Bug#1070801: bookworm-pu: package qemu/1:7.2+dfsg-7+deb12u6



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: qemu@packages.debian.org, pkg-qemu-devel@lists.alioth.debian.org
Control: affects -1 + src:qemu

[ Reason ]
There were 2 qemu stable/bugfix releases (7.2.10 and 7.2.11) since
the previous debian release, fixing a number of various issues.
It would be nice to have these fixes in debian too, so debian users
will benefit from the qemu stable series.

Among others, this release fixes several (low-priority) security
issues: CVE-2024-3446 CVE-2024-3447 CVE-2024-26327 CVE-2024-26328

[ Tests ]
Both the upstream automatic tests and my usual share of
quick real-life tests pass (a bunch of qemu/kvm guests which I
test for every new qemu release).

[ Risks ]
The risks do exist, obviously; however, we're trying hard to minimize
possible risks as much as possible by carefully selecting which changes
to pick and how to do that.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes except one come from the upstream repository,
which is also mirrored on salsa:
https://salsa.debian.org/qemu-team/qemu/-/commits/stable-7.2/
In this case the talk is about the v7.2.10 and v7.2.11 tags.

Complete changelog is below (a part of debdiff, at the top).

[ Other info ]
Historically, qemu in debian was built with the base upstream release
plus stable/bugfix patches (7.2.orig.tar.gz which corresponds to
upstream 7.2.0 plus 7.2.1..7.2.2..7.2.3 etc patches).  I don't
remember why it was done this way, and I changed it to include the
complete 3-component upstream version tarball past bookworm, but
continue this scheme in bookworm stable.

Some of the upstream changes are about testsuite/CI (.gitlab-ci.d/,
tests/) which are not relevant for Debian, but do not affect Debian
either.

Also, I changed the debian/changelog file to add mentions of CVEs fixed
by previous releases where appropriate (which is reflected in the
latest changelog entry too).

[ Debdiff ]
diff -Nru qemu-7.2+dfsg/debian/changelog qemu-7.2+dfsg/debian/changelog
--- qemu-7.2+dfsg/debian/changelog	2024-02-06 20:38:06.000000000 +0300
+++ qemu-7.2+dfsg/debian/changelog	2024-05-09 08:44:38.000000000 +0300
@@ -1,3 +1,150 @@
+qemu (1:7.2+dfsg-7+deb12u6) bookworm; urgency=medium
+
+  * update to upstream 7.2.11 stable/bugfix release, v7.2.11.diff,
+    https://gitlab.com/qemu-project/qemu/-/commits/v7.2.11 :
+    - Update version for 7.2.11 release
+    - ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS.
+    - ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs.
+    - target/sh4: add missing CHECK_NOT_DELAY_SLOT
+    - hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
+      (Closes: #1068821, CVE-2024-3447)
+    - hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
+    - hw/net/lan9118: Fix overflow in MIL TX FIFO
+    - backends/cryptodev: Do not abort for invalid session ID
+    - hw/misc/applesmc: Fix memory leak in reset() handler
+    - hw/block/nand: Fix out-of-bound access in NAND block buffer
+    - hw/block/nand: Have blk_load() take unsigned offset and return boolean
+    - hw/block/nand: Factor nand_load_iolen() method out
+    - qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo
+    - hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
+      (Closes: #1068820, CVE-2024-3446)
+    - hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
+      (Closes: #1068820, CVE-2024-3446)
+    - hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
+      (Closes: #1068820, CVE-2024-3446)
+    - hw/virtio: Introduce virtio_bh_new_guarded() helper
+    - linux-user: Fix waitid return of siginfo_t and rusage
+    - tcg/optimize: Do not attempt to constant fold neg_vec
+    - hw/virtio: Fix packed virtqueue flush used_idx
+    - hw/net/virtio-net: fix qemu set used ring flag even vhost started
+    - hw/intc/arm_gicv3: ICC_HPPIR* return SPURIOUS if int group is disabled
+    - gitlab-ci/cirrus: switch from 'master' to 'latest'
+    - target/hppa: Clear psw_n for BE on use_nullify_skip path
+    - tcg/optimize: Fix sign_mask for logical right-shift
+    - virtio-net: Fix vhost virtqueue notifiers for RSS
+    - monitor/hmp-cmds-target: Append a space in error message in gpa2hva()
+    - hw/scsi/scsi-generic: Fix io_timeout property not applying
+    - target/loongarch: Fix qemu-system-loongarch64 assert failed
+      with the option '-d int'
+    - target/i386: Revert monitor_puts() in do_inject_x86_mce()
+    - target/i386: fix direction of "32-bit MMU" test
+    - target/i386: use separate MMU indexes for 32-bit accesses
+    - target/i386: introduce function to query MMU indices
+    - tests: Raise timeouts for bufferiszero and crypto-tlscredsx509
+    - tests/unit: Bump test-replication timeout to 60 seconds
+    - tests/unit: Bump test-crypto-block test timeout to 5 minutes
+    - tests/unit: Bump test-aio-multithread test timeout to 2 minutes
+    - migration: Skip only empty block devices
+    - hmat acpi: Fix out of bounds access due to missing use of indirection
+    - pcie_sriov: Validate NumVFs
+      (Closes: #1068819, CVE-2024-26327)
+    - hw/nvme: Use pcie_sriov_num_vfs()
+      (Closes: #1068819, CVE-2024-26328)
+    - pcie: Introduce pcie_sriov_num_vfs
+    - hw/nvme: add machine compatibility parameter to enable msix exclusive bar
+    - hw/nvme: generalize the mbar size helper
+    - hw/nvme: separate 'serial' property for VFs
+    - hw/nvme: cleanup error reporting in nvme_init_pci()
+    - hw/nvme: clean up confusing use of errp/local_err
+    - Avoid unaligned fetch in ladr_match()
+    - e1000e: fix link state on resume
+    - make-release: switch to .xz format by default
+    - hw/scsi/lsi53c895a: add timer to scripts processing
+    - hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
+    - hw/scsi/lsi53c895a: stop script on phase mismatch
+    - system/qdev-monitor: move drain_call_rcu call
+      under if (!dev) in qmp_device_add()
+    - hw/rtc/sun4v-rtc: Relicense to GPLv2-or-later
+    - target/arm: Fix SME full tile indexing
+    - tests/tcg/aarch64/sysregs.c: Use S syntax for
+      id_aa64zfr0_el1 and id_aa64smfr0_el1
+    - target/arm: align exposed ID registers with Linux
+    - ui/cocoa: Fix window clipping on macOS 14
+    - gitlab: update FreeBSD Cirrus CI image to 13.3
+  * update to upstream 7.2.10 stable/bugfix release, v7.2.10.diff,
+    https://gitlab.com/qemu-project/qemu/-/commits/v7.2.10 :
+    - Update version for 7.2.10 release
+    - target/i386: the sgx_epc_get_section stub is reachable
+    - tests/unit/test-blockjob: Disable complete_in_standby test
+    - tests/qtest/display-vga-test: Add proper checks if a device is available
+    - test-vmstate: fix bad GTree usage, use-after-free
+    - tests/unit/test-util-sockets: Remove temporary file after test
+    - hw/usb/bus.c: PCAP adding 0xA in Windows version
+    - gitlab: force allow use of pip in Cirrus jobs
+    - tests/vm: avoid re-building the VM images all the time
+    - tests/vm: update openbsd image to 7.4
+    - target/i386: leave the A20 bit set in the final NPT walk
+    - target/i386: remove unnecessary/wrong application of the A20 mask
+    - target/i386: Fix physical address truncation
+    - target/i386: check validity of VMCB addresses
+    - target/i386: mask high bits of CR3 in 32-bit mode
+    - pl031: Update last RTCLR value on write in case it's read back
+    - hw/nvme: fix invalid endian conversion
+    - target/ppc: Fix lxv/stxv MSR facility check
+    - .gitlab-ci.d/windows.yml: Drop msys2-32bit job
+    - system/vl: Update description for input grab key
+    - docs/system: Update description for input grab key
+    - audio: Depend on dbus_display1_dep
+    - meson: ensure dbus-display generated code is built before other units
+    - ui/console: Fix console resize with placeholder surface
+    - ui/clipboard: add asserts for update and request
+    - ui/clipboard: mark type as not available when there is no data
+      (Closes: CVE-2023-6683, already fixed in debian)
+    - ui: reject extended clipboard message if not activated
+    - target/i386: Generate an illegal opcode exception on cmp instructions
+      with lock prefix
+    - i386/cpuid: Move leaf 7 to correct group
+    - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
+    - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and
+      FEAT_XSAVE_XSS_HI leafs
+    - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE
+      is not available
+    - iotests: Make 144 deterministic again
+    - target/arm: Don't get MDCR_EL2 in pmu_counter_enabled()
+      before checking ARM_FEATURE_PMU
+    - target/arm: Fix SVE/SME gross MTE suppression checks
+    - target/arm: Fix nregs computation in do_{ld,st}_zpa
+    - linux-user/aarch64: Choose SYNC as the preferred MTE mode
+    - tests/acpi: Update DSDT.cxl to reflect change _STA return value.
+    - hw/i386: Fix _STA return value for ACPI0017
+    - tests/acpi: Allow update of DSDT.cxl
+    - smmu: Clear SMMUPciBus pointer cache when system reset
+    - virtio_iommu: Clear IOMMUPciBus pointer cache when system reset
+    - hw/cxl: Pass CXLComponentState to cache_mem_ops
+    - cxl/cdat: Fix header sum value in CDAT checksum
+    - cxl/cdat: Handle cdat table build errors
+    - vhost-user.rst: Fix vring address description
+    - hw/smbios: Fix port connector option validation
+    - hw/smbios: Fix OEM strings table option validation
+    - pci-host: designware: Limit value range of iATU viewport register
+    - qemu-options.hx: Improve -serial option documentation
+    - system/vl.c: Fix handling of '-serial none -serial something'
+    - target/arm: fix exception syndrome for AArch32 bkpt insn
+    - block/blkio: Make s->mem_region_alignment be 64 bits
+    - qemu-docs: Update options for graphical frontends
+    - migration: Fix use-after-free of migration state object
+  * d/patches: remove
+    revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch
+    This one turned out to be innocent, cryptsetup CI fails anyway.
+  * d/patches: remove now included upstream
+    ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch
+  * d/changelog: mention previous CVE fixes:
+    - CVE-2023-3019 fixed by 7.2+dfsg-7+deb12u4
+    - CVE-2024-24474 & CVE-2023-5088 fixed by 7.2+dfsg-7+deb12u3
+    - CVE-2023-3301 fixed by 7.2+dfsg-7+deb12u1
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Thu, 09 May 2024 08:44:38 +0300
+
 qemu (1:7.2+dfsg-7+deb12u5) bookworm; urgency=medium
 
   * +revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch
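Review bot: The "d/patches: remove revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch" item justifies dropping the revert with "turned out to be innocent, cryptsetup CI fails anyway", but the header of the removed patch, further down in this debdiff, gives a different reason for carrying it: "Causes a regression at least in suspend-resume-hibernate cycle". With the revert gone, upstream commit 8ec90598e922a604c222bdbc6289bed7279dced6 is in effect again, so the changelog item should say whether the suspend/resume/hibernate case was retested on this build. The [ Tests ] section mentions only the upstream test suite and a set of qemu/kvm guests, which does not show that this cycle was exercised.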
@@ -73,6 +220,7 @@
    - tests/avocado: Replace assertEquals() for Python 3.12 compatibility
    - linux-user: Fix loaddr computation for some elf files
    - net: Update MemReentrancyGuard for NIC
+     (Closes: #1041102, CVE-2023-3019)
    - net: Provide MemReentrancyGuard * to qemu_new_nic()
    - hw/ide/ahci: fix legacy software reset
    - target/arm: Fix SME FMOPA (16-bit), BFMOPA
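Review bot: "(Closes: #1041102, CVE-2023-3019)" is added to the entry of a version that has already been uploaded, while the new 1:7.2+dfsg-7+deb12u6 entry mentions only "CVE-2023-3019 fixed by 7.2+dfsg-7+deb12u4" without the bug number. Closes: is normally collected from the entries of the version being uploaded, so this line will not close #1041102 on its own; if that bug is still open, mark it fixed for that version in the BTS by hand, and say so in the new entry.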
@@ -102,6 +250,7 @@
    - target/s390x: Fix LAALG not updating cc_src
    - tests/qtest: ahci-test: add test exposing reset issue with pending callback
    - hw/ide: reset: cancel async DMA operation before resetting state
+     (Closes: CVE-2023-5088)
    - target/mips: Fix TX79 LQ/SQ opcodes
    - target/mips: Fix MSA BZ/BNZ opcodes displacement
    - ui/gtk-egl: apply scale factor when calculating window's dimension
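Review bot: "(Closes: CVE-2023-5088)" names no bug number, so the Closes: keyword has nothing to act on here; the same applies to the CVE-2024-24474 and CVE-2023-3301 lines in the next two hunks. Since the intent is only to record the CVE id against the change, a plain "(CVE-2023-5088)" would say the same thing without reading like a bug closure, and would keep Closes: for the entries that do name a bug, as in "(Closes: #1041102, CVE-2023-3019)".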
@@ -142,6 +291,7 @@
    - target/i386: fix operand size of unary SSE operations
    - scsi-disk: ensure that FORMAT UNIT commands are terminated
    - esp: restrict non-DMA transfer length to that of available data
+     (Closes: CVE-2024-24474)
    - esp: use correct type for esp_dma_enable() in sysbus_esp_gpio_demux()
    - optionrom: Remove build-id section
    - ui/vnc: fix handling of VNC_FEATURE_XVP
@@ -399,6 +549,7 @@
    - vdpa: fix not using CVQ buffer in case of error
    - vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic
      is present
+     (Closes: CVE-2023-3301)
    - virtio-gpu: Make non-gl display updates work again when blob=true
    - icount: don't adjust virtual time backwards after warp
    - vdpa: mask _F_CTRL_GUEST_OFFLOADS for vhost vdpa devices
diff -Nru qemu-7.2+dfsg/debian/patches/revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch qemu-7.2+dfsg/debian/patches/revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch
--- qemu-7.2+dfsg/debian/patches/revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch	2024-02-06 20:36:21.000000000 +0300
+++ qemu-7.2+dfsg/debian/patches/revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch	1970-01-01 03:00:00.000000000 +0300
@@ -1,1544 +0,0 @@
-From 84a139b0289470994f8a518034d69186f5ad5bb9 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Tue, 6 Feb 2024 20:35:22 +0300
-Subject: [PATCH] Revert "monitor: only run coroutine commands in
- qemu_aio_context"
-
-This reverts commit 8ec90598e922a604c222bdbc6289bed7279dced6.
-Causes a regression at least in suspend-resume-hibernate cycle,
-let's revert it to restore the status quo for now.
----
- monitor/qmp.c                         | 17 ++++++
- qapi/qmp-dispatch.c                   | 24 +--------
- tests/qemu-iotests/060.out            |  4 +-
- tests/qemu-iotests/071.out            |  4 +-
- tests/qemu-iotests/081.out            | 16 +++---
- tests/qemu-iotests/087.out            | 12 ++---
- tests/qemu-iotests/108.out            |  2 +-
- tests/qemu-iotests/109                |  4 +-
- tests/qemu-iotests/109.out            | 78 +++++++++++++++------------
- tests/qemu-iotests/117.out            |  2 +-
- tests/qemu-iotests/120.out            |  2 +-
- tests/qemu-iotests/127.out            |  2 +-
- tests/qemu-iotests/140.out            |  2 +-
- tests/qemu-iotests/143.out            |  2 +-
- tests/qemu-iotests/156.out            |  2 +-
- tests/qemu-iotests/176.out            | 16 +++---
- tests/qemu-iotests/182.out            |  2 +-
- tests/qemu-iotests/183.out            |  4 +-
- tests/qemu-iotests/184.out            | 32 +++++------
- tests/qemu-iotests/185                |  6 +--
- tests/qemu-iotests/185.out            | 45 ++--------------
- tests/qemu-iotests/191.out            | 16 +++---
- tests/qemu-iotests/195.out            | 16 +++---
- tests/qemu-iotests/223.out            | 12 ++---
- tests/qemu-iotests/227.out            | 32 +++++------
- tests/qemu-iotests/247.out            |  2 +-
- tests/qemu-iotests/273.out            |  8 +--
- tests/qemu-iotests/308                |  4 +-
- tests/qemu-iotests/308.out            |  2 +-
- tests/qemu-iotests/tests/qsd-jobs.out |  4 +-
- 30 files changed, 173 insertions(+), 201 deletions(-)
-
-diff --git a/monitor/qmp.c b/monitor/qmp.c
-index acd0a350c2..092c527b6f 100644
---- a/monitor/qmp.c
-+++ b/monitor/qmp.c
-@@ -296,6 +296,14 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data)
-             qemu_coroutine_yield();
-         }
- 
-+        /*
-+         * Move the coroutine from iohandler_ctx to qemu_aio_context for
-+         * executing the command handler so that it can make progress if it
-+         * involves an AIO_WAIT_WHILE().
-+         */
-+        aio_co_schedule(qemu_get_aio_context(), qmp_dispatcher_co);
-+        qemu_coroutine_yield();
-+
-         /* Process request */
-         if (req_obj->req) {
-             if (trace_event_get_state(TRACE_MONITOR_QMP_CMD_IN_BAND)) {
-@@ -322,6 +330,15 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data)
-         }
- 
-         qmp_request_free(req_obj);
-+
-+        /*
-+         * Yield and reschedule so the main loop stays responsive.
-+         *
-+         * Move back to iohandler_ctx so that nested event loops for
-+         * qemu_aio_context don't start new monitor commands.
-+         */
-+        aio_co_schedule(iohandler_get_aio_context(), qmp_dispatcher_co);
-+        qemu_coroutine_yield();
-     }
- }
- 
-diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
-index 5d000fae87..0990873ec8 100644
---- a/qapi/qmp-dispatch.c
-+++ b/qapi/qmp-dispatch.c
-@@ -206,31 +206,9 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
-     assert(!(oob && qemu_in_coroutine()));
-     assert(monitor_cur() == NULL);
-     if (!!(cmd->options & QCO_COROUTINE) == qemu_in_coroutine()) {
--        if (qemu_in_coroutine()) {
--            /*
--             * Move the coroutine from iohandler_ctx to qemu_aio_context for
--             * executing the command handler so that it can make progress if it
--             * involves an AIO_WAIT_WHILE().
--             */
--            aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
--            qemu_coroutine_yield();
--        }
--
-         monitor_set_cur(qemu_coroutine_self(), cur_mon);
-         cmd->fn(args, &ret, &err);
-         monitor_set_cur(qemu_coroutine_self(), NULL);
--
--        if (qemu_in_coroutine()) {
--            /*
--             * Yield and reschedule so the main loop stays responsive.
--             *
--             * Move back to iohandler_ctx so that nested event loops for
--             * qemu_aio_context don't start new monitor commands.
--             */
--            aio_co_schedule(iohandler_get_aio_context(),
--                            qemu_coroutine_self());
--            qemu_coroutine_yield();
--        }
-     } else {
-        /*
-         * Actual context doesn't match the one the command needs.
-@@ -254,7 +232,7 @@ QDict *qmp_dispatch(const QmpCommandList *cmds, QObject *request,
-             .errp       = &err,
-             .co         = qemu_coroutine_self(),
-         };
--        aio_bh_schedule_oneshot(iohandler_get_aio_context(), do_qmp_dispatch_bh,
-+        aio_bh_schedule_oneshot(qemu_get_aio_context(), do_qmp_dispatch_bh,
-                                 &data);
-         qemu_coroutine_yield();
-     }
-diff --git a/tests/qemu-iotests/060.out b/tests/qemu-iotests/060.out
-index a37bf446e9..329977d9b9 100644
---- a/tests/qemu-iotests/060.out
-+++ b/tests/qemu-iotests/060.out
-@@ -421,8 +421,8 @@ QMP_VERSION
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_IMAGE_CORRUPTED", "data": {"device": "none0", "msg": "Preventing invalid write on metadata (overlaps with refcount table)", "offset": 65536, "node-name": "drive", "fatal": true, "size": 65536}}
- write failed: Input/output error
- {"return": ""}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- === Testing incoming inactive corrupted image ===
- 
-@@ -432,8 +432,8 @@ QMP_VERSION
- qcow2: Image is corrupt: L2 table offset 0x2a2a2a00 unaligned (L1 index: 0); further non-fatal corruption events will be suppressed
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_IMAGE_CORRUPTED", "data": {"device": "", "msg": "L2 table offset 0x2a2a2a00 unaligned (L1 index: 0)", "node-name": "drive", "fatal": false}}
- {"return": ""}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
-     corrupt: false
- *** done
-diff --git a/tests/qemu-iotests/071.out b/tests/qemu-iotests/071.out
-index a2923b05c2..bca0c02f5c 100644
---- a/tests/qemu-iotests/071.out
-+++ b/tests/qemu-iotests/071.out
-@@ -45,8 +45,8 @@ QMP_VERSION
- {"return": {}}
- read failed: Input/output error
- {"return": ""}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === Testing blkverify on existing block device ===
-@@ -84,9 +84,9 @@ wrote 512/512 bytes at offset 0
- {"return": ""}
- read failed: Input/output error
- {"return": ""}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- QEMU_PROG: Failed to flush the L2 table cache: Input/output error
- QEMU_PROG: Failed to flush the refcount block cache: Input/output error
--{"return": {}}
- 
- *** done
-diff --git a/tests/qemu-iotests/081.out b/tests/qemu-iotests/081.out
-index aba85ea564..615c083549 100644
---- a/tests/qemu-iotests/081.out
-+++ b/tests/qemu-iotests/081.out
-@@ -35,8 +35,8 @@ QMP_VERSION
- read 10485760/10485760 bytes at offset 0
- 10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- {"return": ""}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- == using quorum rewrite corrupted mode ==
-@@ -67,8 +67,8 @@ QMP_VERSION
- read 10485760/10485760 bytes at offset 0
- 10 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- {"return": ""}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- -- checking that the image has been corrected --
- read 10485760/10485760 bytes at offset 0
-@@ -106,8 +106,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- Testing:
- QMP_VERSION
-@@ -115,8 +115,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "Cannot add a child to a quorum in blkverify mode"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- == dynamically removing a child from a quorum ==
-@@ -125,31 +125,31 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- Testing:
- QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "The number of children cannot be lower than the vote threshold 2"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- Testing:
- QMP_VERSION
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "blkverify=on can only be set if there are exactly two files and vote-threshold is 2"}}
- {"error": {"class": "GenericError", "desc": "Cannot find device='drive0-quorum' nor node-name='drive0-quorum'"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- Testing:
- QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "The number of children cannot be lower than the vote threshold 2"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- *** done
-diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
-index 97b6d8036d..e1c23a6983 100644
---- a/tests/qemu-iotests/087.out
-+++ b/tests/qemu-iotests/087.out
-@@ -7,8 +7,8 @@ Testing:
- QMP_VERSION
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "'node-name' must be specified for the root node"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === Duplicate ID ===
-@@ -18,8 +18,8 @@ QMP_VERSION
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "node-name=disk is conflicting with a device id"}}
- {"error": {"class": "GenericError", "desc": "Duplicate nodes with node-name='test-node'"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === aio=native without O_DIRECT ===
-@@ -28,8 +28,8 @@ Testing:
- QMP_VERSION
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "aio=native was specified, but it requires cache.direct=on, which was not specified."}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === Encrypted image QCow ===
-@@ -40,8 +40,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "Use of AES-CBC encrypted IMGFMT images is no longer supported in system emulators"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === Encrypted image LUKS ===
-@@ -52,8 +52,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === Missing driver ===
-@@ -63,7 +63,7 @@ Testing: -S
- QMP_VERSION
- {"return": {}}
- {"error": {"class": "GenericError", "desc": "Parameter 'driver' is missing"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- *** done
-diff --git a/tests/qemu-iotests/108.out b/tests/qemu-iotests/108.out
-index b9c876b394..b5401d788d 100644
---- a/tests/qemu-iotests/108.out
-+++ b/tests/qemu-iotests/108.out
-@@ -173,8 +173,8 @@ OK: Reftable is where we expect it
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "create"}}
- {"return": {}}
- { "execute": "quit" }
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- wrote 65536/65536 bytes at offset 0
- 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-diff --git a/tests/qemu-iotests/109 b/tests/qemu-iotests/109
-index 0fb580f9a5..e207a555f3 100755
---- a/tests/qemu-iotests/109
-+++ b/tests/qemu-iotests/109
-@@ -57,13 +57,13 @@ run_qemu()
-     _launch_qemu -drive file="${source_img}",format=raw,cache=${CACHEMODE},aio=${AIOMODE},id=src
-     _send_qemu_cmd $QEMU_HANDLE "{ 'execute': 'qmp_capabilities' }" "return"
- 
--    capture_events="$qmp_event" _send_qemu_cmd $QEMU_HANDLE \
-+    _send_qemu_cmd $QEMU_HANDLE \
-         "{'execute':'drive-mirror', 'arguments':{
-             'device': 'src', 'target': '$raw_img', $qmp_format
-             'mode': 'existing', 'sync': 'full'}}" \
-         "return"
- 
--    capture_events="$qmp_event JOB_STATUS_CHANGE" _wait_event $QEMU_HANDLE "$qmp_event"
-+    _send_qemu_cmd $QEMU_HANDLE '' "$qmp_event"
-     if test "$qmp_event" = BLOCK_JOB_ERROR; then
-         _send_qemu_cmd $QEMU_HANDLE '' '"status": "null"'
-     fi
-diff --git a/tests/qemu-iotests/109.out b/tests/qemu-iotests/109.out
-index 255b81fcdc..e29280015e 100644
---- a/tests/qemu-iotests/109.out
-+++ b/tests/qemu-iotests/109.out
-@@ -7,7 +7,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -23,8 +23,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -35,10 +35,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 1024, "offset": 1024, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 1024, "offset": 1024, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
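Review bot: With the added JOB_STATUS_CHANGE "ready" line ahead of BLOCK_JOB_READY, the expected output carries a "ready" status for job "src" twice, because the unchanged context after SHUTDOWN still expects "standby" followed by "ready". That looks intentional (ready, then standby, then ready again), but it is easy to misread as a duplicated line. A short note in the patch description on why the first "ready" was previously absent from the reference output would help when reviewing the identical hunks in the remaining sections.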
-@@ -46,7 +48,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 1024, "offset": 1024, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Writing a qcow2 header into raw ===
-@@ -56,7 +57,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -72,8 +73,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -84,10 +85,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 197120, "offset": 197120, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 197120, "offset": 197120, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -95,7 +98,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 197120, "offset": 197120, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Writing a qed header into raw ===
-@@ -105,7 +107,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -121,8 +123,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -133,10 +135,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 327680, "offset": 327680, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 327680, "offset": 327680, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -144,7 +148,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 327680, "offset": 327680, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Writing a vdi header into raw ===
-@@ -154,7 +157,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -170,8 +173,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -182,10 +185,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 1024, "offset": 1024, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 1024, "offset": 1024, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -193,7 +198,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 1024, "offset": 1024, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Writing a vmdk header into raw ===
-@@ -203,7 +207,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -219,8 +223,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -231,10 +235,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 65536, "offset": 65536, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 65536, "offset": 65536, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -242,7 +248,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 65536, "offset": 65536, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Writing a vpc header into raw ===
-@@ -252,7 +257,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -268,8 +273,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -280,10 +285,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 2560, "offset": 2560, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 2560, "offset": 2560, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -291,7 +298,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 2560, "offset": 2560, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Copying sample image empty.bochs into raw ===
-@@ -300,7 +306,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -316,8 +322,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -328,10 +334,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 2560, "offset": 2560, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 2560, "offset": 2560, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -339,7 +347,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 2560, "offset": 2560, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Copying sample image iotest-dirtylog-10G-4M.vhdx into raw ===
-@@ -348,7 +355,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -364,8 +371,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -376,10 +383,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 31457280, "offset": 31457280, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 31457280, "offset": 31457280, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -387,7 +396,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 31457280, "offset": 31457280, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Copying sample image parallels-v1 into raw ===
-@@ -396,7 +404,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -412,8 +420,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -424,10 +432,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 327680, "offset": 327680, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 327680, "offset": 327680, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -435,7 +445,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 327680, "offset": 327680, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Copying sample image simple-pattern.cloop into raw ===
-@@ -444,7 +453,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -460,8 +469,8 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"execute":"query-block-jobs"}
- {"return": []}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 512/512 bytes at offset 0
- 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- { 'execute': 'qmp_capabilities' }
-@@ -472,10 +481,12 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 2048, "offset": 2048, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 2048, "offset": 2048, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -483,7 +494,6 @@ read 512/512 bytes at offset 0
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 2048, "offset": 2048, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- 
- === Write legitimate MBR into raw ===
-@@ -492,7 +502,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=SIZE
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
- {'execute':'drive-mirror', 'arguments':{
--            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT', 
-+            'device': 'src', 'target': 'TEST_DIR/t.IMGFMT',
-             'mode': 'existing', 'sync': 'full'}}
- WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed raw.
-          Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
-@@ -500,10 +510,12 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 512, "offset": 512, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 512, "offset": 512, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -511,7 +523,6 @@ WARNING: Image format was not specified for 'TEST_DIR/t.raw' and probing guessed
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 512, "offset": 512, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
-@@ -521,10 +532,12 @@ Images are identical.
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "src"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "src", "len": 512, "offset": 512, "speed": 0, "type": "mirror"}}
- {"execute":"query-block-jobs"}
- {"return": [{"auto-finalize": true, "io-status": "ok", "device": "src", "auto-dismiss": true, "busy": false, "len": 512, "offset": 512, "status": "ready", "paused": false, "speed": 0, "ready": true, "type": "mirror"}]}
- {"execute":"quit"}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "standby", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "src"}}
-@@ -532,6 +545,5 @@ Images are identical.
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "src", "len": 512, "offset": 512, "speed": 0, "type": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "src"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "src"}}
--{"return": {}}
- Images are identical.
- *** done
-diff --git a/tests/qemu-iotests/117.out b/tests/qemu-iotests/117.out
-index 1cea9e0217..735ffd25c6 100644
---- a/tests/qemu-iotests/117.out
-+++ b/tests/qemu-iotests/117.out
-@@ -18,8 +18,8 @@ wrote 65536/65536 bytes at offset 0
- 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- {"return": ""}
- { 'execute': 'quit' }
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- No errors were found on the image.
- read 65536/65536 bytes at offset 0
- 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-diff --git a/tests/qemu-iotests/120.out b/tests/qemu-iotests/120.out
-index 35d84a5bc5..0744c1f136 100644
---- a/tests/qemu-iotests/120.out
-+++ b/tests/qemu-iotests/120.out
-@@ -5,8 +5,8 @@ QMP_VERSION
- wrote 65536/65536 bytes at offset 0
- 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- {"return": ""}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- read 65536/65536 bytes at offset 0
- 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- read 65536/65536 bytes at offset 0
-diff --git a/tests/qemu-iotests/127.out b/tests/qemu-iotests/127.out
-index dd8c4a8aa9..1685c4850a 100644
---- a/tests/qemu-iotests/127.out
-+++ b/tests/qemu-iotests/127.out
-@@ -28,6 +28,6 @@ wrote 42/42 bytes at offset 0
- { 'execute': 'quit' }
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "mirror"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "mirror"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- *** done
-diff --git a/tests/qemu-iotests/140.out b/tests/qemu-iotests/140.out
-index 32866440ae..312f76d5da 100644
---- a/tests/qemu-iotests/140.out
-+++ b/tests/qemu-iotests/140.out
-@@ -19,6 +19,6 @@ read 65536/65536 bytes at offset 0
- qemu-io: can't open device nbd+unix:///drv?socket=SOCK_DIR/nbd: Requested export not available
- server reported: export 'drv' not present
- { 'execute': 'quit' }
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- *** done
-diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
-index d6afa32abc..9ec5888e0e 100644
---- a/tests/qemu-iotests/143.out
-+++ b/tests/qemu-iotests/143.out
-@@ -10,6 +10,6 @@ server reported: export 'no_such_export' not present
- qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
- server reported: export 'aa--aa...' not present
- { 'execute': 'quit' }
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- *** done
-diff --git a/tests/qemu-iotests/156.out b/tests/qemu-iotests/156.out
-index 07e5e83f5d..4a22f0c41a 100644
---- a/tests/qemu-iotests/156.out
-+++ b/tests/qemu-iotests/156.out
-@@ -72,8 +72,8 @@ read 65536/65536 bytes at offset 196608
- {"return": ""}
- 
- { 'execute': 'quit' }
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- read 65536/65536 bytes at offset 0
- 64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-diff --git a/tests/qemu-iotests/176.out b/tests/qemu-iotests/176.out
-index 45e9153ef3..9d09b60452 100644
---- a/tests/qemu-iotests/176.out
-+++ b/tests/qemu-iotests/176.out
-@@ -169,8 +169,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- wrote 196608/196608 bytes at offset 2147287040
- 192 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- wrote 131072/131072 bytes at offset 2147352576
-@@ -206,8 +206,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {"sha256": HASH}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- === Test pass bitmap.1 ===
- 
-@@ -218,8 +218,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- wrote 196608/196608 bytes at offset 2147287040
- 192 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- wrote 131072/131072 bytes at offset 2147352576
-@@ -256,8 +256,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {"sha256": HASH}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- === Test pass bitmap.2 ===
- 
-@@ -268,8 +268,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- wrote 196608/196608 bytes at offset 2147287040
- 192 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- wrote 131072/131072 bytes at offset 2147352576
-@@ -306,8 +306,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {"sha256": HASH}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- === Test pass bitmap.3 ===
- 
-@@ -318,8 +318,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- wrote 196608/196608 bytes at offset 2147287040
- 192 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
- wrote 131072/131072 bytes at offset 2147352576
-@@ -353,6 +353,6 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {"sha256": HASH}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- *** done
-diff --git a/tests/qemu-iotests/182.out b/tests/qemu-iotests/182.out
-index 83fc1a4797..57f7265458 100644
---- a/tests/qemu-iotests/182.out
-+++ b/tests/qemu-iotests/182.out
-@@ -53,6 +53,6 @@ Formatting 'TEST_DIR/t.qcow2.overlay', fmt=qcow2 cluster_size=65536 extended_l2=
- {'execute': 'qmp_capabilities'}
- {"return": {}}
- {'execute': 'quit'}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- *** done
-diff --git a/tests/qemu-iotests/183.out b/tests/qemu-iotests/183.out
-index 51aa41c888..fd9c2e52a5 100644
---- a/tests/qemu-iotests/183.out
-+++ b/tests/qemu-iotests/183.out
-@@ -53,11 +53,11 @@ wrote 65536/65536 bytes at offset 1048576
- === Shut down and check image ===
- 
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- No errors were found on the image.
- No errors were found on the image.
- wrote 65536/65536 bytes at offset 1048576
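Review bot: with both SHUTDOWN lines now grouped after the second `{"return": {}}`, the expected output no longer shows which of the two `quit` commands each event belongs to, and the two lines are identical. A short comment in the test script saying that the events are collected only after both replies would make this ordering read as intended rather than accidental.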
-diff --git a/tests/qemu-iotests/184.out b/tests/qemu-iotests/184.out
-index e8f631f853..77e5489d65 100644
---- a/tests/qemu-iotests/184.out
-+++ b/tests/qemu-iotests/184.out
-@@ -89,6 +89,10 @@ Testing:
-     "return": [
-     ]
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -100,10 +104,6 @@ Testing:
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- == property changes in ThrottleGroup ==
-@@ -169,6 +169,10 @@ Testing:
-         "iops-total-max": 0
-     }
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -180,10 +184,6 @@ Testing:
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- == object creation/set errors  ==
-@@ -211,6 +211,10 @@ Testing:
-         "desc": "bps/iops/max total values and read/write values cannot be used at the same time"
-     }
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -222,10 +226,6 @@ Testing:
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- == don't specify group ==
-@@ -247,6 +247,10 @@ Testing:
-         "desc": "Parameter 'throttle-group' is missing"
-     }
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -258,10 +262,6 @@ Testing:
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- *** done
-diff --git a/tests/qemu-iotests/185 b/tests/qemu-iotests/185
-index 61f13d0460..8b1143dc16 100755
---- a/tests/qemu-iotests/185
-+++ b/tests/qemu-iotests/185
-@@ -344,14 +344,14 @@ wait_for_job_and_quit() {
- 
-     sleep 1
- 
--    # List of expected events
--    capture_events='BLOCK_JOB_CANCELLED JOB_STATUS_CHANGE SHUTDOWN'
--
-     _send_qemu_cmd $h \
-         '{"execute": "quit"}' \
-         'return'
- 
-+    # List of expected events
-+    capture_events='BLOCK_JOB_CANCELLED JOB_STATUS_CHANGE SHUTDOWN'
-     _wait_event $h 'SHUTDOWN'
-+    QEMU_EVENTS= # Ignore all JOB_STATUS_CHANGE events that came before SHUTDOWN
-     _wait_event $h 'JOB_STATUS_CHANGE' # standby
-     _wait_event $h 'JOB_STATUS_CHANGE' # ready
-     _wait_event $h 'JOB_STATUS_CHANGE' # aborting
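Review bot: `QEMU_EVENTS=` after `_wait_event $h 'SHUTDOWN'` empties the whole captured-event buffer, not only the JOB_STATUS_CHANGE entries its comment names, so a BLOCK_JOB_CANCELLED captured before SHUTDOWN (it is in `capture_events` too) would be discarded as well. Either say in the comment that dropping everything seen so far is intended, or remove only the JOB_STATUS_CHANGE entries.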
-diff --git a/tests/qemu-iotests/185.out b/tests/qemu-iotests/185.out
-index 1cccccb1b6..70e8dd6c87 100644
---- a/tests/qemu-iotests/185.out
-+++ b/tests/qemu-iotests/185.out
-@@ -40,16 +40,9 @@ Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off comp
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
- {"return": {}}
- { 'execute': 'quit' }
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "aborting", "id": "disk"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "disk", "len": 67108864, "offset": 524288, "speed": 65536, "type": "commit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "disk"}}
--{"return": {}}
- 
- === Start active commit job and exit qemu ===
- 
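Review bot: the reference output here drops every JOB_STATUS_CHANGE line after `quit` (paused, running, aborting, concluded, null) and keeps only SHUTDOWN and BLOCK_JOB_CANCELLED, so this test no longer checks the job state sequence during shutdown. If the sequence is left unchecked on purpose because its length varies between runs, say so in the test script next to the event filter; the same applies to the four later hunks in this file.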
-@@ -63,16 +56,9 @@ Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off comp
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
- {"return": {}}
- { 'execute': 'quit' }
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "aborting", "id": "disk"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "disk", "len": 4194304, "offset": 4194304, "speed": 65536, "type": "commit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "disk"}}
--{"return": {}}
- 
- === Start mirror job and exit qemu ===
- 
-@@ -89,16 +75,9 @@ Formatting 'TEST_DIR/t.qcow2.copy', fmt=qcow2 cluster_size=65536 extended_l2=off
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
- {"return": {}}
- { 'execute': 'quit' }
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "aborting", "id": "disk"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "disk", "len": 4194304, "offset": 4194304, "speed": 65536, "type": "mirror"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "disk"}}
--{"return": {}}
- 
- === Start backup job and exit qemu ===
- 
-@@ -118,16 +97,9 @@ Formatting 'TEST_DIR/t.qcow2.copy', fmt=qcow2 cluster_size=65536 extended_l2=off
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
- {"return": {}}
- { 'execute': 'quit' }
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "aborting", "id": "disk"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "disk", "len": 67108864, "offset": 65536, "speed": 65536, "type": "backup"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "disk"}}
--{"return": {}}
- 
- === Start streaming job and exit qemu ===
- 
-@@ -140,16 +112,9 @@ Formatting 'TEST_DIR/t.qcow2.copy', fmt=qcow2 cluster_size=65536 extended_l2=off
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
- {"return": {}}
- { 'execute': 'quit' }
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "aborting", "id": "disk"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "disk", "len": 67108864, "offset": 524288, "speed": 65536, "type": "stream"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "disk"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "disk"}}
--{"return": {}}
- No errors were found on the image.
- 
- === Start mirror to throttled QSD and exit qemu ===
-diff --git a/tests/qemu-iotests/191.out b/tests/qemu-iotests/191.out
-index c3309e4bc6..ea88777374 100644
---- a/tests/qemu-iotests/191.out
-+++ b/tests/qemu-iotests/191.out
-@@ -378,6 +378,10 @@ wrote 65536/65536 bytes at offset 1048576
-     ]
- }
- { 'execute': 'quit' }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -389,10 +393,6 @@ wrote 65536/65536 bytes at offset 1048576
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
- virtual size: 64 MiB (67108864 bytes)
-@@ -796,6 +796,10 @@ wrote 65536/65536 bytes at offset 1048576
-     ]
- }
- { 'execute': 'quit' }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -807,10 +811,6 @@ wrote 65536/65536 bytes at offset 1048576
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
- virtual size: 64 MiB (67108864 bytes)
-diff --git a/tests/qemu-iotests/195.out b/tests/qemu-iotests/195.out
-index 91717d302e..ec84df5012 100644
---- a/tests/qemu-iotests/195.out
-+++ b/tests/qemu-iotests/195.out
-@@ -17,6 +17,10 @@ Testing: -drive if=none,file=TEST_DIR/t.IMGFMT,backing.node-name=mid
-     "return": {
-     }
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -28,10 +32,6 @@ Testing: -drive if=none,file=TEST_DIR/t.IMGFMT,backing.node-name=mid
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- image: TEST_DIR/t.IMGFMT.mid
- file format: IMGFMT
-@@ -55,6 +55,10 @@ Testing: -drive if=none,file=TEST_DIR/t.IMGFMT,node-name=top
-     "return": {
-     }
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -66,10 +70,6 @@ Testing: -drive if=none,file=TEST_DIR/t.IMGFMT,node-name=top
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
-diff --git a/tests/qemu-iotests/223.out b/tests/qemu-iotests/223.out
-index 65625c491e..26fb347c5d 100644
---- a/tests/qemu-iotests/223.out
-+++ b/tests/qemu-iotests/223.out
-@@ -11,8 +11,8 @@ QMP_VERSION
- {"return": {}}
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- 
- === Write part of the file under active bitmap ===
-@@ -142,14 +142,14 @@ read 2097152/2097152 bytes at offset 2097152
- 
- {"execute":"nbd-server-remove",
-   "arguments":{"name":"n"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n"}}
- {"return": {}}
- {"execute":"nbd-server-remove",
-   "arguments":{"name":"n2"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n2"}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n"}}
- {"return": {}}
- {"execute":"nbd-server-remove",
-   "arguments":{"name":"n2"}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n2"}}
- {"error": {"class": "GenericError", "desc": "Export 'n2' is not found"}}
- {"execute":"nbd-server-stop"}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n3"}}
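Review bot: in the new expected output the BLOCK_EXPORT_DELETED event for "n2" appears after the repeated `nbd-server-remove` for "n2" has been echoed, directly above the "Export 'n2' is not found" error, which reads as if the failing command had emitted it. Waiting for the event in the test script before issuing the repeated remove would keep each event next to the command that caused it.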
-@@ -261,14 +261,14 @@ read 2097152/2097152 bytes at offset 2097152
- 
- {"execute":"nbd-server-remove",
-   "arguments":{"name":"n"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n"}}
- {"return": {}}
- {"execute":"nbd-server-remove",
-   "arguments":{"name":"n2"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n2"}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n"}}
- {"return": {}}
- {"execute":"nbd-server-remove",
-   "arguments":{"name":"n2"}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n2"}}
- {"error": {"class": "GenericError", "desc": "Export 'n2' is not found"}}
- {"execute":"nbd-server-stop"}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "n3"}}
-@@ -276,8 +276,8 @@ read 2097152/2097152 bytes at offset 2097152
- {"execute":"nbd-server-stop"}
- {"error": {"class": "GenericError", "desc": "NBD server not running"}}
- {"execute":"quit"}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- 
- === Use qemu-nbd as server ===
- 
-diff --git a/tests/qemu-iotests/227.out b/tests/qemu-iotests/227.out
-index b6a56118b7..378c1b8fb1 100644
---- a/tests/qemu-iotests/227.out
-+++ b/tests/qemu-iotests/227.out
-@@ -48,6 +48,10 @@ Testing: -drive driver=null-co,read-zeroes=on,if=virtio
-         }
-     ]
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -59,10 +63,6 @@ Testing: -drive driver=null-co,read-zeroes=on,if=virtio
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- === blockstats with -drive if=none ===
-@@ -112,6 +112,10 @@ Testing: -drive driver=null-co,if=none
-         }
-     ]
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -123,10 +127,6 @@ Testing: -drive driver=null-co,if=none
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- === blockstats with -blockdev ===
-@@ -143,6 +143,10 @@ Testing: -blockdev driver=null-co,node-name=null
-     "return": [
-     ]
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -154,10 +158,6 @@ Testing: -blockdev driver=null-co,node-name=null
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- 
- === blockstats with -blockdev and -device ===
-@@ -208,6 +208,10 @@ Testing: -blockdev driver=null-co,read-zeroes=on,node-name=null -device virtio-b
-         }
-     ]
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -219,9 +223,5 @@ Testing: -blockdev driver=null-co,read-zeroes=on,node-name=null -device virtio-b
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- *** done
-diff --git a/tests/qemu-iotests/247.out b/tests/qemu-iotests/247.out
-index 7d252e7fe4..e909e83994 100644
---- a/tests/qemu-iotests/247.out
-+++ b/tests/qemu-iotests/247.out
-@@ -17,6 +17,6 @@ QMP_VERSION
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_COMPLETED", "data": {"device": "job0", "len": 134217728, "offset": 134217728, "speed": 0, "type": "commit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "job0"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "job0"}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- *** done
-diff --git a/tests/qemu-iotests/273.out b/tests/qemu-iotests/273.out
-index 71843f02de..6a74a8138b 100644
---- a/tests/qemu-iotests/273.out
-+++ b/tests/qemu-iotests/273.out
-@@ -282,6 +282,10 @@ Testing: -blockdev file,node-name=base,filename=TEST_DIR/t.IMGFMT.base -blockdev
-         ]
-     }
- }
-+{
-+    "return": {
-+    }
-+}
- {
-     "timestamp": {
-         "seconds":  TIMESTAMP,
-@@ -293,9 +297,5 @@ Testing: -blockdev file,node-name=base,filename=TEST_DIR/t.IMGFMT.base -blockdev
-         "reason": "host-qmp-quit"
-     }
- }
--{
--    "return": {
--    }
--}
- 
- *** done
-diff --git a/tests/qemu-iotests/308 b/tests/qemu-iotests/308
-index d1bb49f1de..bde4aac2fa 100755
---- a/tests/qemu-iotests/308
-+++ b/tests/qemu-iotests/308
-@@ -77,7 +77,6 @@ fuse_export_add()
- # $1: Export ID
- fuse_export_del()
- {
--    capture_events="BLOCK_EXPORT_DELETED" \
-     _send_qemu_cmd $QEMU_HANDLE \
-         "{'execute': 'block-export-del',
-           'arguments': {
-@@ -85,7 +84,8 @@ fuse_export_del()
-           } }" \
-         'return'
- 
--    _wait_event $QEMU_HANDLE \
-+    _send_qemu_cmd $QEMU_HANDLE \
-+        '' \
-         'BLOCK_EXPORT_DELETED'
- }
- 
-diff --git a/tests/qemu-iotests/308.out b/tests/qemu-iotests/308.out
-index 9fcf8844d4..e4467a10cf 100644
---- a/tests/qemu-iotests/308.out
-+++ b/tests/qemu-iotests/308.out
-@@ -165,9 +165,9 @@ OK: Post-truncate image size is as expected
- 
- === Tear down ===
- {'execute': 'quit'}
-+{"return": {}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "export-mp"}}
--{"return": {}}
- 
- === Compare copy with original ===
- Images are identical.
-diff --git a/tests/qemu-iotests/tests/qsd-jobs.out b/tests/qemu-iotests/tests/qsd-jobs.out
-index aa6b6d1aef..c1bc9b8356 100644
---- a/tests/qemu-iotests/tests/qsd-jobs.out
-+++ b/tests/qemu-iotests/tests/qsd-jobs.out
-@@ -7,8 +7,8 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 backing_file=TEST_DIR/
- QMP_VERSION
- {"return": {}}
- {"return": {}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "job0", "len": 0, "offset": 0, "speed": 0, "type": "commit"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_CANCELLED", "data": {"device": "job0", "len": 0, "offset": 0, "speed": 0, "type": "commit"}}
- 
- === Streaming can't get permission on base node ===
- 
-@@ -17,6 +17,6 @@ QMP_VERSION
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "job0"}}
- {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "job0"}}
- {"error": {"class": "GenericError", "desc": "Permission conflict on node 'fmt_base': permissions 'write' are both required by an unnamed block device (uses node 'fmt_base' as 'root' child) and unshared by stream job 'job0' (uses node 'fmt_base' as 'intermediate node' child)."}}
--{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "export1"}}
- {"return": {}}
-+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "export1"}}
- *** done
--- 
-2.39.2
-
diff -Nru qemu-7.2+dfsg/debian/patches/series qemu-7.2+dfsg/debian/patches/series
--- qemu-7.2+dfsg/debian/patches/series	2024-02-06 20:37:25.000000000 +0300
+++ qemu-7.2+dfsg/debian/patches/series	2024-05-03 18:34:31.000000000 +0300
@@ -7,6 +7,8 @@
 v7.2.7.diff
 v7.2.8.diff
 v7.2.9.diff
+v7.2.10.diff
+v7.2.11.diff
 microvm-default-machine-type.patch
 skip-meson-pc-bios.diff
 linux-user-binfmt-P.diff
@@ -23,5 +25,3 @@
 openbios-spelling-endianess.patch
 slof-spelling-seperator.patch
 ignore-roms-dependency-in-qtest.patch
-ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch
-revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch
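Review bot: dropping ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch from the series is only safe if v7.2.10.diff carries the same size-0 handling in qemu_clipboard_set_data(). Its diffstat lists ui/clipboard.c and ui/vnc.c, so please state in d/changelog, next to the CVE id, that the fix now comes from there, and say in the same entry why revert-monitor-only-run-coroutine-commands-in-qemu_aio_context.patch is no longer needed.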
diff -Nru qemu-7.2+dfsg/debian/patches/ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch qemu-7.2+dfsg/debian/patches/ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch
--- qemu-7.2+dfsg/debian/patches/ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch	2024-01-30 19:30:14.000000000 +0300
+++ qemu-7.2+dfsg/debian/patches/ui-clipboard-mark-type-as-not-available-when-no-data-CVE-2023-6683.patch	1970-01-01 03:00:00.000000000 +0300
@@ -1,82 +0,0 @@
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Wed, 24 Jan 2024 11:57:48 +0100
-Subject: ui/clipboard: mark type as not available when there is no data
-Forwarded: yes
-Origin: upstream, https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg04742.html
-
-With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
-message with len=0. In qemu_clipboard_set_data(), the clipboard info
-will be updated setting data to NULL (because g_memdup(data, size)
-returns NULL when size is 0). If the client does not set the
-VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
-the 'request' callback for the clipboard peer is not initialized.
-Later, because data is NULL, qemu_clipboard_request() can be reached
-via vdagent_chr_write() and vdagent_clipboard_recv_request() and
-there, the clipboard owner's 'request' callback will be attempted to
-be called, but that is a NULL pointer.
-
-In particular, this can happen when using the KRDC (22.12.3) VNC
-client.
-
-Another scenario leading to the same issue is with two clients (say
-noVNC and KRDC):
-
-The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
-initializes its cbpeer.
-
-The KRDC client does not, but triggers a vnc_client_cut_text() (note
-it's not the _ext variant)). There, a new clipboard info with it as
-the 'owner' is created and via qemu_clipboard_set_data() is called,
-which in turn calls qemu_clipboard_update() with that info.
-
-In qemu_clipboard_update(), the notifier for the noVNC client will be
-called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
-noVNC client. The 'owner' in that clipboard info is the clipboard peer
-for the KRDC client, which did not initialize the 'request' function.
-That sounds correct to me, it is the owner of that clipboard info.
-
-Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
-the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
-passes), that clipboard info is passed to qemu_clipboard_request() and
-the original segfault still happens.
-
-Fix the issue by handling updates with size 0 differently. In
-particular, mark in the clipboard info that the type is not available.
-
-While at it, switch to g_memdup2(), because g_memdup() is deprecated.
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2023-6683
-Reported-by: Markus Frank <m.frank@proxmox.com>
-Suggested-by: Marc-Andr�� Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- ui/clipboard.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/ui/clipboard.c b/ui/clipboard.c
-index 3d14bffaf8..b3f6fa3c9e 100644
---- a/ui/clipboard.c
-+++ b/ui/clipboard.c
-@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
-     }
- 
-     g_free(info->types[type].data);
--    info->types[type].data = g_memdup(data, size);
--    info->types[type].size = size;
--    info->types[type].available = true;
-+    if (size) {
-+        info->types[type].data = g_memdup2(data, size);
-+        info->types[type].size = size;
-+        info->types[type].available = true;
-+    } else {
-+        info->types[type].data = NULL;
-+        info->types[type].size = 0;
-+        info->types[type].available = false;
-+    }
- 
-     if (update) {
-         qemu_clipboard_update(info);
--- 
-2.39.2
-
diff -Nru qemu-7.2+dfsg/debian/patches/v7.2.10.diff qemu-7.2+dfsg/debian/patches/v7.2.10.diff
--- qemu-7.2+dfsg/debian/patches/v7.2.10.diff	1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg/debian/patches/v7.2.10.diff	2024-05-03 18:30:25.000000000 +0300
@@ -0,0 +1,1444 @@
+Subject: v7.2.10
+Date: Mon Mar 4 15:14:39 2024 +0300
+From: Michael Tokarev <mjt@tls.msk.ru>
+Forwarded: not-needed
+
+This is a difference between upstream qemu v7.2.9
+and upstream qemu v7.2.10.
+
+ .gitlab-ci.d/cirrus/build.yml        |   2 +-
+ .gitlab-ci.d/windows.yml             |  34 ------------------
+ VERSION                              |   2 +-
+ audio/meson.build                    |   3 +-
+ block/blkio.c                        |   2 +-
+ docs/interop/vhost-user.rst          |   6 ++--
+ docs/system/keys.rst.inc             |  13 +++----
+ hw/arm/smmu-common.c                 |   2 ++
+ hw/cxl/cxl-cdat.c                    |  11 ++++--
+ hw/cxl/cxl-component-utils.c         |   2 +-
+ hw/i386/acpi-build.c                 |   2 +-
+ hw/i386/sgx-stub.c                   |   2 +-
+ hw/nvme/ctrl.c                       |   2 +-
+ hw/pci-host/designware.c             |   2 ++
+ hw/rtc/pl031.c                       |   1 +
+ hw/smbios/smbios.c                   |  12 +++++++
+ hw/usb/bus.c                         |   5 +--
+ hw/virtio/virtio-iommu.c             |   4 +--
+ linux-user/aarch64/target_prctl.h    |  29 +++++++++-------
+ migration/migration.c                |   2 ++
+ qemu-options.hx                      |  14 ++++++--
+ softmmu/vl.c                         |  24 +++++++------
+ target/arm/helper.c                  |  30 ++++++++++++++--
+ target/arm/sme_helper.c              |   8 ++---
+ target/arm/sve_helper.c              |  12 +++----
+ target/arm/syndrome.h                |   8 +++++
+ target/arm/translate-sve.c           |  16 ++++-----
+ target/i386/cpu.c                    |   6 ++--
+ target/i386/cpu.h                    |   6 ++++
+ target/i386/kvm/kvm.c                |   3 +-
+ target/i386/tcg/sysemu/excp_helper.c |  45 +++++++++++-------------
+ target/i386/tcg/sysemu/misc_helper.c |   3 ++
+ target/i386/tcg/sysemu/svm_helper.c  |  27 +++++++++++----
+ target/i386/tcg/translate.c          |  11 +++---
+ target/ppc/translate/vsx-impl.c.inc  |   2 +-
+ tests/data/acpi/q35/DSDT.cxl         | Bin 9636 -> 9637 bytes
+ tests/qemu-iotests/144               |  12 ++++++-
+ tests/qemu-iotests/144.out           |   2 +-
+ tests/qtest/display-vga-test.c       |  65 ++++++++++++++---------------------
+ tests/unit/test-blockjob.c           |   9 ++++-
+ tests/unit/test-util-sockets.c       |   1 +
+ tests/unit/test-vmstate.c            |   5 ++-
+ tests/vm/Makefile.include            |   2 +-
+ tests/vm/basevm.py                   |   4 +--
+ tests/vm/openbsd                     |   9 ++---
+ ui/clipboard.c                       |  26 ++++++++++++--
+ ui/console.c                         |   2 +-
+ ui/meson.build                       |   6 ++--
+ ui/vnc.c                             |   5 +++
+ 49 files changed, 299 insertions(+), 202 deletions(-)
+
+diff --git a/.gitlab-ci.d/cirrus/build.yml b/.gitlab-ci.d/cirrus/build.yml
+index 7ef6af8d33..d8cf08dc14 100644
+--- a/.gitlab-ci.d/cirrus/build.yml
++++ b/.gitlab-ci.d/cirrus/build.yml
+@@ -19,7 +19,7 @@ build_task:
+   install_script:
+     - @UPDATE_COMMAND@
+     - @INSTALL_COMMAND@ @PKGS@
+-    - if test -n "@PYPI_PKGS@" ; then @PIP3@ install @PYPI_PKGS@ ; fi
++    - if test -n "@PYPI_PKGS@" ; then PYLIB=$(@PYTHON@ -c 'import sysconfig; print(sysconfig.get_path("stdlib"))'); rm -f $PYLIB/EXTERNALLY-MANAGED; @PIP3@ install @PYPI_PKGS@ ; fi
+   clone_script:
+     - git clone --depth 100 "$CI_REPOSITORY_URL" .
+     - git fetch origin "$CI_COMMIT_REF_NAME"
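Review bot: in the changed install_script line, $PYLIB is expanded unquoted in "rm -f $PYLIB/EXTERNALLY-MANAGED" and the steps are joined with ";", so if the @PYTHON@ lookup fails the variable is empty, the rm targets /EXTERNALLY-MANAGED, and the pip install still runs. Quote the variable and chain the steps with && so a failed lookup stops the job.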
+diff --git a/.gitlab-ci.d/windows.yml b/.gitlab-ci.d/windows.yml
+index a3e7a37022..0180261b7f 100644
+--- a/.gitlab-ci.d/windows.yml
++++ b/.gitlab-ci.d/windows.yml
+@@ -63,37 +63,3 @@ msys2-64bit:
+       --enable-capstone --without-default-devices'
+   - .\msys64\usr\bin\bash -lc 'make'
+   - .\msys64\usr\bin\bash -lc 'make check || { cat build/meson-logs/testlog.txt; exit 1; } ;'
+-
+-msys2-32bit:
+-  extends: .shared_msys2_builder
+-  script:
+-  - .\msys64\usr\bin\bash -lc "pacman -Sy --noconfirm --needed
+-      bison diffutils flex
+-      git grep make sed
+-      mingw-w64-i686-capstone
+-      mingw-w64-i686-curl
+-      mingw-w64-i686-cyrus-sasl
+-      mingw-w64-i686-gcc
+-      mingw-w64-i686-glib2
+-      mingw-w64-i686-gnutls
+-      mingw-w64-i686-gtk3
+-      mingw-w64-i686-libgcrypt
+-      mingw-w64-i686-libjpeg-turbo
+-      mingw-w64-i686-libssh
+-      mingw-w64-i686-libtasn1
+-      mingw-w64-i686-libusb
+-      mingw-w64-i686-lzo2
+-      mingw-w64-i686-ninja
+-      mingw-w64-i686-pixman
+-      mingw-w64-i686-pkgconf
+-      mingw-w64-i686-python
+-      mingw-w64-i686-snappy
+-      mingw-w64-i686-usbredir "
+-  - $env:CHERE_INVOKING = 'yes'  # Preserve the current working directory
+-  - $env:MSYSTEM = 'MINGW32'     # Start a 32-bit MinG environment
+-  - $env:MSYS = 'winsymlinks:native' # Enable native Windows symlink
+-  - mkdir output
+-  - cd output
+-  - ..\msys64\usr\bin\bash -lc "../configure --target-list=ppc64-softmmu"
+-  - ..\msys64\usr\bin\bash -lc 'make'
+-  - ..\msys64\usr\bin\bash -lc 'make check || { cat meson-logs/testlog.txt; exit 1; } ;'
+diff --git a/VERSION b/VERSION
+index 672f66a613..6bfb3a0ba9 100644
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-7.2.9
++7.2.10
+diff --git a/audio/meson.build b/audio/meson.build
+index 34aed78342..ce171f710d 100644
+--- a/audio/meson.build
++++ b/audio/meson.build
+@@ -29,7 +29,8 @@ endforeach
+ 
+ if dbus_display
+     module_ss = ss.source_set()
+-    module_ss.add(when: gio, if_true: files('dbusaudio.c'))
++    module_ss.add(when: [gio, dbus_display1_dep],
++                  if_true: files('dbusaudio.c'))
+     audio_modules += {'dbus': module_ss}
+ endif
+ 
+diff --git a/block/blkio.c b/block/blkio.c
+index 5eae3adfaf..cb66160268 100644
+--- a/block/blkio.c
++++ b/block/blkio.c
+@@ -74,7 +74,7 @@ typedef struct {
+     CoQueue bounce_available;
+ 
+     /* The value of the "mem-region-alignment" property */
+-    size_t mem_region_alignment;
++    uint64_t mem_region_alignment;
+ 
+     /* Can we skip adding/deleting blkio_mem_regions? */
+     bool needs_mem_regions;
+diff --git a/docs/interop/vhost-user.rst b/docs/interop/vhost-user.rst
+index 3f18ab424e..936de705e1 100644
+--- a/docs/interop/vhost-user.rst
++++ b/docs/interop/vhost-user.rst
+@@ -111,9 +111,9 @@ A vring state description
+ A vring address description
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ 
+-+-------+-------+------+------------+------+-----------+-----+
+-| index | flags | size | descriptor | used | available | log |
+-+-------+-------+------+------------+------+-----------+-----+
+++-------+-------+------------+------+-----------+-----+
++| index | flags | descriptor | used | available | log |
+++-------+-------+------------+------+-----------+-----+
+ 
+ :index: a 32-bit vring index
+ 
+diff --git a/docs/system/keys.rst.inc b/docs/system/keys.rst.inc
+index bd9b8e5f6f..59966a3fe7 100644
+--- a/docs/system/keys.rst.inc
++++ b/docs/system/keys.rst.inc
+@@ -1,8 +1,9 @@
+-During the graphical emulation, you can use special key combinations to
+-change modes. The default key mappings are shown below, but if you use
+-``-alt-grab`` then the modifier is Ctrl-Alt-Shift (instead of Ctrl-Alt)
+-and if you use ``-ctrl-grab`` then the modifier is the right Ctrl key
+-(instead of Ctrl-Alt):
++During the graphical emulation, you can use special key combinations from
++the following table to change modes. By default the modifier is Ctrl-Alt
++(used in the table below) which can be changed with ``-display`` suboption
++``mod=`` where appropriate. For example, ``-display sdl,
++grab-mod=lshift-lctrl-lalt`` changes the modifier key to Ctrl-Alt-Shift,
++while ``-display sdl,grab-mod=rctrl`` changes it to the right Ctrl key.
+ 
+ Ctrl-Alt-f
+    Toggle full screen
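Review bot: the new paragraph names the suboption as ``mod=`` while both examples use ``grab-mod=``, and the first example literal is broken across a line after "sdl,", which puts whitespace inside the inline literal. Use ``grab-mod=`` in the prose and keep each example on one line.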
+@@ -28,7 +29,7 @@ Ctrl-Alt-n
+    *3*
+       Serial port
+ 
+-Ctrl-Alt
++Ctrl-Alt-g
+    Toggle mouse and keyboard grab.
+ 
+ In the virtual consoles, you can use Ctrl-Up, Ctrl-Down, Ctrl-PageUp and
+diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
+index bbca3a8db3..7abc166eb3 100644
+--- a/hw/arm/smmu-common.c
++++ b/hw/arm/smmu-common.c
+@@ -529,6 +529,8 @@ static void smmu_base_reset(DeviceState *dev)
+ {
+     SMMUState *s = ARM_SMMU(dev);
+ 
++    memset(s->smmu_pcibus_by_bus_num, 0, sizeof(s->smmu_pcibus_by_bus_num));
++
+     g_hash_table_remove_all(s->configs);
+     g_hash_table_remove_all(s->iotlb);
+ }
+diff --git a/hw/cxl/cxl-cdat.c b/hw/cxl/cxl-cdat.c
+index 3653aa56f0..0cde11854e 100644
+--- a/hw/cxl/cxl-cdat.c
++++ b/hw/cxl/cxl-cdat.c
+@@ -49,6 +49,7 @@ static void ct3_build_cdat(CDATObject *cdat, Error **errp)
+     g_autofree CDATTableHeader *cdat_header = NULL;
+     g_autofree CDATEntry *cdat_st = NULL;
+     uint8_t sum = 0;
++    uint8_t *hdr_buf;
+     int ent, i;
+ 
+     /* Use default table if fopen == NULL */
+@@ -62,7 +63,7 @@ static void ct3_build_cdat(CDATObject *cdat, Error **errp)
+ 
+     cdat->built_buf_len = cdat->build_cdat_table(&cdat->built_buf, cdat->private);
+ 
+-    if (!cdat->built_buf_len) {
++    if (cdat->built_buf_len <= 0) {
+         /* Build later as not all data available yet */
+         cdat->to_update = true;
+         return;
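Review bot: with the test changed to built_buf_len <= 0, a negative return from build_cdat_table() takes the "Build later as not all data available yet" path and only sets to_update, so a build failure cannot be told apart from a deferred build. ct3_build_cdat() already takes errp; report the negative case through it and keep the deferral for 0 only, or update the comment to say negative values are deliberately treated as "not yet".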
+@@ -94,8 +95,12 @@ static void ct3_build_cdat(CDATObject *cdat, Error **errp)
+     /* For now, no runtime updates */
+     cdat_header->sequence = 0;
+     cdat_header->length += sizeof(CDATTableHeader);
+-    sum += cdat_header->revision + cdat_header->sequence +
+-        cdat_header->length;
++
++    hdr_buf = (uint8_t *)cdat_header;
++    for (i = 0; i < sizeof(*cdat_header); i++) {
++        sum += hdr_buf[i];
++    }
++
+     /* Sum of all bytes including checksum must be 0 */
+     cdat_header->checksum = ~sum + 1;
+ 
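Review bot: the new loop sums every byte of *cdat_header, which includes the checksum field itself, so the result is correct only if checksum is still zero when the loop runs. Set cdat_header->checksum = 0 just before the loop or state that precondition in a comment. The loop also compares the int i against sizeof(*cdat_header), a signed/unsigned comparison.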
+diff --git a/hw/cxl/cxl-component-utils.c b/hw/cxl/cxl-component-utils.c
+index 3edd303a33..5934b95848 100644
+--- a/hw/cxl/cxl-component-utils.c
++++ b/hw/cxl/cxl-component-utils.c
+@@ -126,7 +126,7 @@ void cxl_component_register_block_init(Object *obj,
+     /* io registers controls link which we don't care about in QEMU */
+     memory_region_init_io(&cregs->io, obj, NULL, cregs, ".io",
+                           CXL2_COMPONENT_IO_REGION_SIZE);
+-    memory_region_init_io(&cregs->cache_mem, obj, &cache_mem_ops, cregs,
++    memory_region_init_io(&cregs->cache_mem, obj, &cache_mem_ops, cxl_cstate,
+                           ".cache_mem", CXL2_COMPONENT_CM_REGION_SIZE);
+ 
+     memory_region_add_subregion(&cregs->component_registers, 0, &cregs->io);
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index d9eaa5fc4d..f9cdacadb1 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -1311,7 +1311,7 @@ static void build_acpi0017(Aml *table)
+     aml_append(dev, aml_name_decl("_HID", aml_string("ACPI0017")));
+ 
+     method = aml_method("_STA", 0, AML_NOTSERIALIZED);
+-    aml_append(method, aml_return(aml_int(0x01)));
++    aml_append(method, aml_return(aml_int(0x0B)));
+     aml_append(dev, method);
+ 
+     aml_append(scope, dev);
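Review bot: the _STA return value in build_acpi0017() changes from 0x01 to 0x0B with no comment. Spell out which status bits 0x0B sets so the next reader does not have to decode the literal.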
+diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
+index 26833eb233..16b1dfd90b 100644
+--- a/hw/i386/sgx-stub.c
++++ b/hw/i386/sgx-stub.c
+@@ -34,5 +34,5 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
+ 
+ bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
+ {
+-    g_assert_not_reached();
++    return true;
+ }
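Review bot: the stub of sgx_epc_get_section() now returns true without writing *addr or *size, and nothing in the hunk says what true means to a caller. Add a one-line comment stating the return convention so that callers in builds without SGX do not go on to read the out-parameters.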
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 4d29033556..a87f79296c 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -7140,7 +7140,7 @@ static void nvme_init_state(NvmeCtrl *n)
+     n->aer_reqs = g_new0(NvmeRequest *, n->params.aerl + 1);
+     QTAILQ_INIT(&n->aer_queue);
+ 
+-    list->numcntl = cpu_to_le16(max_vfs);
++    list->numcntl = max_vfs;
+     for (i = 0; i < max_vfs; i++) {
+         sctrl = &list->sec[i];
+         sctrl->pcid = cpu_to_le16(n->cntlid);
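Review bot: dropping cpu_to_le16() on list->numcntl is right only if that field is a single byte, which this hunk does not show. If it is, the assignment silently truncates any max_vfs above 255, so a bound check or assertion next to it would make the assumption explicit.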
+diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
+index bde3a343a2..c235b9daa3 100644
+--- a/hw/pci-host/designware.c
++++ b/hw/pci-host/designware.c
+@@ -340,6 +340,8 @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
+         break;
+ 
+     case DESIGNWARE_PCIE_ATU_VIEWPORT:
++        val &= DESIGNWARE_PCIE_ATU_REGION_INBOUND |
++                (DESIGNWARE_PCIE_NUM_VIEWPORTS - 1);
+         root->atu_viewport = val;
+         break;
+ 
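Review bot: masking with (DESIGNWARE_PCIE_NUM_VIEWPORTS - 1) keeps atu_viewport in range only when DESIGNWARE_PCIE_NUM_VIEWPORTS is a power of two. Add a build-time assertion for that next to the define, and a short comment here saying the mask keeps the DESIGNWARE_PCIE_ATU_REGION_INBOUND flag plus an in-range viewport index.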
+diff --git a/hw/rtc/pl031.c b/hw/rtc/pl031.c
+index b01d0e75d1..2f3cd04eeb 100644
+--- a/hw/rtc/pl031.c
++++ b/hw/rtc/pl031.c
+@@ -141,6 +141,7 @@ static void pl031_write(void * opaque, hwaddr offset,
+         g_autofree const char *qom_path = object_get_canonical_path(opaque);
+         struct tm tm;
+ 
++        s->lr = value;
+         s->tick_offset += value - pl031_get_count(s);
+ 
+         qemu_get_timedate(&tm, s->tick_offset);
+diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
+index cd43185417..9f4d007d96 100644
+--- a/hw/smbios/smbios.c
++++ b/hw/smbios/smbios.c
+@@ -345,6 +345,11 @@ static const QemuOptDesc qemu_smbios_type4_opts[] = {
+ };
+ 
+ static const QemuOptDesc qemu_smbios_type8_opts[] = {
++    {
++        .name = "type",
++        .type = QEMU_OPT_NUMBER,
++        .help = "SMBIOS element type",
++    },
+     {
+         .name = "internal_reference",
+         .type = QEMU_OPT_STRING,
+@@ -365,9 +370,15 @@ static const QemuOptDesc qemu_smbios_type8_opts[] = {
+         .type = QEMU_OPT_NUMBER,
+         .help = "port type",
+     },
++    { /* end of list */ }
+ };
+ 
+ static const QemuOptDesc qemu_smbios_type11_opts[] = {
++    {
++        .name = "type",
++        .type = QEMU_OPT_NUMBER,
++        .help = "SMBIOS element type",
++    },
+     {
+         .name = "value",
+         .type = QEMU_OPT_STRING,
+@@ -378,6 +389,7 @@ static const QemuOptDesc qemu_smbios_type11_opts[] = {
+         .type = QEMU_OPT_STRING,
+         .help = "OEM string data from file",
+     },
++    { /* end of list */ }
+ };
+ 
+ static const QemuOptDesc qemu_smbios_type17_opts[] = {
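Review bot: the "{ /* end of list */ }" sentinel was missing from both the type8 and the type11 table, so neither array had an end marker for whatever iterates it. Check the remaining qemu_smbios_type*_opts tables in this file for the same omission, and add a test that passes an unknown key for type 8 and type 11 so the terminator cannot be lost again unnoticed.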
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index 92d6ed5626..4d4c671913 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -273,13 +273,14 @@ static void usb_qdev_realize(DeviceState *qdev, Error **errp)
+     }
+ 
+     if (dev->pcap_filename) {
+-        int fd = qemu_open_old(dev->pcap_filename, O_CREAT | O_WRONLY | O_TRUNC, 0666);
++        int fd = qemu_open_old(dev->pcap_filename,
++                               O_CREAT | O_WRONLY | O_TRUNC | O_BINARY, 0666);
+         if (fd < 0) {
+             error_setg(errp, "open %s failed", dev->pcap_filename);
+             usb_qdev_unrealize(qdev);
+             return;
+         }
+-        dev->pcap = fdopen(fd, "w");
++        dev->pcap = fdopen(fd, "wb");
+         usb_pcap_init(dev->pcap);
+     }
+ }
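Review bot: fdopen() can return NULL, and dev->pcap is passed straight to usb_pcap_init() with no check. Handle that failure the same way as the fd < 0 branch above it (error_setg, usb_qdev_unrealize, return), and close fd on that path so the descriptor is not leaked.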
+diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
+index eb82462c95..95db19f144 100644
+--- a/hw/virtio/virtio-iommu.c
++++ b/hw/virtio/virtio-iommu.c
+@@ -1140,6 +1140,8 @@ static void virtio_iommu_system_reset(void *opaque)
+ 
+     trace_virtio_iommu_system_reset();
+ 
++    memset(s->iommu_pcibus_by_bus_num, 0, sizeof(s->iommu_pcibus_by_bus_num));
++
+     /*
+      * config.bypass is sticky across device reset, but should be restored on
+      * system reset
+@@ -1156,8 +1158,6 @@ static void virtio_iommu_device_realize(DeviceState *dev, Error **errp)
+ 
+     virtio_init(vdev, VIRTIO_ID_IOMMU, sizeof(struct virtio_iommu_config));
+ 
+-    memset(s->iommu_pcibus_by_bus_num, 0, sizeof(s->iommu_pcibus_by_bus_num));
+-
+     s->req_vq = virtio_add_queue(vdev, VIOMMU_DEFAULT_QUEUE_SIZE,
+                              virtio_iommu_handle_command);
+     s->event_vq = virtio_add_queue(vdev, VIOMMU_DEFAULT_QUEUE_SIZE, NULL);
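Review bot: with the memset removed from virtio_iommu_device_realize(), iommu_pcibus_by_bus_num is cleared only in virtio_iommu_system_reset(), so the code now depends on the device state being zero-allocated and on a system reset running before the first lookup. A comment at the reset-side memset explaining why the cached bus pointers must be dropped there would document that dependency.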
+diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
+index 907c314146..d9f6648e27 100644
+--- a/linux-user/aarch64/target_prctl.h
++++ b/linux-user/aarch64/target_prctl.h
+@@ -171,21 +171,26 @@ static abi_long do_prctl_set_tagged_addr_ctrl(CPUArchState *env, abi_long arg2)
+     env->tagged_addr_enable = arg2 & PR_TAGGED_ADDR_ENABLE;
+ 
+     if (cpu_isar_feature(aa64_mte, cpu)) {
+-        switch (arg2 & PR_MTE_TCF_MASK) {
+-        case PR_MTE_TCF_NONE:
+-        case PR_MTE_TCF_SYNC:
+-        case PR_MTE_TCF_ASYNC:
+-            break;
+-        default:
+-            return -EINVAL;
+-        }
+-
+         /*
+          * Write PR_MTE_TCF to SCTLR_EL1[TCF0].
+-         * Note that the syscall values are consistent with hw.
++         *
++         * The kernel has a per-cpu configuration for the sysadmin,
++         * /sys/devices/system/cpu/cpu<N>/mte_tcf_preferred,
++         * which qemu does not implement.
++         *
++         * Because there is no performance difference between the modes, and
++         * because SYNC is most useful for debugging MTE errors, choose SYNC
++         * as the preferred mode.  With this preference, and the way the API
++         * uses only two bits, there is no way for the program to select
++         * ASYMM mode.
+          */
+-        env->cp15.sctlr_el[1] =
+-            deposit64(env->cp15.sctlr_el[1], 38, 2, arg2 >> PR_MTE_TCF_SHIFT);
++        unsigned tcf = 0;
++        if (arg2 & PR_MTE_TCF_SYNC) {
++            tcf = 1;
++        } else if (arg2 & PR_MTE_TCF_ASYNC) {
++            tcf = 2;
++        }
++        env->cp15.sctlr_el[1] = deposit64(env->cp15.sctlr_el[1], 38, 2, tcf);
+ 
+         /*
+          * Write PR_MTE_TAG to GCR_EL1[Exclude].
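Review bot: with the switch on PR_MTE_TCF_MASK removed there is no -EINVAL path left for the TCF bits, and when both PR_MTE_TCF_SYNC and PR_MTE_TCF_ASYNC are set the if/else silently picks SYNC. The comment explains the preference, but the literals in tcf = 1 and tcf = 2 that end up in SCTLR_EL1[TCF0] should be named or commented as the hardware encodings, since the old remark that the syscall values are consistent with hw was deleted.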
+diff --git a/migration/migration.c b/migration/migration.c
+index c8ca7927b4..9b496cce1d 100644
+--- a/migration/migration.c
++++ b/migration/migration.c
+@@ -572,6 +572,7 @@ static void process_incoming_migration_bh(void *opaque)
+                       MIGRATION_STATUS_COMPLETED);
+     qemu_bh_delete(mis->bh);
+     migration_incoming_state_destroy();
++    object_unref(OBJECT(migrate_get_current()));
+ }
+ 
+ static void coroutine_fn
+@@ -638,6 +639,7 @@ process_incoming_migration_co(void *opaque)
+         goto fail;
+     }
+     mis->bh = qemu_bh_new(process_incoming_migration_bh, mis);
++    object_ref(OBJECT(migrate_get_current()));
+     qemu_bh_schedule(mis->bh);
+     mis->migration_incoming_co = NULL;
+     return;
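Review bot: the object_ref() taken just before qemu_bh_schedule() is released only inside process_incoming_migration_bh(), so if the bottom half is ever deleted without running, the reference leaks. Add a comment at both sites tying the reference to the pending bh, so a later change to one side does not miss the other.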
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 379692da86..7f798ce47e 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -3968,7 +3968,8 @@ SRST
+     This option can be used several times to simulate up to 4 serial
+     ports.
+ 
+-    Use ``-serial none`` to disable all serial ports.
++    You can use ``-serial none`` to suppress the creation of default
++    serial devices.
+ 
+     Available character devices are:
+ 
+@@ -3990,10 +3991,17 @@ SRST
+         [Linux only] Pseudo TTY (a new PTY is automatically allocated)
+ 
+     ``none``
+-        No device is allocated.
++        No device is allocated. Note that for machine types which
++        emulate systems where a serial device is always present in
++        real hardware, this may be equivalent to the ``null`` option,
++        in that the serial device is still present but all output
++        is discarded. For boards where the number of serial ports is
++        truly variable, this suppresses the creation of the device.
+ 
+     ``null``
+-        void device
++        A guest will see the UART or serial device as present in the
++        machine, but all output is discarded, and there is no input.
++        Conceptually equivalent to redirecting the output to ``/dev/null``.
+ 
+     ``chardev:id``
+         Use a named character device defined with the ``-chardev``
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index ce88869618..38d76d6e51 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -856,7 +856,7 @@ static void help(int exitcode)
+     printf("\nDuring emulation, the following keys are useful:\n"
+            "ctrl-alt-f      toggle full screen\n"
+            "ctrl-alt-n      switch to virtual console 'n'\n"
+-           "ctrl-alt        toggle mouse and keyboard grab\n"
++           "ctrl-alt-g      toggle mouse and keyboard grab\n"
+            "\n"
+            "When using -nographic, press 'ctrl-a h' to get some help.\n"
+            "\n"
+@@ -1363,18 +1363,22 @@ static void qemu_create_default_devices(void)
+ static int serial_parse(const char *devname)
+ {
+     int index = num_serial_hds;
+-    char label[32];
+ 
+-    if (strcmp(devname, "none") == 0)
+-        return 0;
+-    snprintf(label, sizeof(label), "serial%d", index);
+     serial_hds = g_renew(Chardev *, serial_hds, index + 1);
+ 
+-    serial_hds[index] = qemu_chr_new_mux_mon(label, devname, NULL);
+-    if (!serial_hds[index]) {
+-        error_report("could not connect serial device"
+-                     " to character backend '%s'", devname);
+-        return -1;
++    if (strcmp(devname, "none") == 0) {
++        /* Don't allocate a serial device for this index */
++        serial_hds[index] = NULL;
++    } else {
++        char label[32];
++        snprintf(label, sizeof(label), "serial%d", index);
++
++        serial_hds[index] = qemu_chr_new_mux_mon(label, devname, NULL);
++        if (!serial_hds[index]) {
++            error_report("could not connect serial device"
++                         " to character backend '%s'", devname);
++            return -1;
++        }
+     }
+     num_serial_hds++;
+     return 0;
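Review bot: for "none", serial_parse() now stores NULL in serial_hds[index] and still increments num_serial_hds, where it previously returned before touching either. Every consumer that walks serial_hds up to num_serial_hds therefore has to tolerate a NULL entry; state that contract in the comment at the NULL assignment.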
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index 02cfeece45..2e284e048c 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -1125,13 +1125,21 @@ static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
+     bool enabled, prohibited = false, filtered;
+     bool secure = arm_is_secure(env);
+     int el = arm_current_el(env);
+-    uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
+-    uint8_t hpmn = mdcr_el2 & MDCR_HPMN;
++    uint64_t mdcr_el2;
++    uint8_t hpmn;
+ 
++    /*
++     * We might be called for M-profile cores where MDCR_EL2 doesn't
++     * exist and arm_mdcr_el2_eff() will assert, so this early-exit check
++     * must be before we read that value.
++     */
+     if (!arm_feature(env, ARM_FEATURE_PMU)) {
+         return false;
+     }
+ 
++    mdcr_el2 = arm_mdcr_el2_eff(env);
++    hpmn = mdcr_el2 & MDCR_HPMN;
++
+     if (!arm_feature(env, ARM_FEATURE_EL2) ||
+             (counter < hpmn || counter == 31)) {
+         e = env->cp15.c9_pmcr & PMCRE;
+@@ -9836,6 +9844,24 @@ static void arm_cpu_do_interrupt_aarch32(CPUState *cs)
+     }
+ 
+     if (env->exception.target_el == 2) {
++        /* Debug exceptions are reported differently on AArch32 */
++        switch (syn_get_ec(env->exception.syndrome)) {
++        case EC_BREAKPOINT:
++        case EC_BREAKPOINT_SAME_EL:
++        case EC_AA32_BKPT:
++        case EC_VECTORCATCH:
++            env->exception.syndrome = syn_insn_abort(arm_current_el(env) == 2,
++                                                     0, 0, 0x22);
++            break;
++        case EC_WATCHPOINT:
++            env->exception.syndrome = syn_set_ec(env->exception.syndrome,
++                                                 EC_DATAABORT);
++            break;
++        case EC_WATCHPOINT_SAME_EL:
++            env->exception.syndrome = syn_set_ec(env->exception.syndrome,
++                                                 EC_DATAABORT_SAME_EL);
++            break;
++        }
+         arm_cpu_do_interrupt_aarch32_hyp(cs);
+         return;
+     }
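Review bot: in the new switch on syn_get_ec(), the 0x22 passed as the last argument of syn_insn_abort() is an unexplained literal. Name it or comment which fault status it encodes, and add an explicit "default: break;" to make it clear that all other exception classes keep their syndrome unchanged.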
+diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
+index 8856773635..d592c78ec9 100644
+--- a/target/arm/sme_helper.c
++++ b/target/arm/sme_helper.c
+@@ -606,8 +606,8 @@ void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+ 
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
+ 
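Review bot: the corrected condition (tbi_check/tcma_check on mtedesc instead of desc) is repeated verbatim in sme_ld1_mte, sme_st1_mte, sve_ldN_r_mte, sve_ldnfff1_r_mte and sve_stN_r_mte, so one wrong variable had to be fixed in five places. Consider a small inline helper taking mtedesc, bit55 and addr, so that desc, which is reassigned by extract32() on the line just above, cannot be passed by mistake again.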
+@@ -783,8 +783,8 @@ void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+ 
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
+ 
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index 27838fb6e2..45a93755fe 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -5803,8 +5803,8 @@ void sve_ldN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+ 
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
+ 
+@@ -6159,8 +6159,8 @@ void sve_ldnfff1_r_mte(CPUARMState *env, void *vg, target_ulong addr,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+ 
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
+ 
+@@ -6413,8 +6413,8 @@ void sve_stN_r_mte(CPUARMState *env, uint64_t *vg, target_ulong addr,
+     desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+ 
+     /* Perform gross MTE suppression early. */
+-    if (!tbi_check(desc, bit55) ||
+-        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
++    if (!tbi_check(mtedesc, bit55) ||
++        tcma_check(mtedesc, bit55, allocation_tag_from_addr(addr))) {
+         mtedesc = 0;
+     }
+ 
+diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
+index 15334a3d15..75a3327a30 100644
+--- a/target/arm/syndrome.h
++++ b/target/arm/syndrome.h
+@@ -25,6 +25,8 @@
+ #ifndef TARGET_ARM_SYNDROME_H
+ #define TARGET_ARM_SYNDROME_H
+ 
++#include "qemu/bitops.h"
++
+ /* Valid Syndrome Register EC field values */
+ enum arm_exception_class {
+     EC_UNCATEGORIZED          = 0x00,
+@@ -76,6 +78,7 @@ typedef enum {
+     SME_ET_InactiveZA,
+ } SMEExceptionType;
+ 
++#define ARM_EL_EC_LENGTH 6
+ #define ARM_EL_EC_SHIFT 26
+ #define ARM_EL_IL_SHIFT 25
+ #define ARM_EL_ISV_SHIFT 24
+@@ -87,6 +90,11 @@ static inline uint32_t syn_get_ec(uint32_t syn)
+     return syn >> ARM_EL_EC_SHIFT;
+ }
+ 
++static inline uint32_t syn_set_ec(uint32_t syn, uint32_t ec)
++{
++    return deposit32(syn, ARM_EL_EC_SHIFT, ARM_EL_EC_LENGTH, ec);
++}
++
+ /*
+  * Utility functions for constructing various kinds of syndrome value.
+  * Note that in general we follow the AArch64 syndrome values; in a
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index 621a2abb22..7388e1dbc7 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -4587,11 +4587,7 @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
+     TCGv_ptr t_pg;
+     int desc = 0;
+ 
+-    /*
+-     * For e.g. LD4, there are not enough arguments to pass all 4
+-     * registers as pointers, so encode the regno into the data field.
+-     * For consistency, do this even for LD1.
+-     */
++    assert(mte_n >= 1 && mte_n <= 4);
+     if (s->mte_active[0]) {
+         int msz = dtype_msz(dtype);
+ 
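Review bot: assert(mte_n >= 1 && mte_n <= 4) at the top of do_mem_zpa() replaces a comment and leaves the new contract undocumented. The callers in do_ld_zpa() and do_st_zpa() now pass nreg + 1, so the argument has changed from a zero-based register index to a register count; say that in a comment next to the assert so a future caller does not pass nreg directly.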
+@@ -4605,6 +4601,11 @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
+         addr = clean_data_tbi(s, addr);
+     }
+ 
++    /*
++     * For e.g. LD4, there are not enough arguments to pass all 4
++     * registers as pointers, so encode the regno into the data field.
++     * For consistency, do this even for LD1.
++     */
+     desc = simd_desc(vsz, vsz, zt | desc);
+     t_pg = tcg_temp_new_ptr();
+ 
+@@ -4744,7 +4745,7 @@ static void do_ld_zpa(DisasContext *s, int zt, int pg,
+      * accessible via the instruction encoding.
+      */
+     assert(fn != NULL);
+-    do_mem_zpa(s, zt, pg, addr, dtype, nreg, false, fn);
++    do_mem_zpa(s, zt, pg, addr, dtype, nreg + 1, false, fn);
+ }
+ 
+ static bool trans_LD_zprr(DisasContext *s, arg_rprr_load *a)
+@@ -5320,14 +5321,13 @@ static void do_st_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
+     if (nreg == 0) {
+         /* ST1 */
+         fn = fn_single[s->mte_active[0]][be][msz][esz];
+-        nreg = 1;
+     } else {
+         /* ST2, ST3, ST4 -- msz == esz, enforced by encoding */
+         assert(msz == esz);
+         fn = fn_multiple[s->mte_active[0]][be][nreg - 1][msz];
+     }
+     assert(fn != NULL);
+-    do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg, true, fn);
++    do_mem_zpa(s, zt, pg, addr, msz_dtype(s, msz), nreg + 1, true, fn);
+ }
+ 
+ static bool trans_ST_zprr(DisasContext *s, arg_rprr_store *a)
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 0f71ff9fea..52a3020032 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -6114,6 +6114,8 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
+     if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE)) {
+         env->features[FEAT_XSAVE_XCR0_LO] = 0;
+         env->features[FEAT_XSAVE_XCR0_HI] = 0;
++        env->features[FEAT_XSAVE_XSS_LO] = 0;
++        env->features[FEAT_XSAVE_XSS_HI] = 0;
+         return;
+     }
+ 
+@@ -6132,9 +6134,9 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
+     }
+ 
+     env->features[FEAT_XSAVE_XCR0_LO] = mask & CPUID_XSTATE_XCR0_MASK;
+-    env->features[FEAT_XSAVE_XCR0_HI] = mask >> 32;
++    env->features[FEAT_XSAVE_XCR0_HI] = (mask & CPUID_XSTATE_XCR0_MASK) >> 32;
+     env->features[FEAT_XSAVE_XSS_LO] = mask & CPUID_XSTATE_XSS_MASK;
+-    env->features[FEAT_XSAVE_XSS_HI] = mask >> 32;
++    env->features[FEAT_XSAVE_XSS_HI] = (mask & CPUID_XSTATE_XSS_MASK) >> 32;
+ }
+ 
+ /***** Steps involved on loading and filtering CPUID data
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index f67cee477a..7be047ce33 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2195,6 +2195,12 @@ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+         ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
+ }
+ 
++static inline bool is_mmu_index_32(int mmu_index)
++{
++    assert(mmu_index < MMU_PHYS_IDX);
++    return mmu_index & 1;
++}
++
+ static inline int cpu_mmu_index_kernel(CPUX86State *env)
+ {
+     return !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP_IDX :
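Review bot: is_mmu_index_32() returns mmu_index & 1, which depends on how the MMU_*_IDX constants are numbered, and nothing in this hunk states that convention. Add a comment here, and ideally next to the index definitions, that odd indexes are the 32-bit variants. The assert bounds the value from above only, so a negative index would pass it.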
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index 002b699030..4d83bb5784 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -1859,6 +1859,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
+         }
+         case 0x1f:
+             if (env->nr_dies < 2) {
++                cpuid_i--;
+                 break;
+             }
+             /* fallthrough */
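Review bot: the cpuid_i-- added before the break in case 0x1f has no comment, and the increment it undoes lies outside this hunk. A one-line comment saying that the entry reserved for this leaf is given back when env->nr_dies < 2 would let a reader verify the index bookkeeping without reading the whole loop.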
+@@ -1899,7 +1900,6 @@ int kvm_arch_init_vcpu(CPUState *cs)
+                 c = &cpuid_data.entries[cpuid_i++];
+             }
+             break;
+-        case 0x7:
+         case 0x12:
+             for (j = 0; ; j++) {
+                 c->function = i;
+@@ -1919,6 +1919,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
+                 c = &cpuid_data.entries[cpuid_i++];
+             }
+             break;
++        case 0x7:
+         case 0x14:
+         case 0x1d:
+         case 0x1e: {
+diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
+index 55bd1194d3..5999cdedf5 100644
+--- a/target/i386/tcg/sysemu/excp_helper.c
++++ b/target/i386/tcg/sysemu/excp_helper.c
+@@ -133,7 +133,6 @@ static inline bool ptw_setl(const PTETranslate *in, uint32_t old, uint32_t set)
+ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+                           TranslateResult *out, TranslateFault *err)
+ {
+-    const int32_t a20_mask = x86_get_a20_mask(env);
+     const target_ulong addr = in->addr;
+     const int pg_mode = in->pg_mode;
+     const bool is_user = (in->mmu_idx == MMU_USER_IDX);
+@@ -162,8 +161,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+                 /*
+                  * Page table level 5
+                  */
+-                pte_addr = ((in->cr3 & ~0xfff) +
+-                            (((addr >> 48) & 0x1ff) << 3)) & a20_mask;
++                pte_addr = (in->cr3 & ~0xfff) + (((addr >> 48) & 0x1ff) << 3);
+                 if (!ptw_translate(&pte_trans, pte_addr)) {
+                     return false;
+                 }
+@@ -187,8 +185,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+             /*
+              * Page table level 4
+              */
+-            pte_addr = ((pte & PG_ADDRESS_MASK) +
+-                        (((addr >> 39) & 0x1ff) << 3)) & a20_mask;
++            pte_addr = (pte & PG_ADDRESS_MASK) + (((addr >> 39) & 0x1ff) << 3);
+             if (!ptw_translate(&pte_trans, pte_addr)) {
+                 return false;
+             }
+@@ -208,8 +205,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+             /*
+              * Page table level 3
+              */
+-            pte_addr = ((pte & PG_ADDRESS_MASK) +
+-                        (((addr >> 30) & 0x1ff) << 3)) & a20_mask;
++            pte_addr = (pte & PG_ADDRESS_MASK) + (((addr >> 30) & 0x1ff) << 3);
+             if (!ptw_translate(&pte_trans, pte_addr)) {
+                 return false;
+             }
+@@ -236,7 +232,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+             /*
+              * Page table level 3
+              */
+-            pte_addr = ((in->cr3 & ~0x1f) + ((addr >> 27) & 0x18)) & a20_mask;
++            pte_addr = (in->cr3 & 0xffffffe0ULL) + ((addr >> 27) & 0x18);
+             if (!ptw_translate(&pte_trans, pte_addr)) {
+                 return false;
+             }
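Review bot: replacing ~0x1f with the literal 0xffffffe0ULL changes more than the A20 handling. It also discards bits 63:32 of in->cr3 at this table level, and the hunk carries no comment saying that this is intended. State the reason next to the mask, and do the same for 0xfffff000ULL in the later "Page table level 2" hunk.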
+@@ -258,8 +254,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+         /*
+          * Page table level 2
+          */
+-        pte_addr = ((pte & PG_ADDRESS_MASK) +
+-                    (((addr >> 21) & 0x1ff) << 3)) & a20_mask;
++        pte_addr = (pte & PG_ADDRESS_MASK) + (((addr >> 21) & 0x1ff) << 3);
+         if (!ptw_translate(&pte_trans, pte_addr)) {
+             return false;
+         }
+@@ -285,8 +280,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+         /*
+          * Page table level 1
+          */
+-        pte_addr = ((pte & PG_ADDRESS_MASK) +
+-                    (((addr >> 12) & 0x1ff) << 3)) & a20_mask;
++        pte_addr = (pte & PG_ADDRESS_MASK) + (((addr >> 12) & 0x1ff) << 3);
+         if (!ptw_translate(&pte_trans, pte_addr)) {
+             return false;
+         }
+@@ -304,7 +298,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+         /*
+          * Page table level 2
+          */
+-        pte_addr = ((in->cr3 & ~0xfff) + ((addr >> 20) & 0xffc)) & a20_mask;
++        pte_addr = (in->cr3 & 0xfffff000ULL) + ((addr >> 20) & 0xffc);
+         if (!ptw_translate(&pte_trans, pte_addr)) {
+             return false;
+         }
+@@ -333,7 +327,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+         /*
+          * Page table level 1
+          */
+-        pte_addr = ((pte & ~0xfffu) + ((addr >> 10) & 0xffc)) & a20_mask;
++        pte_addr = (pte & ~0xfffu) + ((addr >> 10) & 0xffc);
+         if (!ptw_translate(&pte_trans, pte_addr)) {
+             return false;
+         }
+@@ -420,10 +414,13 @@ do_check_protect_pse36:
+         }
+     }
+ 
+-    /* align to page_size */
+-    paddr = (pte & a20_mask & PG_ADDRESS_MASK & ~(page_size - 1))
+-          | (addr & (page_size - 1));
++    /* merge offset within page */
++    paddr = (pte & PG_ADDRESS_MASK & ~(page_size - 1)) | (addr & (page_size - 1));
+ 
++    /*
++     * Note that NPT is walked (for both paging structures and final guest
++     * addresses) using the address with the A20 bit set.
++     */
+     if (in->ptw_idx == MMU_NESTED_IDX) {
+         CPUTLBEntryFull *full;
+         int flags, nested_page_size;
+@@ -462,7 +459,7 @@ do_check_protect_pse36:
+         }
+     }
+ 
+-    out->paddr = paddr;
++    out->paddr = paddr & x86_get_a20_mask(env);
+     out->prot = prot;
+     out->page_size = page_size;
+     return true;
+@@ -556,6 +553,10 @@ static bool get_physical_address(CPUX86State *env, vaddr addr,
+         break;
+ 
+     default:
++        if (is_mmu_index_32(mmu_idx)) {
++            addr = (uint32_t)addr;
++        }
++
+         if (likely(env->cr[0] & CR0_PG_MASK)) {
+             in.cr3 = env->cr[3];
+             in.mmu_idx = mmu_idx;
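Review bot: the truncation addr = (uint32_t)addr now depends on is_mmu_index_32(mmu_idx) and has no comment, while the HF_LMA_MASK-based truncation and its explanatory comment are deleted in the next hunk. Carry a short comment over to the new location so the reason for narrowing the address stays documented.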
+@@ -579,14 +580,8 @@ static bool get_physical_address(CPUX86State *env, vaddr addr,
+         break;
+     }
+ 
+-    /* Translation disabled. */
++    /* No translation needed. */
+     out->paddr = addr & x86_get_a20_mask(env);
+-#ifdef TARGET_X86_64
+-    if (!(env->hflags & HF_LMA_MASK)) {
+-        /* Without long mode we can only address 32bits in real mode */
+-        out->paddr = (uint32_t)out->paddr;
+-    }
+-#endif
+     out->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+     out->page_size = TARGET_PAGE_SIZE;
+     return true;
+diff --git a/target/i386/tcg/sysemu/misc_helper.c b/target/i386/tcg/sysemu/misc_helper.c
+index e1528b7f80..1901712ece 100644
+--- a/target/i386/tcg/sysemu/misc_helper.c
++++ b/target/i386/tcg/sysemu/misc_helper.c
+@@ -201,6 +201,9 @@ void helper_wrmsr(CPUX86State *env)
+         tlb_flush(cs);
+         break;
+     case MSR_VM_HSAVE_PA:
++        if (val & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
++            goto error;
++        }
+         env->vm_hsave = val;
+         break;
+ #ifdef TARGET_X86_64
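Review bot: in the MSR_VM_HSAVE_PA check, (~0ULL) << env_archcpu(env)->phys_bits is undefined behaviour in C if phys_bits can ever be 64, and 0xfff is an unnamed page-offset mask. Either document the upper bound of phys_bits here or guard the shift. The same expression appears in helper_vmrun, helper_vmload and helper_vmsave in this patch, so one shared helper would keep the four copies consistent.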
+diff --git a/target/i386/tcg/sysemu/svm_helper.c b/target/i386/tcg/sysemu/svm_helper.c
+index 2d27731b60..744aed4b31 100644
+--- a/target/i386/tcg/sysemu/svm_helper.c
++++ b/target/i386/tcg/sysemu/svm_helper.c
+@@ -164,14 +164,19 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
+     uint64_t new_cr3;
+     uint64_t new_cr4;
+ 
+-    cpu_svm_check_intercept_param(env, SVM_EXIT_VMRUN, 0, GETPC());
+-
+     if (aflag == 2) {
+         addr = env->regs[R_EAX];
+     } else {
+         addr = (uint32_t)env->regs[R_EAX];
+     }
+ 
++    /* Exceptions are checked before the intercept.  */
++    if (addr & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
++        raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
++    }
++
++    cpu_svm_check_intercept_param(env, SVM_EXIT_VMRUN, 0, GETPC());
++
+     qemu_log_mask(CPU_LOG_TB_IN_ASM, "vmrun! " TARGET_FMT_lx "\n", addr);
+ 
+     env->vm_vmcb = addr;
+@@ -465,14 +470,19 @@ void helper_vmload(CPUX86State *env, int aflag)
+     int mmu_idx = MMU_PHYS_IDX;
+     target_ulong addr;
+ 
+-    cpu_svm_check_intercept_param(env, SVM_EXIT_VMLOAD, 0, GETPC());
+-
+     if (aflag == 2) {
+         addr = env->regs[R_EAX];
+     } else {
+         addr = (uint32_t)env->regs[R_EAX];
+     }
+ 
++    /* Exceptions are checked before the intercept.  */
++    if (addr & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
++        raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
++    }
++
++    cpu_svm_check_intercept_param(env, SVM_EXIT_VMLOAD, 0, GETPC());
++
+     if (virtual_vm_load_save_enabled(env, SVM_EXIT_VMLOAD, GETPC())) {
+         mmu_idx = MMU_NESTED_IDX;
+     }
+@@ -521,14 +531,19 @@ void helper_vmsave(CPUX86State *env, int aflag)
+     int mmu_idx = MMU_PHYS_IDX;
+     target_ulong addr;
+ 
+-    cpu_svm_check_intercept_param(env, SVM_EXIT_VMSAVE, 0, GETPC());
+-
+     if (aflag == 2) {
+         addr = env->regs[R_EAX];
+     } else {
+         addr = (uint32_t)env->regs[R_EAX];
+     }
+ 
++    /* Exceptions are checked before the intercept.  */
++    if (addr & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
++        raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
++    }
++
++    cpu_svm_check_intercept_param(env, SVM_EXIT_VMSAVE, 0, GETPC());
++
+     if (virtual_vm_load_save_enabled(env, SVM_EXIT_VMSAVE, GETPC())) {
+         mmu_idx = MMU_NESTED_IDX;
+     }
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 68c42fd9ff..abacb91ddf 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -1501,12 +1501,13 @@ static bool check_iopl(DisasContext *s)
+ /* if d == OR_TMP0, it means memory operand (address in A0) */
+ static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
+ {
++    /* Invalid lock prefix when destination is not memory or OP_CMPL. */
++    if ((d != OR_TMP0 || op == OP_CMPL) && s1->prefix & PREFIX_LOCK) {
++        gen_illegal_opcode(s1);
++        return;
++    }
++
+     if (d != OR_TMP0) {
+-        if (s1->prefix & PREFIX_LOCK) {
+-            /* Lock prefix when destination is not memory.  */
+-            gen_illegal_opcode(s1);
+-            return;
+-        }
+         gen_op_mov_v_reg(s1, ot, s1->T0, d);
+     } else if (!(s1->prefix & PREFIX_LOCK)) {
+         gen_op_ld_v(s1, ot, s1->T0, s1->A0);
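Review bot: in the new early check in gen_op(), s1->prefix & PREFIX_LOCK sits unparenthesized on the right of &&. It parses as intended, but parentheses around the bit test would match the !(s1->prefix & PREFIX_LOCK) form used a few lines below. The comment "when destination is not memory or OP_CMPL" is also ambiguous; reword it to say that the LOCK prefix is rejected for register destinations and for OP_CMPL.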
+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
+index 4deb29ee42..de1709809d 100644
+--- a/target/ppc/translate/vsx-impl.c.inc
++++ b/target/ppc/translate/vsx-impl.c.inc
+@@ -2518,7 +2518,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
+ 
+ static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
+ {
+-    if (paired || a->rt >= 32) {
++    if (paired || a->rt < 32) {
+         REQUIRE_VSX(ctx);
+     } else {
+         REQUIRE_VECTOR(ctx);
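Review bot: the condition in do_lstxv_D() flips from a->rt >= 32 to a->rt < 32 with no comment in this hunk, so the next reader cannot tell which register range is meant to require VSX. Add a comment above the if stating which rt values map to REQUIRE_VSX and which to REQUIRE_VECTOR.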
+diff --git a/tests/data/acpi/q35/DSDT.cxl b/tests/data/acpi/q35/DSDT.cxl
+index f9c6dd4ee0..267709e4e4 100644
+Binary files a/tests/data/acpi/q35/DSDT.cxl and b/tests/data/acpi/q35/DSDT.cxl differ
+diff --git a/tests/qemu-iotests/144 b/tests/qemu-iotests/144
+index bdcc498fa2..d284a0e442 100755
+--- a/tests/qemu-iotests/144
++++ b/tests/qemu-iotests/144
+@@ -83,12 +83,22 @@ echo
+ echo === Performing block-commit on active layer ===
+ echo
+ 
++capture_events="BLOCK_JOB_READY JOB_STATUS_CHANGE"
++
+ # Block commit on active layer, push the new overlay into base
+ _send_qemu_cmd $h "{ 'execute': 'block-commit',
+                                 'arguments': {
+                                                  'device': 'virtio0'
+                                               }
+-                    }" "READY"
++                    }" "return"
++
++_wait_event $h "JOB_STATUS_CHANGE"
++_wait_event $h "JOB_STATUS_CHANGE"
++_wait_event $h "JOB_STATUS_CHANGE"
++
++_wait_event $h "BLOCK_JOB_READY"
++
++capture_events=
+ 
+ _send_qemu_cmd $h "{ 'execute': 'block-job-complete',
+                                 'arguments': {
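Review bot: the three consecutive _wait_event $h "JOB_STATUS_CHANGE" calls hard-code the number of state transitions before BLOCK_JOB_READY without saying which ones they are. A comment naming them (created, running, ready, as in the updated 144.out) would make the test easier to adjust if the job state sequence changes.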
+diff --git a/tests/qemu-iotests/144.out b/tests/qemu-iotests/144.out
+index b3b4812015..2245ddfa10 100644
+--- a/tests/qemu-iotests/144.out
++++ b/tests/qemu-iotests/144.out
+@@ -25,9 +25,9 @@ Formatting 'TEST_DIR/tmp.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off co
+                                                  'device': 'virtio0'
+                                               }
+                     }
++{"return": {}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "virtio0"}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "virtio0"}}
+-{"return": {}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "ready", "id": "virtio0"}}
+ {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "BLOCK_JOB_READY", "data": {"device": "virtio0", "len": 0, "offset": 0, "speed": 0, "type": "commit"}}
+ { 'execute': 'block-job-complete',
+diff --git a/tests/qtest/display-vga-test.c b/tests/qtest/display-vga-test.c
+index ace3bb28e0..75b341a9c6 100644
+--- a/tests/qtest/display-vga-test.c
++++ b/tests/qtest/display-vga-test.c
+@@ -8,61 +8,46 @@
+  */
+ 
+ #include "qemu/osdep.h"
+-#include "libqtest-single.h"
+-
+-static void pci_cirrus(void)
+-{
+-    qtest_start("-vga none -device cirrus-vga");
+-    qtest_end();
+-}
+-
+-static void pci_stdvga(void)
+-{
+-    qtest_start("-vga none -device VGA");
+-    qtest_end();
+-}
+-
+-static void pci_secondary(void)
+-{
+-    qtest_start("-vga none -device secondary-vga");
+-    qtest_end();
+-}
++#include "libqtest.h"
+ 
+ static void pci_multihead(void)
+ {
+-    qtest_start("-vga none -device VGA -device secondary-vga");
+-    qtest_end();
+-}
++    QTestState *qts;
+ 
+-static void pci_virtio_gpu(void)
+-{
+-    qtest_start("-vga none -device virtio-gpu-pci");
+-    qtest_end();
++    qts = qtest_init("-vga none -device VGA -device secondary-vga");
++    qtest_quit(qts);
+ }
+ 
+-static void pci_virtio_vga(void)
++static void test_vga(gconstpointer data)
+ {
+-    qtest_start("-vga none -device virtio-vga");
+-    qtest_end();
++    QTestState *qts;
++
++    qts = qtest_initf("-vga none -device %s", (const char *)data);
++    qtest_quit(qts);
+ }
+ 
+ int main(int argc, char **argv)
+ {
+-    const char *arch = qtest_get_arch();
++    static const char *devices[] = {
++        "cirrus-vga",
++        "VGA",
++        "secondary-vga",
++        "virtio-gpu-pci",
++        "virtio-vga"
++    };
+ 
+     g_test_init(&argc, &argv, NULL);
+ 
+-    if (strcmp(arch, "alpha") == 0 || strcmp(arch, "i386") == 0 ||
+-        strcmp(arch, "mips") == 0 || strcmp(arch, "x86_64") == 0) {
+-        qtest_add_func("/display/pci/cirrus", pci_cirrus);
++    for (int i = 0; i < ARRAY_SIZE(devices); i++) {
++        if (qtest_has_device(devices[i])) {
++            char *testpath = g_strdup_printf("/display/pci/%s", devices[i]);
++            qtest_add_data_func(testpath, devices[i], test_vga);
++            g_free(testpath);
++        }
+     }
+-    qtest_add_func("/display/pci/stdvga", pci_stdvga);
+-    qtest_add_func("/display/pci/secondary", pci_secondary);
+-    qtest_add_func("/display/pci/multihead", pci_multihead);
+-    qtest_add_func("/display/pci/virtio-gpu", pci_virtio_gpu);
+-    if (g_str_equal(arch, "i386") || g_str_equal(arch, "x86_64") ||
+-        g_str_equal(arch, "hppa") || g_str_equal(arch, "ppc64")) {
+-        qtest_add_func("/display/pci/virtio-vga", pci_virtio_vga);
++
++    if (qtest_has_device("secondary-vga")) {
++        qtest_add_func("/display/pci/multihead", pci_multihead);
+     }
+ 
+     return g_test_run();
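Review bot: /display/pci/multihead is registered when qtest_has_device("secondary-vga") is true, but pci_multihead() also instantiates VGA, so the guard should check both devices. In the registration loop, int i is compared against ARRAY_SIZE(devices); use an unsigned index type to avoid the signed/unsigned comparison.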
+diff --git a/tests/unit/test-blockjob.c b/tests/unit/test-blockjob.c
+index c0426bd10c..a130f6fefb 100644
+--- a/tests/unit/test-blockjob.c
++++ b/tests/unit/test-blockjob.c
+@@ -531,6 +531,13 @@ int main(int argc, char **argv)
+     g_test_add_func("/blockjob/cancel/standby", test_cancel_standby);
+     g_test_add_func("/blockjob/cancel/pending", test_cancel_pending);
+     g_test_add_func("/blockjob/cancel/concluded", test_cancel_concluded);
+-    g_test_add_func("/blockjob/complete_in_standby", test_complete_in_standby);
++
++    /*
++     * This test is flaky and sometimes fails in CI and otherwise:
++     * don't run unless user opts in via environment variable.
++     */
++    if (getenv("QEMU_TEST_FLAKY_TESTS")) {
++        g_test_add_func("/blockjob/complete_in_standby", test_complete_in_standby);
++    }
+     return g_test_run();
+ }
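Review bot: getenv("QEMU_TEST_FLAKY_TESTS") is true for any value, including an empty string or 0, so the opt-in can only be switched off by unsetting the variable. Say so in the comment or test the value. With the test unregistered by default, /blockjob/complete_in_standby also gets no coverage in normal runs, which is worth stating in the comment.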
+diff --git a/tests/unit/test-util-sockets.c b/tests/unit/test-util-sockets.c
+index 63909ccb2b..4c9dd0b271 100644
+--- a/tests/unit/test-util-sockets.c
++++ b/tests/unit/test-util-sockets.c
+@@ -326,6 +326,7 @@ static void test_socket_unix_abstract(void)
+         test_socket_unix_abstract_row(&matrix[i]);
+     }
+ 
++    unlink(addr.u.q_unix.path);
+     g_free(addr.u.q_unix.path);
+ }
+ 
+diff --git a/tests/unit/test-vmstate.c b/tests/unit/test-vmstate.c
+index 541bb4f63e..aae32bbf91 100644
+--- a/tests/unit/test-vmstate.c
++++ b/tests/unit/test-vmstate.c
+@@ -1074,7 +1074,6 @@ static gboolean diff_tree(gpointer key, gpointer value, gpointer data)
+     struct match_node_data d = {tp->tree2, key, value};
+ 
+     g_tree_foreach(tp->tree2, tp->match_node, &d);
+-    g_tree_remove(tp->tree1, key);
+     return false;
+ }
+ 
+@@ -1083,9 +1082,9 @@ static void compare_trees(GTree *tree1, GTree *tree2,
+ {
+     struct tree_cmp_data tp = {tree1, tree2, function};
+ 
++    assert(g_tree_nnodes(tree1) == g_tree_nnodes(tree2));
+     g_tree_foreach(tree1, diff_tree, &tp);
+-    assert(g_tree_nnodes(tree1) == 0);
+-    assert(g_tree_nnodes(tree2) == 0);
++    g_tree_destroy(g_tree_ref(tree1));
+ }
+ 
+ static void diff_domain(TestGTreeDomain *d1, TestGTreeDomain *d2)
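Review bot: g_tree_destroy(g_tree_ref(tree1)) in compare_trees() is a non-obvious idiom and has no comment; explain that the extra reference keeps the caller's tree object alive while its nodes are removed. The post-walk asserts that both trees are empty are gone as well, so beyond the up-front node-count comparison the function no longer verifies that every node of tree2 was matched. Say whether that check now lives in the match_node callback.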
+diff --git a/tests/vm/Makefile.include b/tests/vm/Makefile.include
+index 2cc2203d09..e332fd13c3 100644
+--- a/tests/vm/Makefile.include
++++ b/tests/vm/Makefile.include
+@@ -103,7 +103,7 @@ $(IMAGES_DIR)/%.img:	$(SRC_PATH)/tests/vm/% \
+ 		$(if $(LOG_CONSOLE),--log-console) \
+ 		--source-path $(SRC_PATH) \
+ 		--image "$@" \
+-		--force \
++		$(if $(filter-out check-venv, $?), --force) \
+ 		--build-image $@, \
+ 		"  VM-IMAGE $*")
+ 
+diff --git a/tests/vm/basevm.py b/tests/vm/basevm.py
+index 2276364c42..6a54d9d4e0 100644
+--- a/tests/vm/basevm.py
++++ b/tests/vm/basevm.py
+@@ -634,9 +634,9 @@ def main(vmcls, config=None):
+         vm = vmcls(args, config=config)
+         if args.build_image:
+             if os.path.exists(args.image) and not args.force:
+-                sys.stderr.writelines(["Image file exists: %s\n" % args.image,
++                sys.stderr.writelines(["Image file exists, skipping build: %s\n" % args.image,
+                                       "Use --force option to overwrite\n"])
+-                return 1
++                return 0
+             return vm.build_image(args.image)
+         if args.build_qemu:
+             vm.add_source_dir(args.build_qemu)
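Review bot: with return 0 the existing-image case now reports success, yet the message still goes to stderr and still ends with "Use --force option to overwrite", which reads like an error. Reword it as an informational skip, and note in a comment that callers can no longer tell a fresh build from a reused, possibly stale image by exit status.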
+diff --git a/tests/vm/openbsd b/tests/vm/openbsd
+index eaeb201e91..f185aa96ab 100755
+--- a/tests/vm/openbsd
++++ b/tests/vm/openbsd
+@@ -22,8 +22,8 @@ class OpenBSDVM(basevm.BaseVM):
+     name = "openbsd"
+     arch = "x86_64"
+ 
+-    link = "https://cdn.openbsd.org/pub/OpenBSD/7.2/amd64/install72.iso";
+-    csum = "0369ef40a3329efcb978c578c7fdc7bda71e502aecec930a74b44160928c91d3"
++    link = "https://cdn.openbsd.org/pub/OpenBSD/7.4/amd64/install74.iso";
++    csum = "a1001736ed9fe2307965b5fcdb426ae11f9b80d26eb21e404a705144a0a224a0"
+     size = "20G"
+     pkgs = [
+         # tools
+@@ -97,10 +97,10 @@ class OpenBSDVM(basevm.BaseVM):
+         self.console_wait_send("(I)nstall",               "i\n")
+         self.console_wait_send("Terminal type",           "xterm\n")
+         self.console_wait_send("System hostname",         "openbsd\n")
+-        self.console_wait_send("Which network interface", "vio0\n")
++        self.console_wait_send("Network interface to configure", "vio0\n")
+         self.console_wait_send("IPv4 address",            "autoconf\n")
+         self.console_wait_send("IPv6 address",            "none\n")
+-        self.console_wait_send("Which network interface", "done\n")
++        self.console_wait_send("Network interface to configure", "done\n")
+         self.console_wait("Password for root account")
+         self.console_send("%s\n" % self._config["root_pass"])
+         self.console_wait("Password for root account")
+@@ -123,6 +123,7 @@ class OpenBSDVM(basevm.BaseVM):
+         self.console_wait_send("Allow root ssh login",    "yes\n")
+         self.console_wait_send("timezone",                "UTC\n")
+         self.console_wait_send("root disk",               "\n")
++        self.console_wait_send("Encrypt the root disk with a passphrase", "no\n")
+         self.console_wait_send("(W)hole disk",            "\n")
+         self.console_wait_send("(A)uto layout",           "\n")
+         self.console_wait_send("Location of sets",        "cd0\n")
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf8..4264884a6c 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -65,12 +65,24 @@ bool qemu_clipboard_check_serial(QemuClipboardInfo *info, bool client)
+ 
+ void qemu_clipboard_update(QemuClipboardInfo *info)
+ {
++    uint32_t type;
+     QemuClipboardNotify notify = {
+         .type = QEMU_CLIPBOARD_UPDATE_INFO,
+         .info = info,
+     };
+     assert(info->selection < QEMU_CLIPBOARD_SELECTION__COUNT);
+ 
++    for (type = 0; type < QEMU_CLIPBOARD_TYPE__COUNT; type++) {
++        /*
++         * If data is missing, the clipboard owner's 'request' callback needs to
++         * be set. Otherwise, there is no way to get the clipboard data and
++         * qemu_clipboard_request() cannot be called.
++         */
++        if (info->types[type].available && !info->types[type].data) {
++            assert(info->owner && info->owner->request);
++        }
++    }
++
+     notifier_list_notify(&clipboard_notifiers, &notify);
+ 
+     if (cbinfo[info->selection] != info) {
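Review bot: the new loop in qemu_clipboard_update() turns an inconsistent info (a type marked available with no data and no owner request callback) into an assert failure, which aborts the whole process. If any caller fills info from peer-supplied input, that input should be validated and rejected at that boundary, with the assert kept only as a backstop. The comment should name which callers are expected to uphold the invariant.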
+@@ -132,6 +144,8 @@ void qemu_clipboard_request(QemuClipboardInfo *info,
+         !info->owner)
+         return;
+ 
++    assert(info->owner->request);
++
+     info->types[type].requested = true;
+     info->owner->request(info, type);
+ }
+@@ -163,9 +177,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+     }
+ 
+     g_free(info->types[type].data);
+-    info->types[type].data = g_memdup(data, size);
+-    info->types[type].size = size;
+-    info->types[type].available = true;
++    if (size) {
++        info->types[type].data = g_memdup2(data, size);
++        info->types[type].size = size;
++        info->types[type].available = true;
++    } else {
++        info->types[type].data = NULL;
++        info->types[type].size = 0;
++        info->types[type].available = false;
++    }
+ 
+     if (update) {
+         qemu_clipboard_update(info);
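Review bot: on the new size == 0 branch of qemu_clipboard_set_data() the type is marked unavailable, but types[type].requested, which qemu_clipboard_request() sets to true in the hunk above, is not touched on either branch within the visible lines. Check whether an empty reply should clear it, and add a comment on the else branch saying that a zero-length payload is treated as "no data" rather than stored.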
+diff --git a/ui/console.c b/ui/console.c
+index 52414d6aa3..269cf27163 100644
+--- a/ui/console.c
++++ b/ui/console.c
+@@ -2583,7 +2583,7 @@ void qemu_console_resize(QemuConsole *s, int width, int height)
+     assert(s->console_type == GRAPHIC_CONSOLE);
+ 
+     if ((s->scanout.kind != SCANOUT_SURFACE ||
+-         (surface && surface->flags & QEMU_ALLOCATED_FLAG)) &&
++         (surface && !is_buffer_shared(surface) && !is_placeholder(surface))) &&
+         qemu_console_get_width(s, -1) == width &&
+         qemu_console_get_height(s, -1) == height) {
+         return;
+diff --git a/ui/meson.build b/ui/meson.build
+index c1b137bf33..76c6644b3f 100644
+--- a/ui/meson.build
++++ b/ui/meson.build
+@@ -81,7 +81,9 @@ if dbus_display
+                                           '--interface-prefix', 'org.qemu.',
+                                           '--c-namespace', 'QemuDBus',
+                                           '--generate-c-code', '@BASENAME@'])
+-  dbus_ss.add(when: [gio, pixman, opengl, gbm],
++  dbus_display1_lib = static_library('dbus-display1', dbus_display1, dependencies: gio)
++  dbus_display1_dep = declare_dependency(link_with: dbus_display1_lib, include_directories: include_directories('.'))
++  dbus_ss.add(when: [gio, pixman, opengl, gbm, dbus_display1_dep],
+               if_true: [files(
+                 'dbus-chardev.c',
+                 'dbus-clipboard.c',
+@@ -89,7 +91,7 @@ if dbus_display
+                 'dbus-error.c',
+                 'dbus-listener.c',
+                 'dbus.c',
+-              ), dbus_display1])
++              )])
+   ui_modules += {'dbus' : dbus_ss}
+ endif
+ 
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 1ca16c0ff6..629a500adc 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2456,6 +2456,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+         }
+ 
+         if (read_s32(data, 4) < 0) {
++            if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
++                error_report("vnc: extended clipboard message while disabled");
++                vnc_client_error(vs);
++                break;
++            }
+             if (dlen < 4) {
+                 error_report("vnc: malformed payload (header less than 4 bytes)"
+                              " in extended clipboard pseudo-encoding.");
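Review bot: The new `error_report("vnc: extended clipboard message while disabled")` in the `read_s32(data, 4) < 0` branch can be triggered by any client that sends this message without `VNC_FEATURE_CLIPBOARD_EXT` enabled, so the host log is written on client demand. Since `vnc_client_error(vs)` already drops the client, a trace event or a rate-limited message would be a better fit here. The placement itself is right: the feature check comes before the `dlen < 4` test, so a client with the feature disabled never reaches the extended clipboard payload parsing.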
diff -Nru qemu-7.2+dfsg/debian/patches/v7.2.11.diff qemu-7.2+dfsg/debian/patches/v7.2.11.diff
--- qemu-7.2+dfsg/debian/patches/v7.2.11.diff	1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg/debian/patches/v7.2.11.diff	2024-05-03 18:30:51.000000000 +0300
@@ -0,0 +1,2353 @@
+Subject: v7.2.11
+Date: Wed Apr 24 06:02:50 2024 +0300
+From: Michael Tokarev <mjt@tls.msk.ru>
+Forwarded: not-needed
+
+This is a difference between upstream qemu v7.2.10
+and upstream qemu v7.2.11.
+
+
+ .gitlab-ci.d/cirrus.yml              |   4 +-
+ VERSION                              |   2 +-
+ backends/cryptodev-builtin.c         |   4 +-
+ hw/acpi/hmat.c                       |   6 +-
+ hw/block/nand.c                      |  55 +++++++----
+ hw/char/virtio-serial-bus.c          |   3 +-
+ hw/core/machine.c                    |   1 +
+ hw/display/virtio-gpu.c              |   6 +-
+ hw/intc/arm_gicv3_cpuif.c            |   4 +-
+ hw/misc/applesmc.c                   |   1 +
+ hw/net/e1000e_core.c                 |  60 ++----------
+ hw/net/e1000e_core.h                 |   2 -
+ hw/net/lan9118.c                     |  28 +++++-
+ hw/net/pcnet.c                       |   2 +-
+ hw/net/virtio-net.c                  |   8 +-
+ hw/nvme/ctrl.c                       | 178 +++++++++++++++++++----------------
+ hw/nvme/nvme.h                       |   1 +
+ hw/pci/pcie_sriov.c                  |   8 ++
+ hw/ppc/spapr.c                       |   9 +-
+ hw/ppc/spapr_irq.c                   |   6 +-
+ hw/rtc/sun4v-rtc.c                   |   2 +-
+ hw/scsi/lsi53c895a.c                 |  60 +++++++++---
+ hw/scsi/scsi-generic.c               |   1 -
+ hw/scsi/trace-events                 |   2 +
+ hw/sd/sdhci.c                        |   8 ++
+ hw/virtio/virtio-crypto.c            |   4 +-
+ hw/virtio/virtio.c                   |  22 ++++-
+ include/hw/pci/pcie_sriov.h          |   3 +
+ include/hw/ppc/spapr_irq.h           |  14 ++-
+ include/hw/rtc/sun4v-rtc.h           |   2 +-
+ include/hw/virtio/virtio.h           |   7 ++
+ linux-user/syscall.c                 |  22 +++--
+ migration/block.c                    |   5 +-
+ monitor/misc.c                       |   2 +-
+ qemu-options.hx                      |   6 +-
+ scripts/make-release                 |   2 +-
+ softmmu/qdev-monitor.c               |  23 +++--
+ target/arm/helper.c                  |  96 +++++++++++++++----
+ target/arm/translate-sme.c           |  24 +++--
+ target/hppa/translate.c              |   1 +
+ target/i386/cpu-param.h              |   2 +-
+ target/i386/cpu.h                    |  50 +++++++---
+ target/i386/helper.c                 |   2 +-
+ target/i386/tcg/sysemu/excp_helper.c |   7 +-
+ target/loongarch/cpu.c               |  72 +++++++-------
+ target/sh4/translate.c               |   3 +
+ tcg/optimize.c                       |  19 ++--
+ tests/tcg/aarch64/Makefile.target    |  12 ++-
+ tests/tcg/aarch64/sme-outprod1.c     |  83 ++++++++++++++++
+ tests/tcg/aarch64/sysregs.c          |  27 ++++--
+ tests/tcg/aarch64/test-2150.c        |  12 +++
+ tests/tcg/aarch64/test-2248.c        |  28 ++++++
+ tests/unit/meson.build               |   8 +-
+ ui/cocoa.m                           |   7 ++
+ 54 files changed, 708 insertions(+), 318 deletions(-)
+
+diff --git a/.gitlab-ci.d/cirrus.yml b/.gitlab-ci.d/cirrus.yml
+index 634a73a742..c86487da5b 100644
+--- a/.gitlab-ci.d/cirrus.yml
++++ b/.gitlab-ci.d/cirrus.yml
+@@ -13,7 +13,7 @@
+ .cirrus_build_job:
+   extends: .base_job_template
+   stage: build
+-  image: registry.gitlab.com/libvirt/libvirt-ci/cirrus-run:master
++  image: registry.gitlab.com/libvirt/libvirt-ci/cirrus-run:latest
+   needs: []
+   timeout: 80m
+   allow_failure: true
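Review bot: `image: registry.gitlab.com/libvirt/libvirt-ci/cirrus-run:latest` swaps one mutable tag for another, so `.cirrus_build_job` still runs whatever the registry serves under that tag at build time. Pinning the image by digest or by a versioned tag would make the job reproducible and remove the dependency on the tag's current target.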
+@@ -63,7 +63,7 @@ x64-freebsd-13-build:
+     NAME: freebsd-13
+     CIRRUS_VM_INSTANCE_TYPE: freebsd_instance
+     CIRRUS_VM_IMAGE_SELECTOR: image_family
+-    CIRRUS_VM_IMAGE_NAME: freebsd-13-1
++    CIRRUS_VM_IMAGE_NAME: freebsd-13-3
+     CIRRUS_VM_CPUS: 8
+     CIRRUS_VM_RAM: 8G
+     UPDATE_COMMAND: pkg update
+diff --git a/VERSION b/VERSION
+index 6bfb3a0ba9..971381d35b 100644
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-7.2.10
++7.2.11
+diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
+index cda6ca3b71..2e792be756 100644
+--- a/backends/cryptodev-builtin.c
++++ b/backends/cryptodev-builtin.c
+@@ -416,7 +416,9 @@ static int cryptodev_builtin_close_session(
+                       CRYPTODEV_BACKEND_BUILTIN(backend);
+     CryptoDevBackendBuiltinSession *session;
+ 
+-    assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]);
++    if (session_id >= MAX_NUM_SESSIONS || !builtin->sessions[session_id]) {
++        return -VIRTIO_CRYPTO_INVSESS;
++    }
+ 
+     session = builtin->sessions[session_id];
+     if (session->cipher) {
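Review bot: The new early return in `cryptodev_builtin_close_session()` needs its callers checked: with the old `assert()` a bad `session_id` aborted the process and never produced a return value, so confirm each caller propagates `-VIRTIO_CRYPTO_INVSESS` instead of ignoring it. It is also worth checking whether other functions in this file index `builtin->sessions[session_id]` behind a similar assert, since the same conversion would apply there.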
+diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
+index 3a6d51282a..768038e0da 100644
+--- a/hw/acpi/hmat.c
++++ b/hw/acpi/hmat.c
+@@ -77,6 +77,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
+                           uint32_t *initiator_list)
+ {
+     int i, index;
++    uint32_t initiator_to_index[MAX_NODES] = {};
+     HMAT_LB_Data *lb_data;
+     uint16_t *entry_list;
+     uint32_t base;
+@@ -120,6 +121,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
+     /* Initiator Proximity Domain List */
+     for (i = 0; i < num_initiator; i++) {
+         build_append_int_noprefix(table_data, initiator_list[i], 4);
++        /* Reverse mapping for array possitions */
++        initiator_to_index[initiator_list[i]] = i;
+     }
+ 
+     /* Target Proximity Domain List */
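Review bot: `initiator_to_index[initiator_list[i]] = i;` writes into a `MAX_NODES`-sized stack array using a value taken from `initiator_list`, and nothing in this hunk bounds that value. If an entry can be `>= MAX_NODES` this is an out-of-bounds write, so add a range check or assert, or say in the comment where the bound is enforced. Typo in the new comment: "possitions" should be "positions".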
+@@ -131,7 +134,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
+     entry_list = g_new0(uint16_t, num_initiator * num_target);
+     for (i = 0; i < hmat_lb->list->len; i++) {
+         lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
+-        index = lb_data->initiator * num_target + lb_data->target;
++        index = initiator_to_index[lb_data->initiator] * num_target +
++            lb_data->target;
+ 
+         entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
+     }
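Review bot: In `index = initiator_to_index[lb_data->initiator] * num_target + lb_data->target`, an initiator that never appeared in `initiator_list` reads the zero default from the `= {}` initialiser and silently lands in row 0, overwriting the first initiator's slot in `entry_list`. Initialise the map to a sentinel and skip or assert on unmapped initiators, or document that every `lb_data->initiator` is guaranteed to be in the list. `lb_data->initiator` is also used as an array index here without a `< MAX_NODES` check.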
+diff --git a/hw/block/nand.c b/hw/block/nand.c
+index 1aee1cb2b1..d994bfe372 100644
+--- a/hw/block/nand.c
++++ b/hw/block/nand.c
+@@ -84,7 +84,11 @@ struct NANDFlashState {
+ 
+     void (*blk_write)(NANDFlashState *s);
+     void (*blk_erase)(NANDFlashState *s);
+-    void (*blk_load)(NANDFlashState *s, uint64_t addr, int offset);
++    /*
++     * Returns %true when block containing (@addr + @offset) is
++     * successfully loaded, otherwise %false.
++     */
++    bool (*blk_load)(NANDFlashState *s, uint64_t addr, unsigned offset);
+ 
+     uint32_t ioaddr_vmstate;
+ };
+@@ -243,9 +247,30 @@ static inline void nand_pushio_byte(NANDFlashState *s, uint8_t value)
+     }
+ }
+ 
++/*
++ * nand_load_block: Load block containing (s->addr + @offset).
++ * Returns length of data available at @offset in this block.
++ */
++static unsigned nand_load_block(NANDFlashState *s, unsigned offset)
++{
++    unsigned iolen;
++
++    if (!s->blk_load(s, s->addr, offset)) {
++        return 0;
++    }
++
++    iolen = (1 << s->page_shift);
++    if (s->gnd) {
++        iolen += 1 << s->oob_shift;
++    }
++    assert(offset <= iolen);
++    iolen -= offset;
++
++    return iolen;
++}
++
+ static void nand_command(NANDFlashState *s)
+ {
+-    unsigned int offset;
+     switch (s->cmd) {
+     case NAND_CMD_READ0:
+         s->iolen = 0;
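Review bot: `assert(offset <= iolen)` in `nand_load_block()` is not implied by the bound that `blk_load` enforces. `nand_blk_load_*` rejects only `offset > NAND_PAGE_SIZE + OOB_SIZE`, while `iolen` here is `1 << s->page_shift` alone when `s->gnd` is clear, so (assuming the shifts correspond to those sizes) an offset inside the OOB range passes the load and then trips the assert. The offset is built from `s->addr` and `s->offset` in `nand_getio()`, so returning 0 for that case would be safer than asserting.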
+@@ -271,12 +296,7 @@ static void nand_command(NANDFlashState *s)
+     case NAND_CMD_NOSERIALREAD2:
+         if (!(nand_flash_ids[s->chip_id].options & NAND_SAMSUNG_LP))
+             break;
+-        offset = s->addr & ((1 << s->addr_shift) - 1);
+-        s->blk_load(s, s->addr, offset);
+-        if (s->gnd)
+-            s->iolen = (1 << s->page_shift) - offset;
+-        else
+-            s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset;
++        s->iolen = nand_load_block(s, s->addr & ((1 << s->addr_shift) - 1));
+         break;
+ 
+     case NAND_CMD_RESET:
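Review bot: `s->iolen = nand_load_block(s, ...)` is not equivalent to the lines it replaces. The removed code used the page size alone when `s->gnd` was set and added `1 << s->oob_shift` otherwise, whereas `nand_load_block()` adds the OOB size when `s->gnd` is set. If the inversion is intended it should be stated in the commit message; if not, the condition in the helper needs to be `!s->gnd`. The same applies to the `nand_getio()` call site.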
+@@ -597,12 +617,7 @@ uint32_t nand_getio(DeviceState *dev)
+     if (!s->iolen && s->cmd == NAND_CMD_READ0) {
+         offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset;
+         s->offset = 0;
+-
+-        s->blk_load(s, s->addr, offset);
+-        if (s->gnd)
+-            s->iolen = (1 << s->page_shift) - offset;
+-        else
+-            s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset;
++        s->iolen = nand_load_block(s, offset);
+     }
+ 
+     if (s->ce || s->iolen <= 0) {
+@@ -763,11 +778,15 @@ static void glue(nand_blk_erase_, NAND_PAGE_SIZE)(NANDFlashState *s)
+     }
+ }
+ 
+-static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
+-                uint64_t addr, int offset)
++static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
++                                                 uint64_t addr, unsigned offset)
+ {
+     if (PAGE(addr) >= s->pages) {
+-        return;
++        return false;
++    }
++
++    if (offset > NAND_PAGE_SIZE + OOB_SIZE) {
++        return false;
+     }
+ 
+     if (s->blk) {
+@@ -795,6 +814,8 @@ static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
+                         offset, NAND_PAGE_SIZE + OOB_SIZE - offset);
+         s->ioaddr = s->io;
+     }
++
++    return true;
+ }
+ 
+ static void glue(nand_init_, NAND_PAGE_SIZE)(NANDFlashState *s)
+diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
+index dd619f0731..1221fb7f15 100644
+--- a/hw/char/virtio-serial-bus.c
++++ b/hw/char/virtio-serial-bus.c
+@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp)
+         return;
+     }
+ 
+-    port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port,
+-                                   &dev->mem_reentrancy_guard);
++    port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port);
+     port->elem = NULL;
+ }
+ 
+diff --git a/hw/core/machine.c b/hw/core/machine.c
+index 19f42450f5..1daaace9a3 100644
+--- a/hw/core/machine.c
++++ b/hw/core/machine.c
+@@ -80,6 +80,7 @@ GlobalProperty hw_compat_5_2[] = {
+     { "PIIX4_PM", "smm-compat", "on"},
+     { "virtio-blk-device", "report-discard-granularity", "off" },
+     { "virtio-net-pci-base", "vectors", "3"},
++    { "nvme", "msix-exclusive-bar", "on"},
+ };
+ const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2);
+ 
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 7c13b056b9..d353b99e93 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -1356,10 +1356,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp)
+ 
+     g->ctrl_vq = virtio_get_queue(vdev, 0);
+     g->cursor_vq = virtio_get_queue(vdev, 1);
+-    g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g,
+-                                     &qdev->mem_reentrancy_guard);
+-    g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g,
+-                                       &qdev->mem_reentrancy_guard);
++    g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g);
++    g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g);
+     QTAILQ_INIT(&g->reslist);
+     QTAILQ_INIT(&g->cmdq);
+     QTAILQ_INIT(&g->fenceq);
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+index f71b3b07d8..ddfbc69d65 100644
+--- a/hw/intc/arm_gicv3_cpuif.c
++++ b/hw/intc/arm_gicv3_cpuif.c
+@@ -1065,7 +1065,7 @@ static uint64_t icc_hppir0_value(GICv3CPUState *cs, CPUARMState *env)
+      */
+     bool irq_is_secure;
+ 
+-    if (cs->hppi.prio == 0xff) {
++    if (icc_no_enabled_hppi(cs)) {
+         return INTID_SPURIOUS;
+     }
+ 
+@@ -1102,7 +1102,7 @@ static uint64_t icc_hppir1_value(GICv3CPUState *cs, CPUARMState *env)
+      */
+     bool irq_is_secure;
+ 
+-    if (cs->hppi.prio == 0xff) {
++    if (icc_no_enabled_hppi(cs)) {
+         return INTID_SPURIOUS;
+     }
+ 
+diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
+index 5f9c742e50..80642efc57 100644
+--- a/hw/misc/applesmc.c
++++ b/hw/misc/applesmc.c
+@@ -273,6 +273,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev)
+     /* Remove existing entries */
+     QLIST_FOREACH_SAFE(d, &s->data_def, node, next) {
+         QLIST_REMOVE(d, node);
++        g_free(d);
+     }
+     s->status = 0x00;
+     s->status_1e = 0x00;
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index c71d82ce1d..742f5ec800 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -108,14 +108,6 @@ e1000e_intmgr_timer_resume(E1000IntrDelayTimer *timer)
+     }
+ }
+ 
+-static void
+-e1000e_intmgr_timer_pause(E1000IntrDelayTimer *timer)
+-{
+-    if (timer->running) {
+-        timer_del(timer->timer);
+-    }
+-}
+-
+ static inline void
+ e1000e_intrmgr_stop_timer(E1000IntrDelayTimer *timer)
+ {
+@@ -397,24 +389,6 @@ e1000e_intrmgr_resume(E1000ECore *core)
+     }
+ }
+ 
+-static void
+-e1000e_intrmgr_pause(E1000ECore *core)
+-{
+-    int i;
+-
+-    e1000e_intmgr_timer_pause(&core->radv);
+-    e1000e_intmgr_timer_pause(&core->rdtr);
+-    e1000e_intmgr_timer_pause(&core->raid);
+-    e1000e_intmgr_timer_pause(&core->tidv);
+-    e1000e_intmgr_timer_pause(&core->tadv);
+-
+-    e1000e_intmgr_timer_pause(&core->itr);
+-
+-    for (i = 0; i < E1000E_MSIX_VEC_NUM; i++) {
+-        e1000e_intmgr_timer_pause(&core->eitr[i]);
+-    }
+-}
+-
+ static void
+ e1000e_intrmgr_reset(E1000ECore *core)
+ {
+@@ -3336,12 +3310,6 @@ e1000e_core_read(E1000ECore *core, hwaddr addr, unsigned size)
+     return 0;
+ }
+ 
+-static inline void
+-e1000e_autoneg_pause(E1000ECore *core)
+-{
+-    timer_del(core->autoneg_timer);
+-}
+-
+ static void
+ e1000e_autoneg_resume(E1000ECore *core)
+ {
+@@ -3353,22 +3321,6 @@ e1000e_autoneg_resume(E1000ECore *core)
+     }
+ }
+ 
+-static void
+-e1000e_vm_state_change(void *opaque, bool running, RunState state)
+-{
+-    E1000ECore *core = opaque;
+-
+-    if (running) {
+-        trace_e1000e_vm_state_running();
+-        e1000e_intrmgr_resume(core);
+-        e1000e_autoneg_resume(core);
+-    } else {
+-        trace_e1000e_vm_state_stopped();
+-        e1000e_autoneg_pause(core);
+-        e1000e_intrmgr_pause(core);
+-    }
+-}
+-
+ void
+ e1000e_core_pci_realize(E1000ECore     *core,
+                         const uint16_t *eeprom_templ,
+@@ -3381,9 +3333,6 @@ e1000e_core_pci_realize(E1000ECore     *core,
+                                        e1000e_autoneg_timer, core);
+     e1000e_intrmgr_pci_realize(core);
+ 
+-    core->vmstate =
+-        qemu_add_vm_change_state_handler(e1000e_vm_state_change, core);
+-
+     for (i = 0; i < E1000E_NUM_QUEUES; i++) {
+         net_tx_pkt_init(&core->tx[i].tx_pkt, core->owner,
+                         E1000E_MAX_TX_FRAGS, core->has_vnet);
+@@ -3408,8 +3357,6 @@ e1000e_core_pci_uninit(E1000ECore *core)
+ 
+     e1000e_intrmgr_pci_unint(core);
+ 
+-    qemu_del_vm_change_state_handler(core->vmstate);
+-
+     for (i = 0; i < E1000E_NUM_QUEUES; i++) {
+         net_tx_pkt_reset(core->tx[i].tx_pkt);
+         net_tx_pkt_uninit(core->tx[i].tx_pkt);
+@@ -3561,5 +3508,12 @@ e1000e_core_post_load(E1000ECore *core)
+      */
+     nc->link_down = (core->mac[STATUS] & E1000_STATUS_LU) == 0;
+ 
++    /*
++     * we need to restart intrmgr timers, as an older version of
++     * QEMU can have stopped them before migration
++     */
++    e1000e_intrmgr_resume(core);
++    e1000e_autoneg_resume(core);
++
+     return 0;
+ }
+diff --git a/hw/net/e1000e_core.h b/hw/net/e1000e_core.h
+index 4ddb4d2c39..f2a8ff4a33 100644
+--- a/hw/net/e1000e_core.h
++++ b/hw/net/e1000e_core.h
+@@ -100,8 +100,6 @@ struct E1000Core {
+     E1000IntrDelayTimer eitr[E1000E_MSIX_VEC_NUM];
+     bool eitr_intr_pending[E1000E_MSIX_VEC_NUM];
+ 
+-    VMChangeStateEntry *vmstate;
+-
+     uint32_t itr_guest_value;
+     uint32_t eitr_guest_value[E1000E_MSIX_VEC_NUM];
+ 
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index 00a6d82efb..f269d72d9e 100644
+--- a/hw/net/lan9118.c
++++ b/hw/net/lan9118.c
+@@ -155,6 +155,12 @@ do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
+ 
+ #define GPT_TIMER_EN    0x20000000
+ 
++/*
++ * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit
++ * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs.
++ */
++#define MIL_TXFIFO_SIZE         2048
++
+ enum tx_state {
+     TX_IDLE,
+     TX_B,
+@@ -171,7 +177,7 @@ typedef struct {
+     int32_t pad;
+     int32_t fifo_used;
+     int32_t len;
+-    uint8_t data[2048];
++    uint8_t data[MIL_TXFIFO_SIZE];
+ } LAN9118Packet;
+ 
+ static const VMStateDescription vmstate_lan9118_packet = {
+@@ -187,7 +193,7 @@ static const VMStateDescription vmstate_lan9118_packet = {
+         VMSTATE_INT32(pad, LAN9118Packet),
+         VMSTATE_INT32(fifo_used, LAN9118Packet),
+         VMSTATE_INT32(len, LAN9118Packet),
+-        VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
++        VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE),
+         VMSTATE_END_OF_LIST()
+     }
+ };
+@@ -549,7 +555,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
+         return -1;
+     }
+ 
+-    if (size >= 2048 || size < 14) {
++    if (size >= MIL_TXFIFO_SIZE || size < 14) {
+         return -1;
+     }
+ 
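Review bot: `size >= MIL_TXFIFO_SIZE` in `lan9118_receive()` bounds a received frame with a constant named for the transmit FIFO, while the comment added with the define says the MIL receive FIFO is 128 bytes. The value is unchanged from the old literal 2048, so behaviour is the same, but a separate name for the receive limit, or a comment on why the TX size applies here, would avoid misleading the next reader.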
+@@ -798,8 +804,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val)
+             /* Documentation is somewhat unclear on the ordering of bytes
+                in FIFO words.  Empirical results show it to be little-endian.
+                */
+-            /* TODO: FIFO overflow checking.  */
+             while (n--) {
++                if (s->txp->len == MIL_TXFIFO_SIZE) {
++                    /*
++                     * No more space in the FIFO. The datasheet is not
++                     * precise about this case. We choose what is easiest
++                     * to model: the packet is truncated, and TXE is raised.
++                     *
++                     * Note, it could be a fragmented packet, but we currently
++                     * do not handle that (see earlier TX_B case).
++                     */
++                    qemu_log_mask(LOG_GUEST_ERROR,
++                                  "MIL TX FIFO overrun, discarding %u byte%s\n",
++                                  n, n > 1 ? "s" : "");
++                    s->int_sts |= TXE_INT;
++                    break;
++                }
+                 s->txp->data[s->txp->len] = val & 0xff;
+                 s->txp->len++;
+                 val >>= 8;
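Review bot: The count in the "MIL TX FIFO overrun, discarding %u byte%s" message is off by one. Inside `while (n--)` the post-decrement has already consumed the current byte, which is dropped as well, so `n + 1` bytes are discarded, and the plural test should follow the same value. Also confirm that `n` is unsigned to match `%u`. The check itself (`s->txp->len == MIL_TXFIFO_SIZE` before the store into `data[]`) covers the case the removed TODO described.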
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 56c3d14ad6..05ce8310ef 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -632,7 +632,7 @@ static inline int ladr_match(PCNetState *s, const uint8_t *buf, int size)
+ {
+     struct qemu_ether_header *hdr = (void *)buf;
+     if ((*(hdr->ether_dhost)&0x01) &&
+-        ((uint64_t *)&s->csr[8])[0] != 0LL) {
++        (s->csr[8] | s->csr[9] | s->csr[10] | s->csr[11]) != 0) {
+         uint8_t ladr[8] = {
+             s->csr[8] & 0xff, s->csr[8] >> 8,
+             s->csr[9] & 0xff, s->csr[9] >> 8,
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 412cba4927..b6177a6afe 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -2746,6 +2746,10 @@ static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq)
+     VirtIONet *n = VIRTIO_NET(vdev);
+     VirtIONetQueue *q = &n->vqs[vq2q(virtio_get_queue_index(vq))];
+ 
++    if (unlikely(n->vhost_started)) {
++        return;
++    }
++
+     if (unlikely((n->status & VIRTIO_NET_S_LINK_UP) == 0)) {
+         virtio_net_drop_tx_queue_data(vdev, vq);
+         return;
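Review bot: The new `if (unlikely(n->vhost_started)) return;` at the top of `virtio_net_handle_tx_bh()` carries no comment on why a TX notification can arrive while vhost is started or why dropping it silently is safe. A short comment stating the condition being guarded against would make the early return reviewable on its own.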
+@@ -3307,7 +3311,7 @@ static bool virtio_net_guest_notifier_pending(VirtIODevice *vdev, int idx)
+     VirtIONet *n = VIRTIO_NET(vdev);
+     NetClientState *nc;
+     assert(n->vhost_started);
+-    if (!virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ) && idx == 2) {
++    if (!n->multiqueue && idx == 2) {
+         /* Must guard against invalid features and bogus queue index
+          * from being set by malicious guest, or penetrated through
+          * buggy migration stream.
+@@ -3330,7 +3334,7 @@ static void virtio_net_guest_notifier_mask(VirtIODevice *vdev, int idx,
+     VirtIONet *n = VIRTIO_NET(vdev);
+     NetClientState *nc;
+     assert(n->vhost_started);
+-    if (!virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ) && idx == 2) {
++    if (!n->multiqueue && idx == 2) {
+         /* Must guard against invalid features and bogus queue index
+          * from being set by malicious guest, or penetrated through
+          * buggy migration stream.
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index a87f79296c..027d67f10b 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -6980,7 +6980,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
+     },
+ };
+ 
+-static void nvme_check_constraints(NvmeCtrl *n, Error **errp)
++static bool nvme_check_params(NvmeCtrl *n, Error **errp)
+ {
+     NvmeParams *params = &n->params;
+ 
+@@ -6994,38 +6994,43 @@ static void nvme_check_constraints(NvmeCtrl *n, Error **errp)
+     if (n->namespace.blkconf.blk && n->subsys) {
+         error_setg(errp, "subsystem support is unavailable with legacy "
+                    "namespace ('drive' property)");
+-        return;
++        return false;
+     }
+ 
+     if (params->max_ioqpairs < 1 ||
+         params->max_ioqpairs > NVME_MAX_IOQPAIRS) {
+         error_setg(errp, "max_ioqpairs must be between 1 and %d",
+                    NVME_MAX_IOQPAIRS);
+-        return;
++        return false;
+     }
+ 
+     if (params->msix_qsize < 1 ||
+         params->msix_qsize > PCI_MSIX_FLAGS_QSIZE + 1) {
+         error_setg(errp, "msix_qsize must be between 1 and %d",
+                    PCI_MSIX_FLAGS_QSIZE + 1);
+-        return;
++        return false;
+     }
+ 
+     if (!params->serial) {
+         error_setg(errp, "serial property not set");
+-        return;
++        return false;
+     }
+ 
+     if (n->pmr.dev) {
++        if (params->msix_exclusive_bar) {
++            error_setg(errp, "not enough BARs available to enable PMR");
++            return false;
++        }
++
+         if (host_memory_backend_is_mapped(n->pmr.dev)) {
+             error_setg(errp, "can't use already busy memdev: %s",
+                        object_get_canonical_path_component(OBJECT(n->pmr.dev)));
+-            return;
++            return false;
+         }
+ 
+         if (!is_power_of_2(n->pmr.dev->size)) {
+             error_setg(errp, "pmr backend size needs to be power of 2 in size");
+-            return;
++            return false;
+         }
+ 
+         host_memory_backend_set_mapped(n->pmr.dev, true);
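Review bot: `host_memory_backend_set_mapped(n->pmr.dev, true)` is a side effect inside what is now a boolean validation function, and the checks that follow it (zasl, vsl, the SR-IOV block) can still `return false`. On those paths the memdev stays marked as mapped after realize has failed. Move the call after the last check, or undo it on the failure paths.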
+@@ -7034,64 +7039,64 @@ static void nvme_check_constraints(NvmeCtrl *n, Error **errp)
+     if (n->params.zasl > n->params.mdts) {
+         error_setg(errp, "zoned.zasl (Zone Append Size Limit) must be less "
+                    "than or equal to mdts (Maximum Data Transfer Size)");
+-        return;
++        return false;
+     }
+ 
+     if (!n->params.vsl) {
+         error_setg(errp, "vsl must be non-zero");
+-        return;
++        return false;
+     }
+ 
+     if (params->sriov_max_vfs) {
+         if (!n->subsys) {
+             error_setg(errp, "subsystem is required for the use of SR-IOV");
+-            return;
++            return false;
+         }
+ 
+         if (params->sriov_max_vfs > NVME_MAX_VFS) {
+             error_setg(errp, "sriov_max_vfs must be between 0 and %d",
+                        NVME_MAX_VFS);
+-            return;
++            return false;
+         }
+ 
+         if (params->cmb_size_mb) {
+             error_setg(errp, "CMB is not supported with SR-IOV");
+-            return;
++            return false;
+         }
+ 
+         if (n->pmr.dev) {
+             error_setg(errp, "PMR is not supported with SR-IOV");
+-            return;
++            return false;
+         }
+ 
+         if (!params->sriov_vq_flexible || !params->sriov_vi_flexible) {
+             error_setg(errp, "both sriov_vq_flexible and sriov_vi_flexible"
+                        " must be set for the use of SR-IOV");
+-            return;
++            return false;
+         }
+ 
+         if (params->sriov_vq_flexible < params->sriov_max_vfs * 2) {
+             error_setg(errp, "sriov_vq_flexible must be greater than or equal"
+                        " to %d (sriov_max_vfs * 2)", params->sriov_max_vfs * 2);
+-            return;
++            return false;
+         }
+ 
+         if (params->max_ioqpairs < params->sriov_vq_flexible + 2) {
+             error_setg(errp, "(max_ioqpairs - sriov_vq_flexible) must be"
+                        " greater than or equal to 2");
+-            return;
++            return false;
+         }
+ 
+         if (params->sriov_vi_flexible < params->sriov_max_vfs) {
+             error_setg(errp, "sriov_vi_flexible must be greater than or equal"
+                        " to %d (sriov_max_vfs)", params->sriov_max_vfs);
+-            return;
++            return false;
+         }
+ 
+         if (params->msix_qsize < params->sriov_vi_flexible + 1) {
+             error_setg(errp, "(msix_qsize - sriov_vi_flexible) must be"
+                        " greater than or equal to 1");
+-            return;
++            return false;
+         }
+ 
+         if (params->sriov_max_vi_per_vf &&
+@@ -7099,7 +7104,7 @@ static void nvme_check_constraints(NvmeCtrl *n, Error **errp)
+             error_setg(errp, "sriov_max_vi_per_vf must meet:"
+                        " (sriov_max_vi_per_vf - 1) %% %d == 0 and"
+                        " sriov_max_vi_per_vf >= 1", NVME_VF_RES_GRANULARITY);
+-            return;
++            return false;
+         }
+ 
+         if (params->sriov_max_vq_per_vf &&
+@@ -7108,9 +7113,11 @@ static void nvme_check_constraints(NvmeCtrl *n, Error **errp)
+             error_setg(errp, "sriov_max_vq_per_vf must meet:"
+                        " (sriov_max_vq_per_vf - 1) %% %d == 0 and"
+                        " sriov_max_vq_per_vf >= 2", NVME_VF_RES_GRANULARITY);
+-            return;
++            return false;
+         }
+     }
++
++    return true;
+ }
+ 
+ static void nvme_init_state(NvmeCtrl *n)
+@@ -7219,13 +7226,18 @@ static void nvme_init_pmr(NvmeCtrl *n, PCIDevice *pci_dev)
+     memory_region_set_enabled(&n->pmr.dev->mr, false);
+ }
+ 
+-static uint64_t nvme_bar_size(unsigned total_queues, unsigned total_irqs,
+-                              unsigned *msix_table_offset,
+-                              unsigned *msix_pba_offset)
++static uint64_t nvme_mbar_size(unsigned total_queues, unsigned total_irqs,
++                               unsigned *msix_table_offset,
++                               unsigned *msix_pba_offset)
+ {
+-    uint64_t bar_size, msix_table_size, msix_pba_size;
++    uint64_t bar_size, msix_table_size;
+ 
+     bar_size = sizeof(NvmeBar) + 2 * total_queues * NVME_DB_SIZE;
++
++    if (total_irqs == 0) {
++        goto out;
++    }
++
+     bar_size = QEMU_ALIGN_UP(bar_size, 4 * KiB);
+ 
+     if (msix_table_offset) {
+@@ -7240,11 +7252,10 @@ static uint64_t nvme_bar_size(unsigned total_queues, unsigned total_irqs,
+         *msix_pba_offset = bar_size;
+     }
+ 
+-    msix_pba_size = QEMU_ALIGN_UP(total_irqs, 64) / 8;
+-    bar_size += msix_pba_size;
++    bar_size += QEMU_ALIGN_UP(total_irqs, 64) / 8;
+ 
+-    bar_size = pow2ceil(bar_size);
+-    return bar_size;
++out:
++    return pow2ceil(bar_size);
+ }
+ 
+ static void nvme_init_sriov(NvmeCtrl *n, PCIDevice *pci_dev, uint16_t offset)
+@@ -7252,7 +7263,7 @@ static void nvme_init_sriov(NvmeCtrl *n, PCIDevice *pci_dev, uint16_t offset)
+     uint16_t vf_dev_id = n->params.use_intel_id ?
+                          PCI_DEVICE_ID_INTEL_NVME : PCI_DEVICE_ID_REDHAT_NVME;
+     NvmePriCtrlCap *cap = &n->pri_ctrl_cap;
+-    uint64_t bar_size = nvme_bar_size(le16_to_cpu(cap->vqfrsm),
++    uint64_t bar_size = nvme_mbar_size(le16_to_cpu(cap->vqfrsm),
+                                       le16_to_cpu(cap->vifrsm),
+                                       NULL, NULL);
+ 
+@@ -7286,15 +7297,14 @@ static int nvme_add_pm_capability(PCIDevice *pci_dev, uint8_t offset)
+     return 0;
+ }
+ 
+-static int nvme_init_pci(NvmeCtrl *n, PCIDevice *pci_dev, Error **errp)
++static bool nvme_init_pci(NvmeCtrl *n, PCIDevice *pci_dev, Error **errp)
+ {
++    ERRP_GUARD();
+     uint8_t *pci_conf = pci_dev->config;
+     uint64_t bar_size;
+-    unsigned msix_table_offset, msix_pba_offset;
++    unsigned msix_table_offset = 0, msix_pba_offset = 0;
+     int ret;
+ 
+-    Error *err = NULL;
+-
+     pci_conf[PCI_INTERRUPT_PIN] = 1;
+     pci_config_set_prog_interface(pci_conf, 0x2);
+ 
+@@ -7314,31 +7324,45 @@ static int nvme_init_pci(NvmeCtrl *n, PCIDevice *pci_dev, Error **errp)
+         pcie_ari_init(pci_dev, 0x100, 1);
+     }
+ 
+-    /* add one to max_ioqpairs to account for the admin queue pair */
+-    bar_size = nvme_bar_size(n->params.max_ioqpairs + 1, n->params.msix_qsize,
+-                             &msix_table_offset, &msix_pba_offset);
++    if (n->params.msix_exclusive_bar && !pci_is_vf(pci_dev)) {
++        bar_size = nvme_mbar_size(n->params.max_ioqpairs + 1, 0, NULL, NULL);
++        memory_region_init_io(&n->iomem, OBJECT(n), &nvme_mmio_ops, n, "nvme",
++                              bar_size);
++        pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY |
++                         PCI_BASE_ADDRESS_MEM_TYPE_64, &n->iomem);
++        ret = msix_init_exclusive_bar(pci_dev, n->params.msix_qsize, 4, errp);
++    } else {
++        assert(n->params.msix_qsize >= 1);
+ 
+-    memory_region_init(&n->bar0, OBJECT(n), "nvme-bar0", bar_size);
+-    memory_region_init_io(&n->iomem, OBJECT(n), &nvme_mmio_ops, n, "nvme",
+-                          msix_table_offset);
+-    memory_region_add_subregion(&n->bar0, 0, &n->iomem);
++        /* add one to max_ioqpairs to account for the admin queue pair */
++        bar_size = nvme_mbar_size(n->params.max_ioqpairs + 1,
++                                  n->params.msix_qsize, &msix_table_offset,
++                                  &msix_pba_offset);
+ 
+-    if (pci_is_vf(pci_dev)) {
+-        pcie_sriov_vf_register_bar(pci_dev, 0, &n->bar0);
+-    } else {
+-        pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY |
+-                         PCI_BASE_ADDRESS_MEM_TYPE_64, &n->bar0);
+-    }
+-    ret = msix_init(pci_dev, n->params.msix_qsize,
+-                    &n->bar0, 0, msix_table_offset,
+-                    &n->bar0, 0, msix_pba_offset, 0, &err);
+-    if (ret < 0) {
+-        if (ret == -ENOTSUP) {
+-            warn_report_err(err);
++        memory_region_init(&n->bar0, OBJECT(n), "nvme-bar0", bar_size);
++        memory_region_init_io(&n->iomem, OBJECT(n), &nvme_mmio_ops, n, "nvme",
++                              msix_table_offset);
++        memory_region_add_subregion(&n->bar0, 0, &n->iomem);
++
++        if (pci_is_vf(pci_dev)) {
++            pcie_sriov_vf_register_bar(pci_dev, 0, &n->bar0);
+         } else {
+-            error_propagate(errp, err);
+-            return ret;
++            pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY |
++                             PCI_BASE_ADDRESS_MEM_TYPE_64, &n->bar0);
+         }
++
++        ret = msix_init(pci_dev, n->params.msix_qsize,
++                        &n->bar0, 0, msix_table_offset,
++                        &n->bar0, 0, msix_pba_offset, 0, errp);
++    }
++
++    if (ret == -ENOTSUP) {
++        /* report that msix is not supported, but do not error out */
++        warn_report_err(*errp);
++        *errp = NULL;
++    } else if (ret < 0) {
++        /* propagate error to caller */
++        return false;
+     }
+ 
+     nvme_update_msixcap_ts(pci_dev, n->conf_msix_qsize);
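Review bot: In the msix-exclusive-bar branch, BAR 0 is registered with pci_register_bar() unconditionally, while the else branch checks pci_is_vf() and uses pcie_sriov_vf_register_bar() for VFs. nvme_realize() copies the PF's params into each VF, so a VF with msix_exclusive_bar set would take the PF registration path; either reject msix-exclusive-bar together with SR-IOV during parameter checking or add the same pci_is_vf() split here. Separately, `warn_report_err(*errp); *errp = NULL;` dereferences errp, so the function needs ERRP_GUARD() at its top (not visible in this part of the hunk) or a guarantee that no caller passes NULL.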
+@@ -7355,7 +7379,7 @@ static int nvme_init_pci(NvmeCtrl *n, PCIDevice *pci_dev, Error **errp)
+         nvme_init_sriov(n, pci_dev, 0x120);
+     }
+ 
+-    return 0;
++    return true;
+ }
+ 
+ static void nvme_init_subnqn(NvmeCtrl *n)
+@@ -7509,21 +7533,24 @@ static void nvme_realize(PCIDevice *pci_dev, Error **errp)
+ {
+     NvmeCtrl *n = NVME(pci_dev);
+     NvmeNamespace *ns;
+-    Error *local_err = NULL;
+     NvmeCtrl *pn = NVME(pcie_sriov_get_pf(pci_dev));
+ 
+     if (pci_is_vf(pci_dev)) {
+         /*
+          * VFs derive settings from the parent. PF's lifespan exceeds
+-         * that of VF's, so it's safe to share params.serial.
++         * that of VF's.
+          */
+         memcpy(&n->params, &pn->params, sizeof(NvmeParams));
++
++        /*
++         * Set PF's serial value to a new string memory to prevent 'serial'
++         * property object release of PF when a VF is removed from the system.
++         */
++        n->params.serial = g_strdup(pn->params.serial);
+         n->subsys = pn->subsys;
+     }
+ 
+-    nvme_check_constraints(n, &local_err);
+-    if (local_err) {
+-        error_propagate(errp, local_err);
++    if (!nvme_check_params(n, errp)) {
+         return;
+     }
+ 
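Review bot: The new comment above `n->params.serial = g_strdup(pn->params.serial);` says it sets the PF's serial, but the assignment gives the VF its own copy so that releasing the VF's 'serial' property does not free the string the PF still uses. Reword the comment to say that. The memcpy() just above still shares any other pointer-valued member of NvmeParams with the PF, so it is worth checking whether another member needs the same duplication.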
+@@ -7531,11 +7558,10 @@ static void nvme_realize(PCIDevice *pci_dev, Error **errp)
+               &pci_dev->qdev, n->parent_obj.qdev.id);
+ 
+     if (nvme_init_subsys(n, errp)) {
+-        error_propagate(errp, local_err);
+         return;
+     }
+     nvme_init_state(n);
+-    if (nvme_init_pci(n, pci_dev, errp)) {
++    if (!nvme_init_pci(n, pci_dev, errp)) {
+         return;
+     }
+     nvme_init_ctrl(n, pci_dev);
+@@ -7622,6 +7648,8 @@ static Property nvme_props[] = {
+                       params.sriov_max_vi_per_vf, 0),
+     DEFINE_PROP_UINT8("sriov_max_vq_per_vf", NvmeCtrl,
+                       params.sriov_max_vq_per_vf, 0),
++    DEFINE_PROP_BOOL("msix-exclusive-bar", NvmeCtrl, params.msix_exclusive_bar,
++                     false),
+     DEFINE_PROP_END_OF_LIST(),
+ };
+ 
+@@ -7676,36 +7704,26 @@ static void nvme_pci_reset(DeviceState *qdev)
+     nvme_ctrl_reset(n, NVME_RESET_FUNCTION);
+ }
+ 
+-static void nvme_sriov_pre_write_ctrl(PCIDevice *dev, uint32_t address,
+-                                      uint32_t val, int len)
++static void nvme_sriov_post_write_config(PCIDevice *dev, uint16_t old_num_vfs)
+ {
+     NvmeCtrl *n = NVME(dev);
+     NvmeSecCtrlEntry *sctrl;
+-    uint16_t sriov_cap = dev->exp.sriov_cap;
+-    uint32_t off = address - sriov_cap;
+-    int i, num_vfs;
+-
+-    if (!sriov_cap) {
+-        return;
+-    }
++    int i;
+ 
+-    if (range_covers_byte(off, len, PCI_SRIOV_CTRL)) {
+-        if (!(val & PCI_SRIOV_CTRL_VFE)) {
+-            num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+-            for (i = 0; i < num_vfs; i++) {
+-                sctrl = &n->sec_ctrl_list.sec[i];
+-                nvme_virt_set_state(n, le16_to_cpu(sctrl->scid), false);
+-            }
+-        }
++    for (i = pcie_sriov_num_vfs(dev); i < old_num_vfs; i++) {
++        sctrl = &n->sec_ctrl_list.sec[i];
++        nvme_virt_set_state(n, le16_to_cpu(sctrl->scid), false);
+     }
+ }
+ 
+ static void nvme_pci_write_config(PCIDevice *dev, uint32_t address,
+                                   uint32_t val, int len)
+ {
+-    nvme_sriov_pre_write_ctrl(dev, address, val, len);
++    uint16_t old_num_vfs = pcie_sriov_num_vfs(dev);
++
+     pci_default_write_config(dev, address, val, len);
+     pcie_cap_flr_write_config(dev, address, val, len);
++    nvme_sriov_post_write_config(dev, old_num_vfs);
+ }
+ 
+ static const VMStateDescription nvme_vmstate = {
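Review bot: nvme_sriov_post_write_config() has no comment explaining why the VF count is now taken from pcie_sriov_num_vfs() before and after the write instead of from the guest-writable PCI_SRIOV_NUM_VF config word that the removed code read. A short comment would keep a later cleanup from reintroducing the config-space read. The loop also indexes n->sec_ctrl_list.sec[i] up to old_num_vfs with no visible bound against the array size; an assert on that bound would make the invariant explicit.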
+diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h
+index 7adf042ec3..4d5e42b669 100644
+--- a/hw/nvme/nvme.h
++++ b/hw/nvme/nvme.h
+@@ -427,6 +427,7 @@ typedef struct NvmeParams {
+     uint16_t sriov_vi_flexible;
+     uint8_t  sriov_max_vq_per_vf;
+     uint8_t  sriov_max_vi_per_vf;
++    bool     msix_exclusive_bar;
+ } NvmeParams;
+ 
+ typedef struct NvmeCtrl {
+diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
+index 61a4e06768..0d58e4db43 100644
+--- a/hw/pci/pcie_sriov.c
++++ b/hw/pci/pcie_sriov.c
+@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
+ 
+     assert(sriov_cap > 0);
+     num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
++    if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
++        return;
++    }
+ 
+     dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
+ 
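Review bot: The new `num_vfs > PCI_SRIOV_TOTAL_VF` check in register_vfs() returns silently, before dev->exp.sriov_pf.vf is allocated. A guest that programs an out-of-range NumVFs gets no diagnostic; consider a qemu_log_mask(LOG_GUEST_ERROR, ...) line here, and confirm that the callers and the unregister path cope with VF Enable being set while no VFs were registered.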
+@@ -299,3 +302,8 @@ PCIDevice *pcie_sriov_get_vf_at_index(PCIDevice *dev, int n)
+     }
+     return NULL;
+ }
++
++uint16_t pcie_sriov_num_vfs(PCIDevice *dev)
++{
++    return dev->exp.sriov_pf.num_vfs;
++}
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index 66b414d2e9..9e860f5047 100644
+--- a/hw/ppc/spapr.c
++++ b/hw/ppc/spapr.c
+@@ -4602,13 +4602,10 @@ static void spapr_machine_class_init(ObjectClass *oc, void *data)
+     mc->block_default_type = IF_SCSI;
+ 
+     /*
+-     * Setting max_cpus to INT32_MAX. Both KVM and TCG max_cpus values
+-     * should be limited by the host capability instead of hardcoded.
+-     * max_cpus for KVM guests will be checked in kvm_init(), and TCG
+-     * guests are welcome to have as many CPUs as the host are capable
+-     * of emulate.
++     * While KVM determines max cpus in kvm_init() using kvm_max_vcpus(),
++     * In TCG the limit is restricted by the range of CPU IPIs available.
+      */
+-    mc->max_cpus = INT32_MAX;
++    mc->max_cpus = SPAPR_IRQ_NR_IPIS;
+ 
+     mc->no_parallel = 1;
+     mc->default_boot_order = "";
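Review bot: The replacement comment presents the IPI range as a TCG limit, but `mc->max_cpus = SPAPR_IRQ_NR_IPIS;` is set on the machine class and applies whatever the accelerator. Say that this is the upper bound in all cases and that KVM may lower it further in kvm_init().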
+diff --git a/hw/ppc/spapr_irq.c b/hw/ppc/spapr_irq.c
+index a0d1e1298e..97b2fc42ab 100644
+--- a/hw/ppc/spapr_irq.c
++++ b/hw/ppc/spapr_irq.c
+@@ -23,6 +23,8 @@
+ 
+ #include "trace.h"
+ 
++QEMU_BUILD_BUG_ON(SPAPR_IRQ_NR_IPIS > SPAPR_XIRQ_BASE);
++
+ static const TypeInfo spapr_intc_info = {
+     .name = TYPE_SPAPR_INTC,
+     .parent = TYPE_INTERFACE,
+@@ -329,7 +331,7 @@ void spapr_irq_init(SpaprMachineState *spapr, Error **errp)
+         int i;
+ 
+         dev = qdev_new(TYPE_SPAPR_XIVE);
+-        qdev_prop_set_uint32(dev, "nr-irqs", smc->nr_xirqs + SPAPR_XIRQ_BASE);
++        qdev_prop_set_uint32(dev, "nr-irqs", smc->nr_xirqs + SPAPR_IRQ_NR_IPIS);
+         /*
+          * 8 XIVE END structures per CPU. One for each available
+          * priority
+@@ -356,7 +358,7 @@ void spapr_irq_init(SpaprMachineState *spapr, Error **errp)
+     }
+ 
+     spapr->qirqs = qemu_allocate_irqs(spapr_set_irq, spapr,
+-                                      smc->nr_xirqs + SPAPR_XIRQ_BASE);
++                                      smc->nr_xirqs + SPAPR_IRQ_NR_IPIS);
+ 
+     /*
+      * Mostly we don't actually need this until reset, except that not
+diff --git a/hw/rtc/sun4v-rtc.c b/hw/rtc/sun4v-rtc.c
+index e037acd1b5..ffcc0aa25d 100644
+--- a/hw/rtc/sun4v-rtc.c
++++ b/hw/rtc/sun4v-rtc.c
+@@ -5,7 +5,7 @@
+  *
+  * Copyright (c) 2016 Artyom Tarasenko
+  *
+- * This code is licensed under the GNU GPL v3 or (at your option) any later
++ * This code is licensed under the GNU GPL v2 or (at your option) any later
+  * version.
+  */
+ 
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index ca619ed564..48c85d479c 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -188,7 +188,7 @@ static const char *names[] = {
+ #define LSI_TAG_VALID     (1 << 16)
+ 
+ /* Maximum instructions to process. */
+-#define LSI_MAX_INSN    10000
++#define LSI_MAX_INSN    100
+ 
+ typedef struct lsi_request {
+     SCSIRequest *req;
+@@ -205,6 +205,7 @@ enum {
+     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
+     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
+     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
++    LSI_WAIT_SCRIPTS, /* SCRIPTS stopped because of instruction count limit */
+ };
+ 
+ enum {
+@@ -224,6 +225,7 @@ struct LSIState {
+     MemoryRegion ram_io;
+     MemoryRegion io_io;
+     AddressSpace pci_io_as;
++    QEMUTimer *scripts_timer;
+ 
+     int carry; /* ??? Should this be an a visible register somewhere?  */
+     int status;
+@@ -415,6 +417,7 @@ static void lsi_soft_reset(LSIState *s)
+     s->sbr = 0;
+     assert(QTAILQ_EMPTY(&s->queue));
+     assert(!s->current);
++    timer_del(s->scripts_timer);
+ }
+ 
+ static int lsi_dma_40bit(LSIState *s)
+@@ -570,8 +573,9 @@ static inline void lsi_set_phase(LSIState *s, int phase)
+     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
+ }
+ 
+-static void lsi_bad_phase(LSIState *s, int out, int new_phase)
++static int lsi_bad_phase(LSIState *s, int out, int new_phase)
+ {
++    int ret = 0;
+     /* Trigger a phase mismatch.  */
+     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
+         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
+@@ -584,8 +588,10 @@ static void lsi_bad_phase(LSIState *s, int out, int new_phase)
+         trace_lsi_bad_phase_interrupt();
+         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
+         lsi_stop_script(s);
++        ret = 1;
+     }
+     lsi_set_phase(s, new_phase);
++    return ret;
+ }
+ 
+ 
+@@ -789,7 +795,7 @@ static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
+ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+ {
+     LSIState *s = LSI53C895A(req->bus->qbus.parent);
+-    int out;
++    int out, stop = 0;
+ 
+     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
+     trace_lsi_command_complete(req->status);
+@@ -797,7 +803,10 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+     s->command_complete = 2;
+     if (s->waiting && s->dbc != 0) {
+         /* Raise phase mismatch for short transfers.  */
+-        lsi_bad_phase(s, out, PHASE_ST);
++        stop = lsi_bad_phase(s, out, PHASE_ST);
++        if (stop) {
++            s->waiting = 0;
++        }
+     } else {
+         lsi_set_phase(s, PHASE_ST);
+     }
+@@ -807,7 +816,9 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
+         lsi_request_free(s, s->current);
+         scsi_req_unref(req);
+     }
+-    lsi_resume_script(s);
++    if (!stop) {
++        lsi_resume_script(s);
++    }
+ }
+ 
+  /* Callback to indicate that the SCSI layer has completed a transfer.  */
+@@ -1127,6 +1138,12 @@ static void lsi_wait_reselect(LSIState *s)
+     }
+ }
+ 
++static void lsi_scripts_timer_start(LSIState *s)
++{
++    trace_lsi_scripts_timer_start();
++    timer_mod(s->scripts_timer, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500);
++}
++
+ static void lsi_execute_script(LSIState *s)
+ {
+     PCIDevice *pci_dev = PCI_DEVICE(s);
+@@ -1136,6 +1153,11 @@ static void lsi_execute_script(LSIState *s)
+     int insn_processed = 0;
+     static int reentrancy_level;
+ 
++    if (s->waiting == LSI_WAIT_SCRIPTS) {
++        timer_del(s->scripts_timer);
++        s->waiting = LSI_NOWAIT;
++    }
++
+     reentrancy_level++;
+ 
+     s->istat1 |= LSI_ISTAT1_SRUN;
+@@ -1143,8 +1165,8 @@ again:
+     /*
+      * Some windows drivers make the device spin waiting for a memory location
+      * to change. If we have executed more than LSI_MAX_INSN instructions then
+-     * assume this is the case and force an unexpected device disconnect. This
+-     * is apparently sufficient to beat the drivers into submission.
++     * assume this is the case and start a timer. Until the timer fires, the
++     * host CPU has a chance to run and change the memory location.
+      *
+      * Another issue (CVE-2023-0330) can occur if the script is programmed to
+      * trigger itself again and again. Avoid this problem by stopping after
+@@ -1152,13 +1174,9 @@ again:
+      * which should be enough for all valid use cases).
+      */
+     if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+-        if (!(s->sien0 & LSI_SIST0_UDC)) {
+-            qemu_log_mask(LOG_GUEST_ERROR,
+-                          "lsi_scsi: inf. loop with UDC masked");
+-        }
+-        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+-        lsi_disconnect(s);
+-        trace_lsi_execute_script_stop();
++        s->waiting = LSI_WAIT_SCRIPTS;
++        lsi_scripts_timer_start(s);
++        reentrancy_level--;
+         return;
+     }
+     insn = read_dword(s, s->dsp);
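Review bot: `reentrancy_level > 8` now takes the same path as the instruction-count limit: set LSI_WAIT_SCRIPTS, arm the timer, return. The comment above still describes the CVE-2023-0330 case as "stopping", whereas the script is now resumed by the timer callback 500 us of virtual time later. Update the comment to say the self-retriggering case is throttled rather than stopped, and state why the removed LSI_SIST0_UDC interrupt and lsi_disconnect() are no longer needed for it.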
+@@ -2196,6 +2214,9 @@ static int lsi_post_load(void *opaque, int version_id)
+         return -EINVAL;
+     }
+ 
++    if (s->waiting == LSI_WAIT_SCRIPTS) {
++        lsi_scripts_timer_start(s);
++    }
+     return 0;
+ }
+ 
+@@ -2293,6 +2314,15 @@ static const struct SCSIBusInfo lsi_scsi_info = {
+     .cancel = lsi_request_cancelled
+ };
+ 
++static void scripts_timer_cb(void *opaque)
++{
++    LSIState *s = opaque;
++
++    trace_lsi_scripts_timer_triggered();
++    s->waiting = LSI_NOWAIT;
++    lsi_execute_script(s);
++}
++
+ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
+ {
+     LSIState *s = LSI53C895A(dev);
+@@ -2312,6 +2342,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
+                           "lsi-ram", 0x2000);
+     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
+                           "lsi-io", 256);
++    s->scripts_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, scripts_timer_cb, s);
+ 
+     /*
+      * Since we use the address-space API to interact with ram_io, disable the
+@@ -2336,6 +2367,7 @@ static void lsi_scsi_exit(PCIDevice *dev)
+     LSIState *s = LSI53C895A(dev);
+ 
+     address_space_destroy(&s->pci_io_as);
++    timer_del(s->scripts_timer);
+ }
+ 
+ static void lsi_class_init(ObjectClass *klass, void *data)
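Review bot: lsi_scsi_exit() only calls timer_del() on scripts_timer, but the timer is heap-allocated with timer_new_us() in lsi_scsi_realize(), so the QEMUTimer is leaked on unplug. Use timer_free(s->scripts_timer) here instead, which also cancels a pending timer.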
+diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
+index d513870181..87d84ee68e 100644
+--- a/hw/scsi/scsi-generic.c
++++ b/hw/scsi/scsi-generic.c
+@@ -765,7 +765,6 @@ static void scsi_generic_realize(SCSIDevice *s, Error **errp)
+ 
+     /* Only used by scsi-block, but initialize it nevertheless to be clean.  */
+     s->default_scsi_version = -1;
+-    s->io_timeout = DEFAULT_IO_TIMEOUT;
+     scsi_generic_read_device_inquiry(s);
+ }
+ 
+diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
+index ab238293f0..131af99d91 100644
+--- a/hw/scsi/trace-events
++++ b/hw/scsi/trace-events
+@@ -299,6 +299,8 @@ lsi_execute_script_stop(void) "SCRIPTS execution stopped"
+ lsi_awoken(void) "Woken by SIGP"
+ lsi_reg_read(const char *name, int offset, uint8_t ret) "Read reg %s 0x%x = 0x%02x"
+ lsi_reg_write(const char *name, int offset, uint8_t val) "Write reg %s 0x%x = 0x%02x"
++lsi_scripts_timer_triggered(void) "SCRIPTS timer triggered"
++lsi_scripts_timer_start(void) "SCRIPTS timer started"
+ 
+ # virtio-scsi.c
+ virtio_scsi_cmd_req(int lun, uint32_t tag, uint8_t cmd) "virtio_scsi_cmd_req lun=%u tag=0x%x cmd=0x%x"
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index ef60badc6b..abd503d168 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size)
+     }
+ 
+     for (i = 0; i < size; i++) {
++        assert(s->data_count < s->buf_maxsz);
+         value |= s->fifo_buffer[s->data_count] << i * 8;
+         s->data_count++;
+         /* check if we've read all valid data (blksize bytes) from buffer */
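Review bot: `assert(s->data_count < s->buf_maxsz);` sits inside a loop driven by guest accesses to the data port, so a failed assertion terminates the whole QEMU process. That is a reasonable backstop against indexing fifo_buffer out of bounds, but it should carry a comment naming the state that is supposed to make it unreachable, so it is clear the assert is not the primary check. The same applies to the identical assert added in sdhci_write_dataport().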
+@@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size)
+     }
+ 
+     for (i = 0; i < size; i++) {
++        assert(s->data_count < s->buf_maxsz);
+         s->fifo_buffer[s->data_count] = value & 0xFF;
+         s->data_count++;
+         value >>= 8;
+@@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) {
+             value &= ~SDHC_TRNS_DMA;
+         }
++
++        /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */
++        if (s->prnsts & SDHC_DATA_INHIBIT) {
++            mask |= 0xffff;
++        }
++
+         MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);
+         MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
+ 
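Review bot: When SDHC_DATA_INHIBIT is set, only `mask` is widened with `mask |= 0xffff;` while `value & SDHC_TRNMOD_MASK` is still passed to MASKED_WRITE() unchanged. Whether trnmod is really left untouched depends on how MASKED_WRITE() combines mask and value, which is not visible in this hunk; please confirm it cannot still set bits from `value`, or clear the low 16 bits of `value` in the same branch so the intent does not depend on the macro.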
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index b2e0646d9a..ce995c66d8 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -1057,8 +1057,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp)
+         vcrypto->vqs[i].dataq =
+                  virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh);
+         vcrypto->vqs[i].dataq_bh =
+-                 qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i],
+-                                     &dev->mem_reentrancy_guard);
++                 virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh,
++                                       &vcrypto->vqs[i]);
+         vcrypto->vqs[i].vcrypto = vcrypto;
+     }
+ 
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index b7da7f074d..4a35d7cb0c 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -1367,12 +1367,20 @@ static void virtqueue_packed_flush(VirtQueue *vq, unsigned int count)
+         return;
+     }
+ 
++    /*
++     * For indirect element's 'ndescs' is 1.
++     * For all other elemment's 'ndescs' is the
++     * number of descriptors chained by NEXT (as set in virtqueue_packed_pop).
++     * So When the 'elem' be filled into the descriptor ring,
++     * The 'idx' of this 'elem' shall be
++     * the value of 'vq->used_idx' plus the 'ndescs'.
++     */
++    ndescs += vq->used_elems[0].ndescs;
+     for (i = 1; i < count; i++) {
+-        virtqueue_packed_fill_desc(vq, &vq->used_elems[i], i, false);
++        virtqueue_packed_fill_desc(vq, &vq->used_elems[i], ndescs, false);
+         ndescs += vq->used_elems[i].ndescs;
+     }
+     virtqueue_packed_fill_desc(vq, &vq->used_elems[0], 0, true);
+-    ndescs += vq->used_elems[0].ndescs;
+ 
+     vq->inuse -= ndescs;
+     vq->used_idx += ndescs;
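Review bot: The comment added before `ndescs += vq->used_elems[0].ndescs;` is hard to read ("elemment's", "So When the 'elem' be filled"). Suggest: "ndescs is 1 for an indirect element and otherwise the number of descriptors chained by NEXT (as set in virtqueue_packed_pop), so each element is filled at used_idx plus the ndescs of the elements before it." It would also help to say that element 0 is still written last, at offset 0, which is why its ndescs is added before the loop.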
+@@ -5021,3 +5029,13 @@ static void virtio_register_types(void)
+ }
+ 
+ type_init(virtio_register_types)
++
++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
++                                   QEMUBHFunc *cb, void *opaque,
++                                   const char *name)
++{
++    DeviceState *transport = qdev_get_parent_bus(dev)->parent;
++
++    return qemu_bh_new_full(cb, opaque, name,
++                            &transport->mem_reentrancy_guard);
++}
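Review bot: virtio_bh_new_guarded_full() dereferences `qdev_get_parent_bus(dev)->parent` without checking that the device has a parent bus, and has no comment saying why the transport's mem_reentrancy_guard is used instead of the device's own (the call replaced in virtio-crypto passed `&dev->mem_reentrancy_guard`). Add a doc comment stating that reasoning and the precondition that dev is a realized virtio device on a virtio bus, or assert it.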
+diff --git a/include/hw/pci/pcie_sriov.h b/include/hw/pci/pcie_sriov.h
+index 80f5c84e75..072a583405 100644
+--- a/include/hw/pci/pcie_sriov.h
++++ b/include/hw/pci/pcie_sriov.h
+@@ -74,4 +74,7 @@ PCIDevice *pcie_sriov_get_pf(PCIDevice *dev);
+  */
+ PCIDevice *pcie_sriov_get_vf_at_index(PCIDevice *dev, int n);
+ 
++/* Returns the current number of virtual functions. */
++uint16_t pcie_sriov_num_vfs(PCIDevice *dev);
++
+ #endif /* QEMU_PCIE_SRIOV_H */
+diff --git a/include/hw/ppc/spapr_irq.h b/include/hw/ppc/spapr_irq.h
+index c22a72c9e2..4fd2d5853d 100644
+--- a/include/hw/ppc/spapr_irq.h
++++ b/include/hw/ppc/spapr_irq.h
+@@ -14,9 +14,21 @@
+ #include "qom/object.h"
+ 
+ /*
+- * IRQ range offsets per device type
++ * The XIVE IRQ backend uses the same layout as the XICS backend but
++ * covers the full range of the IRQ number space. The IRQ numbers for
++ * the CPU IPIs are allocated at the bottom of this space, below 4K,
++ * to preserve compatibility with XICS which does not use that range.
++ */
++
++/*
++ * CPU IPI range (XIVE only)
+  */
+ #define SPAPR_IRQ_IPI        0x0
++#define SPAPR_IRQ_NR_IPIS    0x1000
++
++/*
++ * IRQ range offsets per device type
++ */
+ 
+ #define SPAPR_XIRQ_BASE      XICS_IRQ_BASE /* 0x1000 */
+ #define SPAPR_IRQ_EPOW       (SPAPR_XIRQ_BASE + 0x0000)
+diff --git a/include/hw/rtc/sun4v-rtc.h b/include/hw/rtc/sun4v-rtc.h
+index fc54dfcba4..26a9eb6196 100644
+--- a/include/hw/rtc/sun4v-rtc.h
++++ b/include/hw/rtc/sun4v-rtc.h
+@@ -5,7 +5,7 @@
+  *
+  * Copyright (c) 2016 Artyom Tarasenko
+  *
+- * This code is licensed under the GNU GPL v3 or (at your option) any later
++ * This code is licensed under the GNU GPL v2 or (at your option) any later
+  * version.
+  */
+ 
+diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
+index 96a56430a6..c1a7c9bd3b 100644
+--- a/include/hw/virtio/virtio.h
++++ b/include/hw/virtio/virtio.h
+@@ -23,6 +23,7 @@
+ #include "standard-headers/linux/virtio_ring.h"
+ #include "qom/object.h"
+ #include "hw/virtio/vhost.h"
++#include "block/aio.h"
+ 
+ /*
+  * A guest should never accept this. It implies negotiation is broken
+@@ -463,4 +464,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev)
+ bool virtio_legacy_allowed(VirtIODevice *vdev);
+ bool virtio_legacy_check_disabled(VirtIODevice *vdev);
+ 
++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
++                                   QEMUBHFunc *cb, void *opaque,
++                                   const char *name);
++#define virtio_bh_new_guarded(dev, cb, opaque) \
++    virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb)))
++
+ #endif
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index aead0f6ac9..41017b0df2 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -8759,14 +8759,24 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
+ #ifdef TARGET_NR_waitid
+     case TARGET_NR_waitid:
+         {
++            struct rusage ru;
+             siginfo_t info;
+-            info.si_pid = 0;
+-            ret = get_errno(safe_waitid(arg1, arg2, &info, arg4, NULL));
+-            if (!is_error(ret) && arg3 && info.si_pid != 0) {
+-                if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_siginfo_t), 0)))
++
++            ret = get_errno(safe_waitid(arg1, arg2, (arg3 ? &info : NULL),
++                                        arg4, (arg5 ? &ru : NULL)));
++            if (!is_error(ret)) {
++                if (arg3) {
++                    p = lock_user(VERIFY_WRITE, arg3,
++                                  sizeof(target_siginfo_t), 0);
++                    if (!p) {
++                        return -TARGET_EFAULT;
++                    }
++                    host_to_target_siginfo(p, &info);
++                    unlock_user(p, arg3, sizeof(target_siginfo_t));
++                }
++                if (arg5 && host_to_target_rusage(arg5, &ru)) {
+                     return -TARGET_EFAULT;
+-                host_to_target_siginfo(p, &info);
+-                unlock_user(p, arg3, sizeof(target_siginfo_t));
++                }
+             }
+         }
+         return ret;
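Review bot: `siginfo_t info;` is no longer initialised: the old code set `info.si_pid = 0` and skipped the copy-out when si_pid stayed 0, while the new code converts and copies `info` to the guest on every successful return when arg3 is set. For a successful call that reports no child, the result now relies entirely on what the host kernel wrote into `info`. Zero-initialising it (`siginfo_t info = { 0 };` or a memset) keeps indeterminate stack bytes out of host_to_target_siginfo().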
+diff --git a/migration/block.c b/migration/block.c
+index 4026b73f75..867901d2b1 100644
+--- a/migration/block.c
++++ b/migration/block.c
+@@ -415,7 +415,10 @@ static int init_blk_migration(QEMUFile *f)
+         }
+ 
+         sectors = bdrv_nb_sectors(bs);
+-        if (sectors <= 0) {
++        if (sectors == 0) {
++            continue;
++        }
++        if (sectors < 0) {
+             ret = sectors;
+             bdrv_next_cleanup(&it);
+             goto out;
+diff --git a/monitor/misc.c b/monitor/misc.c
+index 205487e2b9..80dd1fa8e6 100644
+--- a/monitor/misc.c
++++ b/monitor/misc.c
+@@ -668,7 +668,7 @@ void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error **errp)
+     }
+ 
+     if (!memory_region_is_ram(mrs.mr) && !memory_region_is_romd(mrs.mr)) {
+-        error_setg(errp, "Memory at address 0x%" HWADDR_PRIx "is not RAM", addr);
++        error_setg(errp, "Memory at address 0x%" HWADDR_PRIx " is not RAM", addr);
+         memory_region_unref(mrs.mr);
+         return NULL;
+     }
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 7f798ce47e..2c00ceac83 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -149,14 +149,14 @@ SRST
+         platform and configuration dependent.
+ 
+         ``interleave-granularity=granularity`` sets the granularity of
+-        interleave. Default 256KiB. Only 256KiB, 512KiB, 1024KiB, 2048KiB
+-        4096KiB, 8192KiB and 16384KiB granularities supported.
++        interleave. Default 256 (bytes). Only 256, 512, 1k, 2k,
++        4k, 8k and 16k granularities supported.
+ 
+         Example:
+ 
+         ::
+ 
+-            -machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512k
++            -machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512
+ ERST
+ 
+ DEF("M", HAS_ARG, QEMU_OPTION_M,
+diff --git a/scripts/make-release b/scripts/make-release
+index 05b14ecc95..43689064fb 100755
+--- a/scripts/make-release
++++ b/scripts/make-release
+@@ -34,5 +34,5 @@ git submodule update --init
+         CryptoPkg/Library/OpensslLib/openssl \
+         MdeModulePkg/Library/BrotliCustomDecompressLib/brotli)
+ popd
+-tar --exclude=.git -cjf ${destination}.tar.bz2 ${destination}
++tar --exclude=.git -cJf ${destination}.tar.xz ${destination}
+ rm -rf ${destination}
+diff --git a/softmmu/qdev-monitor.c b/softmmu/qdev-monitor.c
+index 4b0ef65780..f4348443b0 100644
+--- a/softmmu/qdev-monitor.c
++++ b/softmmu/qdev-monitor.c
+@@ -853,19 +853,18 @@ void qmp_device_add(QDict *qdict, QObject **ret_data, Error **errp)
+         return;
+     }
+     dev = qdev_device_add(opts, errp);
+-
+-    /*
+-     * Drain all pending RCU callbacks. This is done because
+-     * some bus related operations can delay a device removal
+-     * (in this case this can happen if device is added and then
+-     * removed due to a configuration error)
+-     * to a RCU callback, but user might expect that this interface
+-     * will finish its job completely once qmp command returns result
+-     * to the user
+-     */
+-    drain_call_rcu();
+-
+     if (!dev) {
++        /*
++         * Drain all pending RCU callbacks. This is done because
++         * some bus related operations can delay a device removal
++         * (in this case this can happen if device is added and then
++         * removed due to a configuration error)
++         * to a RCU callback, but user might expect that this interface
++         * will finish its job completely once qmp command returns result
++         * to the user
++         */
++        drain_call_rcu();
++
+         qemu_opts_del(opts);
+         return;
+     }
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index 2e284e048c..acc0470e86 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -7852,31 +7852,89 @@ void register_cp_regs_for_features(ARMCPU *cpu)
+ #ifdef CONFIG_USER_ONLY
+         static const ARMCPRegUserSpaceInfo v8_user_idregs[] = {
+             { .name = "ID_AA64PFR0_EL1",
+-              .exported_bits = 0x000f000f00ff0000,
+-              .fixed_bits    = 0x0000000000000011 },
++              .exported_bits = R_ID_AA64PFR0_FP_MASK |
++                               R_ID_AA64PFR0_ADVSIMD_MASK |
++                               R_ID_AA64PFR0_SVE_MASK |
++                               R_ID_AA64PFR0_DIT_MASK,
++              .fixed_bits = (0x1u << R_ID_AA64PFR0_EL0_SHIFT) |
++                            (0x1u << R_ID_AA64PFR0_EL1_SHIFT) },
+             { .name = "ID_AA64PFR1_EL1",
+-              .exported_bits = 0x00000000000000f0 },
++              .exported_bits = R_ID_AA64PFR1_BT_MASK |
++                               R_ID_AA64PFR1_SSBS_MASK |
++                               R_ID_AA64PFR1_MTE_MASK |
++                               R_ID_AA64PFR1_SME_MASK },
+             { .name = "ID_AA64PFR*_EL1_RESERVED",
+-              .is_glob = true                     },
+-            { .name = "ID_AA64ZFR0_EL1"           },
++              .is_glob = true },
++            { .name = "ID_AA64ZFR0_EL1",
++              .exported_bits = R_ID_AA64ZFR0_SVEVER_MASK |
++                               R_ID_AA64ZFR0_AES_MASK |
++                               R_ID_AA64ZFR0_BITPERM_MASK |
++                               R_ID_AA64ZFR0_BFLOAT16_MASK |
++                               R_ID_AA64ZFR0_SHA3_MASK |
++                               R_ID_AA64ZFR0_SM4_MASK |
++                               R_ID_AA64ZFR0_I8MM_MASK |
++                               R_ID_AA64ZFR0_F32MM_MASK |
++                               R_ID_AA64ZFR0_F64MM_MASK },
++            { .name = "ID_AA64SMFR0_EL1",
++              .exported_bits = R_ID_AA64SMFR0_F32F32_MASK |
++                               R_ID_AA64SMFR0_B16F32_MASK |
++                               R_ID_AA64SMFR0_F16F32_MASK |
++                               R_ID_AA64SMFR0_I8I32_MASK |
++                               R_ID_AA64SMFR0_F64F64_MASK |
++                               R_ID_AA64SMFR0_I16I64_MASK |
++                               R_ID_AA64SMFR0_FA64_MASK },
+             { .name = "ID_AA64MMFR0_EL1",
+-              .fixed_bits    = 0x00000000ff000000 },
+-            { .name = "ID_AA64MMFR1_EL1"          },
++              .exported_bits = R_ID_AA64MMFR0_ECV_MASK,
++              .fixed_bits = (0xfu << R_ID_AA64MMFR0_TGRAN64_SHIFT) |
++                            (0xfu << R_ID_AA64MMFR0_TGRAN4_SHIFT) },
++            { .name = "ID_AA64MMFR1_EL1",
++              .exported_bits = R_ID_AA64MMFR1_AFP_MASK },
++            { .name = "ID_AA64MMFR2_EL1",
++              .exported_bits = R_ID_AA64MMFR2_AT_MASK },
+             { .name = "ID_AA64MMFR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64DFR0_EL1",
+-              .fixed_bits    = 0x0000000000000006 },
+-            { .name = "ID_AA64DFR1_EL1"           },
++              .fixed_bits = (0x6u << R_ID_AA64DFR0_DEBUGVER_SHIFT) },
++            { .name = "ID_AA64DFR1_EL1" },
+             { .name = "ID_AA64DFR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64AFR*",
+-              .is_glob = true                     },
++              .is_glob = true },
+             { .name = "ID_AA64ISAR0_EL1",
+-              .exported_bits = 0x00fffffff0fffff0 },
++              .exported_bits = R_ID_AA64ISAR0_AES_MASK |
++                               R_ID_AA64ISAR0_SHA1_MASK |
++                               R_ID_AA64ISAR0_SHA2_MASK |
++                               R_ID_AA64ISAR0_CRC32_MASK |
++                               R_ID_AA64ISAR0_ATOMIC_MASK |
++                               R_ID_AA64ISAR0_RDM_MASK |
++                               R_ID_AA64ISAR0_SHA3_MASK |
++                               R_ID_AA64ISAR0_SM3_MASK |
++                               R_ID_AA64ISAR0_SM4_MASK |
++                               R_ID_AA64ISAR0_DP_MASK |
++                               R_ID_AA64ISAR0_FHM_MASK |
++                               R_ID_AA64ISAR0_TS_MASK |
++                               R_ID_AA64ISAR0_RNDR_MASK },
+             { .name = "ID_AA64ISAR1_EL1",
+-              .exported_bits = 0x000000f0ffffffff },
++              .exported_bits = R_ID_AA64ISAR1_DPB_MASK |
++                               R_ID_AA64ISAR1_APA_MASK |
++                               R_ID_AA64ISAR1_API_MASK |
++                               R_ID_AA64ISAR1_JSCVT_MASK |
++                               R_ID_AA64ISAR1_FCMA_MASK |
++                               R_ID_AA64ISAR1_LRCPC_MASK |
++                               R_ID_AA64ISAR1_GPA_MASK |
++                               R_ID_AA64ISAR1_GPI_MASK |
++                               R_ID_AA64ISAR1_FRINTTS_MASK |
++                               R_ID_AA64ISAR1_SB_MASK |
++                               R_ID_AA64ISAR1_BF16_MASK |
++                               R_ID_AA64ISAR1_DGH_MASK |
++                               R_ID_AA64ISAR1_I8MM_MASK },
++            { .name = "ID_AA64ISAR2_EL1",
++              .exported_bits = R_ID_AA64ISAR2_WFXT_MASK |
++                               R_ID_AA64ISAR2_RPRES_MASK |
++                               R_ID_AA64ISAR2_GPA3_MASK |
++                               R_ID_AA64ISAR2_APA3_MASK },
+             { .name = "ID_AA64ISAR*_EL1_RESERVED",
+-              .is_glob = true                     },
++              .is_glob = true },
+         };
+         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
+ #endif
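Review bot: the ID_AA64ISAR0_EL1 and ID_AA64ISAR1_EL1 entries in this hunk switch from hex literals to OR-ed field masks in the same change that alters which bits are exported, so the readability cleanup and the behaviour change cannot be reviewed separately. The matching expectations in tests/tcg/aarch64/sysregs.c move from _m(00ff,ffff,f0ff,fff0) to _m(f0ff,ffff,f0ff,fff0) and from _m(0000,00f0,ffff,ffff) to _m(00ff,f0ff,ffff,ffff), which confirms this is not a pure refactor. Either split the conversion from the widening, or list in the commit message which fields become newly visible to user space, including the added ID_AA64ISAR2_EL1 entry.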
+@@ -8194,8 +8252,12 @@ void register_cp_regs_for_features(ARMCPU *cpu)
+ #ifdef CONFIG_USER_ONLY
+         static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
+             { .name = "MIDR_EL1",
+-              .exported_bits = 0x00000000ffffffff },
+-            { .name = "REVIDR_EL1"                },
++              .exported_bits = R_MIDR_EL1_REVISION_MASK |
++                               R_MIDR_EL1_PARTNUM_MASK |
++                               R_MIDR_EL1_ARCHITECTURE_MASK |
++                               R_MIDR_EL1_VARIANT_MASK |
++                               R_MIDR_EL1_IMPLEMENTER_MASK },
++            { .name = "REVIDR_EL1" },
+         };
+         modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
+ #endif
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+index 7b87a9df63..65f8495bdd 100644
+--- a/target/arm/translate-sme.c
++++ b/target/arm/translate-sme.c
+@@ -103,6 +103,21 @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
+     return addr;
+ }
+ 
++/*
++ * Resolve tile.size[0] to a host pointer.
++ * Used by e.g. outer product insns where we require the entire tile.
++ */
++static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)
++{
++    TCGv_ptr addr = tcg_temp_new_ptr();
++    int offset;
++
++    offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);
++
++    tcg_gen_addi_ptr(addr, cpu_env, offset);
++    return addr;
++}
++
+ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
+ {
+     if (!dc_isar_feature(aa64_sme, s)) {
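Review bot: get_tile() takes `esz` but never uses it; the offset is computed only from `tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray)`. Either drop the parameter or say in the function comment that it is kept only for symmetry with get_tile_rowcol(). The comment should also state what range of `tile` the callers guarantee, since the value goes straight into a host pointer offset without a check.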
+@@ -279,8 +294,7 @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     pn = pred_full_reg_ptr(s, a->pn);
+     pm = pred_full_reg_ptr(s, a->pm);
+@@ -310,8 +324,7 @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+@@ -337,8 +350,7 @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+         return true;
+     }
+ 
+-    /* Sum XZR+zad to find ZAd. */
+-    za = get_tile_rowcol(s, esz, 31, a->zad, false);
++    za = get_tile(s, esz, a->zad);
+     zn = vec_full_reg_ptr(s, a->zn);
+     zm = vec_full_reg_ptr(s, a->zm);
+     pn = pred_full_reg_ptr(s, a->pn);
+diff --git a/target/hppa/translate.c b/target/hppa/translate.c
+index 1af77473da..ee68d2f834 100644
+--- a/target/hppa/translate.c
++++ b/target/hppa/translate.c
+@@ -3473,6 +3473,7 @@ static bool trans_be(DisasContext *ctx, arg_be *a)
+         tcg_gen_addi_reg(cpu_iaoq_b, cpu_iaoq_f, 4);
+         tcg_gen_mov_i64(cpu_iasq_f, new_spc);
+         tcg_gen_mov_i64(cpu_iasq_b, cpu_iasq_f);
++        nullify_set(ctx, 0);
+     } else {
+         copy_iaoq_entry(cpu_iaoq_f, ctx->iaoq_b, cpu_iaoq_b);
+         if (ctx->iaoq_b == -1) {
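Review bot: the added `nullify_set(ctx, 0);` in trans_be() carries no comment, and only this branch gets it while the `else` branch below is left unchanged. A short comment saying why the nullification state has to be cleared on this path, and why the other path does not need it, would keep the next reader from treating the asymmetry as an oversight.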
+diff --git a/target/i386/cpu-param.h b/target/i386/cpu-param.h
+index f579b16bd2..e21e472e1e 100644
+--- a/target/i386/cpu-param.h
++++ b/target/i386/cpu-param.h
+@@ -23,7 +23,7 @@
+ # define TARGET_VIRT_ADDR_SPACE_BITS  32
+ #endif
+ #define TARGET_PAGE_BITS 12
+-#define NB_MMU_MODES 5
++#define NB_MMU_MODES 8
+ 
+ #ifndef CONFIG_USER_ONLY
+ # define TARGET_TB_PCREL 1
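Review bot: NB_MMU_MODES becomes a bare 8 here while the indexes it has to cover are defined in target/i386/cpu.h (the highest is MMU_NESTED_IDX at 7), so the two files can drift apart without any diagnostic. Add a comment pointing at the MMU_*_IDX block, or a build-time check in cpu.h that the highest index is below NB_MMU_MODES.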
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 7be047ce33..326649ca99 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2182,17 +2182,42 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+ #define cpu_list x86_cpu_list
+ 
+ /* MMU modes definitions */
+-#define MMU_KSMAP_IDX   0
+-#define MMU_USER_IDX    1
+-#define MMU_KNOSMAP_IDX 2
+-#define MMU_NESTED_IDX  3
+-#define MMU_PHYS_IDX    4
++#define MMU_KSMAP64_IDX    0
++#define MMU_KSMAP32_IDX    1
++#define MMU_USER64_IDX     2
++#define MMU_USER32_IDX     3
++#define MMU_KNOSMAP64_IDX  4
++#define MMU_KNOSMAP32_IDX  5
++#define MMU_PHYS_IDX       6
++#define MMU_NESTED_IDX     7
++
++#ifdef CONFIG_USER_ONLY
++#ifdef TARGET_X86_64
++#define MMU_USER_IDX MMU_USER64_IDX
++#else
++#define MMU_USER_IDX MMU_USER32_IDX
++#endif
++#endif
+ 
+ static inline int cpu_mmu_index(CPUX86State *env, bool ifetch)
+ {
+-    return (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER_IDX :
+-        (!(env->hflags & HF_SMAP_MASK) || (env->eflags & AC_MASK))
+-        ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
++    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 0 : 1;
++    int mmu_index_base =
++        (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER64_IDX :
++        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
++        (env->eflags & AC_MASK) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
++
++    return mmu_index_base + mmu_index_32;
++}
++
++static inline bool is_mmu_index_smap(int mmu_index)
++{
++    return (mmu_index & ~1) == MMU_KSMAP64_IDX;
++}
++
++static inline bool is_mmu_index_user(int mmu_index)
++{
++    return (mmu_index & ~1) == MMU_USER64_IDX;
+ }
+ 
+ static inline bool is_mmu_index_32(int mmu_index)
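Review bot: is_mmu_index_smap() and is_mmu_index_user() compare `(mmu_index & ~1)` against the 64-bit constant, and cpu_mmu_index() adds 0 or 1 to a 64-bit base, so the code depends on every 64-bit index being even with its 32-bit twin at +1. Nothing next to the #define block records that invariant. Add a comment above MMU_KSMAP64_IDX, and consider a build-time assertion such as `QEMU_BUILD_BUG_ON(MMU_USER32_IDX != MMU_USER64_IDX + 1)` for each pair, so that a later renumbering fails to compile instead of silently weakening the SMAP and user checks in mmu_translate().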
+@@ -2203,9 +2228,12 @@ static inline bool is_mmu_index_32(int mmu_index)
+ 
+ static inline int cpu_mmu_index_kernel(CPUX86State *env)
+ {
+-    return !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP_IDX :
+-        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK))
+-        ? MMU_KNOSMAP_IDX : MMU_KSMAP_IDX;
++    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 0 : 1;
++    int mmu_index_base =
++        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
++        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
++
++    return mmu_index_base + mmu_index_32;
+ }
+ 
+ #define CC_DST  (env->cc_dst)
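Review bot: cpu_mmu_index_kernel() selects the 32-bit variant from HF_LMA_MASK, whereas cpu_mmu_index() in the previous hunk uses HF_CS64_MASK, and neither function explains the difference. Add a one-line comment on why implicit kernel accesses key on long mode being active rather than on the current code segment. The `((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? ...` line also runs well past 80 columns; break it the way cpu_mmu_index() is laid out.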
+diff --git a/target/i386/helper.c b/target/i386/helper.c
+index 0ac2da066d..290d9d309c 100644
+--- a/target/i386/helper.c
++++ b/target/i386/helper.c
+@@ -427,7 +427,7 @@ static void do_inject_x86_mce(CPUState *cs, run_on_cpu_data data)
+         if (need_reset) {
+             emit_guest_memory_failure(MEMORY_FAILURE_ACTION_RESET, ar,
+                                       recursive);
+-            monitor_puts(params->mon, msg);
++            monitor_printf(params->mon, "%s", msg);
+             qemu_log_mask(CPU_LOG_RESET, "%s\n", msg);
+             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+             return;
+diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c
+index 5999cdedf5..5f13252d68 100644
+--- a/target/i386/tcg/sysemu/excp_helper.c
++++ b/target/i386/tcg/sysemu/excp_helper.c
+@@ -135,7 +135,7 @@ static bool mmu_translate(CPUX86State *env, const TranslateParams *in,
+ {
+     const target_ulong addr = in->addr;
+     const int pg_mode = in->pg_mode;
+-    const bool is_user = (in->mmu_idx == MMU_USER_IDX);
++    const bool is_user = is_mmu_index_user(in->mmu_idx);
+     const MMUAccessType access_type = in->access_type;
+     uint64_t ptep, pte, rsvd_mask;
+     PTETranslate pte_trans = {
+@@ -355,7 +355,7 @@ do_check_protect_pse36:
+     }
+ 
+     int prot = 0;
+-    if (in->mmu_idx != MMU_KSMAP_IDX || !(ptep & PG_USER_MASK)) {
++    if (!is_mmu_index_smap(in->mmu_idx) || !(ptep & PG_USER_MASK)) {
+         prot |= PAGE_READ;
+         if ((ptep & PG_RW_MASK) || !(is_user || (pg_mode & PG_MODE_WP))) {
+             prot |= PAGE_WRITE;
+@@ -541,7 +541,8 @@ static bool get_physical_address(CPUX86State *env, vaddr addr,
+         if (likely(use_stage2)) {
+             in.cr3 = env->nested_cr3;
+             in.pg_mode = env->nested_pg_mode;
+-            in.mmu_idx = MMU_USER_IDX;
++            in.mmu_idx =
++                env->nested_pg_mode & PG_MODE_LMA ? MMU_USER64_IDX : MMU_USER32_IDX;
+             in.ptw_idx = MMU_PHYS_IDX;
+ 
+             if (!mmu_translate(env, &in, out, err)) {
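Review bot: the new `in.mmu_idx` assignment relies on `&` binding tighter than `?:` in `env->nested_pg_mode & PG_MODE_LMA ? MMU_USER64_IDX : MMU_USER32_IDX`. That parses as intended, but wrapping the test as `(env->nested_pg_mode & PG_MODE_LMA)` makes it obvious on first read and matches the parenthesised style used in cpu_mmu_index().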
+diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
+index 46b04cbdad..92dd50e15e 100644
+--- a/target/loongarch/cpu.c
++++ b/target/loongarch/cpu.c
+@@ -33,31 +33,45 @@ const char * const fregnames[32] = {
+     "f24", "f25", "f26", "f27", "f28", "f29", "f30", "f31",
+ };
+ 
+-static const char * const excp_names[] = {
+-    [EXCCODE_INT] = "Interrupt",
+-    [EXCCODE_PIL] = "Page invalid exception for load",
+-    [EXCCODE_PIS] = "Page invalid exception for store",
+-    [EXCCODE_PIF] = "Page invalid exception for fetch",
+-    [EXCCODE_PME] = "Page modified exception",
+-    [EXCCODE_PNR] = "Page Not Readable exception",
+-    [EXCCODE_PNX] = "Page Not Executable exception",
+-    [EXCCODE_PPI] = "Page Privilege error",
+-    [EXCCODE_ADEF] = "Address error for instruction fetch",
+-    [EXCCODE_ADEM] = "Address error for Memory access",
+-    [EXCCODE_SYS] = "Syscall",
+-    [EXCCODE_BRK] = "Break",
+-    [EXCCODE_INE] = "Instruction Non-Existent",
+-    [EXCCODE_IPE] = "Instruction privilege error",
+-    [EXCCODE_FPD] = "Floating Point Disabled",
+-    [EXCCODE_FPE] = "Floating Point Exception",
+-    [EXCCODE_DBP] = "Debug breakpoint",
+-    [EXCCODE_BCE] = "Bound Check Exception",
++struct TypeExcp {
++    int32_t exccode;
++    const char * const name;
++};
++
++static const struct TypeExcp excp_names[] = {
++    {EXCCODE_INT, "Interrupt"},
++    {EXCCODE_PIL, "Page invalid exception for load"},
++    {EXCCODE_PIS, "Page invalid exception for store"},
++    {EXCCODE_PIF, "Page invalid exception for fetch"},
++    {EXCCODE_PME, "Page modified exception"},
++    {EXCCODE_PNR, "Page Not Readable exception"},
++    {EXCCODE_PNX, "Page Not Executable exception"},
++    {EXCCODE_PPI, "Page Privilege error"},
++    {EXCCODE_ADEF, "Address error for instruction fetch"},
++    {EXCCODE_ADEM, "Address error for Memory access"},
++    {EXCCODE_SYS, "Syscall"},
++    {EXCCODE_BRK, "Break"},
++    {EXCCODE_INE, "Instruction Non-Existent"},
++    {EXCCODE_IPE, "Instruction privilege error"},
++    {EXCCODE_FPD, "Floating Point Disabled"},
++    {EXCCODE_FPE, "Floating Point Exception"},
++    {EXCCODE_DBP, "Debug breakpoint"},
++    {EXCCODE_BCE, "Bound Check Exception"},
++    {EXCCODE_SXD, "128 bit vector instructions Disable exception"},
++    {EXCCODE_ASXD, "256 bit vector instructions Disable exception"},
++    {EXCP_HLT, "EXCP_HLT"},
+ };
+ 
+ const char *loongarch_exception_name(int32_t exception)
+ {
+-    assert(excp_names[exception]);
+-    return excp_names[exception];
++    int i;
++
++    for (i = 0; i < ARRAY_SIZE(excp_names); i++) {
++        if (excp_names[i].exccode == exception) {
++            return excp_names[i].name;
++        }
++    }
++    return "Unknown";
+ }
+ 
+ void G_NORETURN do_raise_exception(CPULoongArchState *env,
+@@ -66,7 +80,7 @@ void G_NORETURN do_raise_exception(CPULoongArchState *env,
+ {
+     CPUState *cs = env_cpu(env);
+ 
+-    qemu_log_mask(CPU_LOG_INT, "%s: %d (%s)\n",
++    qemu_log_mask(CPU_LOG_INT, "%s: expection: %d (%s)\n",
+                   __func__,
+                   exception,
+                   loongarch_exception_name(exception));
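Review bot: the new format string in do_raise_exception() spells the label as "expection"; it should read "exception", which is also what the reworked message in loongarch_cpu_do_interrupt() uses. Anyone grepping CPU_LOG_INT output for "exception:" will otherwise miss these lines.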
+@@ -143,22 +157,16 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
+     CPULoongArchState *env = &cpu->env;
+     bool update_badinstr = 1;
+     int cause = -1;
+-    const char *name;
+     bool tlbfill = FIELD_EX64(env->CSR_TLBRERA, CSR_TLBRERA, ISTLBR);
+     uint32_t vec_size = FIELD_EX64(env->CSR_ECFG, CSR_ECFG, VS);
+ 
+     if (cs->exception_index != EXCCODE_INT) {
+-        if (cs->exception_index < 0 ||
+-            cs->exception_index >= ARRAY_SIZE(excp_names)) {
+-            name = "unknown";
+-        } else {
+-            name = excp_names[cs->exception_index];
+-        }
+-
+         qemu_log_mask(CPU_LOG_INT,
+                      "%s enter: pc " TARGET_FMT_lx " ERA " TARGET_FMT_lx
+-                     " TLBRERA " TARGET_FMT_lx " %s exception\n", __func__,
+-                     env->pc, env->CSR_ERA, env->CSR_TLBRERA, name);
++                     " TLBRERA " TARGET_FMT_lx " exception: %d (%s)\n",
++                     __func__, env->pc, env->CSR_ERA, env->CSR_TLBRERA,
++                     cs->exception_index,
++                     loongarch_exception_name(cs->exception_index));
+     }
+ 
+     switch (cs->exception_index) {
+diff --git a/target/sh4/translate.c b/target/sh4/translate.c
+index 7db3468b01..8d6eae7ddf 100644
+--- a/target/sh4/translate.c
++++ b/target/sh4/translate.c
+@@ -528,6 +528,7 @@ static void _decode_opc(DisasContext * ctx)
+ 	tcg_gen_movi_i32(REG(B11_8), B7_0s);
+ 	return;
+     case 0x9000:		/* mov.w @(disp,PC),Rn */
++        CHECK_NOT_DELAY_SLOT
+ 	{
+             TCGv addr = tcg_const_i32(ctx->base.pc_next + 4 + B7_0 * 2);
+             tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx, MO_TESW);
+@@ -535,6 +536,7 @@ static void _decode_opc(DisasContext * ctx)
+ 	}
+ 	return;
+     case 0xd000:		/* mov.l @(disp,PC),Rn */
++        CHECK_NOT_DELAY_SLOT
+ 	{
+             TCGv addr = tcg_const_i32((ctx->base.pc_next + 4 + B7_0 * 4) & ~3);
+             tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx, MO_TESL);
+@@ -1295,6 +1297,7 @@ static void _decode_opc(DisasContext * ctx)
+ 	}
+ 	return;
+     case 0xc700:		/* mova @(disp,PC),R0 */
++        CHECK_NOT_DELAY_SLOT
+         tcg_gen_movi_i32(REG(0), ((ctx->base.pc_next & 0xfffffffc) +
+                                   4 + B7_0 * 4) & ~3);
+ 	return;
+diff --git a/tcg/optimize.c b/tcg/optimize.c
+index ae081ab29c..100b75efd8 100644
+--- a/tcg/optimize.c
++++ b/tcg/optimize.c
+@@ -1634,16 +1634,10 @@ static bool fold_nand(OptContext *ctx, TCGOp *op)
+     return false;
+ }
+ 
+-static bool fold_neg(OptContext *ctx, TCGOp *op)
++static bool fold_neg_no_const(OptContext *ctx, TCGOp *op)
+ {
+-    uint64_t z_mask;
+-
+-    if (fold_const1(ctx, op)) {
+-        return true;
+-    }
+-
+     /* Set to 1 all bits to the left of the rightmost.  */
+-    z_mask = arg_info(op->args[1])->z_mask;
++    uint64_t z_mask = arg_info(op->args[1])->z_mask;
+     ctx->z_mask = -(z_mask & -z_mask);
+ 
+     /*
+@@ -1654,6 +1648,11 @@ static bool fold_neg(OptContext *ctx, TCGOp *op)
+     return true;
+ }
+ 
++static bool fold_neg(OptContext *ctx, TCGOp *op)
++{
++    return fold_const1(ctx, op) || fold_neg_no_const(ctx, op);
++}
++
+ static bool fold_nor(OptContext *ctx, TCGOp *op)
+ {
+     if (fold_const2_commutative(ctx, op) ||
+@@ -1907,7 +1906,7 @@ static bool fold_shift(OptContext *ctx, TCGOp *op)
+          * will not reduced the number of input sign repetitions.
+          */
+         sign = (s_mask & -s_mask) >> 1;
+-        if (!(z_mask & sign)) {
++        if (sign && !(z_mask & sign)) {
+             ctx->s_mask = s_mask;
+         }
+         break;
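Review bot: the added `sign &&` guard in fold_shift() has no explanation, and the comment above it still describes only the z_mask test. `sign` is `(s_mask & -s_mask) >> 1`, so it is 0 whenever s_mask is 0 or its lowest set bit is bit 0; before this change `!(z_mask & sign)` was trivially true in that case and s_mask was carried over. Extend the comment to say that this case is now excluded and why keeping s_mask there is wrong.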
+@@ -1949,7 +1948,7 @@ static bool fold_sub_to_neg(OptContext *ctx, TCGOp *op)
+     if (have_neg) {
+         op->opc = neg_op;
+         op->args[1] = op->args[2];
+-        return fold_neg(ctx, op);
++        return fold_neg_no_const(ctx, op);
+     }
+     return false;
+ }
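Review bot: fold_sub_to_neg() now calls fold_neg_no_const() instead of fold_neg(), but the call site does not say why constant folding has to be skipped after the op has been rewritten to a negate. A short comment here, or on fold_neg_no_const() itself, stating the precondition callers must meet would stop someone from "simplifying" this back to fold_neg().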
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index a72578fccb..bd29446835 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -10,6 +10,7 @@ VPATH 		+= $(AARCH64_SRC)
+ 
+ # Base architecture tests
+ AARCH64_TESTS=fcvt pcalign-a64
++AARCH64_TESTS += test-2248 test-2150
+ 
+ fcvt: LDFLAGS+=-lm
+ 
+@@ -23,7 +24,8 @@ config-cc.mak: Makefile
+ 	    $(call cc-option,-march=armv8.1-a+sve2,         CROSS_CC_HAS_SVE2); \
+ 	    $(call cc-option,-march=armv8.3-a,              CROSS_CC_HAS_ARMV8_3); \
+ 	    $(call cc-option,-mbranch-protection=standard,  CROSS_CC_HAS_ARMV8_BTI); \
+-	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE)) 3> config-cc.mak
++	    $(call cc-option,-march=armv8.5-a+memtag,       CROSS_CC_HAS_ARMV8_MTE); \
++	    $(call cc-option,-Wa$(COMMA)-march=armv9-a+sme, CROSS_AS_HAS_ARMV9_SME)) 3> config-cc.mak
+ -include config-cc.mak
+ 
+ # Pauth Tests
+@@ -50,11 +52,15 @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7
+ mte-%: CFLAGS += -march=armv8.5-a+memtag
+ endif
+ 
+-ifneq ($(CROSS_CC_HAS_SVE),)
++# SME Tests
++ifneq ($(CROSS_AS_HAS_ARMV9_SME),)
++AARCH64_TESTS += sme-outprod1
++endif
++
+ # System Registers Tests
+ AARCH64_TESTS += sysregs
+-sysregs: CFLAGS+=-march=armv8.1-a+sve
+ 
++ifneq ($(CROSS_CC_HAS_SVE),)
+ # SVE ioctl test
+ AARCH64_TESTS += sve-ioctls
+ sve-ioctls: CFLAGS+=-march=armv8.1-a+sve
+diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c
+new file mode 100644
+index 0000000000..6e5972d75e
+--- /dev/null
++++ b/tests/tcg/aarch64/sme-outprod1.c
+@@ -0,0 +1,83 @@
++/*
++ * SME outer product, 1 x 1.
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#include <stdio.h>
++
++extern void foo(float *dst);
++
++asm(
++"	.arch_extension sme\n"
++"	.type foo, @function\n"
++"foo:\n"
++"	stp x29, x30, [sp, -80]!\n"
++"	mov x29, sp\n"
++"	stp d8, d9, [sp, 16]\n"
++"	stp d10, d11, [sp, 32]\n"
++"	stp d12, d13, [sp, 48]\n"
++"	stp d14, d15, [sp, 64]\n"
++"	smstart\n"
++"	ptrue p0.s, vl4\n"
++"	fmov z0.s, #1.0\n"
++/*
++ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.
++ * Note that we are using tile 1 here (za1.s) rather than tile 0.
++ */
++"	zero {za}\n"
++"	fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"
++/*
++ * Read the first 4x4 sub-matrix of elements from tile 1:
++ * Note that za1h should be interchangable here.
++ */
++"	mov w12, #0\n"
++"	mova z0.s, p0/m, za1v.s[w12, #0]\n"
++"	mova z1.s, p0/m, za1v.s[w12, #1]\n"
++"	mova z2.s, p0/m, za1v.s[w12, #2]\n"
++"	mova z3.s, p0/m, za1v.s[w12, #3]\n"
++/*
++ * And store them to the input pointer (dst in the C code):
++ */
++"	st1w {z0.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z1.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z2.s}, p0, [x0]\n"
++"	add x0, x0, #16\n"
++"	st1w {z3.s}, p0, [x0]\n"
++"	smstop\n"
++"	ldp d8, d9, [sp, 16]\n"
++"	ldp d10, d11, [sp, 32]\n"
++"	ldp d12, d13, [sp, 48]\n"
++"	ldp d14, d15, [sp, 64]\n"
++"	ldp x29, x30, [sp], 80\n"
++"	ret\n"
++"	.size foo, . - foo"
++);
++
++int main()
++{
++    float dst[16];
++    int i, j;
++
++    foo(dst);
++
++    for (i = 0; i < 16; i++) {
++        if (dst[i] != 1.0f) {
++            break;
++        }
++    }
++
++    if (i == 16) {
++        return 0; /* success */
++    }
++
++    /* failure */
++    for (i = 0; i < 4; ++i) {
++        for (j = 0; j < 4; ++j) {
++            printf("%f ", (double)dst[i * 4 + j]);
++        }
++        printf("\n");
++    }
++    return 1;
++}
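Review bot: sme-outprod1.c checks only that the 4x4 corner of za1.s is all 1.0 and never reads any other tile, so it cannot tell a correct result from one where the outer product was also written somewhere it should not be. Since the test comment stresses that tile 1 is used rather than tile 0, reading za0.s back after the `fmopa` and asserting that it is still zero would make the intent explicit. The comment in the asm block also misspells "interchangeable".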
+diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
+index 40cf8d2877..d8eb06abcf 100644
+--- a/tests/tcg/aarch64/sysregs.c
++++ b/tests/tcg/aarch64/sysregs.c
+@@ -22,6 +22,18 @@
+ #define HWCAP_CPUID (1 << 11)
+ #endif
+ 
++/*
++ * Older assemblers don't recognize newer system register names,
++ * but we can still access them by the Sn_n_Cn_Cn_n syntax.
++ * This also means we don't need to specifically request that the
++ * assembler enables whatever architectural features the ID registers
++ * syntax might be gated behind.
++ */
++#define SYS_ID_AA64ISAR2_EL1 S3_0_C0_C6_2
++#define SYS_ID_AA64MMFR2_EL1 S3_0_C0_C7_2
++#define SYS_ID_AA64ZFR0_EL1 S3_0_C0_C4_4
++#define SYS_ID_AA64SMFR0_EL1 S3_0_C0_C4_5
++
+ int failed_bit_count;
+ 
+ /* Read and print system register `id' value */
+@@ -112,18 +124,21 @@ int main(void)
+      * minimum valid fields - for the purposes of this check allowed
+      * to have non-zero values.
+      */
+-    get_cpu_reg_check_mask(id_aa64isar0_el1, _m(00ff,ffff,f0ff,fff0));
+-    get_cpu_reg_check_mask(id_aa64isar1_el1, _m(0000,00f0,ffff,ffff));
++    get_cpu_reg_check_mask(id_aa64isar0_el1, _m(f0ff,ffff,f0ff,fff0));
++    get_cpu_reg_check_mask(id_aa64isar1_el1, _m(00ff,f0ff,ffff,ffff));
++    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(0000,0000,0000,ffff));
+     /* TGran4 & TGran64 as pegged to -1 */
+-    get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(0000,0000,ff00,0000));
+-    get_cpu_reg_check_zero(id_aa64mmfr1_el1);
++    get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(f000,0000,ff00,0000));
++    get_cpu_reg_check_mask(id_aa64mmfr1_el1, _m(0000,f000,0000,0000));
++    get_cpu_reg_check_mask(SYS_ID_AA64MMFR2_EL1, _m(0000,000f,0000,0000));
+     /* EL1/EL0 reported as AA64 only */
+     get_cpu_reg_check_mask(id_aa64pfr0_el1,  _m(000f,000f,00ff,0011));
+-    get_cpu_reg_check_mask(id_aa64pfr1_el1,  _m(0000,0000,0000,00f0));
++    get_cpu_reg_check_mask(id_aa64pfr1_el1,  _m(0000,0000,0f00,0fff));
+     /* all hidden, DebugVer fixed to 0x6 (ARMv8 debug architecture) */
+     get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
+     get_cpu_reg_check_zero(id_aa64dfr1_el1);
+-    get_cpu_reg_check_zero(id_aa64zfr0_el1);
++    get_cpu_reg_check_mask(SYS_ID_AA64ZFR0_EL1,  _m(0ff0,ff0f,00ff,00ff));
++    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(80f1,00fd,0000,0000));
+ 
+     get_cpu_reg_check_zero(id_aa64afr0_el1);
+     get_cpu_reg_check_zero(id_aa64afr1_el1);
+diff --git a/tests/tcg/aarch64/test-2150.c b/tests/tcg/aarch64/test-2150.c
+new file mode 100644
+index 0000000000..fb86c11958
+--- /dev/null
++++ b/tests/tcg/aarch64/test-2150.c
+@@ -0,0 +1,12 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++/* See https://gitlab.com/qemu-project/qemu/-/issues/2150 */
++
++int main()
++{
++    asm volatile(
++        "movi     v6.4s, #1\n"
++        "movi     v7.4s, #0\n"
++        "sub      v6.2d, v7.2d, v6.2d\n"
++        : : : "v6", "v7");
++    return 0;
++}
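Review bot: main() in test-2150.c returns 0 unconditionally and never reads v6, so the test can only catch a crash or abort while the `sub v6.2d, v7.2d, v6.2d` sequence is translated or executed, not a wrong result. If that is the intent, say so in a comment next to the issue link; otherwise store v6 to memory and compare it with the expected value.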
+diff --git a/tests/tcg/aarch64/test-2248.c b/tests/tcg/aarch64/test-2248.c
+new file mode 100644
+index 0000000000..aac2e17836
+--- /dev/null
++++ b/tests/tcg/aarch64/test-2248.c
+@@ -0,0 +1,28 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++/* See https://gitlab.com/qemu-project/qemu/-/issues/2248 */
++
++#include <assert.h>
++
++__attribute__((noinline))
++long test(long x, long y, long sh)
++{
++    long r;
++    asm("cmp   %1, %2\n\t"
++        "cset  x12, lt\n\t"
++        "and   w11, w12, #0xff\n\t"
++        "cmp   w11, #0\n\t"
++        "csetm x14, ne\n\t"
++        "lsr   x13, x14, %3\n\t"
++        "sxtb  %0, w13"
++        : "=r"(r)
++        : "r"(x), "r"(y), "r"(sh)
++        : "x11", "x12", "x13", "x14");
++    return r;
++}
++
++int main()
++{
++    long r = test(0, 1, 2);
++    assert(r == -1);
++    return 0;
++}
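Review bot: the asm statement in test() executes `cmp` twice, which changes the condition flags, but the clobber list names only x11 to x14; add "cc" so the compiler does not assume the flags survive. The result is also checked with `assert(r == -1)`, which disappears if the test is ever built with NDEBUG; returning a non-zero status from main() on mismatch, as sme-outprod1.c does, is more robust.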
+diff --git a/tests/unit/meson.build b/tests/unit/meson.build
+index b497a41378..ca44f45232 100644
+--- a/tests/unit/meson.build
++++ b/tests/unit/meson.build
+@@ -166,8 +166,12 @@ test_env.set('G_TEST_SRCDIR', meson.current_source_dir())
+ test_env.set('G_TEST_BUILDDIR', meson.current_build_dir())
+ 
+ slow_tests = {
+-  'test-crypto-tlscredsx509': 45,
+-  'test-crypto-tlssession': 45
++  'test-aio-multithread' : 120,
++  'test-bufferiszero': 60,
++  'test-crypto-block' : 300,
++  'test-crypto-tlscredsx509': 90,
++  'test-crypto-tlssession': 90,
++  'test-replication': 60,
+ }
+ 
+ foreach test_name, extra: tests
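Review bot: the new slow_tests entries mix `'name' : value` and `'name': value` spacing within one dict; pick one form. The hunk also doubles the two TLS timeouts and adds four new entries without a comment saying what the numbers are based on, which makes it hard to judge later whether a timeout signals a regression or just a slow builder.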
+diff --git a/ui/cocoa.m b/ui/cocoa.m
+index 660d3e0935..c41689e951 100644
+--- a/ui/cocoa.m
++++ b/ui/cocoa.m
+@@ -53,6 +53,10 @@
+ #define MAC_OS_X_VERSION_10_13 101300
+ #endif
+ 
++#ifndef MAC_OS_VERSION_14_0
++#define MAC_OS_VERSION_14_0 140000
++#endif
++
+ /* 10.14 deprecates NSOnState and NSOffState in favor of
+  * NSControlStateValueOn/Off, which were introduced in 10.13.
+  * Define for older versions
+@@ -361,6 +365,9 @@ - (id)initWithFrame:(NSRect)frameRect
+         screen.width = frameRect.size.width;
+         screen.height = frameRect.size.height;
+         kbd = qkbd_state_init(dcl.con);
++#if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_14_0
++        [self setClipsToBounds:YES];
++#endif
+ 
+     }
+     return self;
