!1021 [sync] PR-1017: QEMU update to version 6.2.0-101

From: @openeuler-sync-bot 
Reviewed-by: @imxcc 
Signed-off-by: @imxcc

Hexagon-target-hexagon-remove-unused-encodings.patch

@@ -0,0 +1,70 @@
+From 3be03a8e76551f8065fbe75633f9f0ce5200d8e0 Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 19:02:59 +0800
+Subject: [PATCH] Hexagon (target/hexagon) remove unused encodings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove encodings guarded by ifdef that is not defined
+
+Signed-off-by: Taylor Simpson <tsimpson@quicinc.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
+---
+ target/hexagon/imported/encode_pp.def | 23 -----------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/target/hexagon/imported/encode_pp.def b/target/hexagon/imported/encode_pp.def
+index 939c6fc55f..d71c04cd30 100644
+--- a/target/hexagon/imported/encode_pp.def
++++ b/target/hexagon/imported/encode_pp.def
+@@ -944,13 +944,6 @@ MPY_ENC(F2_dfmpyfix,         "1000","ddddd","0","0","1","0","11")
+ MPY_ENC(F2_dfmin,            "1000","ddddd","0","0","1","1","11")
+ MPY_ENC(F2_dfmax,            "1000","ddddd","0","1","0","0","11")
+ MPY_ENC(F2_dfmpyll,          "1000","ddddd","0","1","0","1","11")
+-#ifdef ADD_DP_OPS
+-MPY_ENC(F2_dfdivcheat,       "1000","ddddd","0","0","0","1","00")
+-
+-MPY_ENC(F2_dffixupn,         "1000","ddddd","0","1","0","1","11")
+-MPY_ENC(F2_dffixupd,         "1000","ddddd","0","1","1","0","11")
+-MPY_ENC(F2_dfrecipa,         "1000","ddddd","0","1","1","1","ee")
+-#endif
+ 
+ MPY_ENC(M7_dcmpyrw,          "1000","ddddd","0","0","0","1","10")
+ MPY_ENC(M7_dcmpyrwc,         "1000","ddddd","0","0","1","1","10")
+@@ -1024,15 +1017,6 @@ MPY_ENC(M5_vdmacbsu,         "1010","xxxxx","0","1","0","0","01")
+ 
+ MPY_ENC(F2_dfmpylh,          "1010","xxxxx","0","0","0","0","11")
+ MPY_ENC(F2_dfmpyhh,          "1010","xxxxx","0","0","0","1","11")
+-#ifdef ADD_DP_OPS
+-MPY_ENC(F2_dfmpyhh,          "1010","xxxxx","0","0","1","0","11")
+-MPY_ENC(F2_dffma,            "1010","xxxxx","0","0","0","0","11")
+-MPY_ENC(F2_dffms,            "1010","xxxxx","0","0","0","1","11")
+-
+-MPY_ENC(F2_dffma_lib,        "1010","xxxxx","0","0","1","0","11")
+-MPY_ENC(F2_dffms_lib,        "1010","xxxxx","0","0","1","1","11")
+-MPY_ENC(F2_dffma_sc,         "1010","xxxxx","0","1","1","1","uu")
+-#endif
+ 
+ 
+ MPY_ENC(M7_dcmpyrw_acc,      "1010","xxxxx","0","0","0","1","10")
+@@ -1547,15 +1531,8 @@ SH2_RR_ENC(F2_conv_df2d,      "0000","111","0","0 00","ddddd")
+ SH2_RR_ENC(F2_conv_df2ud,     "0000","111","0","0 01","ddddd")
+ SH2_RR_ENC(F2_conv_ud2df,     "0000","111","0","0 10","ddddd")
+ SH2_RR_ENC(F2_conv_d2df,      "0000","111","0","0 11","ddddd")
+-#ifdef ADD_DP_OPS
+-SH2_RR_ENC(F2_dffixupr,       "0000","111","0","1 00","ddddd")
+-SH2_RR_ENC(F2_dfsqrtcheat,    "0000","111","0","1 01","ddddd")
+-#endif
+ SH2_RR_ENC(F2_conv_df2d_chop, "0000","111","0","1 10","ddddd")
+ SH2_RR_ENC(F2_conv_df2ud_chop,"0000","111","0","1 11","ddddd")
+-#ifdef ADD_DP_OPS
+-SH2_RR_ENC(F2_dfinvsqrta,     "0000","111","1","0 ee","ddddd")
+-#endif
+ 
+ 
+ 
+-- 
+2.41.0.windows.1
+

