opaque;
+     Error *local_err = NULL;
++    QEMUTimer *handshake_timer = NULL;
+ 
+     qemu_co_mutex_init(&client->send_lock);
+ 
+-    /* TODO - utilize client->handshake_max_secs */
++    /*
++     * Create a timer to bound the time spent in negotiation. If the
++     * timer expires, it is likely nbd_negotiate will fail because the
++     * socket was shutdown.
++     */
++    if (client->handshake_max_secs > 0) {
++        handshake_timer = aio_timer_new(qemu_get_aio_context(),
++                                        QEMU_CLOCK_REALTIME,
++                                        SCALE_NS,
++                                        nbd_handshake_timer_cb,
++                                        client->sioc);
++        timer_mod(handshake_timer,
++                  qemu_clock_get_ns(QEMU_CLOCK_REALTIME) +
++                  client->handshake_max_secs * NANOSECONDS_PER_SECOND);
++    }
++
+     if (nbd_negotiate(client, &local_err)) {
+         if (local_err) {
+             error_report_err(local_err);
+         }
++        timer_free(handshake_timer);
+         client_close(client, false);
+         return;
+     }
+ 
++    timer_free(handshake_timer);
+     WITH_QEMU_LOCK_GUARD(&client->lock) {
+         nbd_client_receive_next_request(client);
+     }
+diff --git a/nbd/trace-events b/nbd/trace-events
+index 00ae3216a1..cbd0a4ab7e 100644
+--- a/nbd/trace-events
++++ b/nbd/trace-events
+@@ -76,6 +76,7 @@ nbd_co_receive_request_payload_received(uint64_t cookie, uint64_t len) "Payload
+ nbd_co_receive_ext_payload_compliance(uint64_t from, uint64_t len) "client sent non-compliant write without payload flag: from=0x%" PRIx64 ", len=0x%" PRIx64
+ nbd_co_receive_align_compliance(const char *op, uint64_t from, uint64_t len, uint32_t align) "client sent non-compliant unaligned %s request: from=0x%" PRIx64 ", len=0x%" PRIx64 ", align=0x%" PRIx32
+ nbd_trip(void) "Reading request"
++nbd_handshake_timer_cb(void) "client took too long to negotiate"
+ 
+ # client-connection.c
+ nbd_connect_thread_sleep(uint64_t timeout) "timeout %" PRIu64

debian/patches/extra/0033-nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch

