stable fixes for QEMU 9.2.0

Most notabbly, there now is an upstream workaround for the "Windows
PCI Label bug" [0] and the revert of QEMU commit 44d975ef34 ("x86:
acpi: workaround Windows not handling name references in Package
properly") can be dropped.

Pick up some other fixes already merged in current master, for
emulation as well as x86(_64) KVM, some PCI/USB fixes and a pair of
regression fixes for the net subsystem.

[0]: https://gitlab.com/qemu-project/qemu/-/issues/774

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>

debian/patches/extra/0003-Revert-x86-acpi-workaround-Windows-not-handling-name.patch

@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Fri, 17 Nov 2023 11:18:06 +0100
-Subject: [PATCH] Revert "x86: acpi: workaround Windows not handling name
- references in Package properly"
-
-This reverts commit 44d975ef340e2f21f236f9520c53e1b30d2213a4.
-
-As reported in the community forum [0] and reproduced locally this
-breaks VirtIO network adapters in (at least) the German ISO of Windows
-Server 2022. The fix itself was for
-
-> Issue is not fatal but as result acpi-index/"PCI Label ID" property
-> is either not shown in device details page or shows incorrect value.
-
-so revert and tolerate that as a stop-gap, rather than have the
-devices not working at all.
-
-[0]: https://forum.proxmox.com/threads/92094/post-605684
-
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/acpi-build.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
-index 9fcc2897b8..45a3392d04 100644
---- a/hw/i386/acpi-build.c
-+++ b/hw/i386/acpi-build.c
-@@ -345,13 +345,9 @@ Aml *aml_pci_device_dsm(void)
-     {
-         Aml *params = aml_local(0);
-         Aml *pkg = aml_package(2);
--        aml_append(pkg, aml_int(0));
--        aml_append(pkg, aml_int(0));
-+        aml_append(pkg, aml_name("BSEL"));
-+        aml_append(pkg, aml_name("ASUN"));
-         aml_append(method, aml_store(pkg, params));
--        aml_append(method,
--            aml_store(aml_name("BSEL"), aml_index(params, aml_int(0))));
--        aml_append(method,
--            aml_store(aml_name("ASUN"), aml_index(params, aml_int(1))));
-         aml_append(method,
-             aml_return(aml_call5("PDSM", aml_arg(0), aml_arg(1),
-                                  aml_arg(2), aml_arg(3), params))