Subject-PATCH-kvm-Use-unsigned-long-for-request-argu.patch

@@ -0,0 +1,189 @@
+From d3dcd2635b1830648a1aa95d5653aba6fd20bde6 Mon Sep 17 00:00:00 2001
+From: dinglimin <dinglimin@cmss.chinamobile.com>
+Date: Mon, 16 Sep 2024 16:36:27 +0800
+Subject: [PATCH] Subject: [PATCH] kvm: Use 'unsigned long' for request
+ argument in functions  wrapping ioctl()
+
+Change the data type of the ioctl _request_ argument from 'int' to
+'unsigned long' for the various accel/kvm functions which are
+essentially wrappers around the ioctl() syscall.
+
+The correct type for ioctl()'s 'request' argument is confused:
+ * POSIX defines the request argument as 'int'
+ * glibc uses 'unsigned long' in the prototype in sys/ioctl.h
+ * the glibc info documentation uses 'int'
+ * the Linux manpage uses 'unsigned long'
+ * the Linux implementation of the syscall uses 'unsigned int'
+
+If we wrap ioctl() with another function which uses 'int' as the
+type for the request argument, then requests with the 0x8000_0000
+bit set will be sign-extended when the 'int' is cast to
+'unsigned long' for the call to ioctl().
+
+On x86_64 one such example is the KVM_IRQ_LINE_STATUS request.
+Bit requests with the _IOC_READ direction bit set, will have the high
+bit set.
+
+Fortunately the Linux Kernel truncates the upper 32bit of the request
+on 64bit machines (because it uses 'unsigned int', and see also Linus
+Torvalds' comments in
+  https://sourceware.org/bugzilla/show_bug.cgi?id=14362 )
+so this doesn't cause active problems for us.  However it is more
+consistent to follow the glibc ioctl() prototype when we define
+functions that are essentially wrappers around ioctl().
+
+This resolves a Coverity issue where it points out that in
+kvm_get_xsave() we assign a value (KVM_GET_XSAVE or KVM_GET_XSAVE2)
+to an 'int' variable which can't hold it without overflow.
+
+Resolves: Coverity CID 1547759
+Signed-off-by: Johannes Stoelp <johannes.stoelp@gmail.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20240815122747.3053871-1-peter.maydell@linaro.org
+[PMM: Rebased patch, adjusted commit message, included note about
+ Coverity fix, updated the type of the local var in kvm_get_xsave,
+ updated the comment in the KVMState struct definition]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
+---
+ accel/kvm/kvm-all.c      |  8 ++++----
+ accel/kvm/trace-events   |  8 ++++----
+ include/sysemu/kvm.h     |  8 ++++----
+ include/sysemu/kvm_int.h | 17 +++++++++++++----
+ target/i386/kvm/kvm.c    |  3 ++-
+ 5 files changed, 27 insertions(+), 17 deletions(-)
+
+diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
+index 3a09307a26..2eb0666bd7 100644
+--- a/accel/kvm/kvm-all.c
++++ b/accel/kvm/kvm-all.c
+@@ -2985,7 +2985,7 @@ int kvm_cpu_exec(CPUState *cpu)
+     return ret;
+ }
+ 
+-int kvm_ioctl(KVMState *s, int type, ...)
++int kvm_ioctl(KVMState *s, unsigned long type, ...)
+ {
+     int ret;
+     void *arg;
+@@ -3003,7 +3003,7 @@ int kvm_ioctl(KVMState *s, int type, ...)
+     return ret;
+ }
+ 
+-int kvm_vm_ioctl(KVMState *s, int type, ...)
++int kvm_vm_ioctl(KVMState *s, unsigned long type, ...)
+ {
+     int ret;
+     void *arg;
+@@ -3021,7 +3021,7 @@ int kvm_vm_ioctl(KVMState *s, int type, ...)
+     return ret;
+ }
+ 
+-int kvm_vcpu_ioctl(CPUState *cpu, int type, ...)
++int kvm_vcpu_ioctl(CPUState *cpu, unsigned long type, ...)
+ {
+     int ret;
+     void *arg;
+@@ -3039,7 +3039,7 @@ int kvm_vcpu_ioctl(CPUState *cpu, int type, ...)
+     return ret;
+ }
+ 
+-int kvm_device_ioctl(int fd, int type, ...)
++int kvm_device_ioctl(int fd, unsigned long type, ...)
+ {
+     int ret;
+     void *arg;
+diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
+index 399aaeb0ec..a1905fe985 100644
+--- a/accel/kvm/trace-events
++++ b/accel/kvm/trace-events
+@@ -1,11 +1,11 @@
+ # See docs/devel/tracing.rst for syntax documentation.
+ 
+ # kvm-all.c
+-kvm_ioctl(int type, void *arg) "type 0x%x, arg %p"
+-kvm_vm_ioctl(int type, void *arg) "type 0x%x, arg %p"
+-kvm_vcpu_ioctl(int cpu_index, int type, void *arg) "cpu_index %d, type 0x%x, arg %p"
++kvm_ioctl(unsigned long type, void *arg) "type 0x%lx, arg %p"
++kvm_vm_ioctl(unsigned long type, void *arg) "type 0x%lx, arg %p"
++kvm_vcpu_ioctl(int cpu_index, unsigned long type, void *arg) "cpu_index %d, type 0x%lx, arg %p"
+ kvm_run_exit(int cpu_index, uint32_t reason) "cpu_index %d, reason %d"
+-kvm_device_ioctl(int fd, int type, void *arg) "dev fd %d, type 0x%x, arg %p"
++kvm_device_ioctl(int fd, unsigned long type, void *arg) "dev fd %d, type 0x%lx, arg %p"
+ kvm_failed_reg_get(uint64_t id, const char *msg) "Warning: Unable to retrieve ONEREG %" PRIu64 " from KVM: %s"
+ kvm_failed_reg_set(uint64_t id, const char *msg) "Warning: Unable to set ONEREG %" PRIu64 " to KVM: %s"
+ kvm_init_vcpu(int cpu_index, unsigned long arch_cpu_id) "index: %d id: %lu"
+diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
+index 5860228034..5c06cd3d91 100644
+--- a/include/sysemu/kvm.h
++++ b/include/sysemu/kvm.h
+@@ -258,11 +258,11 @@ int kvm_on_sigbus(int code, void *addr);
+ 
+ /* internal API */
+ 
+-int kvm_ioctl(KVMState *s, int type, ...);
++int kvm_ioctl(KVMState *s, unsigned long type, ...);
+ 
+-int kvm_vm_ioctl(KVMState *s, int type, ...);
++int kvm_vm_ioctl(KVMState *s, unsigned long type, ...);
+ 
+-int kvm_vcpu_ioctl(CPUState *cpu, int type, ...);
++int kvm_vcpu_ioctl(CPUState *cpu, unsigned long type, ...);
+ 
+ /**
+  * kvm_device_ioctl - call an ioctl on a kvm device
+@@ -271,7 +271,7 @@ int kvm_vcpu_ioctl(CPUState *cpu, int type, ...);
+  *
+  * Returns: -errno on error, nonnegative on success
+  */
+-int kvm_device_ioctl(int fd, int type, ...);
++int kvm_device_ioctl(int fd, unsigned long type, ...);
+ 
+ /**
+  * kvm_vm_check_attr - check for existence of a specific vm attribute
+diff --git a/include/sysemu/kvm_int.h b/include/sysemu/kvm_int.h
+index 3b4adcdc10..b332d79ce5 100644
+--- a/include/sysemu/kvm_int.h
++++ b/include/sysemu/kvm_int.h
+@@ -83,10 +83,19 @@ struct KVMState
+     OnOffAuto kernel_irqchip_split;
+     bool sync_mmu;
+     uint64_t manual_dirty_log_protect;
+-    /* The man page (and posix) say ioctl numbers are signed int, but
+-     * they're not.  Linux, glibc and *BSD all treat ioctl numbers as
+-     * unsigned, and treating them as signed here can break things */
+-    unsigned irq_set_ioctl;
++    /*
++     * Older POSIX says that ioctl numbers are signed int, but in
++     * practice they are not. (Newer POSIX doesn't specify ioctl
++     * at all.) Linux, glibc and *BSD all treat ioctl numbers as
++     * unsigned, and real-world ioctl values like KVM_GET_XSAVE have
++     * bit 31 set, which means that passing them via an 'int' will
++     * result in sign-extension when they get converted back to the
++     * 'unsigned long' which the ioctl() prototype uses. Luckily Linux
++     * always treats the argument as an unsigned 32-bit int, so any
++     * possible sign-extension is deliberately ignored, but for
++     * consistency we keep to the same type that glibc is using.
++     */
++    unsigned long irq_set_ioctl;
+     unsigned int sigmask_len;
+     GHashTable *gsimap;
+ #ifdef KVM_CAP_IRQ_ROUTING
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index 9f3ddd5da2..15755197f4 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -3360,7 +3360,8 @@ static int kvm_get_xsave(X86CPU *cpu)
+ {
+     CPUX86State *env = &cpu->env;
+     void *xsave = env->xsave_buf;
+-    int type, ret;
++    unsigned long type;
++    int ret;
+ 
+     if (!has_xsave) {
+         return kvm_get_fpu(cpu);
+-- 
+2.41.0.windows.1
+

