fix #4507: add patch to automatically increase NOFILE soft limit

In many configurations, e.g. multiple vNICs with multiple queues or
with many Ceph OSDs, the default soft limit of 1024 is not enough.
QEMU is supposed to work fine with file descriptors >= 1024 and does
not use select() on POSIX. Bump the soft limit to the allowed hard
limit to avoid issues with the aforementioned configurations.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>

debian/changelog

@@ -1,3 +1,37 @@
+pve-qemu-kvm (8.1.5-2) bookworm; urgency=medium
+
+  * work around for a situation where guest IO might get stuck, if the VM is
+    configure  with iothread and VirtIO block/SCSI
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Feb 2024 19:41:27 +0100
+
+pve-qemu-kvm (8.1.5-1) bookworm; urgency=medium
+
+  * update to 8.1.5 stable release, including more relevant fixes like:
+    - virtio-net: correctly copy vnet header when flushing TX
+    - hw/pflash: implement update buffer for block writes
+    - Fixes to i386 emulation and ARM emulation.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Feb 2024 19:08:13 +0100
+
+pve-qemu-kvm (8.1.2-6) bookworm; urgency=medium
+
+  * revert attempted fix to avoid rare issue with stuck guest IO when using
+    iothread, because it caused a much more common issue with iothreads
+    consuming too much CPU
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Dec 2023 14:22:06 +0100
+
+pve-qemu-kvm (8.1.2-5) bookworm; urgency=medium
+
+  * backport workaround for stuck guest IO with iothread and VirtIO block/SCSI
+    in some rare edge cases
+
+  * backport fix for potential deadlock when issuing the "resize" QMP command
+    for a disk that is using iothread
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Dec 2023 16:58:27 +0100
+
 pve-qemu-kvm (8.1.2-4) bookworm; urgency=medium
 
   * fix vnc clipboard in the host to guest direction

debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch

@@ -254,10 +254,10 @@ index d3cacd1708..1ff42c8af1 100644
                       errp);
      if (!job) {
 diff --git a/blockdev.c b/blockdev.c
-index e6eba61484..a8b1fd2a73 100644
+index c28462a633..a402fa4bf7 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -2848,6 +2848,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2849,6 +2849,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
                                     BlockDriverState *target,
                                     const char *replaces,
                                     enum MirrorSyncMode sync,
@@ -267,7 +267,7 @@ index e6eba61484..a8b1fd2a73 100644
                                     BlockMirrorBackingMode backing_mode,
                                     bool zero_target,
                                     bool has_speed, int64_t speed,
-@@ -2866,6 +2869,7 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2867,6 +2870,7 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
  {
      BlockDriverState *unfiltered_bs;
      int job_flags = JOB_DEFAULT;
@@ -275,7 +275,7 @@ index e6eba61484..a8b1fd2a73 100644
  
      GLOBAL_STATE_CODE();
      GRAPH_RDLOCK_GUARD_MAINLOOP();
-@@ -2920,6 +2924,29 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2921,6 +2925,29 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
          sync = MIRROR_SYNC_MODE_FULL;
      }
  
@@ -305,7 +305,7 @@ index e6eba61484..a8b1fd2a73 100644
      if (!replaces) {
          /* We want to mirror from @bs, but keep implicit filters on top */
          unfiltered_bs = bdrv_skip_implicit_filters(bs);
-@@ -2965,8 +2992,8 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2966,8 +2993,8 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
       * and will allow to check whether the node still exist at mirror completion
       */
      mirror_start(job_id, bs, target,
@@ -316,7 +316,7 @@ index e6eba61484..a8b1fd2a73 100644
                   on_source_error, on_target_error, unmap, filter_node_name,
                   copy_mode, errp);
  }
-@@ -3114,6 +3141,8 @@ void qmp_drive_mirror(DriveMirror *arg, Error **errp)
+@@ -3115,6 +3142,8 @@ void qmp_drive_mirror(DriveMirror *arg, Error **errp)
  
      blockdev_mirror_common(arg->job_id, bs, target_bs,
                             arg->replaces, arg->sync,
@@ -325,7 +325,7 @@ index e6eba61484..a8b1fd2a73 100644
                             backing_mode, zero_target,
                             arg->has_speed, arg->speed,
                             arg->has_granularity, arg->granularity,
-@@ -3135,6 +3164,8 @@ void qmp_blockdev_mirror(const char *job_id,
+@@ -3136,6 +3165,8 @@ void qmp_blockdev_mirror(const char *job_id,
                           const char *device, const char *target,
                           const char *replaces,
                           MirrorSyncMode sync,
@@ -334,7 +334,7 @@ index e6eba61484..a8b1fd2a73 100644
                           bool has_speed, int64_t speed,
                           bool has_granularity, uint32_t granularity,
                           bool has_buf_size, int64_t buf_size,
-@@ -3183,7 +3214,8 @@ void qmp_blockdev_mirror(const char *job_id,
+@@ -3184,7 +3215,8 @@ void qmp_blockdev_mirror(const char *job_id,
      }
  
      blockdev_mirror_common(job_id, bs, target_bs,
@@ -360,7 +360,7 @@ index da5fb31089..32f0f9858a 100644
                    BlockdevOnError on_source_error,
                    BlockdevOnError on_target_error,
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 2b1d493d6e..903392cb8f 100644
+index bca1a0c372..a5cea82139 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -2145,6 +2145,15 @@

debian/patches/bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch

@@ -16,10 +16,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/blockdev.c b/blockdev.c
-index a8b1fd2a73..83d5cc1e49 100644
+index a402fa4bf7..01b0ab0549 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -2945,6 +2945,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2946,6 +2946,9 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
          if (bdrv_dirty_bitmap_check(bitmap, BDRV_BITMAP_ALLOW_RO, errp)) {
              return;
          }

debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch

@@ -62,10 +62,10 @@ index 00f2665ca4..60cf574de5 100644
  
          if (bitmap_mode != BITMAP_SYNC_MODE_NEVER) {
 diff --git a/blockdev.c b/blockdev.c
-index 83d5cc1e49..060d86a65f 100644
+index 01b0ab0549..cd5f205ad1 100644
 --- a/blockdev.c
 +++ b/blockdev.c
-@@ -2924,7 +2924,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
+@@ -2925,7 +2925,36 @@ static void blockdev_mirror_common(const char *job_id, BlockDriverState *bs,
          sync = MIRROR_SYNC_MODE_FULL;
      }
  

debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch

@@ -104,7 +104,7 @@ index dc352f9e9d..56e1307014 100644
   * Is @mon is using readline?
   * Note: not all HMP monitors use readline, e.g., gdbserver has a
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index 6eee450fe4..c15bf1e1fc 100644
+index a239945e8d..589c9524f8 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
 @@ -165,6 +165,8 @@ static void monitor_qmp_dispatch(MonitorQMP *mon, QObject *req)
@@ -135,7 +135,7 @@ index 6eee450fe4..c15bf1e1fc 100644
      qobject_unref(rsp);
  }
  
-@@ -478,6 +490,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
+@@ -461,6 +473,7 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
  
      switch (event) {
      case CHR_EVENT_OPENED:
@@ -144,7 +144,7 @@ index 6eee450fe4..c15bf1e1fc 100644
          monitor_qmp_caps_reset(mon);
          data = qmp_greeting(mon);
 diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index 555528b6bb..3baa508b4b 100644
+index 176b549473..790bb7d1da 100644
 --- a/qapi/qmp-dispatch.c
 +++ b/qapi/qmp-dispatch.c
 @@ -117,16 +117,28 @@ typedef struct QmpDispatchBH {
@@ -180,13 +180,13 @@ index 555528b6bb..3baa508b4b 100644
      aio_co_wake(data->co);
  }
  