debian/patches/extra/0003-tcg-Reset-free_temps-before-tcg_optimize.patch

@@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Sat, 7 Dec 2024 18:14:45 +0000
+Subject: [PATCH] tcg: Reset free_temps before tcg_optimize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When allocating new temps during tcg_optmize, do not re-use
+any EBB temps that were used within the TB.  We do not have
+any idea what span of the TB in which the temp was live.
+
+Introduce tcg_temp_ebb_reset_freed and use before tcg_optimize,
+as well as replacing the equivalent in plugin_gen_inject and
+tcg_func_start.
+
+Cc: qemu-stable@nongnu.org
+Fixes: fb04ab7ddd8 ("tcg/optimize: Lower TCG_COND_TST{EQ,NE} if unsupported")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2711
+Reported-by: wannacu <wannacu2049@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+(cherry picked from commit 04e006ab36a8565b92d4e21dd346367fbade7d74)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ accel/tcg/plugin-gen.c          | 2 +-
+ include/tcg/tcg-temp-internal.h | 6 ++++++
+ tcg/tcg.c                       | 5 ++++-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/accel/tcg/plugin-gen.c b/accel/tcg/plugin-gen.c
+index 0f47bfbb48..1ef075552c 100644
+--- a/accel/tcg/plugin-gen.c
++++ b/accel/tcg/plugin-gen.c
+@@ -275,7 +275,7 @@ static void plugin_gen_inject(struct qemu_plugin_tb *plugin_tb)
+      * that might be live within the existing opcode stream.
+      * The simplest solution is to release them all and create new.
+      */
+-    memset(tcg_ctx->free_temps, 0, sizeof(tcg_ctx->free_temps));
++    tcg_temp_ebb_reset_freed(tcg_ctx);
+ 
+     QTAILQ_FOREACH_SAFE(op, &tcg_ctx->ops, link, next) {
+         switch (op->opc) {
+diff --git a/include/tcg/tcg-temp-internal.h b/include/tcg/tcg-temp-internal.h
+index 44192c55a9..98f91e68b7 100644
+--- a/include/tcg/tcg-temp-internal.h
++++ b/include/tcg/tcg-temp-internal.h
+@@ -42,4 +42,10 @@ TCGv_i64 tcg_temp_ebb_new_i64(void);
+ TCGv_ptr tcg_temp_ebb_new_ptr(void);
+ TCGv_i128 tcg_temp_ebb_new_i128(void);
+ 
++/* Forget all freed EBB temps, so that new allocations produce new temps. */
++static inline void tcg_temp_ebb_reset_freed(TCGContext *s)
++{
++    memset(s->free_temps, 0, sizeof(s->free_temps));
++}
++
+ #endif /* TCG_TEMP_FREE_H */
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index 0babae1b88..4578b185be 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -1489,7 +1489,7 @@ void tcg_func_start(TCGContext *s)
+     s->nb_temps = s->nb_globals;
+ 
+     /* No temps have been previously allocated for size or locality.  */
+-    memset(s->free_temps, 0, sizeof(s->free_temps));
++    tcg_temp_ebb_reset_freed(s);
+ 
+     /* No constant temps have been previously allocated. */
+     for (int i = 0; i < TCG_TYPE_COUNT; ++i) {
+@@ -6120,6 +6120,9 @@ int tcg_gen_code(TCGContext *s, TranslationBlock *tb, uint64_t pc_start)
+     }
+ #endif
+ 
++    /* Do not reuse any EBB that may be allocated within the TB. */
++    tcg_temp_ebb_reset_freed(s);
++
+     tcg_optimize(s);
+ 
+     reachable_code_pass(s);

debian/patches/extra/0004-target-i386-Reset-TSCs-of-parked-vCPUs-too-on-VM-res.patch