bios-tables-test-Make-oem-fields-tests-be-consistent.patch

@@ -0,0 +1,102 @@
+From 2a9e30e5cd8d838a367175a0c1bad0e79764063f Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 15:09:30 +0800
+Subject: [PATCH] bios-tables-test: Make oem-fields tests be consistent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Every other test function is named:
+
+        test_acpi_<machine>_<test>()
+
+Just make this test the same.  Once there, rename "acpi/oem-fields" to
+"acpi/piix4/oem-fields" so it is consistent with everything else.
+
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+Message-Id: <20220902173452.1904-2-quintela@redhat.com>
+Reviewed-by: Ani Sinha <ani@anisinha.ca>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Liu Jing <liujing@cmss.chinamobile.com>
+---
+ tests/qtest/bios-tables-test.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index ff8f13199d..0b89cae577 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -1501,7 +1501,7 @@ static void test_oem_fields(test_data *data)
+     }
+ }
+ 
+-static void test_acpi_oem_fields_pc(void)
++static void test_acpi_piix4_oem_fields(void)
+ {
+     test_data data;
+     char *args;
+@@ -1521,7 +1521,7 @@ static void test_acpi_oem_fields_pc(void)
+     g_free(args);
+ }
+ 
+-static void test_acpi_oem_fields_q35(void)
++static void test_acpi_q35_oem_fields(void)
+ {
+     test_data data;
+     char *args;
+@@ -1541,7 +1541,7 @@ static void test_acpi_oem_fields_q35(void)
+     g_free(args);
+ }
+ 
+-static void test_acpi_oem_fields_microvm(void)
++static void test_acpi_microvm_oem_fields(void)
+ {
+     test_data data;
+     char *args;
+@@ -1558,7 +1558,7 @@ static void test_acpi_oem_fields_microvm(void)
+     g_free(args);
+ }
+ 
+-static void test_acpi_oem_fields_virt(void)
++static void test_acpi_virt_oem_fields(void)
+ {
+     test_data data = {
+         .machine = "virt",
+@@ -1596,13 +1596,13 @@ int main(int argc, char *argv[])
+         if (ret) {
+             return ret;
+         }
+-        qtest_add_func("acpi/q35/oem-fields", test_acpi_oem_fields_q35);
++        qtest_add_func("acpi/q35/oem-fields", test_acpi_q35_oem_fields);
+         if (tpm_model_is_available("-machine q35", "tpm-tis")) {
+             qtest_add_func("acpi/q35/tpm2-tis", test_acpi_q35_tcg_tpm2_tis);
+             qtest_add_func("acpi/q35/tpm12-tis", test_acpi_q35_tcg_tpm12_tis);
+         }
+         qtest_add_func("acpi/piix4", test_acpi_piix4_tcg);
+-        qtest_add_func("acpi/oem-fields", test_acpi_oem_fields_pc);
++        qtest_add_func("acpi/piix4/oem-fields", test_acpi_piix4_oem_fields);
+         qtest_add_func("acpi/piix4/bridge", test_acpi_piix4_tcg_bridge);
+         qtest_add_func("acpi/piix4/pci-hotplug/no_root_hotplug",
+                        test_acpi_piix4_no_root_hotplug);
+@@ -1642,7 +1642,7 @@ int main(int argc, char *argv[])
+         qtest_add_func("acpi/microvm/usb", test_acpi_microvm_usb_tcg);
+         qtest_add_func("acpi/microvm/rtc", test_acpi_microvm_rtc_tcg);
+         qtest_add_func("acpi/microvm/ioapic2", test_acpi_microvm_ioapic2_tcg);
+-        qtest_add_func("acpi/microvm/oem-fields", test_acpi_oem_fields_microvm);
++        qtest_add_func("acpi/microvm/oem-fields", test_acpi_microvm_oem_fields);
+         if (has_tcg) {
+             qtest_add_func("acpi/q35/ivrs", test_acpi_q35_tcg_ivrs);
+             if (strcmp(arch, "x86_64") == 0) {
+@@ -1660,7 +1660,7 @@ int main(int argc, char *argv[])
+             qtest_add_func("acpi/virt/numamem", test_acpi_virt_tcg_numamem);
+             qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
+             qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
+-            qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
++            qtest_add_func("acpi/virt/oem-fields", test_acpi_virt_oem_fields);
+         }
+     }
+     ret = g_test_run();
+-- 
+2.41.0.windows.1
+

configure-Symlink-binaries-using-.exe-suffix-with-Mi.patch

@@ -0,0 +1,40 @@
+From c66c944a2caf4a457d542c843e5215bd7d673887 Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 10:28:30 +0800
+Subject: [PATCH] configure: Symlink binaries using .exe suffix with MinGW
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 57a93f16e8dad554720edcc5ed1fe613d68bf230
+
+When using the MinGW toolchain, we use the .exe suffix for the
+executable name. We also need to use it for the symlinks in the
+build directory.
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Stefan Weil <sw@weilnetz.de>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <20211109144504.1541206-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index 991fe67886..7d508b2e72 100755
+--- a/configure
++++ b/configure
+@@ -3685,7 +3685,7 @@ fi
+ 
+ for target in $target_list; do
+     target_dir="$target"
+-    target_name=$(echo $target | cut -d '-' -f 1)
++    target_name=$(echo $target | cut -d '-' -f 1)$EXESUF
+     mkdir -p "$target_dir"
+     case $target in
+         *-user) symlink "../qemu-$target_name" "$target_dir/qemu-$target_name" ;;
+-- 
+2.41.0.windows.1
+

hw-avr-Realize-AVRCPU-qdev-object-using-qdev_realize.patch

@@ -0,0 +1,39 @@
+From 21d4f71e7ad312a86b83cfa7dc9eb5bf6ef240ee Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 10:48:54 +0800
+Subject: [PATCH] hw/avr: Realize AVRCPU qdev object using qdev_realize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 74fb2f4f4c47c966ab54687392e6561b4de4bb8a
+
+TYPE_AVR_CPU inherits TYPE_CPU, which itself inherits TYPE_DEVICE.
+TYPE_DEVICE instances are realized using qdev_realize(), we don't
+need to access QOM internal values.
+
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
+Message-Id: <20211205224109.322152-1-f4bug@amsat.org>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ hw/avr/atmega.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/avr/atmega.c b/hw/avr/atmega.c
+index 0608e2d475..a34803e642 100644
+--- a/hw/avr/atmega.c
++++ b/hw/avr/atmega.c
+@@ -233,7 +233,7 @@ static void atmega_realize(DeviceState *dev, Error **errp)
+ 
+     /* CPU */
+     object_initialize_child(OBJECT(dev), "cpu", &s->cpu, mc->cpu_type);
+-    object_property_set_bool(OBJECT(&s->cpu), "realized", true, &error_abort);
++    qdev_realize(DEVICE(&s->cpu), NULL, &error_abort);
+     cpudev = DEVICE(&s->cpu);
+ 
+     /* SRAM */
+-- 
+2.41.0.windows.1
+