-@@ -231,6 +243,7 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+@@ -253,6 +265,7 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
              .ret        = &ret,
              .errp       = &err,
              .co         = qemu_coroutine_self(),
 +            .conn_nr    = monitor_get_connection_nr(cur_mon),
          };
-         aio_bh_schedule_oneshot(qemu_get_aio_context(), do_qmp_dispatch_bh,
+         aio_bh_schedule_oneshot(iohandler_get_aio_context(), do_qmp_dispatch_bh,
                                  &data);
 diff --git a/stubs/monitor-core.c b/stubs/monitor-core.c
 index afa477aae6..d3ff124bf3 100644

debian/patches/extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch

@@ -55,7 +55,7 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 6 insertions(+), 6 deletions(-)
 
 diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 07971c0218..6a74afe564 100644
+index c3508acbb1..289347af58 100644
 --- a/hw/ide/core.c
 +++ b/hw/ide/core.c
 @@ -444,7 +444,7 @@ static void ide_trim_bh_cb(void *opaque)

debian/patches/extra/0005-hw-ide-reset-cancel-async-DMA-operation-before-reset.patch

@@ -1,100 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Thu, 24 Aug 2023 11:22:21 +0200
-Subject: [PATCH] hw/ide: reset: cancel async DMA operation before reseting
- state
-
-If there is a pending DMA operation during ide_bus_reset(), the fact
-that the IDEstate is already reset before the operation is canceled
-can be problematic. In particular, ide_dma_cb() might be called and
-then use the reset IDEstate which contains the signature after the
-reset. When used to construct the IO operation this leads to
-ide_get_sector() returning 0 and nsector being 1. This is particularly
-bad, because a write command will thus destroy the first sector which
-often contains a partition table or similar.
-
-Traces showing the unsolicited write happening with IDEstate
-0x5595af6949d0 being used after reset:
-
-> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300
-> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
-> ide_reset IDEstate 0x5595af6949d0
-> ide_reset IDEstate 0x5595af694da8
-> ide_bus_reset_aio aio_cancel
-> dma_aio_cancel dbs=0x7f64600089a0
-> dma_blk_cb dbs=0x7f64600089a0 ret=0
-> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
-> ahci_populate_sglist ahci(0x5595af6923f0)[0]
-> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512
-> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
-> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
-> dma_blk_cb dbs=0x7f6420802010 ret=0
-
-> (gdb) p *qiov
-> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0,
->       iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000",
->       size = 512}}}
-> (gdb) bt
-> #0  blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0,
->     cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010)
->     at ../block/block-backend.c:1682
-> #1  0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>)
->     at ../softmmu/dma-helpers.c:179
-> #2  0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
->     sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
->     io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>,
->     io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
->     cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0,
->     dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
-> #3  0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
->     sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
->     cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0)
->     at ../softmmu/dma-helpers.c:280
-> #4  0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>)
->     at ../hw/ide/core.c:953
-> #5  0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
->     at ../softmmu/dma-helpers.c:107
-> #6  dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
-> #7  0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
->     at ../block/block-backend.c:1527
-> #8  blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
-> #9  blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594
-> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>,
->     i1=<optimized out>) at ../util/coroutine-ucontext.c:177
-
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/ide/core.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 6a74afe564..289347af58 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s)
- 
- void ide_bus_reset(IDEBus *bus)
- {
--    bus->unit = 0;
--    bus->cmd = 0;
--    ide_reset(&bus->ifs[0]);
--    ide_reset(&bus->ifs[1]);
--    ide_clear_hob(bus);
--
--    /* pending async DMA */
-+    /* pending async DMA - needs the IDEState before it is reset */
-     if (bus->dma->aiocb) {
-         trace_ide_bus_reset_aio();
-         blk_aio_cancel(bus->dma->aiocb);
-         bus->dma->aiocb = NULL;
-     }
- 
-+    bus->unit = 0;
-+    bus->cmd = 0;
-+    ide_reset(&bus->ifs[0]);
-+    ide_reset(&bus->ifs[1]);
-+    ide_clear_hob(bus);
-+
-     /* reset dma provider too */
-     if (bus->dma->ops->reset) {
-         bus->dma->ops->reset(bus->dma);

debian/patches/extra/0008-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Feb 2022 20:09:41 +0100
+Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The sgx_epc_get_section stub is reachable from cpu_x86_cpuid.  It
+should not assert, instead it should just return true just like
+the "real" sgx_epc_get_section does when SGX is disabled.
+
+Reported-by: Vladimír Beneš <vbenes@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20220201190941.106001-1-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry-picked from commit 219615740425d9683588207b40a365e6741691a6)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/i386/sgx-stub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
+index 26833eb233..16b1dfd90b 100644
+--- a/hw/i386/sgx-stub.c
++++ b/hw/i386/sgx-stub.c
+@@ -34,5 +34,5 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
+ 
+ bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
+ {
+-    g_assert_not_reached();
++    return true;
+ }