@@ -0,0 +1,149 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
+Date: Thu, 12 Dec 2024 15:51:15 +0100
+Subject: [PATCH] target/i386: Reset TSCs of parked vCPUs too on VM reset
+
+Since commit 5286c3662294 ("target/i386: properly reset TSC on reset")
+QEMU writes the special value of "1" to each online vCPU TSC on VM reset
+to reset it.
+
+However parked vCPUs don't get that handling and due to that their TSCs
+get desynchronized when the VM gets reset.
+This in turn causes KVM to turn off PVCLOCK_TSC_STABLE_BIT in its exported
+PV clock.
+Note that KVM has no understanding of vCPU being currently parked.
+
+Without PVCLOCK_TSC_STABLE_BIT the sched clock is marked unstable in
+the guest's kvm_sched_clock_init().
+This causes a performance regressions to show in some tests.
+
+Fix this issue by writing the special value of "1" also to TSCs of parked
+vCPUs on VM reset.
+
+Reproducing the issue:
+1) Boot a VM with "-smp 2,maxcpus=3" or similar
+
+2) device_add host-x86_64-cpu,id=vcpu,node-id=0,socket-id=0,core-id=2,thread-id=0
+
+3) Wait a few seconds
+
+4) device_del vcpu
+
+5) Inside the VM run:
+# echo "t" >/proc/sysrq-trigger; dmesg | grep sched_clock_stable
+Observe the sched_clock_stable() value is 1.
+
+6) Reboot the VM
+
+7) Once the VM boots once again run inside it:
+# echo "t" >/proc/sysrq-trigger; dmesg | grep sched_clock_stable
+Observe the sched_clock_stable() value is now 0.
+
+Fixes: 5286c3662294 ("target/i386: properly reset TSC on reset")
+Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
+Link: https://lore.kernel.org/r/5a605a88e9a231386dc803c60f5fed9b48108139.1734014926.git.maciej.szmigiero@oracle.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3f2a05b31ee9ce2ddb6c75a9bc3f5e7f7af9a76f)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ accel/kvm/kvm-all.c                | 11 +++++++++++
+ configs/targets/i386-softmmu.mak   |  1 +
+ configs/targets/x86_64-softmmu.mak |  1 +
+ include/sysemu/kvm.h               |  8 ++++++++
+ target/i386/kvm/kvm.c              | 15 +++++++++++++++
+ 5 files changed, 36 insertions(+)
+
+diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
+index 801cff16a5..dec1d1c16a 100644
+--- a/accel/kvm/kvm-all.c
++++ b/accel/kvm/kvm-all.c
+@@ -437,6 +437,16 @@ int kvm_unpark_vcpu(KVMState *s, unsigned long vcpu_id)
+     return kvm_fd;
+ }
+ 
++static void kvm_reset_parked_vcpus(void *param)
++{
++    KVMState *s = param;
++    struct KVMParkedVcpu *cpu;
++
++    QLIST_FOREACH(cpu, &s->kvm_parked_vcpus, node) {
++        kvm_arch_reset_parked_vcpu(cpu->vcpu_id, cpu->kvm_fd);
++    }
++}
++
+ int kvm_create_vcpu(CPUState *cpu)
+ {
+     unsigned long vcpu_id = kvm_arch_vcpu_id(cpu);
+@@ -2728,6 +2738,7 @@ static int kvm_init(MachineState *ms)
+     }
+ 
+     qemu_register_reset(kvm_unpoison_all, NULL);
++    qemu_register_reset(kvm_reset_parked_vcpus, s);
+ 
+     if (s->kernel_irqchip_allowed) {
+         kvm_irqchip_create(s);
+diff --git a/configs/targets/i386-softmmu.mak b/configs/targets/i386-softmmu.mak
+index 2ac69d5ba3..2eb0e86250 100644
+--- a/configs/targets/i386-softmmu.mak
++++ b/configs/targets/i386-softmmu.mak
+@@ -1,4 +1,5 @@
+ TARGET_ARCH=i386
+ TARGET_SUPPORTS_MTTCG=y
+ TARGET_KVM_HAVE_GUEST_DEBUG=y
++TARGET_KVM_HAVE_RESET_PARKED_VCPU=y
+ TARGET_XML_FILES= gdb-xml/i386-32bit.xml
+diff --git a/configs/targets/x86_64-softmmu.mak b/configs/targets/x86_64-softmmu.mak
+index e12ac3dc59..920e9a4200 100644
+--- a/configs/targets/x86_64-softmmu.mak
++++ b/configs/targets/x86_64-softmmu.mak
+@@ -2,4 +2,5 @@ TARGET_ARCH=x86_64
+ TARGET_BASE_ARCH=i386
+ TARGET_SUPPORTS_MTTCG=y
+ TARGET_KVM_HAVE_GUEST_DEBUG=y
++TARGET_KVM_HAVE_RESET_PARKED_VCPU=y
+ TARGET_XML_FILES= gdb-xml/i386-64bit.xml
+diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
+index c3a60b2890..ab17c09a55 100644
+--- a/include/sysemu/kvm.h
++++ b/include/sysemu/kvm.h
+@@ -377,6 +377,14 @@ int kvm_arch_init(MachineState *ms, KVMState *s);
+ int kvm_arch_init_vcpu(CPUState *cpu);
+ int kvm_arch_destroy_vcpu(CPUState *cpu);
+ 
++#ifdef TARGET_KVM_HAVE_RESET_PARKED_VCPU
++void kvm_arch_reset_parked_vcpu(unsigned long vcpu_id, int kvm_fd);
++#else
++static inline void kvm_arch_reset_parked_vcpu(unsigned long vcpu_id, int kvm_fd)
++{
++}
++#endif
++
+ bool kvm_vcpu_id_is_valid(int vcpu_id);
+ 
+ /* Returns VCPU ID to be used on KVM_CREATE_VCPU ioctl() */
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index 8e17942c3b..2ff618fbf1 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -2415,6 +2415,21 @@ void kvm_arch_after_reset_vcpu(X86CPU *cpu)
+     }
+ }
+ 
++void kvm_arch_reset_parked_vcpu(unsigned long vcpu_id, int kvm_fd)
++{
++    g_autofree struct kvm_msrs *msrs = NULL;
++
++    msrs = g_malloc0(sizeof(*msrs) + sizeof(msrs->entries[0]));
++    msrs->entries[0].index = MSR_IA32_TSC;
++    msrs->entries[0].data = 1; /* match the value in x86_cpu_reset() */
++    msrs->nmsrs++;
++
++    if (ioctl(kvm_fd, KVM_SET_MSRS, msrs) != 1) {
++        warn_report("parked vCPU %lu TSC reset failed: %d",
++                    vcpu_id, errno);
++    }
++}
++
+ void kvm_arch_do_init_vcpu(X86CPU *cpu)
+ {
+     CPUX86State *env = &cpu->env;

