[Qemu-devel] [GIT PULL] 0.10.7 stable release

[Qemu-devel] [GIT PULL] 0.10.7 stable release

[Glauber Costa]

Hi people

These are the patches I am proposing for 0.10.7 stable release. If you disagree
with any of them, or think a patch should go in that is not in this list, let me know

patches marked as "BACKPORT" are ones who needed to get some modification, although
very simple ones. All others are conflict-less cherry-picks from master

You can find these patches at the master branch of:

git://git.qemu.org/qemu-stable-0.10.git

[Qemu-devel] [PATCH 01/12] fix for bad macaddr of e1000 in Windows 2003 server with original MS driver

[Glauber Costa]

From: Naphtali Sprei <nsprei@redhat.com>

The sequence of reading from eeprom is "offset by one" moved because of a false
detection of a clock cycle after an eeprom reset. Keeping the last clock value
after a reset keeps it in sync.

Signed-off-by: Naphtali Sprei <nsprei@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 hw/e1000.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/hw/e1000.c b/hw/e1000.c
index 8c1741f..76fa159 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -262,6 +262,11 @@ set_eecd(E1000State *s, int index, uint32_t val)
     }
     if (!(val & E1000_EECD_CS)) {		// rising, no CS (EEPROM reset)
         memset(&s->eecd_state, 0, sizeof s->eecd_state);
+        /*
+         * restore old_eecd's E1000_EECD_SK (known to be on)
+         * to avoid false detection of a clock edge
+         */
+        s->eecd_state.old_eecd = E1000_EECD_SK;
         return;
     }
     s->eecd_state.val_in <<= 1;
-- 
1.6.2.2

[Qemu-devel] [PATCH 02/12] Handle BH's queued by AIO completions in qemu_aio_flush()

[Glauber Costa]

From: Nolan <nolan@sigbus.net>

Without this, the call to qemu_aio_flush during migration doesn't
actually flush all in-flight SCSI IOs.

Signed-off-by: Nolan Leake <nolan <at> sigbus.net>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 aio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/aio.c b/aio.c
index dc9b85d..efc63fd 100644
--- a/aio.c
+++ b/aio.c
@@ -112,7 +112,7 @@ void qemu_aio_flush(void)
         LIST_FOREACH(node, &aio_handlers, node) {
             ret |= node->io_flush(node->opaque);
         }
-    } while (ret > 0);
+    } while (qemu_bh_poll() || ret > 0);
 }
 
 void qemu_aio_wait(void)
-- 
1.6.2.2

[Qemu-devel] [PATCH 03/12] BACKPORT: Add save/restore support to the LSI logic SCSI device model.

[Glauber Costa]

From: Nolan <nolan@sigbus.net>

This patch requires "Handle BH's queued by AIO completions in
qemu_aio_flush()" to work reliably.  The combination of those two
patches survived 300+ migrations with heavy IO load running in the
guest.

Signed-off-by: Nolan Leake <nolan <at> sigbus.net>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 hw/lsi53c895a.c |  173 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 173 insertions(+), 0 deletions(-)

diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index d4805c4..b8b02c8 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -10,6 +10,8 @@
 /* ??? Need to check if the {read,write}[wl] routines work properly on
    big-endian targets.  */
 
+#include <assert.h>                             \
+
 #include "hw.h"
 #include "pci.h"
 #include "scsi-disk.h"
@@ -1980,6 +1982,174 @@ void lsi_scsi_attach(void *opaque, BlockDriverState *bd, int id)
     bd->private = &s->pci_dev;
 }
 