debian/patches/extra/0009-hw-ide-ahci-fix-legacy-software-reset.patch

@@ -1,107 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Niklas Cassel <niklas.cassel@wdc.com>
-Date: Wed, 8 Nov 2023 23:26:57 +0100
-Subject: [PATCH] hw/ide/ahci: fix legacy software reset
-
-Legacy software contains a standard mechanism for generating a reset to a
-Serial ATA device - setting the SRST (software reset) bit in the Device
-Control register.
-
-Serial ATA has a more robust mechanism called COMRESET, also referred to
-as port reset. A port reset is the preferred mechanism for error
-recovery and should be used in place of software reset.
-
-Commit e2a5d9b3d9c3 ("hw/ide/ahci: simplify and document PxCI handling")
-improved the handling of PxCI, such that PxCI gets cleared after handling
-a non-NCQ, or NCQ command (instead of incorrectly clearing PxCI after
-receiving anything - even a FIS that failed to parse, which should NOT
-clear PxCI, so that you can see which command slot that caused an error).
-
-However, simply clearing PxCI after a non-NCQ, or NCQ command, is not
-enough, we also need to clear PxCI when receiving a SRST in the Device
-Control register.
-
-A legacy software reset is performed by the host sending two H2D FISes,
-the first H2D FIS asserts SRST, and the second H2D FIS deasserts SRST.
-
-The first H2D FIS will not get a D2H reply, and requires the FIS to have
-the C bit set to one, such that the HBA itself will clear the bit in PxCI.
-
-The second H2D FIS will get a D2H reply once the diagnostic is completed.
-The clearing of the bit in PxCI for this command should ideally be done
-in ahci_init_d2h() (if it was a legacy software reset that caused the
-reset (a COMRESET does not use a command slot)). However, since the reset
-value for PxCI is 0, modify ahci_reset_port() to actually clear PxCI to 0,
-that way we can avoid complex logic in ahci_init_d2h().
-
-This fixes an issue for FreeBSD where the device would fail to reset.
-The problem was not noticed in Linux, because Linux uses a COMRESET
-instead of a legacy software reset by default.
-
-Fixes: e2a5d9b3d9c3 ("hw/ide/ahci: simplify and document PxCI handling")
-Reported-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
-(picked from https://lists.nongnu.org/archive/html/qemu-devel/2023-11/msg02277.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/ide/ahci.c | 27 ++++++++++++++++++++++++++-
- 1 file changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
-index d0a774bc17..1718b7e902 100644
---- a/hw/ide/ahci.c
-+++ b/hw/ide/ahci.c
-@@ -623,9 +623,13 @@ static void ahci_init_d2h(AHCIDevice *ad)
-         return;
-     }
- 
-+    /*
-+     * For simplicity, do not call ahci_clear_cmd_issue() for this
-+     * ahci_write_fis_d2h(). (The reset value for PxCI is 0.)
-+     */
-     if (ahci_write_fis_d2h(ad, true)) {
-         ad->init_d2h_sent = true;
--        /* We're emulating receiving the first Reg H2D Fis from the device;
-+        /* We're emulating receiving the first Reg D2H FIS from the device;
-          * Update the SIG register, but otherwise proceed as normal. */
-         pr->sig = ((uint32_t)ide_state->hcyl << 24) |
-             (ide_state->lcyl << 16) |
-@@ -663,6 +667,7 @@ static void ahci_reset_port(AHCIState *s, int port)
-     pr->scr_act = 0;
-     pr->tfdata = 0x7F;
-     pr->sig = 0xFFFFFFFF;
-+    pr->cmd_issue = 0;
-     d->busy_slot = -1;
-     d->init_d2h_sent = false;
- 
-@@ -1243,10 +1248,30 @@ static void handle_reg_h2d_fis(AHCIState *s, int port,
-         case STATE_RUN:
-             if (cmd_fis[15] & ATA_SRST) {
-                 s->dev[port].port_state = STATE_RESET;
-+                /*
-+                 * When setting SRST in the first H2D FIS in the reset sequence,
-+                 * the device does not send a D2H FIS. Host software thus has to
-+                 * set the "Clear Busy upon R_OK" bit such that PxCI (and BUSY)
-+                 * gets cleared. See AHCI 1.3.1, section 10.4.1 Software Reset.
-+                 */
-+                if (opts & AHCI_CMD_CLR_BUSY) {
-+                    ahci_clear_cmd_issue(ad, slot);
-+                }
-             }
-             break;
-         case STATE_RESET:
-             if (!(cmd_fis[15] & ATA_SRST)) {
-+                /*
-+                 * When clearing SRST in the second H2D FIS in the reset
-+                 * sequence, the device will execute diagnostics. When this is
-+                 * done, the device will send a D2H FIS with the good status.
-+                 * See SATA 3.5a Gold, section 11.4 Software reset protocol.
-+                 *
-+                 * This D2H FIS is the first D2H FIS received from the device,
-+                 * and is received regardless if the reset was performed by a
-+                 * COMRESET or by setting and clearing the SRST bit. Therefore,
-+                 * the logic for this is found in ahci_init_d2h() and not here.
-+                 */
-                 ahci_reset_port(s, port);
-             }
-             break;

debian/patches/extra/0009-ui-clipboard-mark-type-as-not-available-when-there-i.patch

@@ -0,0 +1,86 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 24 Jan 2024 11:57:48 +0100
+Subject: [PATCH] ui/clipboard: mark type as not available when there is no
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
+message with len=0. In qemu_clipboard_set_data(), the clipboard info
+will be updated setting data to NULL (because g_memdup(data, size)
+returns NULL when size is 0). If the client does not set the
+VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
+the 'request' callback for the clipboard peer is not initialized.
+Later, because data is NULL, qemu_clipboard_request() can be reached
+via vdagent_chr_write() and vdagent_clipboard_recv_request() and
+there, the clipboard owner's 'request' callback will be attempted to
+be called, but that is a NULL pointer.
+
+In particular, this can happen when using the KRDC (22.12.3) VNC
+client.
+
+Another scenario leading to the same issue is with two clients (say
+noVNC and KRDC):
+
+The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
+initializes its cbpeer.
+
+The KRDC client does not, but triggers a vnc_client_cut_text() (note
+it's not the _ext variant)). There, a new clipboard info with it as
+the 'owner' is created and via qemu_clipboard_set_data() is called,
+which in turn calls qemu_clipboard_update() with that info.
+
+In qemu_clipboard_update(), the notifier for the noVNC client will be
+called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
+noVNC client. The 'owner' in that clipboard info is the clipboard peer
+for the KRDC client, which did not initialize the 'request' function.
+That sounds correct to me, it is the owner of that clipboard info.
+
+Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
+the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
+passes), that clipboard info is passed to qemu_clipboard_request() and
+the original segfault still happens.
+
+Fix the issue by handling updates with size 0 differently. In
+particular, mark in the clipboard info that the type is not available.
+
+While at it, switch to g_memdup2(), because g_memdup() is deprecated.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2023-6683
+Reported-by: Markus Frank <m.frank@proxmox.com>
+Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Tested-by: Markus Frank <m.frank@proxmox.com>
+(picked from https://lists.nongnu.org/archive/html/qemu-stable/2024-01/msg00228.html)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ ui/clipboard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf8..b3f6fa3c9e 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+     }
+ 
+     g_free(info->types[type].data);
+-    info->types[type].data = g_memdup(data, size);
+-    info->types[type].size = size;
+-    info->types[type].available = true;
++    if (size) {
++        info->types[type].data = g_memdup2(data, size);
++        info->types[type].size = size;
++        info->types[type].available = true;
++    } else {
++        info->types[type].data = NULL;
++        info->types[type].size = 0;
++        info->types[type].available = false;
++    }
+ 
+     if (update) {
+         qemu_clipboard_update(info);

debian/patches/extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch

@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Wed, 22 Nov 2023 13:17:25 +0100
-Subject: [PATCH] ui/vnc-clipboard: fix inflate_buffer
-
-Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
-inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
-required, because it can happen that stream.avail_in becomes zero
-before coming across a return value of Z_STREAM_END.
-
-This fixes the host->guest direction with noNVC.
-
-Reported-by: Friedrich Weber <f.weber@proxmox.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- ui/vnc-clipboard.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
-index c759be3438..124b6fbd9c 100644
---- a/ui/vnc-clipboard.c
-+++ b/ui/vnc-clipboard.c
-@@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
-         }
-     }
- 
-+    *size = stream.total_out;
-+    inflateEnd(&stream);
-+
-+    return out;
-+
- err_end:
-     inflateEnd(&stream);
- err:

debian/patches/extra/0010-virtio-scsi-Attach-event-vq-notifier-with-no_poll.patch