@@ -0,0 +1,161 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 7 Aug 2024 12:23:13 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Close stray clients at server-stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A malicious client can attempt to connect to an NBD server, and then
+intentionally delay progress in the handshake, including if it does
+not know the TLS secrets.  Although the previous two patches reduce
+this behavior by capping the default max-connections parameter and
+killing slow clients, they did not eliminate the possibility of a
+client waiting to close the socket until after the QMP nbd-server-stop
+command is executed, at which point qemu would SEGV when trying to
+dereference the NULL nbd_server global which is no longer present.
+This amounts to a denial of service attack.  Worse, if another NBD
+server is started before the malicious client disconnects, I cannot
+rule out additional adverse effects when the old client interferes
+with the connection count of the new server (although the most likely
+is a crash due to an assertion failure when checking
+nbd_server->connections > 0).
+
+For environments without this patch, the CVE can be mitigated by
+ensuring (such as via a firewall) that only trusted clients can
+connect to an NBD server.  Note that using frameworks like libvirt
+that ensure that TLS is used and that nbd-server-stop is not executed
+while any trusted clients are still connected will only help if there
+is also no possibility for an untrusted client to open a connection
+but then stall on the NBD handshake.
+
+Given the previous patches, it would be possible to guarantee that no
+clients remain connected by having nbd-server-stop sleep for longer
+than the default handshake deadline before finally freeing the global
+nbd_server object, but that could make QMP non-responsive for a long
+time.  So intead, this patch fixes the problem by tracking all client
+sockets opened while the server is running, and forcefully closing any
+such sockets remaining without a completed handshake at the time of
+nbd-server-stop, then waiting until the coroutines servicing those
+sockets notice the state change.  nbd-server-stop now has a second
+AIO_WAIT_WHILE_UNLOCKED (the first is indirectly through the
+blk_exp_close_all_type() that disconnects all clients that completed
+handshakes), but forced socket shutdown is enough to progress the
+coroutines and quickly tear down all clients before the server is
+freed, thus finally fixing the CVE.
+
+This patch relies heavily on the fact that nbd/server.c guarantees
+that it only calls nbd_blockdev_client_closed() from the main loop
+(see the assertion in nbd_client_put() and the hoops used in
+nbd_client_put_nonzero() to achieve that); if we did not have that
+guarantee, we would also need a mutex protecting our accesses of the
+list of connections to survive re-entrancy from independent iothreads.
+
+Although I did not actually try to test old builds, it looks like this
+problem has existed since at least commit 862172f45c (v2.12.0, 2017) -
+even back when that patch started using a QIONetListener to handle
+listening on multiple sockets, nbd_server_free() was already unaware
+that the nbd_blockdev_client_closed callback can be reached later by a
+client thread that has not completed handshakes (and therefore the
+client's socket never got added to the list closed in
+nbd_export_close_all), despite that patch intentionally tearing down
+the QIONetListener to prevent new clients.
+
+Reported-by: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Fixes: CVE-2024-7409
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-14-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 3e7ef738c8462c45043a1d39f702a0990406a3b3)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ blockdev-nbd.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 24ba5382db..f73409ae49 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -21,12 +21,18 @@
+ #include "io/channel-socket.h"
+ #include "io/net-listener.h"
+ 
++typedef struct NBDConn {
++    QIOChannelSocket *cioc;
++    QLIST_ENTRY(NBDConn) next;
++} NBDConn;
++
+ typedef struct NBDServerData {
+     QIONetListener *listener;
+     QCryptoTLSCreds *tlscreds;
+     char *tlsauthz;
+     uint32_t max_connections;
+     uint32_t connections;
++    QLIST_HEAD(, NBDConn) conns;
+ } NBDServerData;
+ 
+ static NBDServerData *nbd_server;
+@@ -51,6 +57,14 @@ int nbd_server_max_connections(void)
+ 
+ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
+ {
++    NBDConn *conn = nbd_client_owner(client);
++
++    assert(qemu_in_main_thread() && nbd_server);
++
++    object_unref(OBJECT(conn->cioc));
++    QLIST_REMOVE(conn, next);
++    g_free(conn);
++
+     nbd_client_put(client);
+     assert(nbd_server->connections > 0);
+     nbd_server->connections--;
+@@ -60,14 +74,20 @@ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
+ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+                        gpointer opaque)
+ {
++    NBDConn *conn = g_new0(NBDConn, 1);
++
++    assert(qemu_in_main_thread() && nbd_server);
+     nbd_server->connections++;
++    object_ref(OBJECT(cioc));
++    conn->cioc = cioc;
++    QLIST_INSERT_HEAD(&nbd_server->conns, conn, next);
+     nbd_update_server_watch(nbd_server);
+ 
+     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
+     /* TODO - expose handshake timeout as QMP option */
+     nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
+                    nbd_server->tlscreds, nbd_server->tlsauthz,
+-                   nbd_blockdev_client_closed, NULL);
++                   nbd_blockdev_client_closed, conn);
+ }
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+@@ -81,12 +101,25 @@ static void nbd_update_server_watch(NBDServerData *s)
+ 
+ static void nbd_server_free(NBDServerData *server)
+ {
++    NBDConn *conn, *tmp;
++
+     if (!server) {
+         return;
+     }
+ 
++    /*
++     * Forcefully close the listener socket, and any clients that have
++     * not yet disconnected on their own.
++     */
+     qio_net_listener_disconnect(server->listener);
+     object_unref(OBJECT(server->listener));
++    QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
++        qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
++                             NULL);
++    }
++
++    AIO_WAIT_WHILE_UNLOCKED(NULL, server->connections > 0);
++
+     if (server->tlscreds) {
+         object_unref(OBJECT(server->tlscreds));
+     }