+static void lsi_scsi_save(QEMUFile *f, void *opaque)
+{
+    LSIState *s = opaque;
+
+    assert(s->dma_buf == NULL);
+    assert(s->current_dma_len == 0);
+    assert(s->active_commands == 0);
+
+    pci_device_save(&s->pci_dev, f);
+
+    qemu_put_sbe32s(f, &s->carry);
+    qemu_put_sbe32s(f, &s->sense);
+    qemu_put_sbe32s(f, &s->msg_action);
+    qemu_put_sbe32s(f, &s->msg_len);
+    qemu_put_buffer(f, s->msg, sizeof (s->msg));
+    qemu_put_sbe32s(f, &s->waiting);
+
+    qemu_put_be32s(f, &s->dsa);
+    qemu_put_be32s(f, &s->temp);
+    qemu_put_be32s(f, &s->dnad);
+    qemu_put_be32s(f, &s->dbc);
+    qemu_put_8s(f, &s->istat0);
+    qemu_put_8s(f, &s->istat1);
+    qemu_put_8s(f, &s->dcmd);
+    qemu_put_8s(f, &s->dstat);
+    qemu_put_8s(f, &s->dien);
+    qemu_put_8s(f, &s->sist0);
+    qemu_put_8s(f, &s->sist1);
+    qemu_put_8s(f, &s->sien0);
+    qemu_put_8s(f, &s->sien1);
+    qemu_put_8s(f, &s->mbox0);
+    qemu_put_8s(f, &s->mbox1);
+    qemu_put_8s(f, &s->dfifo);
+    qemu_put_8s(f, &s->ctest2);
+    qemu_put_8s(f, &s->ctest3);
+    qemu_put_8s(f, &s->ctest4);
+    qemu_put_8s(f, &s->ctest5);
+    qemu_put_8s(f, &s->ccntl0);
+    qemu_put_8s(f, &s->ccntl1);
+    qemu_put_be32s(f, &s->dsp);
+    qemu_put_be32s(f, &s->dsps);
+    qemu_put_8s(f, &s->dmode);
+    qemu_put_8s(f, &s->dcntl);
+    qemu_put_8s(f, &s->scntl0);
+    qemu_put_8s(f, &s->scntl1);
+    qemu_put_8s(f, &s->scntl2);
+    qemu_put_8s(f, &s->scntl3);
+    qemu_put_8s(f, &s->sstat0);
+    qemu_put_8s(f, &s->sstat1);
+    qemu_put_8s(f, &s->scid);
+    qemu_put_8s(f, &s->sxfer);
+    qemu_put_8s(f, &s->socl);
+    qemu_put_8s(f, &s->sdid);
+    qemu_put_8s(f, &s->ssid);
+    qemu_put_8s(f, &s->sfbr);
+    qemu_put_8s(f, &s->stest1);
+    qemu_put_8s(f, &s->stest2);
+    qemu_put_8s(f, &s->stest3);
+    qemu_put_8s(f, &s->sidl);
+    qemu_put_8s(f, &s->stime0);
+    qemu_put_8s(f, &s->respid0);
+    qemu_put_8s(f, &s->respid1);
+    qemu_put_be32s(f, &s->mmrs);
+    qemu_put_be32s(f, &s->mmws);
+    qemu_put_be32s(f, &s->sfs);
+    qemu_put_be32s(f, &s->drs);
+    qemu_put_be32s(f, &s->sbms);
+    qemu_put_be32s(f, &s->dbms);
+    qemu_put_be32s(f, &s->dnad64);
+    qemu_put_be32s(f, &s->pmjad1);
+    qemu_put_be32s(f, &s->pmjad2);
+    qemu_put_be32s(f, &s->rbc);
+    qemu_put_be32s(f, &s->ua);
+    qemu_put_be32s(f, &s->ia);
+    qemu_put_be32s(f, &s->sbc);
+    qemu_put_be32s(f, &s->csbc);
+    qemu_put_buffer(f, (uint8_t *)s->scratch, sizeof (s->scratch));
+    qemu_put_8s(f, &s->sbr);
+
+    qemu_put_buffer(f, (uint8_t *)s->script_ram, sizeof (s->script_ram));
+}
+
+static int lsi_scsi_load(QEMUFile *f, void *opaque, int version_id)
+{
+    LSIState *s = opaque;
+    int ret;
+
+    if (version_id > 0) {
+        return -EINVAL;
+    }
+
+    if ((ret = pci_device_load(&s->pci_dev, f)) < 0)
+        return ret;
+
+    qemu_get_sbe32s(f, &s->carry);
+    qemu_get_sbe32s(f, &s->sense);
+    qemu_get_sbe32s(f, &s->msg_action);
+    qemu_get_sbe32s(f, &s->msg_len);
+    qemu_get_buffer(f, s->msg, sizeof (s->msg));
+    qemu_get_sbe32s(f, &s->waiting);
+
+    qemu_get_be32s(f, &s->dsa);
+    qemu_get_be32s(f, &s->temp);
+    qemu_get_be32s(f, &s->dnad);
+    qemu_get_be32s(f, &s->dbc);
+    qemu_get_8s(f, &s->istat0);
+    qemu_get_8s(f, &s->istat1);
+    qemu_get_8s(f, &s->dcmd);
+    qemu_get_8s(f, &s->dstat);
+    qemu_get_8s(f, &s->dien);
+    qemu_get_8s(f, &s->sist0);
+    qemu_get_8s(f, &s->sist1);
+    qemu_get_8s(f, &s->sien0);
+    qemu_get_8s(f, &s->sien1);
+    qemu_get_8s(f, &s->mbox0);
+    qemu_get_8s(f, &s->mbox1);
+    qemu_get_8s(f, &s->dfifo);
+    qemu_get_8s(f, &s->ctest2);
+    qemu_get_8s(f, &s->ctest3);
+    qemu_get_8s(f, &s->ctest4);
+    qemu_get_8s(f, &s->ctest5);
+    qemu_get_8s(f, &s->ccntl0);
+    qemu_get_8s(f, &s->ccntl1);
+    qemu_get_be32s(f, &s->dsp);
+    qemu_get_be32s(f, &s->dsps);
+    qemu_get_8s(f, &s->dmode);
+    qemu_get_8s(f, &s->dcntl);
+    qemu_get_8s(f, &s->scntl0);
+    qemu_get_8s(f, &s->scntl1);
+    qemu_get_8s(f, &s->scntl2);
+    qemu_get_8s(f, &s->scntl3);
+    qemu_get_8s(f, &s->sstat0);
+    qemu_get_8s(f, &s->sstat1);
+    qemu_get_8s(f, &s->scid);
+    qemu_get_8s(f, &s->sxfer);
+    qemu_get_8s(f, &s->socl);
+    qemu_get_8s(f, &s->sdid);
+    qemu_get_8s(f, &s->ssid);
+    qemu_get_8s(f, &s->sfbr);
+    qemu_get_8s(f, &s->stest1);
+    qemu_get_8s(f, &s->stest2);
+    qemu_get_8s(f, &s->stest3);
+    qemu_get_8s(f, &s->sidl);
+    qemu_get_8s(f, &s->stime0);
+    qemu_get_8s(f, &s->respid0);
+    qemu_get_8s(f, &s->respid1);
+    qemu_get_be32s(f, &s->mmrs);
+    qemu_get_be32s(f, &s->mmws);
+    qemu_get_be32s(f, &s->sfs);
+    qemu_get_be32s(f, &s->drs);
+    qemu_get_be32s(f, &s->sbms);
+    qemu_get_be32s(f, &s->dbms);
+    qemu_get_be32s(f, &s->dnad64);
+    qemu_get_be32s(f, &s->pmjad1);
+    qemu_get_be32s(f, &s->pmjad2);
+    qemu_get_be32s(f, &s->rbc);
+    qemu_get_be32s(f, &s->ua);
+    qemu_get_be32s(f, &s->ia);
+    qemu_get_be32s(f, &s->sbc);
+    qemu_get_be32s(f, &s->csbc);
+    qemu_get_buffer(f, (uint8_t *)s->scratch, sizeof (s->scratch));
+    qemu_get_8s(f, &s->sbr);
+
+    qemu_get_buffer(f, (uint8_t *)s->script_ram, sizeof (s->script_ram));
+
+    return 0;
+}
+
 static int lsi_scsi_uninit(PCIDevice *d)
 {
     LSIState *s = (LSIState *) d;
@@ -2038,5 +2208,8 @@ void *lsi_scsi_init(PCIBus *bus, int devfn)
 