@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hanna Czenczek <hreitz@redhat.com>
+Date: Fri, 2 Feb 2024 16:31:56 +0100
+Subject: [PATCH] virtio-scsi: Attach event vq notifier with no_poll
+
+As of commit 38738f7dbbda90fbc161757b7f4be35b52205552 ("virtio-scsi:
+don't waste CPU polling the event virtqueue"), we only attach an io_read
+notifier for the virtio-scsi event virtqueue instead, and no polling
+notifiers.  During operation, the event virtqueue is typically
+non-empty, but none of the buffers are intended to be used immediately.
+Instead, they only get used when certain events occur.  Therefore, it
+makes no sense to continuously poll it when non-empty, because it is
+supposed to be and stay non-empty.
+
+We do this by using virtio_queue_aio_attach_host_notifier_no_poll()
+instead of virtio_queue_aio_attach_host_notifier() for the event
+virtqueue.
+
+Commit 766aa2de0f29b657148e04599320d771c36fd126 ("virtio-scsi: implement
+BlockDevOps->drained_begin()") however has virtio_scsi_drained_end() use
+virtio_queue_aio_attach_host_notifier() for all virtqueues, including
+the event virtqueue.  This can lead to it being polled again, undoing
+the benefit of commit 38738f7dbbda90fbc161757b7f4be35b52205552.
+
+Fix it by using virtio_queue_aio_attach_host_notifier_no_poll() for the
+event virtqueue.
+
+       ("virtio-scsi: implement BlockDevOps->drained_begin()")
+
+Reported-by: Fiona Ebner <f.ebner@proxmox.com>
+Fixes: 766aa2de0f29b657148e04599320d771c36fd126
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Tested-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
+Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ hw/scsi/virtio-scsi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 45b95ea070..ad24a882fd 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -1148,6 +1148,7 @@ static void virtio_scsi_drained_begin(SCSIBus *bus)
+ static void virtio_scsi_drained_end(SCSIBus *bus)
+ {
+     VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus);
++    VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
+     VirtIODevice *vdev = VIRTIO_DEVICE(s);
+     uint32_t total_queues = VIRTIO_SCSI_VQ_NUM_FIXED +
+                             s->parent_obj.conf.num_queues;
+@@ -1165,7 +1166,11 @@ static void virtio_scsi_drained_end(SCSIBus *bus)
+ 
+     for (uint32_t i = 0; i < total_queues; i++) {
+         VirtQueue *vq = virtio_get_queue(vdev, i);
+-        virtio_queue_aio_attach_host_notifier(vq, s->ctx);
++        if (vq == vs->event_vq) {
++            virtio_queue_aio_attach_host_notifier_no_poll(vq, s->ctx);
++        } else {
++            virtio_queue_aio_attach_host_notifier(vq, s->ctx);
++        }
+     }
+ }
+ 

debian/patches/extra/0011-virtio-Re-enable-notifications-after-drain.patch

@@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hanna Czenczek <hreitz@redhat.com>
+Date: Fri, 2 Feb 2024 16:31:57 +0100
+Subject: [PATCH] virtio: Re-enable notifications after drain
+
+During drain, we do not care about virtqueue notifications, which is why
+we remove the handlers on it.  When removing those handlers, whether vq
+notifications are enabled or not depends on whether we were in polling
+mode or not; if not, they are enabled (by default); if so, they have
+been disabled by the io_poll_start callback.
+
+Because we do not care about those notifications after removing the
+handlers, this is fine.  However, we have to explicitly ensure they are
+enabled when re-attaching the handlers, so we will resume receiving
+notifications.  We do this in virtio_queue_aio_attach_host_notifier*().
+If such a function is called while we are in a polling section,
+attaching the notifiers will then invoke the io_poll_start callback,
+re-disabling notifications.
+
+Because we will always miss virtqueue updates in the drained section, we
+also need to poll the virtqueue once after attaching the notifiers.
+
+Buglink: https://issues.redhat.com/browse/RHEL-3934
+Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ hw/virtio/virtio.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
+ include/block/aio.h |  7 ++++++-
+ 2 files changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 969c25f4cf..02cce83111 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -3526,6 +3526,17 @@ static void virtio_queue_host_notifier_aio_poll_end(EventNotifier *n)
+ 
+ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
+ {
++    /*
++     * virtio_queue_aio_detach_host_notifier() can leave notifications disabled.
++     * Re-enable them.  (And if detach has not been used before, notifications
++     * being enabled is still the default state while a notifier is attached;
++     * see virtio_queue_host_notifier_aio_poll_end(), which will always leave
++     * notifications enabled once the polling section is left.)
++     */
++    if (!virtio_queue_get_notification(vq)) {
++        virtio_queue_set_notification(vq, 1);
++    }
++
+     aio_set_event_notifier(ctx, &vq->host_notifier,
+                            virtio_queue_host_notifier_read,
+                            virtio_queue_host_notifier_aio_poll,
+@@ -3533,6 +3544,13 @@ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
+     aio_set_event_notifier_poll(ctx, &vq->host_notifier,
+                                 virtio_queue_host_notifier_aio_poll_begin,
+                                 virtio_queue_host_notifier_aio_poll_end);
++
++    /*
++     * We will have ignored notifications about new requests from the guest
++     * while no notifiers were attached, so "kick" the virt queue to process
++     * those requests now.
++     */
++    event_notifier_set(&vq->host_notifier);
+ }
+ 
+ /*
+@@ -3543,14 +3561,38 @@ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
+  */
+ void virtio_queue_aio_attach_host_notifier_no_poll(VirtQueue *vq, AioContext *ctx)
+ {
++    /* See virtio_queue_aio_attach_host_notifier() */
++    if (!virtio_queue_get_notification(vq)) {
++        virtio_queue_set_notification(vq, 1);
++    }
++
+     aio_set_event_notifier(ctx, &vq->host_notifier,
+                            virtio_queue_host_notifier_read,
+                            NULL, NULL);
++
++    /*
++     * See virtio_queue_aio_attach_host_notifier().
++     * Note that this may be unnecessary for the type of virtqueues this
++     * function is used for.  Still, it will not hurt to have a quick look into
++     * whether we can/should process any of the virtqueue elements.
++     */
++    event_notifier_set(&vq->host_notifier);
+ }
+ 
+ void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx)
+ {
+     aio_set_event_notifier(ctx, &vq->host_notifier, NULL, NULL, NULL);
++
++    /*
++     * aio_set_event_notifier_poll() does not guarantee whether io_poll_end()
++     * will run after io_poll_begin(), so by removing the notifier, we do not
++     * know whether virtio_queue_host_notifier_aio_poll_end() has run after a
++     * previous virtio_queue_host_notifier_aio_poll_begin(), i.e. whether
++     * notifications are enabled or disabled.  It does not really matter anyway;
++     * we just removed the notifier, so we do not care about notifications until
++     * we potentially re-attach it.  The attach_host_notifier functions will
++     * ensure that notifications are enabled again when they are needed.
++     */
+ }
+ 
+ void virtio_queue_host_notifier_read(EventNotifier *n)
+diff --git a/include/block/aio.h b/include/block/aio.h
+index 32042e8905..79efadfa48 100644
+--- a/include/block/aio.h
++++ b/include/block/aio.h
+@@ -498,9 +498,14 @@ void aio_set_event_notifier(AioContext *ctx,
+                             AioPollFn *io_poll,
+                             EventNotifierHandler *io_poll_ready);
+ 
+-/* Set polling begin/end callbacks for an event notifier that has already been
++/*
++ * Set polling begin/end callbacks for an event notifier that has already been
+  * registered with aio_set_event_notifier.  Do nothing if the event notifier is
+  * not registered.
++ *
++ * Note that if the io_poll_end() callback (or the entire notifier) is removed
++ * during polling, it will not be called, so an io_poll_begin() is not
++ * necessarily always followed by an io_poll_end().
+  */
+ void aio_set_event_notifier_poll(AioContext *ctx,
+                                  EventNotifier *notifier,

