From cf816402f7ced5248243f4f7eb7584522aa19c5f Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Oct 19 2016 17:17:38 +0000
Subject: Fix nested PPC 'Unknown MMU model' error (bz #1374749) Fix flickering display with boxes + wayland VM (bz #1266484) Add ppc64 kvm memlock file (bz #1293024)
---
diff --git a/0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch b/0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
new file mode 100644
index 0000000..183d1fe
--- /dev/null
+++ b/0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
@@ -0,0 +1,54 @@
+From: Thomas Huth
+Date: Wed, 21 Sep 2016 11:42:15 +0200
+Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not
+ available
+
+QEMU currently refuses to start with KVM-PR and only prints out
+
+ qemu: fatal: Unknown MMU model 851972
+
+when being started there. This is because commit 4322e8ced5aaac719
+("ppc: Fix 64K pages support in full emulation") introduced a new
+POWERPC_MMU_64K bit to indicate support for this page size, but
+it never gets cleared on KVM-PR if the host kernel does not support
+this. Thus we've got to turn off this bit in the mmu_model for KVM-PR.
+
+Signed-off-by: Thomas Huth
+Signed-off-by: David Gibson
+(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7)
+---
+ target-ppc/kvm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
+index dcb68b9..6bdc804 100644
+--- a/target-ppc/kvm.c
++++ b/target-ppc/kvm.c
+@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
+ CPUPPCState *env = &cpu->env;
+ long rampagesize;
+ int iq, ik, jq, jk;
++ bool has_64k_pages = false;
+
+ /* We only handle page sizes for 64-bit server guests for now */
+ if (!(env->mmu_model & POWERPC_MMU_64)) {
+@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
+ ksps->enc[jk].page_shift)) {
+ continue;
+ }
++ if (ksps->enc[jk].page_shift == 16) {
++ has_64k_pages = true;
++ }
+ qsps->enc[jq].page_shift = ksps->enc[jk].page_shift;
+ qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc;
+ if (++jq >= PPC_PAGE_SIZES_MAX_SZ) {
+@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
+ if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
+ env->mmu_model &= ~POWERPC_MMU_1TSEG;
+ }
++ if (!has_64k_pages) {
++ env->mmu_model &= ~POWERPC_MMU_64K;
++ }
+ }
+ #else /* defined (TARGET_PPC64) */
+
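Review bot: The literal `16` in `ksps->enc[jk].page_shift == 16` (second kvm.c hunk) is an unexplained magic number, and the final `if (!has_64k_pages)` block carries no comment saying why the bit is dropped. A short comment above the clearing, for example `/* no 64kB (shift 16) encoding offered by the host: stop advertising POWERPC_MMU_64K */`, would keep the link to the "Unknown MMU model" failure visible to the next reader. The flag is set only after the `continue` shown as context, so encodings rejected by that check are not counted, which looks intended. kvm_fixup_page_sizes starts and ends outside these hunks, so any path that leaves the function before the final block is not visible here.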
diff --git a/0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
new file mode 100644
index 0000000..874e14f
--- /dev/null
+++ b/0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
@@ -0,0 +1,74 @@
+From: Christophe Fergeau
+Date: Fri, 14 Oct 2016 14:22:36 +0200
+Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config
+ changes
+
+Currently if the client keeps sending the same monitor config to
+QEMU/spice-server, QEMU will always raise
+a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
+change or not.
+Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
+event to user-space without checking if there were actual changes.
+Next in line are gnome-shell/mutter (on a default f25 install), which
+will try to reconfigure everything without checking if there is anything
+to do.
+Where this gets ugly is that when applying the resolution changes,
+gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
+drmModeSetCrtc, which will cause the primary surface to be destroyed and
+recreated by the QXL KMS driver. This in turn will cause the client to
+resend a client monitors config message, which will cause QEMU to reemit
+an interrupt with an unchanged monitors configuration, ...
+This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
+
+This commit makes sure that we only emit
+QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
+changes the guest should act on.
+---
+ hw/display/qxl.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 0e2682d..56759f8 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1000,6 +1000,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
+ QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
+ int i;
+ unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
++ bool config_changed = false;
+
+ if (qxl->revision < 4) {
+ trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
+@@ -1030,6 +1031,21 @@ static int interface_client_monitors_config(QXLInstance *sin,
+ }
+ #endif
+
++ if (rom->client_monitors_config.count != MIN(monitors_config->num_of_monitors, max_outputs)) {
++ config_changed = true;
++ }
++ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
++ VDAgentMonConfig *monitor = &monitors_config->monitors[i];
++ QXLURect *rect = &rom->client_monitors_config.heads[i];
++ /* monitor->depth ignored */
++ if ((rect->left != monitor->x) ||
++ (rect->top != monitor->y) ||
++ (rect->right != monitor->x + monitor->width) ||
++ (rect->bottom != monitor->y + monitor->height)) {
++ config_changed = true;
++ }
++ }
++
+ memset(&rom->client_monitors_config, 0,
+ sizeof(rom->client_monitors_config));
+ rom->client_monitors_config.count = monitors_config->num_of_monitors;
+@@ -1059,7 +1075,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
+ trace_qxl_interrupt_client_monitors_config(qxl->id,
+ rom->client_monitors_config.count,
+ rom->client_monitors_config.heads);
+- qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
++ if (config_changed) {
++ qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
++ }
+ return 1;
+ }
+
diff --git a/qemu.spec b/qemu.spec
index 11189e1..cd48911 100644
--- a/qemu.spec
+++ b/qemu.spec
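Review bot: The comparison loop added in the -1030 hunk of qxl.c is bounded by the old `rom->client_monitors_config.count` but indexes the new `monitors_config->monitors[i]`, so when the client sends fewer monitors than the ROM currently records it reads entries past `num_of_monitors`. The count check just above already sets `config_changed` in that case, so the loop can be skipped: `for (i = 0; !config_changed && i < rom->client_monitors_config.count; ++i) {`. With that guard the loop runs only when the stored count equals `MIN(monitors_config->num_of_monitors, max_outputs)`, which keeps both `monitors[i]` and `heads[i]` in range. Whether the extra reads actually leave the buffer spice-server passed in cannot be told from the hunk, and interface_client_monitors_config starts and ends outside it.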
@@ -68,7 +68,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.7.0 -Release: 4%{?rcrel}%{?dist} +Release: 5%{?rcrel}%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -129,6 +129,10 @@ Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch # Fix interrupt endpoints not working with network/spice USB redirection on # guest with an emulated xhci controller (bz #1382331) Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch +# Fix nested PPC 'Unknown MMU model' error (bz #1374749) +Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch +# Fix flickering display with boxes + wayland VM (bz #1266484) +Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch # documentation deps BuildRequires: texi2html @@ -1599,6 +1603,11 @@ getent passwd qemu >/dev/null || \ %changelog +* Wed Oct 19 2016 Cole Robinson - 2:2.7.0-5 +- Fix nested PPC 'Unknown MMU model' error (bz #1374749) +- Fix flickering display with boxes + wayland VM (bz #1266484) +- Add ppc64 kvm memlock file (bz #1293024) + * Sat Oct 15 2016 Cole Robinson - 2:2.7.0-4 - CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) - CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)