     lsi_soft_reset(s);
 
+    register_savevm("lsiscsi", -1, 0, lsi_scsi_save, lsi_scsi_load, s);
+
     return s;
+
 }
-- 
1.6.2.2

[Qemu-devel] [PATCH 04/12] vmdk: Fix backing file handling

[Glauber Costa]

From: Kevin Wolf <kwolf@redhat.com>

Instead of storing the backing file in its own BlockDriverState, VMDK uses the
BlockDriverState of the raw image file it opened. This is wrong and breaks
functions that access the backing file or protocols. This fix replaces all
occurrences of s->hd->backing_* with bs->backing_*.

This fixes qemu-iotests failure in 020 (Commit changes to backing file).

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 block-vmdk.c |   29 +++++++++++++++--------------
 1 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/block-vmdk.c b/block-vmdk.c
index 71d7504..1f2ad17 100644
--- a/block-vmdk.c
+++ b/block-vmdk.c
@@ -169,7 +169,7 @@ static int vmdk_is_cid_valid(BlockDriverState *bs)
 {
 #ifdef CHECK_CID
     BDRVVmdkState *s = bs->opaque;
-    BlockDriverState *p_bs = s->hd->backing_hd;
+    BlockDriverState *p_bs = bs->backing_hd;
     uint32_t cur_pcid;
 
     if (p_bs) {
@@ -337,26 +337,26 @@ static int vmdk_parent_open(BlockDriverState *bs, const char * filename)
         p_name += sizeof("parentFileNameHint") + 1;
         if ((end_name = strchr(p_name,'\"')) == 0)
             return -1;
-        if ((end_name - p_name) > sizeof (s->hd->backing_file) - 1)
+        if ((end_name - p_name) > sizeof (bs->backing_file) - 1)
             return -1;
 
-        pstrcpy(s->hd->backing_file, end_name - p_name + 1, p_name);
-        if (stat(s->hd->backing_file, &file_buf) != 0) {
+        pstrcpy(bs->backing_file, end_name - p_name + 1, p_name);
+        if (stat(bs->backing_file, &file_buf) != 0) {
             path_combine(parent_img_name, sizeof(parent_img_name),
-                         filename, s->hd->backing_file);
+                         filename, bs->backing_file);
         } else {
             pstrcpy(parent_img_name, sizeof(parent_img_name),
-                    s->hd->backing_file);
+                    bs->backing_file);
         }
 
-        s->hd->backing_hd = bdrv_new("");
-        if (!s->hd->backing_hd) {
+        bs->backing_hd = bdrv_new("");
+        if (!bs->backing_hd) {
             failure:
             bdrv_close(s->hd);
             return -1;
         }
         parent_open = 1;
-        if (bdrv_open(s->hd->backing_hd, parent_img_name, BDRV_O_RDONLY) < 0)
+        if (bdrv_open(bs->backing_hd, parent_img_name, BDRV_O_RDONLY) < 0)
             goto failure;
         parent_open = 0;
     }
@@ -463,13 +463,14 @@ static int get_whole_cluster(BlockDriverState *bs, uint64_t cluster_offset,
 
     // we will be here if it's first write on non-exist grain(cluster).
     // try to read from parent image, if exist
-    if (s->hd->backing_hd) {
-        BDRVVmdkState *ps = s->hd->backing_hd->opaque;
+    if (bs->backing_hd) {
+        BDRVVmdkState *ps = bs->backing_hd->opaque;
 
         if (!vmdk_is_cid_valid(bs))
             return -1;
 
-        parent_cluster_offset = get_cluster_offset(s->hd->backing_hd, NULL, offset, allocate);
+        parent_cluster_offset = get_cluster_offset(bs->backing_hd, NULL,
+            offset, allocate);
 
         if (parent_cluster_offset) {
             BDRVVmdkState *act_s = activeBDRV.hd->opaque;
@@ -620,10 +621,10 @@ static int vmdk_read(BlockDriverState *bs, int64_t sector_num,
             n = nb_sectors;
         if (!cluster_offset) {
             // try to read from parent image, if exist
-            if (s->hd->backing_hd) {
+            if (bs->backing_hd) {
                 if (!vmdk_is_cid_valid(bs))
                     return -1;
-                ret = bdrv_read(s->hd->backing_hd, sector_num, buf, n);
+                ret = bdrv_read(bs->backing_hd, sector_num, buf, n);
                 if (ret < 0)
                     return -1;
             } else {
-- 
1.6.2.2

[Qemu-devel] [PATCH 05/12] fix broken migration

[Glauber Costa]

While fixing migration with -S, commit
89befdd1a6b18215153b8976682d57b7d03d5782 broke the rest of us. Poor
glommer, with a poor family, spare him his life from this monstruosity.