debian/patches/extra/0012-qemu_init-increase-NOFILE-soft-limit-on-POSIX.patch

@@ -0,0 +1,119 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Mon, 18 Dec 2023 11:13:40 +0100
+Subject: [PATCH] qemu_init: increase NOFILE soft limit on POSIX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In many configurations, e.g. multiple vNICs with multiple queues or
+with many Ceph OSDs, the default soft limit of 1024 is not enough.
+QEMU is supposed to work fine with file descriptors >= 1024 and does
+not use select() on POSIX. Bump the soft limit to the allowed hard
+limit to avoid issues with the aforementioned configurations.
+
+Of course the limit could be raised from the outside, but the man page
+of systemd.exec states about 'LimitNOFILE=':
+
+> Don't use.
+> [...]
+> Typically applications should increase their soft limit to the hard
+> limit on their own, if they are OK with working with file
+> descriptors above 1023,
+
+If the soft limit is already the same as the hard limit, avoid the
+superfluous setrlimit call. This can avoid a warning with a strict
+seccomp filter blocking setrlimit if NOFILE was already raised before
+executing QEMU.
+
+Buglink: https://bugzilla.proxmox.com/show_bug.cgi?id=4507
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ include/sysemu/os-posix.h |  1 +
+ include/sysemu/os-win32.h |  5 +++++
+ os-posix.c                | 22 ++++++++++++++++++++++
+ softmmu/vl.c              |  2 ++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/sysemu/os-posix.h b/include/sysemu/os-posix.h
+index 1030d39904..edc415aff5 100644
+--- a/include/sysemu/os-posix.h
++++ b/include/sysemu/os-posix.h
+@@ -48,6 +48,7 @@ void os_setup_early_signal_handling(void);
+ void os_set_proc_name(const char *s);
+ void os_setup_signal_handling(void);
+ void os_daemonize(void);
++void os_setup_limits(void);
+ void os_setup_post(void);
+ int os_mlock(void);
+ 
+diff --git a/include/sysemu/os-win32.h b/include/sysemu/os-win32.h
+index 91aa0d7ec0..f6e23fe01e 100644
+--- a/include/sysemu/os-win32.h
++++ b/include/sysemu/os-win32.h
+@@ -129,6 +129,11 @@ static inline int os_mlock(void)
+     return -ENOSYS;
+ }
+ 
++void os_setup_limits(void)
++{
++    return;
++}
++
+ #define fsync _commit
+ 
+ #if !defined(lseek)
+diff --git a/os-posix.c b/os-posix.c
+index cfcb96533c..0cc1d991b1 100644
+--- a/os-posix.c
++++ b/os-posix.c
+@@ -24,6 +24,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include <sys/resource.h>
+ #include <sys/wait.h>
+ #include <pwd.h>
+ #include <grp.h>
+@@ -286,6 +287,27 @@ void os_daemonize(void)
+     }
+ }
+ 
++void os_setup_limits(void)
++{
++    struct rlimit nofile;
++
++    if (getrlimit(RLIMIT_NOFILE, &nofile) < 0) {
++        warn_report("unable to query NOFILE limit: %s", strerror(errno));
++        return;
++    }
++
++    if (nofile.rlim_cur == nofile.rlim_max) {
++        return;
++    }
++
++    nofile.rlim_cur = nofile.rlim_max;
++
++    if (setrlimit(RLIMIT_NOFILE, &nofile) < 0) {
++        warn_report("unable to set NOFILE limit: %s", strerror(errno));
++        return;
++    }
++}
++
+ void os_setup_post(void)
+ {
+     int fd = 0;
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index c9e9ede237..ba6ad8a8df 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -2713,6 +2713,8 @@ void qemu_init(int argc, char **argv)
+     error_init(argv[0]);
+     qemu_init_exec_dir(argv[0]);
+ 
++    os_setup_limits();
++
+     qemu_init_arch_modules();
+ 
+     qemu_init_subsystems();

debian/patches/pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch

@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/block/file-posix.c b/block/file-posix.c
-index aa89789737..0db366a851 100644
+index 7f540b03ed..ca551baa42 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
-@@ -564,7 +564,7 @@ static QemuOptsList raw_runtime_opts = {
+@@ -563,7 +563,7 @@ static QemuOptsList raw_runtime_opts = {
          {
              .name = "locking",
              .type = QEMU_OPT_STRING,
@@ -26,7 +26,7 @@ index aa89789737..0db366a851 100644
          },
          {
              .name = "pr-manager",
-@@ -664,7 +664,7 @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
+@@ -663,7 +663,7 @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
          s->use_lock = false;
          break;
      case ON_OFF_AUTO_AUTO:

debian/patches/pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch

@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/include/net/net.h b/include/net/net.h
-index 1448d00afb..d1601d32c1 100644
+index 685ec58318..22edf4ee96 100644
 --- a/include/net/net.h
 +++ b/include/net/net.h
-@@ -258,8 +258,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
+@@ -260,8 +260,8 @@ void netdev_add(QemuOpts *opts, Error **errp);
  int net_hub_id_for_client(NetClientState *nc, int *id);
  NetClientState *net_hub_port_find(int hub_id);
  

debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch

@@ -10,7 +10,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index e0771a1043..1018ccc0b8 100644
+index 0893b794e9..6d650a58b9 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
 @@ -2243,9 +2243,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);

debian/patches/pve/0008-PVE-Up-qemu-img-return-success-on-info-without-snaps.patch

@@ -9,7 +9,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/qemu-img.c b/qemu-img.c
-index 27f48051b0..bb287d8538 100644
+index 78433f3746..25d427edd1 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
 @@ -3062,7 +3062,8 @@ static int img_info(int argc, char **argv)

debian/patches/pve/0009-PVE-Up-qemu-img-dd-add-osize-and-read-from-to-stdin-.patch

@@ -54,10 +54,10 @@ index 1b1dab5b17..d1616c045a 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index bb287d8538..09c0340d16 100644
+index 25d427edd1..220e6ec577 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4888,10 +4888,12 @@ static int img_bitmap(int argc, char **argv)
+@@ -4899,10 +4899,12 @@ static int img_bitmap(int argc, char **argv)
  #define C_IF      04
  #define C_OF      010
  #define C_SKIP    020
@@ -70,7 +70,7 @@ index bb287d8538..09c0340d16 100644
  };
  
  struct DdIo {
-@@ -4967,6 +4969,19 @@ static int img_dd_skip(const char *arg,
+@@ -4978,6 +4980,19 @@ static int img_dd_skip(const char *arg,
      return 0;
  }
  
@@ -90,7 +90,7 @@ index bb287d8538..09c0340d16 100644
  static int img_dd(int argc, char **argv)
  {
      int ret = 0;
-@@ -5007,6 +5022,7 @@ static int img_dd(int argc, char **argv)
+@@ -5018,6 +5033,7 @@ static int img_dd(int argc, char **argv)
          { "if", img_dd_if, C_IF },
          { "of", img_dd_of, C_OF },
          { "skip", img_dd_skip, C_SKIP },
@@ -98,7 +98,7 @@ index bb287d8538..09c0340d16 100644
          { NULL, NULL, 0 }
      };
      const struct option long_options[] = {
-@@ -5082,91 +5098,112 @@ static int img_dd(int argc, char **argv)
+@@ -5093,91 +5109,112 @@ static int img_dd(int argc, char **argv)
          arg = NULL;
      }
  