hw-i386-vmmouse-Require-i8042-property-to-be-set.patch

@@ -0,0 +1,48 @@
+From 12756f09bddf7e31b9bf846bd5301ddbdcadfedf Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 11:15:58 +0800
+Subject: [PATCH] hw/i386/vmmouse: Require 'i8042' property to be set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 5a3a2eb3b1096a52580c1b8c3eb0739714e7d941
+
+If the 'i8042' property is not set, mouse events handled by
+vmmouse_mouse_event() end calling i8042_isa_mouse_fake_event()
+with a NULL argument, resulting in ps2_mouse_fake_event() being
+called with invalid PS2MouseState pointer. Fix by requiring
+the 'i8042' property to be always set:
+
+  $ qemu-system-x86_64 -device vmmouse
+  qemu-system-x86_64: -device vmmouse: 'i8042' link is not set
+
+Fixes: 91c9e09147b ("vmmouse: convert to qdev")
+Reported-by: Calvin Buckley <calvin@cmpct.info>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/752
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20211201223253.36080-1-f4bug@amsat.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ hw/i386/vmmouse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/i386/vmmouse.c b/hw/i386/vmmouse.c
+index 3d66368286..a56c185f15 100644
+--- a/hw/i386/vmmouse.c
++++ b/hw/i386/vmmouse.c
+@@ -286,6 +286,10 @@ static void vmmouse_realizefn(DeviceState *dev, Error **errp)
+ 
+     DPRINTF("vmmouse_init\n");
+ 
++    if (!s->i8042) {
++        error_setg(errp, "'i8042' link is not set");
++        return;
++    }
+     if (!object_resolve_path_type("", TYPE_VMPORT, NULL)) {
+         error_setg(errp, "vmmouse needs a machine with vmport");
+         return;
+-- 
+2.41.0.windows.1
+

hw-scsi-megasas-Fails-command-if-SGL-buffer-overflow.patch

@@ -0,0 +1,40 @@
+From 4524c893498ef2c8d2fa5da69ccefe167011ed3d Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 10:52:25 +0800
+Subject: [PATCH] hw/scsi/megasas: Fails command if SGL buffer overflows
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 97a2b074d150918a7a3a4065b946a52d4d0be8a3
+
+If we detect an overflow on the SGL buffer, do not
+keep processing the command: discard it. TARGET_FAILURE
+sense code will be returned (MFI_STAT_SCSI_DONE_WITH_ERROR).
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/521
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Message-Id: <20211119201141.532377-2-philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ hw/scsi/megasas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 946050bf83..dc9bbdb740 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -310,6 +310,7 @@ static int megasas_map_sgl(MegasasState *s, MegasasCmd *cmd, union mfi_sgl *sgl)
+     }
+     if (cmd->iov_size > iov_size) {
+         trace_megasas_iovec_overflow(cmd->index, iov_size, cmd->iov_size);
++        goto unmap;
+     } else if (cmd->iov_size < iov_size) {
+         trace_megasas_iovec_underflow(cmd->index, iov_size, cmd->iov_size);
+     }
+-- 
+2.41.0.windows.1
+

io-channel-websock-Replace-strlen-const_str-by-sizeo.patch

@@ -0,0 +1,46 @@
+From f9d4fad347970ddff4252312a71565a3f0be5305 Mon Sep 17 00:00:00 2001
+From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+Date: Thu, 19 Sep 2024 10:00:08 +0000
+Subject: [PATCH] io/channel-websock: Replace strlen(const_str) by
+ sizeof(const_str) - 1 mainline inclusion commit
+ 5e689840a10e01dc2ab87defc5347337db8103da category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+he combined_key[... QIO_CHANNEL_WEBSOCK_GUID_LEN ...] array in
+qio_channel_websock_handshake_send_res_ok() expands to a call
+to strlen(QIO_CHANNEL_WEBSOCK_GUID), and the compiler doesn't
+realize the string is const, so consider combined_key[] being
+a variable-length array.
+
+To remove the variable-length array, we provide it a hint to
+the compiler by using sizeof() - 1 instead of strlen().
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
+---
+ io/channel-websock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index 70889bb54d..d9fc27a003 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -32,7 +32,7 @@
+ 
+ #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
+ #define QIO_CHANNEL_WEBSOCK_GUID "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
+-#define QIO_CHANNEL_WEBSOCK_GUID_LEN strlen(QIO_CHANNEL_WEBSOCK_GUID)
++#define QIO_CHANNEL_WEBSOCK_GUID_LEN (sizeof(QIO_CHANNEL_WEBSOCK_GUID) - 1)
+ 
+ #define QIO_CHANNEL_WEBSOCK_HEADER_PROTOCOL "sec-websocket-protocol"
+ #define QIO_CHANNEL_WEBSOCK_HEADER_VERSION "sec-websocket-version"
+-- 
+2.41.0.windows.1
+

monitor-hmp-cmds-Avoid-displaying-bogus-size-in-info.patch

@@ -0,0 +1,97 @@
+From 0ccf41541a2c2a65196327fc5466af611aa9f929 Mon Sep 17 00:00:00 2001
+From: dinglimin <dinglimin@cmss.chinamobile.com>
+Date: Mon, 16 Sep 2024 17:07:55 +0800
+Subject: [PATCH]  monitor/hmp-cmds: Avoid displaying bogus size in 'info pci'
+ When BAR aren't mapped, we get:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+  (qemu) info pci
+    Bus  0, device   0, function 0:
+      Host bridge: PCI device dead:beef
+        ...
+        BAR4: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
+        BAR5: I/O at 0xffffffffffffffff [0x0ffe].
+
+Check the BAR is mapped comparing its address to PCI_BAR_UNMAPPED
+which is what the PCI layer uses for unmapped BARs.
+See pci_bar_address and pci_update_mappings implementations and
+in "hw/pci/pci.h":
+
+  typedef struct PCIIORegion {
+      pcibus_t addr; /* current PCI mapping address. -1 means not mapped */
+  #define PCI_BAR_UNMAPPED (~(pcibus_t)0)
+      ...
+
+This improves the logging, not displaying bogus sizes:
+
+  (qemu) info pci
+    Bus  0, device   0, function 0:
+      Host bridge: PCI device dead:beef
+        ...
+      BAR4: 32 bit memory (not mapped)
+      BAR5: I/O (not mapped)
+
+Remove trailing dot which is not used in other commands format.
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-Id: <20240801131449.51328-1-philmd@linaro.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
+---
+ monitor/hmp-cmds.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
+index c139e8087e..4abd4a8aa0 100644
+--- a/monitor/hmp-cmds.c
++++ b/monitor/hmp-cmds.c
+@@ -60,6 +60,8 @@
+ #include <spice/enums.h>
+ #endif
+ 
++#include "hw/pci/pci.h"
++
+ bool hmp_handle_error(Monitor *mon, Error *err)
+ {
+     if (err) {
+@@ -781,15 +783,25 @@ static void hmp_info_pci_device(Monitor *mon, const PciDeviceInfo *dev)
+         monitor_printf(mon, "      BAR%" PRId64 ": ", region->value->bar);
+ 
+         if (!strcmp(region->value->type, "io")) {
+-            monitor_printf(mon, "I/O at 0x%04" PRIx64
+-                                " [0x%04" PRIx64 "].\n",
+-                           addr, addr + size - 1);
+-        } else {
+-            monitor_printf(mon, "%d bit%s memory at 0x%08" PRIx64
+-                               " [0x%08" PRIx64 "].\n",
+-                           region->value->mem_type_64 ? 64 : 32,
+-                           region->value->prefetch ? " prefetchable" : "",
+-                           addr, addr + size - 1);
++            if (addr != PCI_BAR_UNMAPPED) {
++                monitor_printf(mon, "I/O at 0x%04" PRIx64
++                                    " [0x%04" PRIx64 "]\n",
++                               addr, addr + size - 1);
++            } else {
++                monitor_printf(mon, "I/O (not mapped)\n");
++            }
++	} else {
++            if (addr != PCI_BAR_UNMAPPED) {
++                monitor_printf(mon, "%d bit%s memory at 0x%08" PRIx64
++                                   " [0x%08" PRIx64 "]\n",
++                               region->value->mem_type_64 ? 64 : 32,
++                               region->value->prefetch ? " prefetchable" : "",
++                               addr, addr + size - 1);
++            } else {
++                monitor_printf(mon, "%d bit%s memory (not mapped)\n",
++                               region->value->mem_type_64 ? 64 : 32,
++                               region->value->prefetch ? " prefetchable" : "");
++            }
+         }
+     }
+ 
+-- 
+2.41.0.windows.1
+