debian/patches/extra/0005-i386-cpu-Mark-avx10_version-filtered-when-prefix-is-.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhao Liu <zhao1.liu@intel.com>
+Date: Wed, 6 Nov 2024 11:07:18 +0800
+Subject: [PATCH] i386/cpu: Mark avx10_version filtered when prefix is NULL
+
+In x86_cpu_filter_features(), if host doesn't support AVX10, the
+configured avx10_version should be marked as filtered regardless of
+whether prefix is NULL or not.
+
+Check prefix before warn_report() instead of checking for
+have_filtered_features.
+
+Cc: qemu-stable@nongnu.org
+Fixes: commit bccfb846fd52 ("target/i386: add AVX10 feature and AVX10 version property")
+Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
+Reviewed-by: Tao Su <tao1.su@linux.intel.com>
+Link: https://lore.kernel.org/r/20241106030728.553238-2-zhao1.liu@intel.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit cf4c263551886964c5d58bd7b675b13fd497b402)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/cpu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 3725dbbc4b..1981aeaba5 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -7718,8 +7718,10 @@ static bool x86_cpu_filter_features(X86CPU *cpu, bool verbose)
+             env->avx10_version = version;
+             have_filtered_features = true;
+         }
+-    } else if (env->avx10_version && prefix) {
+-        warn_report("%s: avx10.%d.", prefix, env->avx10_version);
++    } else if (env->avx10_version) {
++        if (prefix) {
++            warn_report("%s: avx10.%d.", prefix, env->avx10_version);
++        }
+         have_filtered_features = true;
+     }
+ 