@@ -275,7 +275,7 @@ index bb287d8538..09c0340d16 100644
      }
  
      if (dd.flags & C_SKIP && (in.offset > INT64_MAX / in.bsz ||
-@@ -5183,20 +5220,43 @@ static int img_dd(int argc, char **argv)
+@@ -5194,20 +5231,43 @@ static int img_dd(int argc, char **argv)
      in.buf = g_new(uint8_t, in.bsz);
  
      for (out_pos = 0; in_pos < size; ) {

debian/patches/pve/0010-PVE-Up-qemu-img-dd-add-isize-parameter.patch

@@ -16,10 +16,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 25 insertions(+), 3 deletions(-)
 
 diff --git a/qemu-img.c b/qemu-img.c
-index 09c0340d16..556535d9d5 100644
+index 220e6ec577..58bf9b43d1 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -4889,11 +4889,13 @@ static int img_bitmap(int argc, char **argv)
+@@ -4900,11 +4900,13 @@ static int img_bitmap(int argc, char **argv)
  #define C_OF      010
  #define C_SKIP    020
  #define C_OSIZE   040
@@ -33,7 +33,7 @@ index 09c0340d16..556535d9d5 100644
  };
  
  struct DdIo {
-@@ -4982,6 +4984,19 @@ static int img_dd_osize(const char *arg,
+@@ -4993,6 +4995,19 @@ static int img_dd_osize(const char *arg,
      return 0;
  }
  
@@ -53,7 +53,7 @@ index 09c0340d16..556535d9d5 100644
  static int img_dd(int argc, char **argv)
  {
      int ret = 0;
-@@ -4996,12 +5011,14 @@ static int img_dd(int argc, char **argv)
+@@ -5007,12 +5022,14 @@ static int img_dd(int argc, char **argv)
      int c, i;
      const char *out_fmt = "raw";
      const char *fmt = NULL;
@@ -69,7 +69,7 @@ index 09c0340d16..556535d9d5 100644
      };
      struct DdIo in = {
          .bsz = 512, /* Block size is by default 512 bytes */
-@@ -5023,6 +5040,7 @@ static int img_dd(int argc, char **argv)
+@@ -5034,6 +5051,7 @@ static int img_dd(int argc, char **argv)
          { "of", img_dd_of, C_OF },
          { "skip", img_dd_skip, C_SKIP },
          { "osize", img_dd_osize, C_OSIZE },
@@ -77,7 +77,7 @@ index 09c0340d16..556535d9d5 100644
          { NULL, NULL, 0 }
      };
      const struct option long_options[] = {
-@@ -5219,9 +5237,10 @@ static int img_dd(int argc, char **argv)
+@@ -5230,9 +5248,10 @@ static int img_dd(int argc, char **argv)
  
      in.buf = g_new(uint8_t, in.bsz);
  
@@ -90,7 +90,7 @@ index 09c0340d16..556535d9d5 100644
          if (blk1) {
              in_ret = blk_pread(blk1, in_pos, bytes, in.buf, 0);
              if (in_ret == 0) {
-@@ -5230,6 +5249,9 @@ static int img_dd(int argc, char **argv)
+@@ -5241,6 +5260,9 @@ static int img_dd(int argc, char **argv)
          } else {
              in_ret = read(STDIN_FILENO, in.buf, bytes);
              if (in_ret == 0) {

debian/patches/pve/0011-PVE-Up-qemu-img-dd-add-n-skip_create.patch

@@ -65,10 +65,10 @@ index d1616c045a..b5b0bb4467 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 556535d9d5..289c78febb 100644
+index 58bf9b43d1..9d414d639b 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -5013,7 +5013,7 @@ static int img_dd(int argc, char **argv)
+@@ -5024,7 +5024,7 @@ static int img_dd(int argc, char **argv)
      const char *fmt = NULL;
      int64_t size = 0, readsize = 0;
      int64_t out_pos, in_pos;
@@ -77,7 +77,7 @@ index 556535d9d5..289c78febb 100644
      struct DdInfo dd = {
          .flags = 0,
          .count = 0,
-@@ -5051,7 +5051,7 @@ static int img_dd(int argc, char **argv)
+@@ -5062,7 +5062,7 @@ static int img_dd(int argc, char **argv)
          { 0, 0, 0, 0 }
      };
  
@@ -86,7 +86,7 @@ index 556535d9d5..289c78febb 100644
          if (c == EOF) {
              break;
          }
-@@ -5071,6 +5071,9 @@ static int img_dd(int argc, char **argv)
+@@ -5082,6 +5082,9 @@ static int img_dd(int argc, char **argv)
          case 'h':
              help();
              break;
@@ -96,7 +96,7 @@ index 556535d9d5..289c78febb 100644
          case 'U':
              force_share = true;
              break;
-@@ -5201,13 +5204,15 @@ static int img_dd(int argc, char **argv)
+@@ -5212,13 +5215,15 @@ static int img_dd(int argc, char **argv)
                                  size - in.bsz * in.offset, &error_abort);
          }
  

debian/patches/pve/0012-qemu-img-dd-add-l-option-for-loading-a-snapshot.patch

@@ -46,10 +46,10 @@ index b5b0bb4467..36f97e1f19 100644
  
  DEF("info", img_info,
 diff --git a/qemu-img.c b/qemu-img.c
-index 289c78febb..da543d05cb 100644
+index 9d414d639b..e13a12137b 100644
 --- a/qemu-img.c
 +++ b/qemu-img.c
-@@ -5005,6 +5005,7 @@ static int img_dd(int argc, char **argv)
+@@ -5016,6 +5016,7 @@ static int img_dd(int argc, char **argv)
      BlockDriver *drv = NULL, *proto_drv = NULL;
      BlockBackend *blk1 = NULL, *blk2 = NULL;
      QemuOpts *opts = NULL;
@@ -57,7 +57,7 @@ index 289c78febb..da543d05cb 100644
      QemuOptsList *create_opts = NULL;
      Error *local_err = NULL;
      bool image_opts = false;
-@@ -5014,6 +5015,7 @@ static int img_dd(int argc, char **argv)
+@@ -5025,6 +5026,7 @@ static int img_dd(int argc, char **argv)
      int64_t size = 0, readsize = 0;
      int64_t out_pos, in_pos;
      bool force_share = false, skip_create = false;
@@ -65,7 +65,7 @@ index 289c78febb..da543d05cb 100644
      struct DdInfo dd = {
          .flags = 0,
          .count = 0,
-@@ -5051,7 +5053,7 @@ static int img_dd(int argc, char **argv)
+@@ -5062,7 +5064,7 @@ static int img_dd(int argc, char **argv)
          { 0, 0, 0, 0 }
      };
  
@@ -74,7 +74,7 @@ index 289c78febb..da543d05cb 100644
          if (c == EOF) {
              break;
          }
-@@ -5074,6 +5076,19 @@ static int img_dd(int argc, char **argv)
+@@ -5085,6 +5087,19 @@ static int img_dd(int argc, char **argv)
          case 'n':
              skip_create = true;
              break;
@@ -94,7 +94,7 @@ index 289c78febb..da543d05cb 100644
          case 'U':
              force_share = true;
              break;
-@@ -5133,11 +5148,24 @@ static int img_dd(int argc, char **argv)
+@@ -5144,11 +5159,24 @@ static int img_dd(int argc, char **argv)
      if (dd.flags & C_IF) {
          blk1 = img_open(image_opts, in.filename, fmt, 0, false, false,
                          force_share);
@@ -120,7 +120,7 @@ index 289c78febb..da543d05cb 100644
      }
  
      if (dd.flags & C_OSIZE) {
-@@ -5292,6 +5320,7 @@ static int img_dd(int argc, char **argv)
+@@ -5303,6 +5331,7 @@ static int img_dd(int argc, char **argv)
  out:
      g_free(arg);
      qemu_opts_del(opts);

debian/patches/pve/0017-PVE-add-savevm-async-for-background-state-snapshots.patch