python-aqmp-use-absolute-import-statement.patch

@@ -0,0 +1,41 @@
+From 81ab64fe4c328b3981290afe4860f9bcd8f8750c Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 16:07:19 +0800
+Subject: [PATCH] python/aqmp: use absolute import statement
+
+cherry picked from commit f75b20e4f16663af4c65657821c5727b1d1c2493
+
+pylint's dependency astroid appears to have bugs in 2.9.1 and 2.9.2 (Dec
+31 and Jan 3) that appear to erroneously expect the qemu namespace to
+have an __init__.py file. astroid 2.9.3 (Jan 9) avoids that problem, but
+appears to not understand a relative import within a namespace package.
+
+Update the relative import - it was worth changing anyway, because these
+packages will eventually be packaged and distributed separately.
+
+Signed-off-by: John Snow <jsnow@redhat.com>
+Reviewed-by: Beraldo Leal <bleal@redhat.com>
+Message-id: 20220110191349.1841027-2-jsnow@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ python/qemu/aqmp/aqmp_tui.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/qemu/aqmp/aqmp_tui.py b/python/qemu/aqmp/aqmp_tui.py
+index a2929f771c..f1e926dd75 100644
+--- a/python/qemu/aqmp/aqmp_tui.py
++++ b/python/qemu/aqmp/aqmp_tui.py
+@@ -35,7 +35,8 @@
+ import urwid
+ import urwid_readline
+ 
+-from ..qmp import QEMUMonitorProtocol, QMPBadPortError
++from qemu.qmp import QEMUMonitorProtocol, QMPBadPortError
++
+ from .error import ProtocolError
+ from .message import DeserializationError, Message, UnexpectedTypeError
+ from .protocol import ConnectError, Runstate
+-- 
+2.41.0.windows.1
+

qemu-keymap-Add-license-in-generated-files.patch

@@ -0,0 +1,34 @@
+From db089183c5aff11b3dae7d3893477c8abbb8d863 Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 10:44:55 +0800
+Subject: [PATCH] qemu-keymap: Add license in generated files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 4455922f7bb8fef2f5aa0a4d3901041bcc4b659d
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Warner Losh <imp@bsdimp.com>
+Message-Id: <20211117174533.1900570-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ qemu-keymap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qemu-keymap.c b/qemu-keymap.c
+index 536e8f2385..4095b654a6 100644
+--- a/qemu-keymap.c
++++ b/qemu-keymap.c
+@@ -187,6 +187,7 @@ int main(int argc, char *argv[])
+     }
+ 
+     fprintf(outfile,
++            "# SPDX-License-Identifier: GPL-2.0-or-later\n"
+             "#\n"
+             "# generated by qemu-keymap\n"
+             "#    model   : %s\n"
+-- 
+2.41.0.windows.1
+

qemu.spec

@@ -3,7 +3,7 @@
 
 Name: qemu
 Version: 6.2.0
-Release: 100
+Release: 101
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -1048,7 +1048,28 @@ Patch1033: system-physmem-Propagate-AddressSpace-to-MapClient-h.patch
 Patch1034: system-physmem-Per-AddressSpace-bounce-buffering.patch
 Patch1035: softmmu-Support-concurrent-bounce-buffers-CVE-2024-8.patch
 Patch1036: mac_dbdma-Remove-leftover-dma_memory_unmap-calls-CVE.patch
-
+Patch1037: Subject-PATCH-kvm-Use-unsigned-long-for-request-argu.patch
+Patch1038: virtio-mem-don-t-warn-about-THP-sizes-on-a-kernel-wi.patch
+Patch1039: monitor-hmp-cmds-Avoid-displaying-bogus-size-in-info.patch
+Patch1040: tests-vm-update-NetBSD-to-9.3.patch
+Patch1041: bios-tables-test-Make-oem-fields-tests-be-consistent.patch
+Patch1042: target-i386-correctly-mask-SSE4a-bit-indices-in-regi.patch
+Patch1043: target-i386-REPZ-and-REPNZ-are-mutually-exclusive.patch
+Patch1044: target-i386-introduce-insn_get_addr.patch
+Patch1045: Hexagon-target-hexagon-remove-unused-encodings.patch
+Patch1046: tests-Fix-error-strings.patch
+Patch1047: target-ppc-Add-HASHKEYR-and-HASHPKEYR-SPRs.patch
+Patch1048: io-channel-websock-Replace-strlen-const_str-by-sizeo.patch
+Patch1049: ui-remove-break-after-g_assert_not_reached.patch
+Patch1050: configure-Symlink-binaries-using-.exe-suffix-with-Mi.patch
+Patch1051: qemu-keymap-Add-license-in-generated-files.patch
+Patch1052: hw-avr-Realize-AVRCPU-qdev-object-using-qdev_realize.patch
+Patch1053: target-i386-kvm-Replace-use-of-__u32-type.patch
+Patch1054: hw-scsi-megasas-Fails-command-if-SGL-buffer-overflow.patch
+Patch1055: hw-i386-vmmouse-Require-i8042-property-to-be-set.patch
+Patch1056: vhost-backend-avoid-overflow-on-memslots_limit.patch
+Patch1057: sysemu-Cleanup-qemu_run_machine_init_done_notifiers.patch
+Patch1058: python-aqmp-use-absolute-import-statement.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -1647,6 +1668,30 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon Oct 21 2024 <fengjiabo1@huawei.com> - 10:6.2.0-101
+- python/aqmp: use absolute import statement
+- sysemu: Cleanup qemu_run_machine_init_done_notifiers()
+- vhost-backend: avoid overflow on memslots_limit
+- hw/i386/vmmouse: Require 'i8042' property to be set
+- hw/scsi/megasas: Fails command if SGL buffer overflows
+- target/i386/kvm: Replace use of __u32 type
+- hw/avr: Realize AVRCPU qdev object using qdev_realize()
+- qemu-keymap: Add license in generated files
+- configure: Symlink binaries using .exe suffix with MinGW
+- ui: remove break after g_assert_not_reached()
+- io/channel-websock: Replace strlen(const_str) by sizeof(const_str) - 1
+- target/ppc: Add HASHKEYR and HASHPKEYR SPRs
+- tests: Fix error strings
+- Hexagon (target/hexagon) remove unused encodings
+- target/i386: introduce insn_get_addr
+- target/i386: REPZ and REPNZ are mutually exclusive
+- target/i386: correctly mask SSE4a bit indices in register operands
+- bios-tables-test: Make oem-fields tests be consistent
+- tests/vm: update NetBSD to 9.3
+- monitor/hmp-cmds: Avoid displaying bogus size in 'info pci' When BAR aren't mapped, we get:
+- virtio-mem: don't warn about THP sizes on a kernel without THP Support
+- Subject: [PATCH] kvm: Use 'unsigned long' for request argument in functions  wrapping ioctl()
+
 * Mon Oct 14 2024 <fengjiabo1@huawei.com> - 10:6.2.0-100
 - mac_dbdma: Remove leftover `dma_memory_unmap` calls(CVE-2024-8612)
 - softmmu: Support concurrent bounce buffers(CVE-2024-8612)