debian/patches/extra/0006-net-Fix-announce_self.patch

@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Fri, 17 Jan 2025 12:17:08 +0100
+Subject: [PATCH] net: Fix announce_self
+
+b9ad513e1876 ("net: Remove receive_raw()") adds an iovec entry
+in qemu_deliver_packet_iov() to add the virtio-net header
+in the data when QEMU_NET_PACKET_FLAG_RAW is set but forgets
+to increase the number of iovec entries in the array, so
+receive_iov() will only send the first entry (the virtio-net
+entry, full of 0) and no data. The packet will be discarded.
+
+The only user of QEMU_NET_PACKET_FLAG_RAW is announce_self.
+
+We can see the problem with tcpdump:
+
+- QEMU parameters:
+
+  .. -monitor stdio \
+     -netdev bridge,id=netdev0,br=virbr0 \
+     -device virtio-net,mac=9a:2b:2c:2d:2e:2f,netdev=netdev0 \
+
+- HMP command:
+
+  (qemu) announce_self
+
+- TCP dump:
+
+  $ sudo tcpdump -nxi virbr0
+
+  without the fix:
+
+    <nothing>
+
+  with the fix:
+
+   ARP, Reverse Request who-is 9a:2b:2c:2d:2e:2f tell 9a:2b:2c:2d:2e:2f, length 46
+        0x0000:  0001 0800 0604 0003 9a2b 2c2d 2e2f 0000
+        0x0010:  0000 9a2b 2c2d 2e2f 0000 0000 0000 0000
+        0x0020:  0000 0000 0000 0000 0000 0000 0000
+
+Reported-by: Xiaohui Li <xiaohli@redhat.com>
+Bug: https://issues.redhat.com/browse/RHEL-73891
+Fixes: b9ad513e1876 ("net: Remove receive_raw()")
+Cc: akihiko.odaki@daynix.com
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+(picked from https://lore.kernel.org/qemu-devel/20250117111709.970789-2-lvivier@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/net.c b/net/net.c
+index 7ef6885876..fefa701bb2 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -822,6 +822,7 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
+         iov_copy[0].iov_len =  nc->vnet_hdr_len;
+         memcpy(&iov_copy[1], iov, iovcnt * sizeof(*iov));
+         iov = iov_copy;
++        iovcnt++;
+     }
+ 
+     if (nc->info->receive_iov) {

debian/patches/extra/0007-net-dump-Correctly-compute-Ethernet-packet-offset.patch

@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Fri, 17 Jan 2025 12:17:09 +0100
+Subject: [PATCH] net/dump: Correctly compute Ethernet packet offset
+
+When a packet is sent with QEMU_NET_PACKET_FLAG_RAW by QEMU it
+never includes virtio-net header even if qemu_get_vnet_hdr_len()
+is not 0, and filter-dump is not managing this case.
+
+The only user of QEMU_NET_PACKET_FLAG_RAW is announce_self,
+we can show the problem using it and tcpddump:
+
+- QEMU parameters:
+
+  .. -monitor stdio \
+     -netdev bridge,id=netdev0,br=virbr0 \
+     -device virtio-net,mac=9a:2b:2c:2d:2e:2f,netdev=netdev0 \
+     -object filter-dump,netdev=netdev0,file=log.pcap,id=pcap0
+
+- HMP command:
+
+  (qemu) announce_self
+
+- TCP dump:
+
+  $ tcpdump -nxr log.pcap
+
+  without the fix:
+
+    08:00:06:04:00:03 > 2e:2f:80:35:00:01, ethertype Unknown (0x9a2b), length 50:
+         0x0000:  2c2d 2e2f 0000 0000 9a2b 2c2d 2e2f 0000
+         0x0010:  0000 0000 0000 0000 0000 0000 0000 0000
+         0x0020:  0000 0000
+
+  with the fix:
+
+    ARP, Reverse Request who-is 9a:2b:2c:2d:2e:2f tell 9a:2b:2c:2d:2e:2f, length 46
+         0x0000:  0001 0800 0604 0003 9a2b 2c2d 2e2f 0000
+         0x0010:  0000 9a2b 2c2d 2e2f 0000 0000 0000 0000
+         0x0020:  0000 0000 0000 0000 0000 0000 0000
+
+Fixes: 481c52320a26 ("net: Strip virtio-net header when dumping")
+Cc: akihiko.odaki@daynix.com
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+(picked from https://lore.kernel.org/qemu-devel/20250117111709.970789-3-lvivier@redhat.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/dump.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dump.c b/net/dump.c
+index 956e34a123..42ab8d7716 100644
+--- a/net/dump.c
++++ b/net/dump.c
+@@ -155,7 +155,8 @@ static ssize_t filter_dump_receive_iov(NetFilterState *nf, NetClientState *sndr,
+ {
+     NetFilterDumpState *nfds = FILTER_DUMP(nf);
+ 
+-    dump_receive_iov(&nfds->ds, iov, iovcnt, qemu_get_vnet_hdr_len(nf->netdev));
++    dump_receive_iov(&nfds->ds, iov, iovcnt, flags & QEMU_NET_PACKET_FLAG_RAW ?
++                     0 : qemu_get_vnet_hdr_len(nf->netdev));
+     return 0;
+ }
+ 