@@ -800,10 +800,10 @@ index cda2effa81..94a58bb0bf 100644
  # @CommandLineParameterType:
  #
 diff --git a/qemu-options.hx b/qemu-options.hx
-index b56f6b2fb2..c8c78c92d4 100644
+index 8073f5edf5..dc1ececc9c 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
-@@ -4479,6 +4479,18 @@ SRST
+@@ -4483,6 +4483,18 @@ SRST
      Start right away with a saved state (``loadvm`` in monitor)
  ERST
  
@@ -823,7 +823,7 @@ index b56f6b2fb2..c8c78c92d4 100644
  DEF("daemonize", 0, QEMU_OPTION_daemonize, \
      "-daemonize      daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index b0b96f67fa..f3251de3e7 100644
+index ba6ad8a8df..ddeace306e 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
 @@ -164,6 +164,7 @@ static const char *accelerators;
@@ -834,7 +834,7 @@ index b0b96f67fa..f3251de3e7 100644
  static QTAILQ_HEAD(, ObjectOption) object_opts = QTAILQ_HEAD_INITIALIZER(object_opts);
  static QTAILQ_HEAD(, DeviceOption) device_opts = QTAILQ_HEAD_INITIALIZER(device_opts);
  static int display_remote;
-@@ -2643,6 +2644,12 @@ void qmp_x_exit_preconfig(Error **errp)
+@@ -2647,6 +2648,12 @@ void qmp_x_exit_preconfig(Error **errp)
  
      if (loadvm) {
          load_snapshot(loadvm, NULL, false, NULL, &error_fatal);
@@ -847,7 +847,7 @@ index b0b96f67fa..f3251de3e7 100644
      }
      if (replay_mode != REPLAY_MODE_NONE) {
          replay_vmstate_init();
-@@ -3190,6 +3197,9 @@ void qemu_init(int argc, char **argv)
+@@ -3196,6 +3203,9 @@ void qemu_init(int argc, char **argv)
              case QEMU_OPTION_loadvm:
                  loadvm = optarg;
                  break;

debian/patches/pve/0020-PVE-Add-dummy-id-command-line-parameter.patch

@@ -14,7 +14,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 11 insertions(+)
 
 diff --git a/qemu-options.hx b/qemu-options.hx
-index c8c78c92d4..20ca2cdba7 100644
+index dc1ececc9c..848d2dfdd1 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
 @@ -1197,6 +1197,9 @@ legacy PC, they are not recommended for modern configurations.
@@ -28,10 +28,10 @@ index c8c78c92d4..20ca2cdba7 100644
      "-fda/-fdb file  use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL)
  DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index f3251de3e7..1b63ffd33d 100644
+index ddeace306e..3ee90b3b94 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
-@@ -2679,6 +2679,7 @@ void qemu_init(int argc, char **argv)
+@@ -2683,6 +2683,7 @@ void qemu_init(int argc, char **argv)
      MachineClass *machine_class;
      bool userconfig = true;
      FILE *vmstate_dump_file = NULL;
@@ -39,7 +39,7 @@ index f3251de3e7..1b63ffd33d 100644
  
      qemu_add_opts(&qemu_drive_opts);
      qemu_add_drive_opts(&qemu_legacy_drive_opts);
-@@ -3302,6 +3303,13 @@ void qemu_init(int argc, char **argv)
+@@ -3308,6 +3309,13 @@ void qemu_init(int argc, char **argv)
                  machine_parse_property_opt(qemu_find_opts("smp-opts"),
                                             "smp", optarg);
                  break;

debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch

@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 42 insertions(+), 20 deletions(-)
 
 diff --git a/block/file-posix.c b/block/file-posix.c
-index 0db366a851..46f1ee38ae 100644
+index ca551baa42..8b3b83e9d4 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
-@@ -2870,6 +2870,7 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2873,6 +2873,7 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
      int fd;
      uint64_t perm, shared;
      int result = 0;
@@ -24,7 +24,7 @@ index 0db366a851..46f1ee38ae 100644
  
      /* Validate options and set default values */
      assert(options->driver == BLOCKDEV_DRIVER_FILE);
-@@ -2910,19 +2911,22 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2913,19 +2914,22 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
      perm = BLK_PERM_WRITE | BLK_PERM_RESIZE;
      shared = BLK_PERM_ALL & ~BLK_PERM_RESIZE;
  
@@ -59,7 +59,7 @@ index 0db366a851..46f1ee38ae 100644
      }
  
      /* Clear the file by truncating it to 0 */
-@@ -2976,13 +2980,15 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
+@@ -2979,13 +2983,15 @@ raw_co_create(BlockdevCreateOptions *options, Error **errp)
      }
  
  out_unlock:
@@ -82,7 +82,7 @@ index 0db366a851..46f1ee38ae 100644
      }
  
  out_close:
-@@ -3006,6 +3012,7 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
+@@ -3009,6 +3015,7 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
      PreallocMode prealloc;
      char *buf = NULL;
      Error *local_err = NULL;
@@ -90,7 +90,7 @@ index 0db366a851..46f1ee38ae 100644
  
      /* Skip file: protocol prefix */
      strstart(filename, "file:", &filename);
-@@ -3028,6 +3035,18 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
+@@ -3031,6 +3038,18 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
          return -EINVAL;
      }
  
@@ -109,7 +109,7 @@ index 0db366a851..46f1ee38ae 100644
      options = (BlockdevCreateOptions) {
          .driver     = BLOCKDEV_DRIVER_FILE,
          .u.file     = {
-@@ -3039,6 +3058,8 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
+@@ -3042,6 +3061,8 @@ raw_co_create_opts(BlockDriver *drv, const char *filename,
              .nocow              = nocow,
              .has_extent_size_hint = has_extent_size_hint,
              .extent_size_hint   = extent_size_hint,
@@ -119,10 +119,10 @@ index 0db366a851..46f1ee38ae 100644
      };
      return raw_co_create(&options, errp);
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 903392cb8f..125aa89858 100644
+index a5cea82139..bb471c078d 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
-@@ -4876,7 +4876,8 @@
+@@ -4880,7 +4880,8 @@
              'size':                 'size',
              '*preallocation':       'PreallocMode',
              '*nocow':               'bool',

debian/patches/pve/0023-PVE-monitor-disable-oob-capability.patch

@@ -18,10 +18,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 2 deletions(-)
 
 diff --git a/monitor/qmp.c b/monitor/qmp.c
-index c15bf1e1fc..04fe25c62c 100644
+index 589c9524f8..2505dd658a 100644
 --- a/monitor/qmp.c
 +++ b/monitor/qmp.c
-@@ -553,8 +553,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
+@@ -536,8 +536,7 @@ void monitor_init_qmp(Chardev *chr, bool pretty, Error **errp)
      qemu_chr_fe_set_echo(&mon->common.chr, true);
  