debian/patches/extra/0034-vnc-fix-crash-when-no-console-attached.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Tue, 20 Aug 2024 17:11:12 +0400
+Subject: [PATCH] vnc: fix crash when no console attached
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since commit e99441a3793b5 ("ui/curses: Do not use console_select()")
+qemu_text_console_put_keysym() no longer checks for NULL console
+argument, which leads to a later crash:
+
+Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
+332	        } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
+(gdb) bt
+ #0  0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
+ #1  0x00005555559e18e5 in qemu_text_console_put_keysym (s=<optimized out>, keysym=<optimized out>) at ../ui/console.c:303
+ #2  0x00005555559f2e88 in do_key_event (vs=vs@entry=0x5555579045c0, down=down@entry=1, keycode=keycode@entry=60, sym=sym@entry=65471) at ../ui/vnc.c:2034
+ #3  0x00005555559f845c in ext_key_event (vs=0x5555579045c0, down=1, sym=65471, keycode=<optimized out>) at ../ui/vnc.c:2070
+ #4  protocol_client_msg (vs=0x5555579045c0, data=<optimized out>, len=<optimized out>) at ../ui/vnc.c:2514
+ #5  0x00005555559f515c in vnc_client_read (vs=0x5555579045c0) at ../ui/vnc.c:1607
+
+Fixes: e99441a3793b5 ("ui/curses: Do not use console_select()")
+Fixes: https://issues.redhat.com/browse/RHEL-50529
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+(picked from https://lore.kernel.org/qemu-devel/20240820131112.1267954-1-marcandre.lureau@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ ui/vnc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index b3fd78022b..953ea38318 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -1935,7 +1935,7 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
+     }
+ 
+     qkbd_state_key_event(vs->vd->kbd, qcode, down);
+-    if (!qemu_console_is_graphic(vs->vd->dcl.con)) {
++    if (QEMU_IS_TEXT_CONSOLE(vs->vd->dcl.con)) {
+         QemuTextConsole *con = QEMU_TEXT_CONSOLE(vs->vd->dcl.con);
+         bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
+         bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);

debian/patches/extra/0035-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch

@@ -0,0 +1,89 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 22 Aug 2024 09:35:29 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Avoid use-after-free when closing
+ server
+
+Commit 3e7ef738 plugged the use-after-free of the global nbd_server
+object, but overlooked a use-after-free of nbd_server->listener.
+Although this race is harder to hit, notice that our shutdown path
+first drops the reference count of nbd_server->listener, then triggers
+actions that can result in a pending client reaching the
+nbd_blockdev_client_closed() callback, which in turn calls
+qio_net_listener_set_client_func on a potentially stale object.
+
+If we know we don't want any more clients to connect, and have already
+told the listener socket to shut down, then we should not be trying to
+update the listener socket's associated function.
+
+Reproducer:
+
+> #!/usr/bin/python3
+>
+> import os
+> from threading import Thread
+>
+> def start_stop():
+>     while 1:
+>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
++"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
+>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
+>
+> def nbd_list():
+>     while 1:
+>         os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
+>
+> def test():
+>     sst = Thread(target=start_stop)
+>     sst.start()
+>     nlt = Thread(target=nbd_list)
+>     nlt.start()
+>
+>     sst.join()
+>     nlt.join()
+>
+> test()
+
+Fixes: CVE-2024-7409
+Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
+CC: qemu-stable@nongnu.org
+Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240822143617.800419-2-eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 3874f5f73c441c52f1c699c848d463b0eda01e4c)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ blockdev-nbd.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index f73409ae49..b36f41b7c5 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -92,10 +92,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+ {
+-    if (!s->max_connections || s->connections < s->max_connections) {
+-        qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
+-    } else {
+-        qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
++    if (s->listener) {
++        if (!s->max_connections || s->connections < s->max_connections) {
++            qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
++                                             NULL);
++        } else {
++            qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
++        }
+     }
+ }
+ 
+@@ -113,6 +116,7 @@ static void nbd_server_free(NBDServerData *server)
+      */
+     qio_net_listener_disconnect(server->listener);
+     object_unref(OBJECT(server->listener));
++    server->listener = NULL;
+     QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
+         qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
+                              NULL);

debian/patches/extra/0036-softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch

@@ -0,0 +1,134 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 28 Aug 2024 11:07:43 +0200
+Subject: [PATCH] softmmu/physmem: fix memory leak in dirty_memory_extend()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As reported by Peter, we might be leaking memory when removing the
+highest RAMBlock (in the weird ram_addr_t space), and adding a new one.
+
+We will fail to realize that we already allocated bitmaps for more
+dirty memory blocks, and effectively discard the pointers to them.
+
+Fix it by getting rid of last_ram_page() and by remembering the number
+of dirty memory blocks that have been allocated already.
+
+While at it, let's use "unsigned int" for the number of blocks, which
+should be sufficient until we reach ~32 exabytes.
+
+Looks like this leak was introduced as we switched from using a single
+bitmap_zero_extend() to allocating multiple bitmaps:
+bitmap_zero_extend() relies on g_renew() which should have taken care of
+this.
+
+Resolves: https://lkml.kernel.org/r/CAFEAcA-k7a+VObGAfCFNygQNfCKL=AfX6A4kScq=VSSK0peqPg@mail.gmail.com
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Fixes: 5b82b703b69a ("memory: RCU ram_list.dirty_memory[] for safe RAM hotplug")
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Tested-by: Peter Maydell <peter.maydell@linaro.org>
+Cc: qemu-stable@nongnu.org
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+(picked from https://lore.kernel.org/qemu-devel/20240828090743.128647-1-david@redhat.com/)
+[FE: backport - remove not-yet-existing variable in context of hunk touching ram_block_add()]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ include/exec/ramlist.h |  1 +
+ system/physmem.c       | 35 +++++++++--------------------------
+ 2 files changed, 10 insertions(+), 26 deletions(-)
+
+diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
+index 2ad2a81acc..d9cfe530be 100644
+--- a/include/exec/ramlist.h
++++ b/include/exec/ramlist.h
+@@ -50,6 +50,7 @@ typedef struct RAMList {
+     /* RCU-enabled, writes protected by the ramlist lock. */
+     QLIST_HEAD(, RAMBlock) blocks;
+     DirtyMemoryBlocks *dirty_memory[DIRTY_MEMORY_NUM];
++    unsigned int num_dirty_blocks;
+     uint32_t version;
+     QLIST_HEAD(, RAMBlockNotifier) ramblock_notifiers;
+ } RAMList;
+diff --git a/system/physmem.c b/system/physmem.c
+index a4fe3d2bf8..78f7db1121 100644
+--- a/system/physmem.c
++++ b/system/physmem.c
+@@ -1497,18 +1497,6 @@ static ram_addr_t find_ram_offset(ram_addr_t size)
+     return offset;
+ }
+ 
+-static unsigned long last_ram_page(void)
+-{
+-    RAMBlock *block;
+-    ram_addr_t last = 0;
+-
+-    RCU_READ_LOCK_GUARD();
+-    RAMBLOCK_FOREACH(block) {
+-        last = MAX(last, block->offset + block->max_length);
+-    }
+-    return last >> TARGET_PAGE_BITS;
+-}
+-
+ static void qemu_ram_setup_dump(void *addr, ram_addr_t size)
+ {
+     int ret;
+@@ -1762,13 +1750,11 @@ void qemu_ram_msync(RAMBlock *block, ram_addr_t start, ram_addr_t length)
+ }
+ 
+ /* Called with ram_list.mutex held */
+-static void dirty_memory_extend(ram_addr_t old_ram_size,
+-                                ram_addr_t new_ram_size)
++static void dirty_memory_extend(ram_addr_t new_ram_size)
+ {
+-    ram_addr_t old_num_blocks = DIV_ROUND_UP(old_ram_size,
+-                                             DIRTY_MEMORY_BLOCK_SIZE);
+-    ram_addr_t new_num_blocks = DIV_ROUND_UP(new_ram_size,
+-                                             DIRTY_MEMORY_BLOCK_SIZE);
++    unsigned int old_num_blocks = ram_list.num_dirty_blocks;
++    unsigned int new_num_blocks = DIV_ROUND_UP(new_ram_size,
++                                               DIRTY_MEMORY_BLOCK_SIZE);
+     int i;
+ 
+     /* Only need to extend if block count increased */
+@@ -1800,6 +1786,8 @@ static void dirty_memory_extend(ram_addr_t old_ram_size,
+             g_free_rcu(old_blocks, rcu);
+         }
+     }
++
++    ram_list.num_dirty_blocks = new_num_blocks;
+ }
+ 
+ static void ram_block_add(RAMBlock *new_block, Error **errp)
+@@ -1808,11 +1796,9 @@ static void ram_block_add(RAMBlock *new_block, Error **errp)
+     const bool shared = qemu_ram_is_shared(new_block);
+     RAMBlock *block;
+     RAMBlock *last_block = NULL;
+-    ram_addr_t old_ram_size, new_ram_size;
++    ram_addr_t ram_size;
+     Error *err = NULL;
+ 
+-    old_ram_size = last_ram_page();
+-
+     qemu_mutex_lock_ramlist();
+     new_block->offset = find_ram_offset(new_block->max_length);
+ 
+@@ -1840,11 +1826,8 @@ static void ram_block_add(RAMBlock *new_block, Error **errp)
+         }
+     }
+ 
+-    new_ram_size = MAX(old_ram_size,
+-              (new_block->offset + new_block->max_length) >> TARGET_PAGE_BITS);
+-    if (new_ram_size > old_ram_size) {
+-        dirty_memory_extend(old_ram_size, new_ram_size);
+-    }
++    ram_size = (new_block->offset + new_block->max_length) >> TARGET_PAGE_BITS;
++    dirty_memory_extend(ram_size);
+     /* Keep the list sorted from biggest to smallest block.  Unlike QTAILQ,
+      * QLIST (which has an RCU-friendly variant) does not have insertion at
+      * tail, so save the last element in last_block.

debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch

@@ -28,7 +28,8 @@ Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
      adapt to removal of QEMUFileOps
      improve condition for entering final stage
      adapt to QAPI and other changes for 8.2
-     make sure to not call vm_start() from coroutine]
+     make sure to not call vm_start() from coroutine
+     stop CPU throttling after finishing]
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  hmp-commands-info.hx         |  13 +
@@ -36,13 +37,13 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  include/migration/snapshot.h |   2 +
  include/monitor/hmp.h        |   3 +
  migration/meson.build        |   1 +
- migration/savevm-async.c     | 538 +++++++++++++++++++++++++++++++++++
+ migration/savevm-async.c     | 545 +++++++++++++++++++++++++++++++++++
  monitor/hmp-cmds.c           |  38 +++
  qapi/migration.json          |  34 +++
  qapi/misc.json               |  18 ++
  qemu-options.hx              |  12 +
  system/vl.c                  |  10 +
- 11 files changed, 686 insertions(+)
+ 11 files changed, 693 insertions(+)
  create mode 100644 migration/savevm-async.c
 
 diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
@@ -140,10 +141,10 @@ index 95d1cf2250..800f12a60d 100644
    'threadinfo.c',
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
 new file mode 100644
-index 0000000000..72cf6588c2
+index 0000000000..1af32604c7
 --- /dev/null
 +++ b/migration/savevm-async.c
-@@ -0,0 +1,538 @@
+@@ -0,0 +1,545 @@
 +#include "qemu/osdep.h"
 +#include "migration/channel-savevm-async.h"
 +#include "migration/migration.h"
@@ -154,6 +155,7 @@ index 0000000000..72cf6588c2
 +#include "migration/global_state.h"
 +#include "migration/ram.h"
 +#include "migration/qemu-file.h"
++#include "sysemu/cpu-throttle.h"
 +#include "sysemu/sysemu.h"
 +#include "sysemu/runstate.h"
 +#include "block/block.h"
@@ -342,6 +344,12 @@ index 0000000000..72cf6588c2
 +        ret || aborted ? MIGRATION_STATUS_FAILED : MIGRATION_STATUS_COMPLETED);
 +    ms->to_dst_file = NULL;
 +
++    /*
++     * Same as in migration_iteration_finish(): saving RAM might've turned on CPU throttling for
++     * auto-converge, make sure to disable it.
++     */
++    cpu_throttle_stop();
++
 +    qemu_savevm_state_cleanup();
 +
 +    ret = save_snapshot_cleanup();

debian/patches/pve/0018-PVE-add-optional-buffer-size-to-QEMUFile.patch

@@ -193,10 +193,10 @@ index 32fd4a34fd..36a0cd8cc8 100644
  
  /*
 diff --git a/migration/savevm-async.c b/migration/savevm-async.c
-index 72cf6588c2..fb4e8ea689 100644
+index 1af32604c7..be2035cd2e 100644
 --- a/migration/savevm-async.c
 +++ b/migration/savevm-async.c
-@@ -379,7 +379,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
+@@ -386,7 +386,7 @@ void qmp_savevm_start(const char *statefile, Error **errp)
  
      QIOChannel *ioc = QIO_CHANNEL(qio_channel_savevm_async_new(snap_state.target,
                                                                 &snap_state.bs_pos));
@@ -205,7 +205,7 @@ index 72cf6588c2..fb4e8ea689 100644
  
      if (!snap_state.file) {
          error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
-@@ -503,7 +503,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
+@@ -510,7 +510,8 @@ int load_snapshot_from_blockdev(const char *filename, Error **errp)
      blk_op_block_all(be, blocker);
  