sysemu-Cleanup-qemu_run_machine_init_done_notifiers.patch

@@ -0,0 +1,38 @@
+From f9cd46b75aa937498b956cb32aef9232bef86cc9 Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 14:12:57 +0800
+Subject: [PATCH] sysemu: Cleanup qemu_run_machine_init_done_notifiers()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit 9de225a1c27500c2d80a916d1c2a41d8e2a5f6e8
+
+Remove qemu_run_machine_init_done_notifiers() since no implementation
+and user.
+
+Fixes: f66dc8737c9 ("vl: move all generic initialization out of vl.c")
+Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20220104024136.1433545-1-xiaoyao.li@intel.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ include/sysemu/sysemu.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
+index 8fae667172..b9421e03ff 100644
+--- a/include/sysemu/sysemu.h
++++ b/include/sysemu/sysemu.h
+@@ -16,7 +16,6 @@ extern bool qemu_uuid_set;
+ void qemu_add_exit_notifier(Notifier *notify);
+ void qemu_remove_exit_notifier(Notifier *notify);
+ 
+-void qemu_run_machine_init_done_notifiers(void);
+ void qemu_add_machine_init_done_notifier(Notifier *notify);
+ void qemu_remove_machine_init_done_notifier(Notifier *notify);
+ 
+-- 
+2.41.0.windows.1
+

target-i386-REPZ-and-REPNZ-are-mutually-exclusive.patch

@@ -0,0 +1,33 @@
+From 216483f975d268d1bba93e5a44c06b080f515a97 Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 16:58:59 +0800
+Subject: [PATCH] target/i386: REPZ and REPNZ are mutually exclusive
+
+The later prefix wins if both are present, make it show in s->prefix too.
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
+---
+ target/i386/tcg/translate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 82f77b52fb..0b035df68e 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -4587,9 +4587,11 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
+     switch (b) {
+     case 0xf3:
+         prefixes |= PREFIX_REPZ;
++        prefixes &= ~PREFIX_REPNZ;
+         goto next_byte;
+     case 0xf2:
+         prefixes |= PREFIX_REPNZ;
++        prefixes &= ~PREFIX_REPZ;
+         goto next_byte;
+     case 0xf0:
+         prefixes |= PREFIX_LOCK;
+-- 
+2.41.0.windows.1
+

target-i386-correctly-mask-SSE4a-bit-indices-in-regi.patch

@@ -0,0 +1,43 @@
+From 4d18374e62d3206d564d9a6a7154e7eb4b48ecb2 Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 16:44:18 +0800
+Subject: [PATCH] target/i386: correctly mask SSE4a bit indices in register
+ operands
+
+SSE4a instructions EXTRQ and INSERTQ have two bit index operands, that can be
+immediates or taken from an XMM register.  In both cases, the fields are
+6-bit wide and the top two bits in the byte are ignored.  translate.c is
+doing that correctly for the immediate case, but not for the XMM case, so
+fix it.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
+---
+ target/i386/ops_sse.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/ops_sse.h b/target/i386/ops_sse.h
+index 6f1fc174b3..898b7e4292 100644
+--- a/target/i386/ops_sse.h
++++ b/target/i386/ops_sse.h
+@@ -899,7 +899,7 @@ static inline uint64_t helper_extrq(uint64_t src, int shift, int len)
+ 
+ void helper_extrq_r(CPUX86State *env, ZMMReg *d, ZMMReg *s)
+ {
+-    d->ZMM_Q(0) = helper_extrq(d->ZMM_Q(0), s->ZMM_B(1), s->ZMM_B(0));
++    d->ZMM_Q(0) = helper_extrq(d->ZMM_Q(0), s->ZMM_B(1) & 63, s->ZMM_B(0) & 63);
+ }
+ 
+ void helper_extrq_i(CPUX86State *env, ZMMReg *d, int index, int length)
+@@ -921,7 +921,7 @@ static inline uint64_t helper_insertq(uint64_t src, int shift, int len)
+ 
+ void helper_insertq_r(CPUX86State *env, ZMMReg *d, ZMMReg *s)
+ {
+-    d->ZMM_Q(0) = helper_insertq(s->ZMM_Q(0), s->ZMM_B(9), s->ZMM_B(8));
++    d->ZMM_Q(0) = helper_insertq(s->ZMM_Q(0), s->ZMM_B(9) & 63, s->ZMM_B(8) & 63);
+ }
+ 
+ void helper_insertq_i(CPUX86State *env, ZMMReg *d, int index, int length)
+-- 
+2.41.0.windows.1
+

target-i386-introduce-insn_get_addr.patch

@@ -0,0 +1,73 @@
+From 45e03e38593db8583788a53f08735199f203a370 Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 17:54:50 +0800
+Subject: [PATCH] target/i386: introduce insn_get_addr
+
+The "O" operand type in the Intel SDM needs to load an 8- to 64-bit
+unsigned value, while insn_get is limited to 32 bits.  Extract the code
+out of disas_insn and into a separate function.
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
+---
+ target/i386/tcg/translate.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 82f77b52fb..44cea102eb 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2282,6 +2282,31 @@ static void gen_ldst_modrm(CPUX86State *env, DisasContext *s, int modrm,
+     }
+ }
+ 
++static target_ulong insn_get_addr(CPUX86State *env, DisasContext *s, MemOp ot)
++{
++    target_ulong ret;
++
++    switch (ot) {
++    case MO_8:
++        ret = x86_ldub_code(env, s);
++        break;
++    case MO_16:
++        ret = x86_lduw_code(env, s);
++        break;
++    case MO_32:
++        ret = x86_ldl_code(env, s);
++        break;
++#ifdef TARGET_X86_64
++    case MO_64:
++        ret = x86_ldq_code(env, s);
++        break;
++#endif
++    default:
++        g_assert_not_reached();
++    }
++    return ret;
++}
++
+ static inline uint32_t insn_get(CPUX86State *env, DisasContext *s, MemOp ot)
+ {
+     uint32_t ret;
+@@ -5703,16 +5728,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
+             target_ulong offset_addr;
+ 
+             ot = mo_b_d(b, dflag);
+-            switch (s->aflag) {
+-#ifdef TARGET_X86_64
+-            case MO_64:
+-                offset_addr = x86_ldq_code(env, s);
+-                break;
+-#endif
+-            default:
+-                offset_addr = insn_get(env, s, s->aflag);
+-                break;
+-            }
++            offset_addr = insn_get_addr(env, s, s->aflag);
+             tcg_gen_movi_tl(s->A0, offset_addr);
+             gen_add_A0_ds_seg(s);
+             if ((b & 2) == 0) {
+-- 
+2.41.0.windows.1
+

target-i386-kvm-Replace-use-of-__u32-type.patch

@@ -0,0 +1,38 @@
+From 91ffc3ebae439ac3de19a5f494e9319101e6d532 Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 10:40:33 +0800
+Subject: [PATCH] target/i386/kvm: Replace use of __u32 type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry picked from commit dc7d6cafce8a7d36d2ebc03be3b6162e0eb98c22
+
+QEMU coding style mandates to not use Linux kernel internal
+types for scalars types. Replace __u32 by uint32_t.
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20211116193955.2793171-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ target/i386/kvm/kvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index 15755197f4..1c019f2f98 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -1452,7 +1452,7 @@ static int hyperv_fill_cpuids(CPUState *cs,
+     c->edx = cpu->hyperv_limits[2];
+ 
+     if (hyperv_feat_enabled(cpu, HYPERV_FEAT_EVMCS)) {
+-        __u32 function;
++        uint32_t function;
+ 
+         /* Create zeroed 0x40000006..0x40000009 leaves */
+         for (function = HV_CPUID_IMPLEMENT_LIMITS + 1;
+-- 
+2.41.0.windows.1
+

target-ppc-Add-HASHKEYR-and-HASHPKEYR-SPRs.patch

@@ -0,0 +1,89 @@
+From c7a2780e7e3ff001d3651c20767011d1f5bfbfd5 Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Thu, 19 Sep 2024 10:14:22 +0800
+Subject: [PATCH] target/ppc: Add HASHKEYR and HASHPKEYR SPRs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add the Special Purpose Registers HASHKEYR and HASHPKEYR, which were
+introduced by the Power ISA 3.1B. They are used by the new instructions
+hashchk(p) and hashst(p).
+
+The ISA states that the Operating System should generate the value for
+these registers when creating a process, so it's its responsability to
+do so. We initialize it with 0 for qemu-softmmu, and set a random 64
+bits value for linux-user.
+
+Signed-off-by: Víctor Colombo <victor.colombo@eldorado.org.br>
+Reviewed-by: Lucas Mateus Castro <lucas.araujo@eldorado.org.br>
+Message-Id: <20220715205439.161110-2-victor.colombo@eldorado.org.br>
+Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
+Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
+---
+ target/ppc/cpu.h      |  2 ++
+ target/ppc/cpu_init.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
+index 8b214b2cc1..1281323c02 100644
+--- a/target/ppc/cpu.h
++++ b/target/ppc/cpu.h
+@@ -1623,6 +1623,8 @@ typedef PowerPCCPU ArchCPU;
+ #define SPR_BOOKE_GIVOR14     (0x1BD)
+ #define SPR_TIR               (0x1BE)
+ #define SPR_PTCR              (0x1D0)
++#define SPR_HASHKEYR          (0x1D4)
++#define SPR_HASHPKEYR         (0x1D5)
+ #define SPR_BOOKE_SPEFSCR     (0x200)
+ #define SPR_Exxx_BBEAR        (0x201)
+ #define SPR_Exxx_BBTAR        (0x202)
+diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c
+index a220d0dc51..211759508f 100644
+--- a/target/ppc/cpu_init.c
++++ b/target/ppc/cpu_init.c
+@@ -2098,6 +2098,33 @@ static void register_8xx_sprs(CPUPPCState *env)
+                  0x00000000);
+ }
+ 
++static void register_power10_hash_sprs(CPUPPCState *env)
++{
++    /*
++     * it's the OS responsability to generate a random value for the registers
++     * in each process' context. So, initialize it with 0 here.
++     */
++    uint64_t hashkeyr_initial_value = 0, hashpkeyr_initial_value = 0;
++#if defined(CONFIG_USER_ONLY)
++    /* in linux-user, setup the hash register with a random value */
++    GRand *rand = g_rand_new();
++    hashkeyr_initial_value =
++        ((uint64_t)g_rand_int(rand) << 32) | (uint64_t)g_rand_int(rand);
++    hashpkeyr_initial_value =
++        ((uint64_t)g_rand_int(rand) << 32) | (uint64_t)g_rand_int(rand);
++    g_rand_free(rand);
++#endif
++    spr_register(env, SPR_HASHKEYR, "HASHKEYR",
++            SPR_NOACCESS, SPR_NOACCESS,
++            &spr_read_generic, &spr_write_generic,
++            hashkeyr_initial_value);
++    spr_register_hv(env, SPR_HASHPKEYR, "HASHPKEYR",
++            SPR_NOACCESS, SPR_NOACCESS,
++            SPR_NOACCESS, SPR_NOACCESS,
++            &spr_read_generic, &spr_write_generic,
++            hashpkeyr_initial_value);
++}
++
+ /*
+  * AMR     => SPR 29 (Power 2.04)
+  * CTRL    => SPR 136 (Power 2.04)
+@@ -8107,6 +8134,7 @@ static void init_proc_POWER10(CPUPPCState *env)
+     register_power8_book4_sprs(env);
+     register_power8_rpr_sprs(env);
+     register_power9_mmu_sprs(env);
++    register_power10_hash_sprs(env);
+ 
+     /* FIXME: Filter fields properly based on privilege level */
+     spr_register_kvm_hv(env, SPR_PSSCR, "PSSCR", NULL, NULL, NULL, NULL,
+-- 
+2.41.0.windows.1
+

tests-Fix-error-strings.patch

@@ -0,0 +1,49 @@
+From deb4c3c20a63d0b61ba291a8edb237c2d065a04e Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 19:24:00 +0800
+Subject: [PATCH] tests: Fix error strings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+They were copy-pasted from e1000e and never changed.
+
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+Message-Id: <20220902165126.1482-7-quintela@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
+---
+ tests/qtest/e1000-test.c  | 2 +-
+ tests/qtest/es1370-test.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/qtest/e1000-test.c b/tests/qtest/e1000-test.c
+index ea286d1793..1bd25d584b 100644
+--- a/tests/qtest/e1000-test.c
++++ b/tests/qtest/e1000-test.c
+@@ -35,7 +35,7 @@ static void *e1000_get_driver(void *obj, const char *interface)
+         return &e1000->dev;
+     }
+ 
+-    fprintf(stderr, "%s not present in e1000e\n", interface);
++    fprintf(stderr, "%s not present in e1000\n", interface);
+     g_assert_not_reached();
+ }
+ 
+diff --git a/tests/qtest/es1370-test.c b/tests/qtest/es1370-test.c
+index 2fd7fd2d3d..861656d572 100644
+--- a/tests/qtest/es1370-test.c
++++ b/tests/qtest/es1370-test.c
+@@ -28,7 +28,7 @@ static void *es1370_get_driver(void *obj, const char *interface)
+         return &es1370->dev;
+     }
+ 
+-    fprintf(stderr, "%s not present in e1000e\n", interface);
++    fprintf(stderr, "%s not present in es1370\n", interface);
+     g_assert_not_reached();
+ }
+ 
+-- 
+2.41.0.windows.1
+