debian/patches/extra/0008-pci-acpi-Windows-PCI-Label-Id-bug-workaround.patch

@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov <imammedo@redhat.com>
+Date: Wed, 15 Jan 2025 13:53:41 +0100
+Subject: [PATCH] pci: acpi: Windows 'PCI Label Id' bug workaround
+
+Current versions of Windows call _DSM(func=7) regardless
+of whether it is supported or not. It leads to NICs having bogus
+'PCI Label Id = 0', where none should be set at all.
+
+Also presence of 'PCI Label Id' triggers another Windows bug
+on localized versions that leads to hangs. The later bug is fixed
+in latest updates for 'Windows Server' but not in consumer
+versions of Windows (and there is no plans to fix it
+as far as I'm aware).
+
+Given it's easy, implement Microsoft suggested workaround
+(return invalid Package) so that affected Windows versions
+could boot on QEMU.
+This would effectvely remove bogus 'PCI Label Id's on NICs,
+but MS teem confirmed that flipping 'PCI Label Id' should not
+change 'Network Connection' ennumeration, so it should be safe
+for QEMU to change _DSM without any compat code.
+
+Smoke tested with WinXP and WS2022
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/774
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+Message-Id: <20250115125342.3883374-3-imammedo@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 0b053391985abcc40b16ac8fc4a7f6588d1d95c1)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/i386/acpi-build.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index 9fcc2897b8..f7b961e04c 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -654,6 +654,7 @@ static Aml *aml_pci_pdsm(void)
+     Aml *acpi_index = aml_local(2);
+     Aml *zero = aml_int(0);
+     Aml *one = aml_int(1);
++    Aml *not_supp = aml_int(0xFFFFFFFF);
+     Aml *func = aml_arg(2);
+     Aml *params = aml_arg(4);
+     Aml *bnum = aml_derefof(aml_index(params, aml_int(0)));
+@@ -678,7 +679,7 @@ static Aml *aml_pci_pdsm(void)
+          */
+         ifctx1 = aml_if(aml_lnot(
+                      aml_or(aml_equal(acpi_index, zero),
+-                            aml_equal(acpi_index, aml_int(0xFFFFFFFF)), NULL)
++                            aml_equal(acpi_index, not_supp), NULL)
+                  ));
+         {
+             /* have supported functions */
+@@ -704,18 +705,30 @@ static Aml *aml_pci_pdsm(void)
+     {
+        Aml *pkg = aml_package(2);
+ 
+-       aml_append(pkg, zero);
+-       /*
+-        * optional, if not impl. should return null string
+-        */
+-       aml_append(pkg, aml_string("%s", ""));
+-       aml_append(ifctx, aml_store(pkg, ret));
+-
+        aml_append(ifctx, aml_store(aml_call2("AIDX", bnum, sunum), acpi_index));
++       aml_append(ifctx, aml_store(pkg, ret));
+        /*
+-        * update acpi-index to actual value
++        * Windows calls func=7 without checking if it's available,
++        * as workaround Microsoft has suggested to return invalid for func7
++        * Package, so return 2 elements package but only initialize elements
++        * when acpi_index is supported and leave them uninitialized, which
++        * leads elements to being Uninitialized ObjectType and should trip
++        * Windows into discarding result as an unexpected and prevent setting
++        * bogus 'PCI Label' on the device.
+         */
+-       aml_append(ifctx, aml_store(acpi_index, aml_index(ret, zero)));
++       ifctx1 = aml_if(aml_lnot(aml_lor(
++                    aml_equal(acpi_index, zero), aml_equal(acpi_index, not_supp)
++                )));
++       {
++           aml_append(ifctx1, aml_store(acpi_index, aml_index(ret, zero)));
++           /*
++            * optional, if not impl. should return null string
++            */
++           aml_append(ifctx1, aml_store(aml_string("%s", ""),
++                                        aml_index(ret, one)));
++       }
++       aml_append(ifctx, ifctx1);
++
+        aml_append(ifctx, aml_return(ret));
+     }
+ 

debian/patches/extra/0009-hw-usb-hcd-xhci-pci-Use-modulo-to-select-MSI-vector-.patch