      /* restore the VM state */

debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch

@@ -5,12 +5,13 @@ Subject: [PATCH] PVE: block: add the zeroinit block driver filter
 
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 [FE: adapt to changed function signatures
-     adhere to block graph lock requirements]
+     adhere to block graph lock requirements
+     use dedicated function to open file child]
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
  block/meson.build |   1 +
- block/zeroinit.c  | 214 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 215 insertions(+)
+ block/zeroinit.c  | 207 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 208 insertions(+)
  create mode 100644 block/zeroinit.c
 
 diff --git a/block/meson.build b/block/meson.build
@@ -27,10 +28,10 @@ index e1f03fd773..b530e117b5 100644
  system_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
 diff --git a/block/zeroinit.c b/block/zeroinit.c
 new file mode 100644
-index 0000000000..696558d8d6
+index 0000000000..7998c9332d
 --- /dev/null
 +++ b/block/zeroinit.c
-@@ -0,0 +1,214 @@
+@@ -0,0 +1,207 @@
 +/*
 + * Filter to fake a zero-initialized block device.
 + *
@@ -96,7 +97,6 @@ index 0000000000..696558d8d6
 +                          Error **errp)
 +{
 +    BDRVZeroinitState *s = bs->opaque;
-+    BdrvChild *file = NULL;
 +    QemuOpts *opts;
 +    Error *local_err = NULL;
 +    int ret;
@@ -112,15 +112,9 @@ index 0000000000..696558d8d6
 +    }
 +
 +    /* Open the raw file */
-+    file = bdrv_open_child(qemu_opt_get(opts, "x-next"), options, "next", bs,
-+                           &child_of_bds,
-+                           BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY, false,
-+                           &local_err);
-+    bdrv_graph_wrlock();
-+    bs->file = file;
-+    bdrv_graph_wrunlock();
-+    if (local_err) {
-+        ret = -EINVAL;
++    ret = bdrv_open_file_child(qemu_opt_get(opts, "x-next"), options, "next",
++                               bs, &local_err);
++    if (ret < 0) {
 +        error_propagate(errp, local_err);
 +        goto fail;
 +    }

debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch

@@ -119,7 +119,7 @@ index 43bc0bd520..60e98c87f1 100644
      };
      return raw_co_create(&options, errp);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 45ab548dfe..f7c2b63c5d 100644
+index 905da8be72..3db587a6e4 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -4956,6 +4956,10 @@

debian/patches/pve/0026-block-backup-move-bcs-bitmap-initialization-to-job-c.patch

@@ -25,7 +25,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/block/backup.c b/block/backup.c
-index ec29d6b810..270957c0cd 100644
+index 3dd2e229d2..eba5b11493 100644
 --- a/block/backup.c
 +++ b/block/backup.c
 @@ -237,8 +237,8 @@ static void backup_init_bcs_bitmap(BackupBlockJob *job)
@@ -48,7 +48,7 @@ index ec29d6b810..270957c0cd 100644
      if (s->sync_mode == MIRROR_SYNC_MODE_TOP) {
          int64_t offset = 0;
          int64_t count;
-@@ -501,6 +499,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -502,6 +500,8 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
                         &error_abort);
      bdrv_graph_wrunlock();
  

debian/patches/pve/0028-PVE-Backup-add-backup-dump-block-driver.patch

@@ -199,7 +199,7 @@ index 0000000000..e46abf1070
 +    return bs;
 +}
 diff --git a/block/backup.c b/block/backup.c
-index 270957c0cd..16d611c4ca 100644
+index eba5b11493..1963e47ab9 100644
 --- a/block/backup.c
 +++ b/block/backup.c
 @@ -29,28 +29,6 @@
@@ -231,7 +231,7 @@ index 270957c0cd..16d611c4ca 100644
  static const BlockJobDriver backup_job_driver;
  
  static void backup_cleanup_sync_bitmap(BackupBlockJob *job, int ret)
-@@ -461,6 +439,14 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+@@ -462,6 +440,14 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
      }
  
      cluster_size = block_copy_cluster_size(bcs);

debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch

@@ -120,10 +120,10 @@ index e99914eaa4..6bba803f94 100644
  system_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
  system_ss.add(files('block-ram-registrar.c'))
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index d954bec6f1..5000c084c5 100644
+index bdf2eb50b6..439a7a14c8 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1008,3 +1008,42 @@ void hmp_change_medium(Monitor *mon, const char *device, const char *target,
+@@ -1009,3 +1009,42 @@ void hmp_change_medium(Monitor *mon, const char *device, const char *target,
      qmp_blockdev_change_medium(device, NULL, target, arg, true, force,
                                 !!read_only, read_only_mode, errp);
  }
@@ -167,7 +167,7 @@ index d954bec6f1..5000c084c5 100644
 +    hmp_handle_error(mon, error);
 +}
 diff --git a/blockdev.c b/blockdev.c
-index d27d8c38ec..5e5dbc1da9 100644
+index ed8198f351..1054a69279 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -37,6 +37,7 @@
@@ -1683,7 +1683,7 @@ index 0000000000..c755bf302b
 +    return ret;
 +}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index f7c2b63c5d..e49c7b5bc9 100644
+index 3db587a6e4..d05fffce1d 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -851,6 +851,239 @@

debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch

@@ -368,7 +368,7 @@ index 6de51c34cb..3bc039f60f 100644
  summary_info += {'libdaxctl support': libdaxctl}
  summary_info += {'libudev':           libudev}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index e49c7b5bc9..fc32ff9957 100644
+index d05fffce1d..e7cf3d94f3 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3457,6 +3457,7 @@

debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch

@@ -186,7 +186,7 @@ index c755bf302b..5ebb6a3947 100644
      ret->pbs_masterkey = true;
      ret->backup_max_workers = true;
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index fc32ff9957..f516d8e95a 100644
+index e7cf3d94f3..282e2e8a8c 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1004,6 +1004,11 @@

debian/patches/pve/0044-copy-before-write-allow-specifying-minimum-cluster-s.patch

@@ -25,7 +25,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  4 files changed, 23 insertions(+), 6 deletions(-)
 
 diff --git a/block/block-copy.c b/block/block-copy.c
-index 7e3b378528..adb1cbb440 100644
+index cc618e4561..12d662e9d4 100644
 --- a/block/block-copy.c
 +++ b/block/block-copy.c
 @@ -310,6 +310,7 @@ void block_copy_set_copy_opts(BlockCopyState *s, bool use_copy_range,
@@ -108,10 +108,10 @@ index bdc703bacd..77857c6c68 100644
  
  /* Function should be called prior any actual copy request */
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index d796d49abb..edbf6e78b9 100644
+index 282e2e8a8c..9caf04cbe9 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -4930,12 +4930,18 @@
+@@ -4926,12 +4926,18 @@
  #     @on-cbw-error parameter will decide how this failure is handled.
  #     Default 0.  (Since 7.1)
  #

debian/patches/pve/0045-backup-add-minimum-cluster-size-to-performance-optio.patch

@@ -82,7 +82,7 @@ index 1054a69279..cbe224387b 100644
  
      if ((backup->sync == MIRROR_SYNC_MODE_BITMAP) ||
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index edbf6e78b9..6e7ee87633 100644
+index 9caf04cbe9..df934647ed 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -1790,11 +1790,16 @@

debian/patches/pve/0046-PVE-backup-add-fleecing-option.patch

@@ -68,10 +68,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 142 insertions(+), 4 deletions(-)
 
 diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
-index 5000c084c5..70b3de4c7e 100644
+index 439a7a14c8..d0e7771dcc 100644
 --- a/block/monitor/block-hmp-cmds.c
 +++ b/block/monitor/block-hmp-cmds.c
-@@ -1043,6 +1043,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1044,6 +1044,7 @@ void coroutine_fn hmp_backup(Monitor *mon, const QDict *qdict)
          NULL, NULL,
          devlist, qdict_haskey(qdict, "speed"), speed,
          false, 0, // BackupPerf max-workers
@@ -294,7 +294,7 @@ index 5ebb6a3947..a747d12d3d 100644
      return ret;
  }
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 6e7ee87633..dc5f75cd39 100644
+index df934647ed..ff441d4258 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -948,6 +948,10 @@