Since the unconditional vm_start, not autostart was the villain, I'm putting
back autostart. Let me know if you prefer other solutions, it doesn't really matter,
doesn't really matter to me.

Any way the wind blows...

Signed-off-by: Glauber Costa <glommer@redhat.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 vl.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/vl.c b/vl.c
index 6cd0ce7..0e46727 100644
--- a/vl.c
+++ b/vl.c
@@ -5721,8 +5721,10 @@ int main(int argc, char **argv, char **envp)
     if (loadvm)
         do_loadvm(loadvm);
 
-    if (incoming)
+    if (incoming) {
+        autostart = 0;
         qemu_start_incoming_migration(incoming);
+    }
 
     if (autostart)
         vm_start();
-- 
1.6.2.2

[Qemu-devel] [PATCH 06/12] fix migration to obey -S

[Glauber Costa]

From: Paolo Bonzini <pbonzini@redhat.com>

Since migration returns right away, starting the VM right
after calling qemu_start_incoming_migration is wrong even
if -S is not passed.  We have to do this after migration
has completed.

Cc: Glauber Costa  <glommer@redhat.com>
Cc: Anthony Liguori  <aliguori@us.ibm.com>

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 migration-exec.c |    2 ++
 migration-tcp.c  |    2 ++
 sysemu.h         |    1 +
 vl.c             |    4 ++--
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/migration-exec.c b/migration-exec.c
index 2e7fdc2..ade592e 100644
--- a/migration-exec.c
+++ b/migration-exec.c
@@ -122,6 +122,8 @@ static void exec_accept_incoming_migration(void *opaque)
     dprintf("successfully loaded vm state\n");
     /* we've successfully migrated, close the fd */
     qemu_set_fd_handler2(qemu_popen_fd(f), NULL, NULL, NULL, NULL);
+    if (autostart)
+        vm_start();
 
 err:
     qemu_fclose(f);
diff --git a/migration-tcp.c b/migration-tcp.c
index 0875c23..5466e57 100644
--- a/migration-tcp.c
+++ b/migration-tcp.c
@@ -170,6 +170,8 @@ static void tcp_accept_incoming_migration(void *opaque)
     /* we've successfully migrated, close the server socket */
     qemu_set_fd_handler2(s, NULL, NULL, NULL, NULL);
     close(s);
+    if (autostart)
+        vm_start();
 
 out_fopen:
     qemu_fclose(f);
diff --git a/sysemu.h b/sysemu.h
index 57217c1..f549f29 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -77,6 +77,7 @@ int tap_win32_init(VLANState *vlan, const char *model,
 /* SLIRP */
 void do_info_slirp(void);
 
+extern int autostart;
 extern int bios_size;
 extern int cirrus_vga_enabled;
 extern int std_vga_enabled;
diff --git a/vl.c b/vl.c
index 0e46727..f1244c9 100644
--- a/vl.c
+++ b/vl.c
@@ -201,7 +201,7 @@ ram_addr_t ram_size;
 int nb_nics;
 NICInfo nd_table[MAX_NICS];
 int vm_running;
-static int autostart;
+int autostart;
 static int rtc_utc = 1;
 static int rtc_date_offset = -1; /* -1 means no change */
 int cirrus_vga_enabled = 1;
@@ -5726,7 +5726,7 @@ int main(int argc, char **argv, char **envp)
         qemu_start_incoming_migration(incoming);
     }
 
-    if (autostart)
+    else if (autostart)
         vm_start();
 
     if (daemonize) {
-- 
1.6.2.2

[Qemu-devel] [PATCH 07/12] BACKPORT: vnc: fix copyrect screen corruption

[Glauber Costa]

From: Gerd Hoffmann <kraxel@redhat.com>

When sending a copyrect command to the vnc client, we must also update
the local server surface.  Otherwise the server's and the client's idea
of the screen content run out of sync and screen updates don't work
correctly.

[ backport: uses ds_get_data() instead of direct dereference ]
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 vnc.c |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/vnc.c b/vnc.c
index 1d8ebe7..c0700c0 100644
--- a/vnc.c
+++ b/vnc.c
@@ -633,8 +633,14 @@ static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
 
 static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
 {
+
+    uint8_t *src_row;
+    uint8_t *dst_row;
+    int y,pitch,depth;
+
     vnc_update_client(vs);
 