tests-vm-update-NetBSD-to-9.3.patch

@@ -0,0 +1,33 @@
+From 20df6de2677d05cd6efafb94b97ddf6eb4671aa3 Mon Sep 17 00:00:00 2001
+From: liujing <liujing_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 14:29:26 +0800
+Subject: [PATCH] tests/vm: update NetBSD to 9.3
+
+Update NetBSD to 9.3
+
+Signed-off-by: Brad Smith <brad@comstyle.com>
+Message-Id: <YxacoSbT1cZR4SKr@humpty.home.comstyle.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Liu Jing <liujing@cmss.chinamobile.com>
+---
+ tests/vm/netbsd | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/vm/netbsd b/tests/vm/netbsd
+index 4cc58df130..df4769c63d 100755
+--- a/tests/vm/netbsd
++++ b/tests/vm/netbsd
+@@ -22,8 +22,8 @@ class NetBSDVM(basevm.BaseVM):
+     name = "netbsd"
+     arch = "x86_64"
+ 
+-    link = "https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.2/images/NetBSD-9.2-amd64.iso"
+-    csum = "5ee0ea101f73386b9b424f5d1041e371db3c42fdd6f4e4518dc79c4a08f31d43091ebe93425c9f0dcaaed2b51131836fe6774f33f89030b58d64709b35fda72f"
++    link = "https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.3/images/NetBSD-9.3-amd64.iso"
++    csum = "2bfce544f762a579f61478e7106c436fc48731ff25cf6f79b392ba5752e6f5ec130364286f7471716290a5f033637cf56aacee7fedb91095face59adf36300c3"
+     size = "20G"
+     pkgs = [
+         # tools
+-- 
+2.41.0.windows.1
+

ui-remove-break-after-g_assert_not_reached.patch

@@ -0,0 +1,47 @@
+From 9949490829e5f4d0a0f3700025501e8cb5afc4d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=BC=A0=E6=A5=9A=E5=90=9B?=
+ <zhangchujun@cmss.chinamobile.com>
+Date: Tue, 24 Sep 2024 18:07:34 +0800
+Subject: [PATCH] ui: remove break after g_assert_not_reached()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use of assert(false) can trip spurious control flow warnings from
+some versions of GCC (i.e. using -fsanitize=thread with gcc-12):
+
+  error: control reaches end of non-void function [-Werror=return-type]
+        default:
+            g_assert_not_reached();
+            break;
+          | ^^^^^
+
+Solve that by removing the unreachable 'break' statement, unifying
+the code base on g_assert_not_reached() instead.
+
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-ID: <20240910221606.1817478-37-pierrick.bouvier@linaro.org>
+[PMD: Add description suggested by Eric Blake]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: zhangchujun <zhangchujun@cmss.chinamobile.com>
+---
+ ui/qemu-pixman.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ui/qemu-pixman.c b/ui/qemu-pixman.c
+index 3ab7e2e958..67a88bf8dd 100644
+--- a/ui/qemu-pixman.c
++++ b/ui/qemu-pixman.c
+@@ -48,7 +48,6 @@ PixelFormat qemu_pixelformat_from_pixman(pixman_format_code_t format)
+         break;
+     default:
+         g_assert_not_reached();
+-        break;
+     }
+ 
+     pf.amax = (1 << pf.abits) - 1;
+-- 
+2.41.0.windows.1
+

vhost-backend-avoid-overflow-on-memslots_limit.patch

@@ -0,0 +1,36 @@
+From dae2e53c30574daff59c7ddf651b730a750a3623 Mon Sep 17 00:00:00 2001
+From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Sep 2024 11:23:32 +0800
+Subject: [PATCH] vhost-backend: avoid overflow on memslots_limit
+
+cherry picked from commit 6dcae534e82520aa2280009de4b78a19059e8bbb
+
+Fix the (hypothetical) potential problem when the value parsed out of
+the vhost module parameter in sysfs overflows the return value from
+vhost_kernel_memslots_limit.
+
+Signed-off-by: Roman Kagan <rvkagan@yandex-team.ru>
+Message-Id: <20211111153354.18807-6-rvkagan@yandex-team.ru>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
+---
+ hw/virtio/vhost-backend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/virtio/vhost-backend.c b/hw/virtio/vhost-backend.c
+index 2acfb750fd..5787775c91 100644
+--- a/hw/virtio/vhost-backend.c
++++ b/hw/virtio/vhost-backend.c
+@@ -60,7 +60,7 @@ static int vhost_kernel_memslots_limit(struct vhost_dev *dev)
+     if (g_file_get_contents("/sys/module/vhost/parameters/max_mem_regions",
+                             &s, NULL, NULL)) {
+         uint64_t val = g_ascii_strtoull(s, NULL, 10);
+-        if (!((val == G_MAXUINT64 || !val) && errno)) {
++        if (val < INT_MAX && val > 0) {
+             g_free(s);
+             return val;
+         }
+-- 
+2.41.0.windows.1
+

virtio-mem-don-t-warn-about-THP-sizes-on-a-kernel-wi.patch

@@ -0,0 +1,50 @@
+From 2fc1b97a5acd19c52d8af4bfd8bcf4824db48fb9 Mon Sep 17 00:00:00 2001
+From: dinglimin <dinglimin@cmss.chinamobile.com>
+Date: Mon, 16 Sep 2024 16:53:58 +0800
+Subject: [PATCH] virtio-mem: don't warn about THP sizes on a kernel without
+ THP support cheery-pick from 95b717a8154b955de2782305f305b63f357b0576 If the
+ config directory in sysfs does not exist at all, we are dealing with a system
+ that does not support THPs. Simply use 1 MiB block size then, instead of
+ warning "Could not detect THP size, falling back to ..." and falling back to
+ the default THP size.
+
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Gavin Shan <gshan@redhat.com>
+Cc: Juraj Marcin <jmarcin@redhat.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Message-Id: <20240910163433.2100295-1-david@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
+---
+ hw/virtio/virtio-mem.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
+index 49749349e0..452f60266a 100644
+--- a/hw/virtio/virtio-mem.c
++++ b/hw/virtio/virtio-mem.c
+@@ -61,6 +61,7 @@
+ static uint32_t thp_size;
+ 
+ #define HPAGE_PMD_SIZE_PATH "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"
++#define HPAGE_PATH "/sys/kernel/mm/transparent_hugepage/"
+ static uint32_t virtio_mem_thp_size(void)
+ {
+     gchar *content = NULL;
+@@ -71,6 +72,12 @@ static uint32_t virtio_mem_thp_size(void)
+         return thp_size;
+     }
+ 
++    /* No THP -> no restrictions. */
++    if (!g_file_test(HPAGE_PATH, G_FILE_TEST_EXISTS)) {
++        thp_size = VIRTIO_MEM_MIN_BLOCK_SIZE;
++        return thp_size;
++    }
++
+     /*
+      * Try to probe the actual THP size, fallback to (sane but eventually
+      * incorrect) default sizes.
+-- 
+2.41.0.windows.1
+