debian/patches/series

@@ -3,21 +3,37 @@ extra/0002-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
 extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 extra/0004-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
 extra/0005-block-copy-before-write-use-uint64_t-for-timeout-in-.patch
-extra/0006-virtio-gpu-fix-v2-migration.patch
-extra/0007-hw-pflash-fix-block-write-start.patch
-extra/0008-target-i386-fix-operand-size-for-DATA16-REX.W-POPCNT.patch
-extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
-extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
-extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
-extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
-extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
-extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
-extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
-extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
-extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
-extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
-extra/0019-qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO.patch
-extra/0020-block-Parse-filenames-only-when-explicitly-requested.patch
+extra/0006-block-copy-before-write-fix-permission.patch
+extra/0007-block-copy-before-write-support-unligned-snapshot-di.patch
+extra/0008-block-copy-before-write-create-block_copy-bitmap-in-.patch
+extra/0009-qapi-blockdev-backup-add-discard-source-parameter.patch
+extra/0010-hw-virtio-Fix-the-de-initialization-of-vhost-user-de.patch
+extra/0011-target-arm-Use-float_status-copy-in-sme_fmopa_s.patch
+extra/0012-target-arm-Use-FPST_F16-for-SME-FMOPA-widening.patch
+extra/0013-scsi-fix-regression-and-honor-bootindex-again-for-le.patch
+extra/0014-hw-scsi-lsi53c895a-bump-instruction-limit-in-scripts.patch
+extra/0015-block-copy-Fix-missing-graph-lock.patch
+extra/0016-Revert-qemu-char-do-not-operate-on-sources-from-fina.patch
+extra/0017-virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch
+extra/0018-virtio-net-Ensure-queue-index-fits-with-RSS.patch
+extra/0019-virtio-net-Fix-network-stall-at-the-host-side-waitin.patch
+extra/0020-net-Reinstate-net-nic-model-help-output-as-documente.patch
+extra/0021-net-Fix-net-nic-model-for-non-help-arguments.patch
+extra/0022-target-arm-Don-t-assert-for-128-bit-tile-accesses-wh.patch
+extra/0023-target-arm-Fix-UMOPA-UMOPS-of-16-bit-values.patch
+extra/0024-target-arm-Avoid-shifts-by-1-in-tszimm_shr-and-tszim.patch
+extra/0025-target-arm-Ignore-SMCR_EL2.LEN-and-SVCR_EL2.LEN-if-E.patch
+extra/0026-target-arm-Handle-denormals-correctly-for-FMOPA-wide.patch
+extra/0027-intel_iommu-fix-FRCD-construction-macro.patch
+extra/0028-target-i386-Do-not-apply-REX-to-MMX-operands.patch
+extra/0029-module-Prevent-crash-by-resetting-local_err-in-modul.patch
+extra/0030-nbd-server-Plumb-in-new-args-to-nbd_client_add.patch
+extra/0031-nbd-server-CVE-2024-7409-Cap-default-max-connections.patch
+extra/0032-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
+extra/0033-nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
+extra/0034-vnc-fix-crash-when-no-console-attached.patch
+extra/0035-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
+extra/0036-softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
@@ -67,11 +83,8 @@ pve/0040-Revert-block-rbd-fix-handling-of-holes-in-.bdrv_co_b.patch
 pve/0041-Revert-block-rbd-implement-bdrv_co_block_status.patch
 pve/0042-alloc-track-error-out-when-auto-remove-is-not-set.patch
 pve/0043-alloc-track-avoid-seemingly-superfluous-child-permis.patch
-pve/0044-block-copy-before-write-fix-permission.patch
-pve/0045-block-copy-before-write-support-unligned-snapshot-di.patch
-pve/0046-block-copy-before-write-create-block_copy-bitmap-in-.patch
-pve/0047-qapi-blockdev-backup-add-discard-source-parameter.patch
-pve/0048-copy-before-write-allow-specifying-minimum-cluster-s.patch
-pve/0049-backup-add-minimum-cluster-size-to-performance-optio.patch
-pve/0050-PVE-backup-add-fleecing-option.patch
-pve/0051-PVE-backup-improve-error-when-copy-before-write-fail.patch
+pve/0044-copy-before-write-allow-specifying-minimum-cluster-s.patch
+pve/0045-backup-add-minimum-cluster-size-to-performance-optio.patch
+pve/0046-PVE-backup-add-fleecing-option.patch
+pve/0047-PVE-backup-improve-error-when-copy-before-write-fail.patch
+pve-qemu-9.0-vitastor.patch