      /* Note: we run QMP monitor in I/O thread when @chr supports that */

debian/patches/pve/0025-PVE-Allow-version-code-in-machine-type.patch

@@ -72,7 +72,7 @@ index fbb61f18e4..7da3c519ba 100644
  ##
  # @query-machines:
 diff --git a/softmmu/vl.c b/softmmu/vl.c
-index 1b63ffd33d..20ba2c5c87 100644
+index 3ee90b3b94..4b6d0b82fd 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
 @@ -1597,6 +1597,7 @@ static const QEMUOption *lookup_opt(int argc, char **argv,
@@ -95,7 +95,7 @@ index 1b63ffd33d..20ba2c5c87 100644
      g_slist_free(machines);
      if (local_err) {
          error_append_hint(&local_err, "Use -machine help to list supported machines\n");
-@@ -3244,12 +3250,31 @@ void qemu_init(int argc, char **argv)
+@@ -3250,12 +3256,31 @@ void qemu_init(int argc, char **argv)
              case QEMU_OPTION_machine:
                  {
                      bool help;

debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch

@@ -205,7 +205,7 @@ index ca2599de44..6efe28cef5 100644
 +    hmp_handle_error(mon, error);
 +}
 diff --git a/blockdev.c b/blockdev.c
-index 060d86a65f..79c3575612 100644
+index cd5f205ad1..7793143d76 100644
 --- a/blockdev.c
 +++ b/blockdev.c
 @@ -37,6 +37,7 @@
@@ -1709,7 +1709,7 @@ index 0000000000..d84d807654
 +    return ret;
 +}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 125aa89858..331c8336d1 100644
+index bb471c078d..1b8462a51b 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -839,6 +839,235 @@

debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch

@@ -403,7 +403,7 @@ index c3330310d9..cbfc9a43fb 100644
  summary_info += {'libdaxctl support': libdaxctl}
  summary_info += {'libudev':           libudev}
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index 331c8336d1..a818d5f90f 100644
+index 1b8462a51b..d67a6d448a 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -3396,6 +3396,7 @@
@@ -432,7 +432,7 @@ index 331c8336d1..a818d5f90f 100644
  ##
  # @BlockdevOptionsNVMe:
  #
-@@ -4886,6 +4898,7 @@
+@@ -4890,6 +4902,7 @@
        'nfs':        'BlockdevOptionsNfs',
        'null-aio':   'BlockdevOptionsNull',
        'null-co':    'BlockdevOptionsNull',

debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch

@@ -34,10 +34,10 @@ index cbfc9a43fb..8206270272 100644
  endif
  
 diff --git a/os-posix.c b/os-posix.c
-index cfcb96533c..fb2ad87009 100644
+index 0cc1d991b1..f33d9901cf 100644
 --- a/os-posix.c
 +++ b/os-posix.c
-@@ -28,6 +28,8 @@
+@@ -29,6 +29,8 @@
  #include <pwd.h>
  #include <grp.h>
  #include <libgen.h>
@@ -46,7 +46,7 @@ index cfcb96533c..fb2ad87009 100644
  
  /* Needed early for CONFIG_BSD etc. */
  #include "net/slirp.h"
-@@ -310,9 +312,10 @@ void os_setup_post(void)
+@@ -332,9 +334,10 @@ void os_setup_post(void)
  
          dup2(fd, 0);
          dup2(fd, 1);

debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch

@@ -186,7 +186,7 @@ index d84d807654..9c8b88d075 100644
      ret->pbs_masterkey = true;
      ret->backup_max_workers = true;
 diff --git a/qapi/block-core.json b/qapi/block-core.json
-index a818d5f90f..48eb47c6ea 100644
+index d67a6d448a..09de550c95 100644
 --- a/qapi/block-core.json
 +++ b/qapi/block-core.json
 @@ -991,6 +991,11 @@

debian/patches/pve/0038-block-io-accept-NULL-qiov-in-bdrv_pad_request.patch

@@ -17,7 +17,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 4 insertions(+)
 
 diff --git a/block/io.c b/block/io.c
-index 055fcf7438..63f7b3ad3e 100644
+index 83d1b1dfdc..24a3c84c93 100644
 --- a/block/io.c
 +++ b/block/io.c
 @@ -1710,6 +1710,10 @@ static int bdrv_pad_request(BlockDriverState *bs,

debian/patches/pve/0044-migration-for-snapshots-hold-the-BQL-during-setup-ca.patch

@@ -140,10 +140,10 @@ index 86c2256a2b..8423e0c9f9 100644
      if (ret) {
          return ret;
 diff --git a/migration/ram.c b/migration/ram.c
-index 9040d66e61..01532c9fc9 100644
+index 6e1514f69f..6a1aec7031 100644
 --- a/migration/ram.c
 +++ b/migration/ram.c
-@@ -2895,8 +2895,16 @@ static void migration_bitmap_clear_discarded_pages(RAMState *rs)
+@@ -2896,8 +2896,16 @@ static void migration_bitmap_clear_discarded_pages(RAMState *rs)
  
  static void ram_init_bitmaps(RAMState *rs)
  {
@@ -162,7 +162,7 @@ index 9040d66e61..01532c9fc9 100644
      qemu_mutex_lock_ramlist();
  
      WITH_RCU_READ_LOCK_GUARD() {
-@@ -2908,7 +2916,9 @@ static void ram_init_bitmaps(RAMState *rs)
+@@ -2909,7 +2917,9 @@ static void ram_init_bitmaps(RAMState *rs)
          }
      }
      qemu_mutex_unlock_ramlist();
@@ -174,7 +174,7 @@ index 9040d66e61..01532c9fc9 100644
      /*
       * After an eventual first bitmap sync, fixup the initial bitmap
 diff --git a/migration/savevm.c b/migration/savevm.c
-index a2cb8855e2..ea8b30a630 100644
+index d60c4f487a..3c015722f7 100644
 --- a/migration/savevm.c
 +++ b/migration/savevm.c
 @@ -1625,10 +1625,8 @@ static int qemu_savevm_state(QEMUFile *f, Error **errp)

debian/patches/series

@@ -2,12 +2,14 @@ extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
 extra/0002-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
 extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 extra/0004-migration-block-dirty-bitmap-fix-loading-bitmap-when.patch
-extra/0005-hw-ide-reset-cancel-async-DMA-operation-before-reset.patch
-extra/0006-Revert-Revert-graph-lock-Disable-locking-for-now.patch
-extra/0007-migration-states-workaround-snapshot-performance-reg.patch
-extra/0008-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
-extra/0009-hw-ide-ahci-fix-legacy-software-reset.patch
-extra/0010-ui-vnc-clipboard-fix-inflate_buffer.patch
+extra/0005-Revert-Revert-graph-lock-Disable-locking-for-now.patch
+extra/0006-migration-states-workaround-snapshot-performance-reg.patch
+extra/0007-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
+extra/0008-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch
+extra/0009-ui-clipboard-mark-type-as-not-available-when-there-i.patch
+extra/0010-virtio-scsi-Attach-event-vq-notifier-with-no_poll.patch
+extra/0011-virtio-Re-enable-notifications-after-drain.patch
+extra/0012-qemu_init-increase-NOFILE-soft-limit-on-POSIX.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch

qemu

@@ -1 +1 @@
-Subproject commit 78385bc738108a9b5b20e639520dc60425ca2a5a
+Subproject commit 20a1b341a0af1fef84cec9e521d33da0e8d9ecf3