+    /* send bitblit op to the vnc client */
     vnc_write_u8(vs, 0);  /* msg id */
     vnc_write_u8(vs, 0);
     vnc_write_u16(vs, 1); /* number of rects */
@@ -642,6 +648,23 @@ static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, i
     vnc_write_u16(vs, src_x);
     vnc_write_u16(vs, src_y);
     vnc_flush(vs);
+
+    /* do bitblit op on the local surface too */
+    pitch = ds_get_linesize(vs->ds);
+    depth = ds_get_bytes_per_pixel(vs->ds);
+    src_row = ds_get_data(vs->ds) + pitch * src_y + depth * src_x;
+    dst_row = ds_get_data(vs->ds) + pitch * dst_y + depth * dst_x;
+    if (dst_y > src_y) {
+        /* copy backwards */
+        src_row += pitch * (h-1);
+        dst_row += pitch * (h-1);
+        pitch = -pitch;
+    }
+    for (y = 0; y < h; y++) {
+        memmove(dst_row, src_row, w * depth);
+        src_row += pitch;
+        dst_row += pitch;
+    }
 }
 
 static void vnc_dpy_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
-- 
1.6.2.2

[Qemu-devel] [PATCH 08/12] e1000.c doesn't properly emulate EERD and ICS registers

[Glauber Costa]

From: Bill Paul <wpaul@windriver.com>

Once again, the emulation of the EERD and ICS registers in e1000.c is
incorrect. Nobody has noticed this before because none of the Intel-written
e1000 drivers use these registers, and all of the independently written open
source drivers copy Intel's example, so they don't use them either.
Regardless, these registers are documented in the programmer's manuals, and
their emulated behavior doesn't match the verified behavior of real hardware,
so any software that does use them doesn't function correctly.

-Bill

Signed-off-by: Bill Paul <wpaul@windriver.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 hw/e1000.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/e1000.c b/hw/e1000.c
index 76fa159..c55007a 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -155,6 +155,7 @@ set_interrupt_cause(E1000State *s, int index, uint32_t val)
     if (val)
         val |= E1000_ICR_INT_ASSERTED;
     s->mac_reg[ICR] = val;
+    s->mac_reg[ICS] = val;
     qemu_set_irq(s->dev.irq[0], (s->mac_reg[IMS] & s->mac_reg[ICR]) != 0);
 }
 
@@ -287,10 +288,14 @@ flash_eerd_read(E1000State *s, int x)
 {
     unsigned int index, r = s->mac_reg[EERD] & ~E1000_EEPROM_RW_REG_START;
 
+    if ((s->mac_reg[EERD] & E1000_EEPROM_RW_REG_START) == 0)
+        return (s->mac_reg[EERD]);
+
     if ((index = r >> E1000_EEPROM_RW_ADDR_SHIFT) > EEPROM_CHECKSUM_REG)
-        return 0;
-    return (s->eeprom_data[index] << E1000_EEPROM_RW_REG_DATA) |
-           E1000_EEPROM_RW_REG_DONE | r;
+        return (E1000_EEPROM_RW_REG_DONE | r);
+
+    return ((s->eeprom_data[index] << E1000_EEPROM_RW_REG_DATA) |
+           E1000_EEPROM_RW_REG_DONE | r);
 }
 
 static void
@@ -779,7 +784,7 @@ static uint32_t (*macreg_readops[])(E1000State *, int) = {
     getreg(WUFC),	getreg(TDT),	getreg(CTRL),	getreg(LEDCTL),
     getreg(MANC),	getreg(MDIC),	getreg(SWSM),	getreg(STATUS),
     getreg(TORL),	getreg(TOTL),	getreg(IMS),	getreg(TCTL),
-    getreg(RDH),	getreg(RDT),	getreg(VET),
+    getreg(RDH),	getreg(RDT),	getreg(VET),	getreg(ICS),
 
     [TOTH] = mac_read_clr8,	[TORH] = mac_read_clr8,	[GPRC] = mac_read_clr4,
     [GPTC] = mac_read_clr4,	[TPR] = mac_read_clr4,	[TPT] = mac_read_clr4,
-- 
1.6.2.2

[Qemu-devel] [PATCH 09/12] make windows notice media change

[Glauber Costa]

From: Gleb Natapov <gleb@redhat.com>

Windows seems to be very stupid about cdrom media change. It polls
cdrom status and if status goes ready->media not present->ready
it assumes that media was changed. If "media not present" step doesn't
happen even if "medium may have changed" was seen it assumes media
haven't changed. Fake "media not present" step.

Filip Navara did a great job debugging this issue in Windows and this is
what he found out:

BINGO! ... The media present notifications were broken ever since
Windows 2000 it seems. The media change is detected properly and it's
passed to ClassSetMediaChangeState function which in turn calls
ClasspInternalSetMediaChangeState. This function is responsible for
changing some internal state of the device object and sending the PnP
events which later result in application notifications. It has this
tiny bit of code (not copied byte for byte):

if (oldMediaState == NewState) {
  // Media is in the same state it was before.
  return;
}

so the end result is that for the case of UNIT NEEDS ATTENTION /
MEDIUM MAY HAVE CHANGED without NOT READY in-between is really broken.
It results in the internal media change counter incremented, so the
media contents are re-read when necessary, instead of relying on the
cache, but the notifications to applications are never sent.

Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Message-Id:

Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 hw/ide.c |   38 +++++++++++++++++++++++++-------------
 1 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/hw/ide.c b/hw/ide.c
index 9b93e7f..654402f 100644
--- a/hw/ide.c
+++ b/hw/ide.c
@@ -418,6 +418,7 @@ typedef struct IDEState {
     /* ATAPI specific */
     uint8_t sense_key;
     uint8_t asc;
+    uint8_t cdrom_changed;
     int packet_transfer_size;
     int elementary_transfer_size;
     int io_buffer_index;
@@ -1640,9 +1641,10 @@ static void ide_atapi_cmd(IDEState *s)
     }
     switch(s->io_buffer[0]) {
     case GPCMD_TEST_UNIT_READY:
-        if (bdrv_is_inserted(s->bs)) {
+        if (bdrv_is_inserted(s->bs) && !s->cdrom_changed) {
             ide_atapi_cmd_ok(s);
         } else {
+            s->cdrom_changed = 0;
             ide_atapi_cmd_error(s, SENSE_NOT_READY,
                                 ASC_MEDIUM_NOT_PRESENT);
         }
@@ -2102,7 +2104,7 @@ static void cdrom_change_cb(void *opaque)
 
     s->sense_key = SENSE_UNIT_ATTENTION;
     s->asc = ASC_MEDIUM_MAY_HAVE_CHANGED;
-
+    s->cdrom_changed = 1;
     ide_set_irq(s);
 }
 
@@ -2870,7 +2872,7 @@ static void ide_save(QEMUFile* f, IDEState *s)
 }
 
 /* load per IDE drive data */
-static void ide_load(QEMUFile* f, IDEState *s)
+static void ide_load(QEMUFile* f, IDEState *s, int version_id)
 {
     s->mult_sectors=qemu_get_be32(f);
     s->identify_set=qemu_get_be32(f);
@@ -2894,6 +2896,13 @@ static void ide_load(QEMUFile* f, IDEState *s)
 
     qemu_get_8s(f, &s->sense_key);
     qemu_get_8s(f, &s->asc);
+    if (version_id == 3) {
+        qemu_get_8s(f, &s->cdrom_changed);
+    } else {
+        if (s->sense_key == SENSE_UNIT_ATTENTION &&
+                       s->asc == ASC_MEDIUM_MAY_HAVE_CHANGED)
+            s->cdrom_changed = 1;
+    }
     /* XXX: if a transfer is pending, we do not save it yet */
 }
 
@@ -3215,7 +3224,7 @@ static int pci_ide_load(QEMUFile* f, void *opaque, int version_id)
     PCIIDEState *d = opaque;
     int ret, i;
 
-    if (version_id != 2)
+    if (version_id != 2 && version_id != 3)
         return -EINVAL;
     ret = pci_device_load(&d->dev, f);
     if (ret < 0)
@@ -3245,7 +3254,7 @@ static int pci_ide_load(QEMUFile* f, void *opaque, int version_id)
 
     /* per IDE drive data */
     for(i = 0; i < 4; i++) {
-        ide_load(f, &d->ide_if[i]);
+        ide_load(f, &d->ide_if[i], version_id);
     }
     return 0;
 }
@@ -3335,7 +3344,7 @@ void pci_cmd646_ide_init(PCIBus *bus, BlockDriverState **hd_table,
     ide_init2(&d->ide_if[0], hd_table[0], hd_table[1], irq[0]);
     ide_init2(&d->ide_if[2], hd_table[2], hd_table[3], irq[1]);
 
-    register_savevm("ide", 0, 2, pci_ide_save, pci_ide_load, d);
+    register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
     qemu_register_reset(cmd646_reset, d);
     cmd646_reset(d);
 }
@@ -3394,7 +3403,7 @@ void pci_piix3_ide_init(PCIBus *bus, BlockDriverState **hd_table, int devfn,
         if (hd_table[i])
             hd_table[i]->private = &d->dev;
 
-    register_savevm("ide", 0, 2, pci_ide_save, pci_ide_load, d);
+    register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
 }
 
 /* hd_table must contain 4 block drivers */
@@ -3430,7 +3439,7 @@ void pci_piix4_ide_init(PCIBus *bus, BlockDriverState **hd_table, int devfn,
     ide_init_ioport(&d->ide_if[0], 0x1f0, 0x3f6);
     ide_init_ioport(&d->ide_if[2], 0x170, 0x376);
 
-    register_savevm("ide", 0, 2, pci_ide_save, pci_ide_load, d);
+    register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
 }
 
 #if defined(TARGET_PPC)
@@ -3718,7 +3727,7 @@ static int pmac_ide_load(QEMUFile *f, void *opaque, int version_id)
     uint8_t drive1_selected;
     unsigned int i;
 
-    if (version_id != 1)
+    if (version_id != 1 && version_id != 3)
         return -EINVAL;
 
     /* per IDE interface data */
@@ -3728,7 +3737,7 @@ static int pmac_ide_load(QEMUFile *f, void *opaque, int version_id)
 
     /* per IDE drive data */
     for(i = 0; i < 2; i++) {
-        ide_load(f, &s[i]);
+        ide_load(f, &s[i], version_id);
     }
     return 0;
 }
@@ -3759,7 +3768,7 @@ int pmac_ide_init (BlockDriverState **hd_table, qemu_irq irq,
 
     pmac_ide_memory = cpu_register_io_memory(0, pmac_ide_read,
                                              pmac_ide_write, d);
-    register_savevm("ide", 0, 1, pmac_ide_save, pmac_ide_load, d);
+    register_savevm("ide", 0, 3, pmac_ide_save, pmac_ide_load, d);
     qemu_register_reset(pmac_ide_reset, d);
     pmac_ide_reset(d);
 
@@ -4152,6 +4161,9 @@ static int md_load(QEMUFile *f, void *opaque, int version_id)
     int i;
     uint8_t drive1_selected;
 
+    if (version_id != 0 && version_id != 3)
+        return -EINVAL;
+
     qemu_get_8s(f, &s->opt);
     qemu_get_8s(f, &s->stat);
     qemu_get_8s(f, &s->pins);
@@ -4165,7 +4177,7 @@ static int md_load(QEMUFile *f, void *opaque, int version_id)
     s->ide->cur_drive = &s->ide[(drive1_selected != 0)];
 
     for (i = 0; i < 2; i ++)
-        ide_load(f, &s->ide[i]);
+        ide_load(f, &s->ide[i], version_id);
 
     return 0;
 }
@@ -4396,7 +4408,7 @@ struct pcmcia_card_s *dscm1xxxx_init(BlockDriverState *bdrv)
     md->ide->mdata_size = METADATA_SIZE;
     md->ide->mdata_storage = (uint8_t *) qemu_mallocz(METADATA_SIZE);
 
-    register_savevm("microdrive", -1, 0, md_save, md_load, md);
+    register_savevm("microdrive", -1, 3, md_save, md_load, md);
 
     return &md->card;
 }
-- 
1.6.2.2

[Qemu-devel] [PATCH 10/12] BACKPORT: Fix segfault of qemu-system-arm with PXA target

[Glauber Costa]

From: Torsten Duwe <duwe@lst.de>

qemu-system-arm (0.10.5) segfaults when invoked with a PXA machine target,
e.g. -M tosa. The reason is fairly obvious:

[backport: current code uses struct scoop_info_s instead of a typedef ]

Signed-off-by: Torsten Duwe <duwe@lst.de>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrzej Zaborowski <balrogg@gmail.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 hw/zaurus.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/zaurus.c b/hw/zaurus.c
index 8b16c47..7c1fd2a 100644
--- a/hw/zaurus.c
+++ b/hw/zaurus.c
@@ -160,7 +160,7 @@ static CPUWriteMemoryFunc *scoop_writefn[] = {
 
 void scoop_gpio_set(void *opaque, int line, int level)
 {
-    struct scoop_info_s *s = (struct scoop_info_s *) s;
+    struct scoop_info_s *s = (struct scoop_info_s *) opaque;
 
     if (level)
         s->gpio_level |= (1 << line);
-- 
1.6.2.2

[Qemu-devel] [PATCH 11/12] Fix detached migration with exec.

[Glauber Costa]

From: Chris Lalancette <clalance@redhat.com>

When trying to do detached migration with exec, I found that
the monitor wouldn't always return in a timely manner.  I
tracked this down to exec_start_outgoing_migration.  It
appeared we were setting the fd to NONBLOCK'ing, but in
point of fact we weren't.

This bugfix should also go onto the stable 0.10 branch

Signed-off-by: Chris Lalancette <clalance@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 migration-exec.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

diff --git a/migration-exec.c b/migration-exec.c
index ade592e..6786dbf 100644
--- a/migration-exec.c
+++ b/migration-exec.c
@@ -74,10 +74,7 @@ MigrationState *exec_start_outgoing_migration(const char *command,
         goto err_after_open;
     }
 
-    if (fcntl(s->fd, F_SETFD, O_NONBLOCK) == -1) {
-        dprintf("Unable to set nonblocking mode on file descriptor\n");
-        goto err_after_open;
-    }
+    socket_set_nonblock(s->fd);
 
     s->opaque = qemu_popen(f, "w");
 
-- 
1.6.2.2

[Qemu-devel] [PATCH 12/12] Don't segfault when changing VNC password on an SDL display.

[Glauber Costa]

From: Zachary Amsden <zamsden@redhat.com>

Signed-off-by: Zachary Amsden <zamsden@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Glauber Costa <glommer@redhat.com>
---
 vnc.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/vnc.c b/vnc.c
index c0700c0..1652029 100644
--- a/vnc.c
+++ b/vnc.c
@@ -2438,6 +2438,10 @@ int vnc_display_password(DisplayState *ds, const char *password)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
 
+    if (!vs) {
+        return -1;
+    }
+
     if (vs->password) {
 	qemu_free(vs->password);
 	vs->password = NULL;
-- 
1.6.2.2

Re: [Qemu-devel] [GIT PULL] 0.10.7 stable release

[Chris Webb]

Glauber Costa <glommer@redhat.com> writes:

> These are the patches I am proposing for 0.10.7 stable release. If you disagree
> with any of them, or think a patch should go in that is not in this list, let me know

I have seen a large number of failures of production qemu-kvm virtual
machines with segfaults in the VNC code. (Thread rooted at
<20090812150159.GW5348@arachsys.com>.)

Avi pointed out Gerd's patch 198a00:

  http://git.qemu.org/qemu.git/commit/?id=198a0039c5fca224a77e9761e2350dd9cc102ad0

which I backported <20090819224739.GB17276@arachsys.com>:

  http://lists.gnu.org/archive/html/qemu-devel/2009-08/msg00949.html

This has massively reduced the crash rate of qemu-kvm processes across our
clusters, although I still do a see a (much rarer) vnc-related segfault in
vnc_framebuffer_update().

Although these use-after-free problems were seen in qemu-kvm, the code (and
patch) are identical in standard qemu so I'd strongly recommend this
backport of Gerd's patch for qemu-stable 0.10.7.

Best wishes,

Chris.

[Qemu-devel] Re: [PATCH 05/12] fix broken migration

[Paolo Bonzini]

On 08/26/2009 03:05 PM, Glauber Costa wrote:
> While fixing migration with -S, commit
> 89befdd1a6b18215153b8976682d57b7d03d5782 broke the rest of us. Poor
> glommer, with a poor family, spare him his life from this monstruosity.
>
> Since the unconditional vm_start, not autostart was the villain, I'm putting
> back autostart. Let me know if you prefer other solutions, it doesn't really matter,
> doesn't really matter to me.
>
> Any way the wind blows...

This patch is superseded by 06/12 (in fact 06/12 was meant that way for 
trunk as well) and has already been reverted in Anthony's queue.

Paolo

Re: [Qemu-devel] [GIT PULL] 0.10.7 stable release

[Glauber Costa]

On Wed, Aug 26, 2009 at 2:50 PM, Chris Webb<chris@arachsys.com> wrote:
> Glauber Costa <glommer@redhat.com> writes:
>
>> These are the patches I am proposing for 0.10.7 stable release. If you disagree
>> with any of them, or think a patch should go in that is not in this list, let me know
>
> I have seen a large number of failures of production qemu-kvm virtual
> machines with segfaults in the VNC code. (Thread rooted at
> <20090812150159.GW5348@arachsys.com>.)
>
> Avi pointed out Gerd's patch 198a00:
>
>  http://git.qemu.org/qemu.git/commit/?id=198a0039c5fca224a77e9761e2350dd9cc102ad0
>
> which I backported <20090819224739.GB17276@arachsys.com>:
>
>  http://lists.gnu.org/archive/html/qemu-devel/2009-08/msg00949.html
>
> This has massively reduced the crash rate of qemu-kvm processes across our
> clusters, although I still do a see a (much rarer) vnc-related segfault in
> vnc_framebuffer_update().

Good. Sorry, I missed that one.

Since you effectively wrote a backport, can you re-send it with a SoB
line, and some information
on the changelog telling us where and why the differences from master occurs?

I'll then happily and promply pick it up.

-- 
Glauber  Costa.
"Free as in Freedom"
http://glommer.net

"The less confident you are, the more serious you have to act."

[Qemu-devel] Re: [PATCH 11/12] Fix detached migration with exec.

[Chris Lalancette]

Glauber Costa wrote:
> From: Chris Lalancette <clalance@redhat.com>
> 
> When trying to do detached migration with exec, I found that
> the monitor wouldn't always return in a timely manner.  I
> tracked this down to exec_start_outgoing_migration.  It
> appeared we were setting the fd to NONBLOCK'ing, but in
> point of fact we weren't.
> 
> This bugfix should also go onto the stable 0.10 branch

ACK!

-- 
Chris Lalancette

Re: [Qemu-devel] [GIT PULL] 0.10.7 stable release

[Chris Webb]

Glauber Costa <glommer@gmail.com> writes:

> Since you effectively wrote a backport, can you re-send it with a SoB
> line, and some information on the changelog telling us where and why the
> differences from master occurs?

Sure, no problem. I've just done this. I wasn't completely sure on the right
way to format the sign-off and changelog on a backport---hope the patch
header I've sent is what you had in mind here.

Cheers,

Chris.

[Qemu-devel] Re: [PATCH 05/12] fix broken migration

[Glauber Costa]

On Thu, Aug 27, 2009 at 12:33:44AM +0200, Juan Quintela wrote:
> Glauber Costa <glommer@redhat.com> wrote:
> > While fixing migration with -S, commit
> > 89befdd1a6b18215153b8976682d57b7d03d5782 broke the rest of us. Poor
> > glommer, with a poor family, spare him his life from this monstruosity.
> >
> > Since the unconditional vm_start, not autostart was the villain, I'm putting
> > back autostart. Let me know if you prefer other solutions, it doesn't really matter,
> > doesn't really matter to me.
> >
> > Any way the wind blows...
> 
> Please drop this one.  I agree with bonzini here.
> It breaks completely incoming migration, and conflicts with semantics of
> next one.
wrong semantics is not a problem here, as long as we keep the same semantics.

For master, I can agree that the work you've done leave us at a better shape, but
for stable-0.10, this patch is totally needed for migration to work.

[Qemu-devel] Re: [PATCH 05/12] fix broken migration

[Paolo Bonzini]

>> Please drop this one.  I agree with bonzini here.
>> It breaks completely incoming migration, and conflicts with semantics of
>> next one.
> wrong semantics is not a problem here, as long as we keep the same semantics.
>
> For master, I can agree that the work you've done leave us at a better shape, but
> for stable-0.10, this patch is totally needed for migration to work.

Not at all, 6/12 (in particular changing the if to else if) does the same.

Paolo

Re: [Qemu-devel] [PATCH 07/12] BACKPORT: vnc: fix copyrect screen corruption

[Mark McLoughlin]

Hey,

On Wed, 2009-08-26 at 09:05 -0400, Glauber Costa wrote:
> From: Gerd Hoffmann <kraxel@redhat.com>
> 
> When sending a copyrect command to the vnc client, we must also update
> the local server surface.  Otherwise the server's and the client's idea
> of the screen content run out of sync and screen updates don't work
> correctly.
> 
> [ backport: uses ds_get_data() instead of direct dereference ]

We have reports from two Fedora 11 users that this fix makes things
worse:

  https://bugzilla.redhat.com/503156

Cheers,
Mark.