@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Phil Dennis-Jordan <phil@philjordan.eu>
+Date: Fri, 13 Dec 2024 17:06:14 +0100
+Subject: [PATCH] hw/usb/hcd-xhci-pci: Use modulo to select MSI vector as per
+ spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU would crash with a failed assertion if the XHCI controller
+attempted to raise the interrupt on an interrupter corresponding
+to a MSI vector with a higher index than the highest configured
+for the device by the guest driver.
+
+This behaviour is correct on the MSI/PCI side: per PCI 3.0 spec,
+devices must ensure they do not send MSI notifications for
+vectors beyond the range of those allocated by the system/driver
+software. Unlike MSI-X, there is no generic way for handling
+aliasing in the case of fewer allocated vectors than requested,
+so the specifics are up to device implementors. (Section
+6.8.3.4. "Sending Messages")
+
+It turns out the XHCI spec (Implementation Note in section 4.17,
+"Interrupters") requires that the host controller signal the MSI
+vector with the number computed by taking the interrupter number
+modulo the number of enabled MSI vectors.
+
+This change introduces that modulo calculation, fixing the
+failed assertion. This makes the device work correctly in MSI mode
+with macOS's XHCI driver, which only allocates a single vector.
+
+Signed-off-by: Phil Dennis-Jordan <phil@philjordan.eu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-ID: <20250112210056.16658-2-phil@philjordan.eu>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+(cherry picked from commit bb5b7fced6b5d3334ab20702fc846e47bb1fb731)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/usb/hcd-xhci-pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-xhci-pci.c b/hw/usb/hcd-xhci-pci.c
+index a039f5778a..516e6909d2 100644
+--- a/hw/usb/hcd-xhci-pci.c
++++ b/hw/usb/hcd-xhci-pci.c
+@@ -74,6 +74,7 @@ static bool xhci_pci_intr_raise(XHCIState *xhci, int n, bool level)
+     }
+ 
+     if (msi_enabled(pci_dev) && level) {
++        n %= msi_nr_vectors_allocated(pci_dev);
+         msi_notify(pci_dev, n);
+         return true;
+     }

debian/patches/extra/0010-pci-ensure-valid-link-status-bits-for-downstream-por.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Ott <sebott@redhat.com>
+Date: Tue, 3 Dec 2024 13:19:28 +0100
+Subject: [PATCH] pci: ensure valid link status bits for downstream ports
+
+PCI hotplug for downstream endpoints on arm fails because Linux'
+PCIe hotplug driver doesn't like the QEMU provided LNKSTA:
+
+  pcieport 0000:08:01.0: pciehp: Slot(2): Card present
+  pcieport 0000:08:01.0: pciehp: Slot(2): Link Up
+  pcieport 0000:08:01.0: pciehp: Slot(2): Cannot train link: status 0x2000
+
+There's 2 cases where LNKSTA isn't setup properly:
+* the downstream device has no express capability
+* max link width of the bridge is 0
+
+Move the sanity checks added via 88c869198aa63
+("pci: Sanity test minimum downstream LNKSTA") outside of the
+branch to make sure downstream ports always have a valid LNKSTA.
+
+Signed-off-by: Sebastian Ott <sebott@redhat.com>
+Tested-by: Zhenyu Zhang <zhenyzha@redhat.com>
+Message-Id: <20241203121928.14861-1-sebott@redhat.com>
+Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 694632fd44987cc4618612a38ad151047524a590)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/pci/pcie.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
+index 0b455c8654..1b12db6fa2 100644
+--- a/hw/pci/pcie.c
++++ b/hw/pci/pcie.c
+@@ -1113,18 +1113,22 @@ void pcie_sync_bridge_lnk(PCIDevice *bridge_dev)
+         if ((lnksta & PCI_EXP_LNKSTA_NLW) > (lnkcap & PCI_EXP_LNKCAP_MLW)) {
+             lnksta &= ~PCI_EXP_LNKSTA_NLW;
+             lnksta |= lnkcap & PCI_EXP_LNKCAP_MLW;
+-        } else if (!(lnksta & PCI_EXP_LNKSTA_NLW)) {
+-            lnksta |= QEMU_PCI_EXP_LNKSTA_NLW(QEMU_PCI_EXP_LNK_X1);
+         }
+ 
+         if ((lnksta & PCI_EXP_LNKSTA_CLS) > (lnkcap & PCI_EXP_LNKCAP_SLS)) {
+             lnksta &= ~PCI_EXP_LNKSTA_CLS;
+             lnksta |= lnkcap & PCI_EXP_LNKCAP_SLS;
+-        } else if (!(lnksta & PCI_EXP_LNKSTA_CLS)) {
+-            lnksta |= QEMU_PCI_EXP_LNKSTA_CLS(QEMU_PCI_EXP_LNK_2_5GT);
+         }
+     }
+ 
++    if (!(lnksta & PCI_EXP_LNKSTA_NLW)) {
++        lnksta |= QEMU_PCI_EXP_LNKSTA_NLW(QEMU_PCI_EXP_LNK_X1);
++    }
++
++    if (!(lnksta & PCI_EXP_LNKSTA_CLS)) {
++        lnksta |= QEMU_PCI_EXP_LNKSTA_CLS(QEMU_PCI_EXP_LNK_2_5GT);
++    }
++
+     pci_word_test_and_clear_mask(exp_cap + PCI_EXP_LNKSTA,
+                                  PCI_EXP_LNKSTA_CLS | PCI_EXP_LNKSTA_NLW);
+     pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA, lnksta &

debian/patches/extra/0011-pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Thu, 12 Dec 2024 22:04:02 +1000
+Subject: [PATCH] pci/msix: Fix msix pba read vector poll end calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The end vector calculation has a bug that results in polling fewer
+than required vectors when reading at a non-zero offset in PBA memory.
+
+Fixes: bbef882cc193 ("msi: add API to get notified about pending bit poll")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Message-Id: <20241212120402.1475053-1-npiggin@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 42e2a7a0ab23784e44fcb18369e06067abc89305)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/pci/msix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/pci/msix.c b/hw/pci/msix.c
+index 487e49834e..cc6e79ec67 100644
+--- a/hw/pci/msix.c
++++ b/hw/pci/msix.c
+@@ -250,7 +250,7 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
+     PCIDevice *dev = opaque;
+     if (dev->msix_vector_poll_notifier) {
+         unsigned vector_start = addr * 8;
+-        unsigned vector_end = MIN(addr + size * 8, dev->msix_entries_nr);
++        unsigned vector_end = MIN((addr + size) * 8, dev->msix_entries_nr);
+         dev->msix_vector_poll_notifier(dev, vector_start, vector_end);
+     }
+ 

debian/patches/series

@@ -1,6 +1,14 @@
 extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
 extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0003-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
+extra/0003-tcg-Reset-free_temps-before-tcg_optimize.patch
+extra/0004-target-i386-Reset-TSCs-of-parked-vCPUs-too-on-VM-res.patch
+extra/0005-i386-cpu-Mark-avx10_version-filtered-when-prefix-is-.patch
+extra/0006-net-Fix-announce_self.patch
+extra/0007-net-dump-Correctly-compute-Ethernet-packet-offset.patch
+extra/0008-pci-acpi-Windows-PCI-Label-Id-bug-workaround.patch
+extra/0009-hw-usb-hcd-xhci-pci-Use-modulo-to-select-MSI-vector-.patch
+extra/0010-pci-ensure-valid-link-status-bits-for-downstream-por.patch
+extra/0011-pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch