* [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16
@ 2013-08-13 15:10 Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 01/56] s390/virtio-ccw: Fix virtio reset Michael Roth
                   ` (56 more replies)
  0 siblings, 57 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

Hi everyone,

The following new patches are queued for QEMU stable v1.5.3:

https://github.com/mdroth/qemu/commits/stable-1.5-staging

The release is planned for 2013-08-21:

http://wiki.qemu.org/Planning/1.5

Please respond here or CC qemu-stable@nongnu.org on any patches you
think should be included in the release. The cut-off date is
2013-08-16 for new patches.

Testing/feedback is greatly appreciated.

Thanks!

Andreas Färber (8):
      target-cris: gen_intermediate_code_internal() should be inlined
      target-lm32: gen_intermediate_code_internal() should be inlined
      target-microblaze: gen_intermediate_code_internal() should be inlined
      target-moxie: gen_intermediate_code_internal() should be inlined
      target-xtensa: gen_intermediate_code_internal() should be inlined
      megasas: Legacy command line handling fix
      virtio-console: Use exitfn for virtserialport, too
      target-i386: Fix X86CPU error handling

Anthony Liguori (1):
      gtk: don't use g_object_unref on GdkCursor

Anthony PERARD (1):
      qxl: Fix QXLRam initialisation.

Christian Borntraeger (2):
      s390/virtio-ccw: Fix virtio reset
      s390/ipl: Fix boot order

Don Koch (1):
      pci-bridge: update mappings for migration/restore

Dongxue Zhang (1):
      target-openrisc: Fix typename in openrisc_cpu_class_by_name()

Fam Zheng (1):
      vmdk: remove wrong calculation of relative path

Gerd Hoffmann (4):
      usb-host-libusb: set USB_DEV_FLAG_IS_HOST
      xhci: handle USB_RET_IOERROR
      xhci: fix segfault
      i82801b11: Fix i82801b11 PCI host bridge config space

Hervé Poussineau (1):
      ppc: do not register IABR SPR twice for 603e

Izumi Tsutsui (1):
      semaphore: fix a hangup problem under load on NetBSD hosts.

KONRAD Frederic (1):
      virtio-scsi: forward scsibus for virtio-scsi-pci.

Kevin Wolf (6):
      gluster: Return bdrv_has_zero_init = 0
      raw-posix: Fix /dev/cdrom magic on OS X
      ahci: Fix FLUSH command
      block: Add return value for bdrv_flush_all()
      cpus: Add return value for vm_stop()
      cpus: Let vm_stop[_force_state]() always flush block devices

Luiz Capitulino (1):
      qapi: qapi-commands: fix possible leaks on visitor dealloc

MORITA Kazutaka (2):
      iov: handle EOF in iov_send_recv
      ignore SIGPIPE in qemu-img and qemu-io

Marcelo Tosatti (1):
      kvmclock: clock should count only if vm is running

Markus Armbruster (4):
      acl: acl_add can't insert before last list element, fix
      qemu-char: Fix ID reuse after chardev-remove for qapi-based init
      qemu-char: Register ring buffer driver with correct name "ringbuf"
      qapi: Rename ChardevBackend member "memory" to "ringbuf"

Martijn van den Broek (1):
      Bugfix for loading multiboot kernels

Michael Roth (1):
      chardev: fix CHR_EVENT_OPENED events for mux chardevs

Michael S. Tsirkin (1):
      vhost: clear signalled_used_valid on vhost stop

Paul Moore (3):
      seccomp: add the asynchronous I/O syscalls to the whitelist
      seccomp: add arch_prctl() to the syscall whitelist
      seccomp: add additional asynchronous I/O syscalls

Peter Crosthwaite (1):
      qom: Fix class cast of NULL classes

Peter Lieven (5):
      Revert "migration: do not sent zero pages in bulk stage"
      migration: do not overwrite zero pages
      iscsi: fix -ENOSPC in iscsi_create()
      iscsi: remove support for misaligned nb_sectors in aio_readv
      iscsi: assert that sectors are aligned to LUN blocksize

Peter Maydell (1):
      arm/boot: Free dtb blob memory after use

Richard W.M. Jones (1):
      block/ssh: Set bdrv_has_zero_init according to the file type.

Ronnie Sahlberg (1):
      Fix iSCSI crash on SG_IO with an iovector

Stefan Hajnoczi (4):
      block: fix bdrv_flush() ordering in bdrv_close()
      dataplane: refuse to start if device is already in use
      dataplane: sync virtio.c and vring.c virtqueue state
      virtio: clear signalled_used_valid when switching from dataplane

Stefan Weil (1):
      gtk: Fix compiler warning (GTK 3 deprecated function)

 arch_init.c                         |   27 +++++-----
 block.c                             |   15 ++++--
 block/gluster.c                     |   10 ++++
 block/iscsi.c                       |   94 +++++++++++++++++++++++++----------
 block/raw-posix.c                   |    1 +
 block/ssh.c                         |   16 ++++++
 block/vmdk.c                        |   44 +---------------
 cpus.c                              |   25 +++++++---
 hw/arm/boot.c                       |   20 ++++++--
 hw/block/dataplane/virtio-blk.c     |   10 +++-
 hw/char/virtio-console.c            |    1 +
 hw/core/loader.c                    |    7 ++-
 hw/display/qxl.c                    |    1 +
 hw/i386/kvm/clock.c                 |   64 +++++++++++-------------
 hw/i386/pc.c                        |   13 +++--
 hw/ide/ahci.c                       |    8 ++-
 hw/ide/core.c                       |    9 ++++
 hw/ide/internal.h                   |    1 +
 hw/pci-bridge/i82801b11.c           |    1 +
 hw/pci/pci-hotplug.c                |   19 ++++++-
 hw/pci/pci.c                        |    5 ++
 hw/pci/pci_bridge.c                 |    2 +-
 hw/s390x/ipl.c                      |   22 ++++----
 hw/s390x/virtio-ccw.c               |    2 +
 hw/scsi/megasas.c                   |    5 +-
 hw/usb/hcd-xhci.c                   |    6 +--
 hw/usb/host-libusb.c                |    1 +
 hw/virtio/dataplane/vring.c         |    9 ++--
 hw/virtio/vhost.c                   |    1 +
 hw/virtio/virtio.c                  |    5 ++
 include/block/block.h               |    2 +-
 include/hw/pci/pci_bridge.h         |    1 +
 include/hw/virtio/dataplane/vring.h |    2 +-
 include/hw/virtio/virtio.h          |    1 +
 include/qemu/thread-posix.h         |    2 +-
 include/sysemu/char.h               |    1 +
 include/sysemu/sysemu.h             |    4 +-
 qapi-schema.json                    |    6 ++-
 qemu-char.c                         |   65 ++++++++++++++++++++++--
 qemu-img.c                          |    4 ++
 qemu-io.c                           |    4 ++
 qemu-seccomp.c                      |    8 ++-
 qom/object.c                        |    6 +--
 scripts/qapi-commands.py            |   17 ++++---
 stubs/vm-stop.c                     |    2 +-
 target-cris/translate.c             |    2 +-
 target-i386/cpu.c                   |    6 ++-
 target-lm32/translate.c             |    5 +-
 target-microblaze/translate.c       |    2 +-
 target-moxie/translate.c            |    2 +-
 target-openrisc/cpu.c               |    4 +-
 target-ppc/translate_init.c         |    5 --
 target-xtensa/translate.c           |    5 +-
 ui/gtk.c                            |    4 ++
 util/acl.c                          |    4 +-
 util/iov.c                          |    6 +++
 util/qemu-thread-posix.c            |   28 ++++++-----
 57 files changed, 423 insertions(+), 219 deletions(-)


* [Qemu-devel] [PATCH 01/56] s390/virtio-ccw: Fix virtio reset
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 02/56] arm/boot: Free dtb blob memory after use Michael Roth
                   ` (55 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Christian Borntraeger <borntraeger@de.ibm.com>

On virtio reset we must reset the indicator to avoid stale interrupts,
e.g. after a reset.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 6504a93011138458a2e4f67b513c5a77bdb3cae1)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/s390x/virtio-ccw.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 201a635..de51589 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -803,6 +803,8 @@ static void virtio_ccw_reset(DeviceState *d)
 
     virtio_reset(dev->vdev);
     css_reset_sch(dev->sch);
+    dev->indicators = 0;
+    dev->indicators2 = 0;
 }
 
 /**************** Virtio-ccw Bus Device Descriptions *******************/
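
Review bot: the two new assignments at the end of virtio_ccw_reset() clear `dev->indicators` and `dev->indicators2` only after virtio_reset() and css_reset_sch() have run, and nothing in the hunk says why. If either call can still raise a notification through the old indicator values, clearing them first would close that window. Either way, a one-line comment stating that the indicators are dropped so that no interrupt is signalled through stale values after reset would make the intent clear.
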
-- 
1.7.9.5


* [Qemu-devel] [PATCH 02/56] arm/boot: Free dtb blob memory after use
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 01/56] s390/virtio-ccw: Fix virtio reset Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 03/56] ppc: do not register IABR SPR twice for 603e Michael Roth
                   ` (54 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The dtb blob returned by load_device_tree() is in memory allocated
with g_malloc(). Free it accordingly once we have copied its
contents into the guest memory. To make this easy, we need also to
clean up the error handling in load_dtb() so that we consistently
handle errors in the same way (by printing a message and then
returning -1, rather than either plowing on or exiting immediately).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-id: 1371209256-11408-1-git-send-email-peter.maydell@linaro.org
(cherry picked from commit c23045ded7571f0eaad95920ab00b6bc9c3a91e6)

Conflicts:

	hw/arm/boot.c

* updated to include #ifdef for CONFIG_FDT

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/arm/boot.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index f451529..6bffc3d 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -238,14 +238,14 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo)
     filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, binfo->dtb_filename);
     if (!filename) {
         fprintf(stderr, "Couldn't open dtb file %s\n", binfo->dtb_filename);
-        return -1;
+        goto fail;
     }
 
     fdt = load_device_tree(filename, &size);
     if (!fdt) {
         fprintf(stderr, "Couldn't open dtb file %s\n", filename);
         g_free(filename);
-        return -1;
+        goto fail;
     }
     g_free(filename);
 
@@ -253,7 +253,7 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo)
     scells = qemu_devtree_getprop_cell(fdt, "/", "#size-cells");
     if (acells == 0 || scells == 0) {
         fprintf(stderr, "dtb file invalid (#address-cells or #size-cells 0)\n");
-        return -1;
+        goto fail;
     }
 
     mem_reg_propsize = acells + scells;
@@ -265,7 +265,7 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo)
     } else if (hival != 0) {
         fprintf(stderr, "qemu: dtb file not compatible with "
                 "RAM start address > 4GB\n");
-        exit(1);
+        goto fail;
     }
     mem_reg_property[acells + scells - 1] = cpu_to_be32(binfo->ram_size);
     hival = cpu_to_be32(binfo->ram_size >> 32);
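
Review bot: replacing `exit(1)` with `goto fail` here (and in the RAM size check of the next hunk) turns a fatal condition into a -1 return, so every caller of load_dtb() now has to check the result and stop the boot itself. The callers are outside this diff; please confirm none of them ignores the return value, since the device tree is never written to guest memory on this path.
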
@@ -274,13 +274,14 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo)
     } else if (hival != 0) {
         fprintf(stderr, "qemu: dtb file not compatible with "
                 "RAM size > 4GB\n");
-        exit(1);
+        goto fail;
     }
 
     rc = qemu_devtree_setprop(fdt, "/memory", "reg", mem_reg_property,
                               mem_reg_propsize * sizeof(uint32_t));
     if (rc < 0) {
         fprintf(stderr, "couldn't set /memory/reg\n");
+        goto fail;
     }
 
     if (binfo->kernel_cmdline && *binfo->kernel_cmdline) {
@@ -288,6 +289,7 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo)
                                           binfo->kernel_cmdline);
         if (rc < 0) {
             fprintf(stderr, "couldn't set /chosen/bootargs\n");
+            goto fail;
         }
     }
 
@@ -296,19 +298,27 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo)
                 binfo->initrd_start);
         if (rc < 0) {
             fprintf(stderr, "couldn't set /chosen/linux,initrd-start\n");
+            goto fail;
         }
 
         rc = qemu_devtree_setprop_cell(fdt, "/chosen", "linux,initrd-end",
                     binfo->initrd_start + binfo->initrd_size);
         if (rc < 0) {
             fprintf(stderr, "couldn't set /chosen/linux,initrd-end\n");
+            goto fail;
         }
     }
 
     cpu_physical_memory_write(addr, fdt, size);
 
+    g_free(fdt);
+
     return 0;
 
+fail:
+    g_free(fdt);
+    return -1;
+
 #else
     fprintf(stderr, "Device tree requested, "
                 "but qemu was compiled without fdt support\n");
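
Review bot: `g_free(fdt)` now appears twice, once before `return 0` and once under `fail:`. A single exit path (record the result in a local, fall through to one `g_free(fdt)` and one `return`) would keep the free in one place and make it harder for a future error branch to skip it.
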
-- 
1.7.9.5


* [Qemu-devel] [PATCH 03/56] ppc: do not register IABR SPR twice for 603e
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 01/56] s390/virtio-ccw: Fix virtio reset Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 02/56] arm/boot: Free dtb blob memory after use Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 04/56] qxl: Fix QXLRam initialisation Michael Roth
                   ` (53 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Hervé Poussineau <hpoussin@reactos.org>

IABR SPR is already registered in gen_spr_603(), called from init_proc_603E().

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 9fea2ae25080ad790d7d904d01a1300a45a634eb)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-ppc/translate_init.c |    5 -----
 1 file changed, 5 deletions(-)

diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 021a31e..2e2bffa 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -4980,11 +4980,6 @@ static void init_proc_603E (CPUPPCState *env)
                  SPR_NOACCESS, SPR_NOACCESS,
                  &spr_read_generic, &spr_write_generic,
                  0x00000000);
-    /* XXX : not implemented */
-    spr_register(env, SPR_IABR, "IABR",
-                 SPR_NOACCESS, SPR_NOACCESS,
-                 &spr_read_generic, &spr_write_generic,
-                 0x00000000);
     /* Memory management */
     gen_low_BATs(env);
     gen_6xx_7xx_soft_tlb(env, 64, 2);
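
Review bot: the spr_register() call removed from init_proc_603E() registered IABR with SPR_NOACCESS for user mode, the generic read/write helpers for supervisor mode and a reset value of 0x00000000. The registration in gen_spr_603() that the commit message relies on is not part of this diff; please confirm it uses the same access callbacks and reset value, so that dropping this copy does not change guest-visible behaviour on the 603e.
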
-- 
1.7.9.5


* [Qemu-devel] [PATCH 04/56] qxl: Fix QXLRam initialisation.
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (2 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 03/56] ppc: do not register IABR SPR twice for 603e Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 05/56] virtio-scsi: forward scsibus for virtio-scsi-pci Michael Roth
                   ` (52 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Anthony PERARD <anthony.perard@citrix.com>

The qxl driver expects NULL for QXLRam.memory_configs, but this is never
initialized.

If memory is set to 0xc2c2.., it leads to a spice-critical error when
trying to start qxl.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 329f97fc4ff4b533fcd2d8f4eab6c9c2568aed27)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/qxl.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c475cb1..937a402 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -387,6 +387,7 @@ static void init_qxl_ram(PCIQXLDevice *d)
     d->ram->int_pending = cpu_to_le32(0);
     d->ram->int_mask    = cpu_to_le32(0);
     d->ram->update_surface = 0;
+    d->ram->monitors_config = 0;
     SPICE_RING_INIT(&d->ram->cmd_ring);
     SPICE_RING_INIT(&d->ram->cursor_ring);
     SPICE_RING_INIT(&d->ram->release_ring);
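
Review bot: the commit message names `QXLRam.memory_configs`, but the line added to init_qxl_ram() initialises `d->ram->monitors_config`. The message should name the field that is actually set, so that someone searching the history for the uninitialised-field fix can find it.
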
-- 
1.7.9.5


* [Qemu-devel] [PATCH 05/56] virtio-scsi: forward scsibus for virtio-scsi-pci.
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (3 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 04/56] qxl: Fix QXLRam initialisation Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 06/56] acl: acl_add can't insert before last list element, fix Michael Roth
                   ` (51 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: KONRAD Frederic <fred.konrad@greensocs.com>

This fixes a bug with scsi hotplug on virtio-scsi-pci:

As virtio-scsi-pci doesn't have any scsi bus, we need to forward scsi-hot-add
to the virtio-scsi-device plugged on the virtio-bus.

Cc: qemu-stable@nongnu.org
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pci-hotplug.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/hw/pci/pci-hotplug.c b/hw/pci/pci-hotplug.c
index 12287d1..c708752 100644
--- a/hw/pci/pci-hotplug.c
+++ b/hw/pci/pci-hotplug.c
@@ -30,6 +30,8 @@
 #include "monitor/monitor.h"
 #include "hw/scsi/scsi.h"
 #include "hw/virtio/virtio-blk.h"
+#include "hw/virtio/virtio-scsi.h"
+#include "hw/virtio/virtio-pci.h"
 #include "qemu/config-file.h"
 #include "sysemu/blockdev.h"
 #include "qapi/error.h"
@@ -79,13 +81,26 @@ static int scsi_hot_add(Monitor *mon, DeviceState *adapter,
 {
     SCSIBus *scsibus;
     SCSIDevice *scsidev;
+    VirtIOPCIProxy *virtio_proxy;
 
     scsibus = (SCSIBus *)
         object_dynamic_cast(OBJECT(QLIST_FIRST(&adapter->child_bus)),
                             TYPE_SCSI_BUS);
     if (!scsibus) {
-	error_report("Device is not a SCSI adapter");
-	return -1;
+        /*
+         * Check if the adapter is a virtio-scsi-pci, and forward scsi_hot_add
+         * to the virtio-scsi-device.
+         */
+        if (!object_dynamic_cast(OBJECT(adapter), TYPE_VIRTIO_SCSI_PCI)) {
+            error_report("Device is not a SCSI adapter");
+            return -1;
+        }
+        virtio_proxy = VIRTIO_PCI(adapter);
+        adapter = DEVICE(virtio_proxy->bus.vdev);
+        scsibus = (SCSIBus *)
+                  object_dynamic_cast(OBJECT(QLIST_FIRST(&adapter->child_bus)),
+                            TYPE_SCSI_BUS);
+        assert(scsibus);
     }
 
     /*
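
Review bot: in the new fallback branch of scsi_hot_add(), `virtio_proxy->bus.vdev` is passed to `DEVICE()` and then dereferenced via `adapter->child_bus` without a NULL check, and the result is guarded only by `assert(scsibus)`. The function takes a `Monitor *`, so this path is driven by a monitor command: a virtio-scsi-pci adapter with no backend plugged, or a backend without a SCSI bus, would abort QEMU instead of failing the command. Prefer checking both pointers and using `error_report()` plus `return -1`, as the original branch did.
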
-- 
1.7.9.5


* [Qemu-devel] [PATCH 06/56] acl: acl_add can't insert before last list element, fix
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (4 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 05/56] virtio-scsi: forward scsibus for virtio-scsi-pci Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 07/56] usb-host-libusb: set USB_DEV_FLAG_IS_HOST Michael Roth
                   ` (50 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Watch this:

    $ upstream-qemu -nodefaults -S -vnc :0,acl,sasl -monitor stdio
    QEMU 1.5.50 monitor - type 'help' for more information
    (qemu) acl_add vnc.username drei allow
    acl: added rule at position 1
    (qemu) acl_show vnc.username
    policy: deny
    1: allow drei
    (qemu) acl_add vnc.username zwei allow 1
    acl: added rule at position 2
    (qemu) acl_show vnc.username
    policy: deny
    1: allow drei
    2: allow zwei
    (qemu) acl_add vnc.username eins allow 1
    acl: added rule at position 1
    (qemu) acl_show vnc.username
    policy: deny
    1: allow eins
    2: allow drei
    3: allow zwei

The second acl_add inserts at position 2 instead of 1.

Root cause is an off-by-one in qemu_acl_insert(): when index ==
acl->nentries, it appends instead of inserting before the last list
element.

Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 4999f3a8a6009de05ba82e58e723277917f16254)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 util/acl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/acl.c b/util/acl.c
index a7f33ff..938b7ae 100644
--- a/util/acl.c
+++ b/util/acl.c
@@ -138,9 +138,9 @@ int qemu_acl_insert(qemu_acl *acl,
 
     if (index <= 0)
         return -1;
-    if (index >= acl->nentries)
+    if (index > acl->nentries) {
         return qemu_acl_append(acl, deny, match);
-
+    }
 
     entry = g_malloc(sizeof(*entry));
     entry->match = g_strdup(match);
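
Review bot: with the test relaxed to `index > acl->nentries`, the case `index == acl->nentries` now falls through to the insertion code below, most of which this hunk does not show. Please confirm that code handles insertion before the last entry, and consider adding a test that replays the acl_add sequence from the commit message, since the position of a rule in the list is exactly what the caller asked for. The `if (index <= 0)` just above is still unbraced while the changed `if` gains braces.
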
-- 
1.7.9.5


* [Qemu-devel] [PATCH 07/56] usb-host-libusb: set USB_DEV_FLAG_IS_HOST
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (5 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 06/56] acl: acl_add can't insert before last list element, fix Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 08/56] s390/ipl: Fix boot order Michael Roth
                   ` (49 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

... like host-{linux,bsd}.c do.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 628e54857a82a3cb65ef96c12640c30d6307a064)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/host-libusb.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
index 3a582c5..b7bb250 100644
--- a/hw/usb/host-libusb.c
+++ b/hw/usb/host-libusb.c
@@ -891,6 +891,7 @@ static int usb_host_initfn(USBDevice *udev)
     USBHostDevice *s = USB_HOST_DEVICE(udev);
 
     loglevel = s->loglevel;
+    udev->flags |= (1 << USB_DEV_FLAG_IS_HOST);
     udev->auto_attach = 0;
     QTAILQ_INIT(&s->requests);
     QTAILQ_INIT(&s->isorings);
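
Review bot: the added `udev->flags |= (1 << USB_DEV_FLAG_IS_HOST);` in usb_host_initfn() comes with a commit message that only says the other host backends do the same. Please state what the flag changes for a passed-through device, so that the impact of the backport can be judged from the log alone. The outer parentheses are also unnecessary.
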
-- 
1.7.9.5


* [Qemu-devel] [PATCH 08/56] s390/ipl: Fix boot order
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (6 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 07/56] usb-host-libusb: set USB_DEV_FLAG_IS_HOST Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 09/56] Fix iSCSI crash on SG_IO with an iovector Michael Roth
                   ` (48 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Christian Borntraeger <borntraeger@de.ibm.com>

The latest ipl code adaptions collided with some of the virtio
refactoring rework. This resulted in always booting the first
disk. Let's fix booting from a given ID.
The new code also checks for command lines without bootindex to
avoid random behaviour when accessing dev_st (==0).

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 5c8ded6ef55761e80353f42d8e59c6e233a2f51a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/s390x/ipl.c |   22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 0aeb003..d69adb2 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -154,17 +154,19 @@ static void s390_ipl_reset(DeviceState *dev)
     env->psw.mask = IPL_PSW_MASK;
 
     if (!ipl->kernel) {
-        /* booting firmware, tell what device to boot from */
+        /* Tell firmware, if there is a preferred boot device */
+        env->regs[7] = -1;
         DeviceState *dev_st = get_boot_device(0);
-        VirtioCcwDevice *ccw_dev = (VirtioCcwDevice *) object_dynamic_cast(
-                OBJECT(&(dev_st->parent_obj)), "virtio-blk-ccw");
-
-        if (ccw_dev) {
-            env->regs[7] = ccw_dev->sch->cssid << 24 |
-                           ccw_dev->sch->ssid << 16 |
-                           ccw_dev->sch->devno;
-        } else {
-            env->regs[7] = -1;
+        if (dev_st) {
+            VirtioCcwDevice *ccw_dev = (VirtioCcwDevice *) object_dynamic_cast(
+                OBJECT(qdev_get_parent_bus(dev_st)->parent),
+                TYPE_VIRTIO_CCW_DEVICE);
+
+            if (ccw_dev) {
+                env->regs[7] = ccw_dev->sch->cssid << 24 |
+                               ccw_dev->sch->ssid << 16 |
+                               ccw_dev->sch->devno;
+            }
         }
     }
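
Review bot: in the `!ipl->kernel` branch, `qdev_get_parent_bus(dev_st)->parent` is dereferenced without checking that the boot device has a parent bus; the new `if (dev_st)` guards only the device pointer. A NULL check on the bus before the cast would avoid a crash for a boot device that is not bus-attached. Also, `env->regs[7] = -1;` now sits ahead of the declaration of `dev_st` in the same block; moving the assignment below the declaration keeps declarations first.
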
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 09/56] Fix iSCSI crash on SG_IO with an iovector
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (7 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 08/56] s390/ipl: Fix boot order Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 10/56] block/ssh: Set bdrv_has_zero_init according to the file type Michael Roth
                   ` (47 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Ronnie Sahlberg <ronniesahlberg@gmail.com>

Don't assume that SG_IO is always invoked with a simple buffer,
check the iovec_count and if it is >= 1 then we need to pass an array
of iovectors to libiscsi instead of just a plain buffer.

Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0a53f010745635c39a83756a948df60a84e88fe5)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c |   51 ++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 44 insertions(+), 7 deletions(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 0bbf0b1..fa5252c 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -32,6 +32,7 @@
 #include "block/block_int.h"
 #include "trace.h"
 #include "block/scsi.h"
+#include "qemu/iov.h"
 
 #include <iscsi/iscsi.h>
 #include <iscsi/scsi-lowlevel.h>
@@ -651,6 +652,9 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status,
 {
     IscsiAIOCB *acb = opaque;
 
+    g_free(acb->buf);
+    acb->buf = NULL;
+
     if (acb->canceled != 0) {
         return;
     }
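
Review bot: `g_free(acb->buf)` at the top of iscsi_aio_ioctl_cb() runs for every ioctl completion, but `acb->buf` is assigned only in the non-LIBISCSI_FEATURE_IOVECTOR write path of the next hunk. Unless `acb->buf` is set to NULL when the acb is set up in iscsi_aio_ioctl() (not visible in this diff), the callback frees an uninitialised or stale pointer for every other request; add an explicit `acb->buf = NULL;` at setup.
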
@@ -727,14 +731,30 @@ static BlockDriverAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
     memcpy(&acb->task->cdb[0], acb->ioh->cmdp, acb->ioh->cmd_len);
     acb->task->expxferlen = acb->ioh->dxfer_len;
 
+    data.size = 0;
     if (acb->task->xfer_dir == SCSI_XFER_WRITE) {
-        data.data = acb->ioh->dxferp;
-        data.size = acb->ioh->dxfer_len;
+        if (acb->ioh->iovec_count == 0) {
+            data.data = acb->ioh->dxferp;
+            data.size = acb->ioh->dxfer_len;
+        } else {
+#if defined(LIBISCSI_FEATURE_IOVECTOR)
+            scsi_task_set_iov_out(acb->task,
+                                 (struct scsi_iovec *) acb->ioh->dxferp,
+                                 acb->ioh->iovec_count);
+#else
+            struct iovec *iov = (struct iovec *)acb->ioh->dxferp;
+
+            acb->buf = g_malloc(acb->ioh->dxfer_len);
+            data.data = acb->buf;
+            data.size = iov_to_buf(iov, acb->ioh->iovec_count, 0,
+                                   acb->buf, acb->ioh->dxfer_len);
+#endif
+        }
     }
+
     if (iscsi_scsi_command_async(iscsi, iscsilun->lun, acb->task,
                                  iscsi_aio_ioctl_cb,
-                                 (acb->task->xfer_dir == SCSI_XFER_WRITE) ?
-                                     &data : NULL,
+                                 (data.size > 0) ? &data : NULL,
                                  acb) != 0) {
         scsi_free_scsi_task(acb->task);
         qemu_aio_release(acb);
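
Review bot: when iscsi_scsi_command_async() fails, the error branch calls scsi_free_scsi_task() and qemu_aio_release() but does not free the bounce buffer allocated with `g_malloc(acb->ioh->dxfer_len)` in the fallback write path, so `acb->buf` leaks. Add `g_free(acb->buf);` before releasing the acb. In the LIBISCSI_FEATURE_IOVECTOR path, `dxferp` is cast straight to `struct scsi_iovec *`; a comment stating that its layout is assumed to match `struct iovec` would document that dependency.
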
@@ -743,9 +763,26 @@ static BlockDriverAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
 
     /* tell libiscsi to read straight into the buffer we got from ioctl */
     if (acb->task->xfer_dir == SCSI_XFER_READ) {
-        scsi_task_add_data_in_buffer(acb->task,
-                                     acb->ioh->dxfer_len,
-                                     acb->ioh->dxferp);
+        if (acb->ioh->iovec_count == 0) {
+            scsi_task_add_data_in_buffer(acb->task,
+                                         acb->ioh->dxfer_len,
+                                         acb->ioh->dxferp);
+        } else {
+#if defined(LIBISCSI_FEATURE_IOVECTOR)
+            scsi_task_set_iov_in(acb->task,
+                                 (struct scsi_iovec *) acb->ioh->dxferp,
+                                 acb->ioh->iovec_count);
+#else
+            int i;
+            for (i = 0; i < acb->ioh->iovec_count; i++) {
+                struct iovec *iov = (struct iovec *)acb->ioh->dxferp;
+
+                scsi_task_add_data_in_buffer(acb->task,
+                    iov[i].iov_len,
+                    iov[i].iov_base);
+            }
+#endif
+        }
     }
 
     iscsi_set_events(iscsilun);
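
Review bot: in the fallback read path each `iov[i].iov_len` is handed to scsi_task_add_data_in_buffer() without checking that the lengths add up to `acb->ioh->dxfer_len`, the value assigned to `expxferlen` earlier in the function. A mismatch would leave libiscsi with less or more buffer space than the expected transfer length; validate the sum against `dxfer_len` and fail the request if it differs. The `struct iovec *iov` declaration can also be hoisted out of the loop.
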
-- 
1.7.9.5


* [Qemu-devel] [PATCH 10/56] block/ssh: Set bdrv_has_zero_init according to the file type.
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (8 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 09/56] Fix iSCSI crash on SG_IO with an iovector Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 11/56] gluster: Return bdrv_has_zero_init = 0 Michael Roth
                   ` (46 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: "Richard W.M. Jones" <rjones@redhat.com>

If the remote is a regular file, set it to true (ie. reads of
uninitialized areas in a newly created file will return zeroes).
If we can't prove that, return false (a safe default).

Tested by adding a debugging print statement [not part of this commit]
and creating a remote file and a remote block device:

  $ ./qemu-img create ssh://localhost/tmp/new 100M
  Formatting 'ssh://localhost/tmp/new', fmt=raw size=104857600
  filename ssh://localhost/tmp/new: has_zero_init = 1
  $ sudo lvcreate -L 1G -n tmp /dev/fedora
    Logical volume "tmp" created
  $ ./qemu-img create ssh://localhost/dev/fedora/tmp 1G
  Formatting 'ssh://localhost/dev/fedora/tmp', fmt=raw size=1073741824
  filename ssh://localhost/dev/fedora/tmp: has_zero_init = 0

Cc: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 0b3f21e6a99c025c829d342ee417f317fe2e03b2)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/ssh.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/block/ssh.c b/block/ssh.c
index 246a70d..d7e7bf8 100644
--- a/block/ssh.c
+++ b/block/ssh.c
@@ -716,6 +716,21 @@ static void ssh_close(BlockDriverState *bs)
     ssh_state_free(s);
 }
 
+static int ssh_has_zero_init(BlockDriverState *bs)
+{
+    BDRVSSHState *s = bs->opaque;
+    /* Assume false, unless we can positively prove it's true. */
+    int has_zero_init = 0;
+
+    if (s->attrs.flags & LIBSSH2_SFTP_ATTR_PERMISSIONS) {
+        if (s->attrs.permissions & LIBSSH2_SFTP_S_IFREG) {
+            has_zero_init = 1;
+        }
+    }
+
+    return has_zero_init;
+}
+
 static void restart_coroutine(void *opaque)
 {
     Coroutine *co = opaque;
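
Review bot: The file-type test in ssh_has_zero_init(),
"s->attrs.permissions & LIBSSH2_SFTP_S_IFREG", is a single-bit AND
against a multi-bit type field, so it is also true for any other file
type whose code shares that bit (symlink and socket in the usual POSIX
encoding). Compare under the type mask instead, either
(permissions & LIBSSH2_SFTP_S_IFMT) == LIBSSH2_SFTP_S_IFREG or the
LIBSSH2_SFTP_S_ISREG() macro, so that only a regular file can report
has_zero_init = 1.
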
@@ -1037,6 +1052,7 @@ static BlockDriver bdrv_ssh = {
     .bdrv_file_open               = ssh_file_open,
     .bdrv_create                  = ssh_create,
     .bdrv_close                   = ssh_close,
+    .bdrv_has_zero_init           = ssh_has_zero_init,
     .bdrv_co_readv                = ssh_co_readv,
     .bdrv_co_writev               = ssh_co_writev,
     .bdrv_getlength               = ssh_getlength,
-- 
1.7.9.5

* [Qemu-devel] [PATCH 11/56] gluster: Return bdrv_has_zero_init = 0
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (9 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 10/56] block/ssh: Set bdrv_has_zero_init according to the file type Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 12/56] vmdk: remove wrong calculation of relative path Michael Roth
                   ` (45 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

GlusterFS volumes can be backed by block devices, in which case
bdrv_create() doesn't make sure that the image is zeroed out. It is
currently not possible to detect whether a given image is backed by a
file or a block device, and incorrectly assuming that it is zeroed
corrupts images during qemu-img convert, so let's err on the side of
caution and always return 0.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 8ab6feec2c7500faafd9a4571fb40d03dd360a64)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/gluster.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/block/gluster.c b/block/gluster.c
index 91acde2..61424bc 100644
--- a/block/gluster.c
+++ b/block/gluster.c
@@ -574,6 +574,12 @@ static void qemu_gluster_close(BlockDriverState *bs)
     glfs_fini(s->glfs);
 }
 
+static int qemu_gluster_has_zero_init(BlockDriverState *bs)
+{
+    /* GlusterFS volume could be backed by a block device */
+    return 0;
+}
+
 static QEMUOptionParameter qemu_gluster_create_options[] = {
     {
         .name = BLOCK_OPT_SIZE,
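
Review bot: The comment in qemu_gluster_has_zero_init() gives the cause
but not the consequence. The point of the constant 0 is to stop callers
from treating a freshly created image as zeroed (the qemu-img convert
corruption described in the commit message), so say that in the comment,
and note that the answer can be refined once the driver is able to tell a
file-backed volume from a block-device-backed one. Without that, the stub
reads like dead code to a later maintainer.
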
@@ -595,6 +601,7 @@ static BlockDriver bdrv_gluster = {
     .bdrv_aio_readv               = qemu_gluster_aio_readv,
     .bdrv_aio_writev              = qemu_gluster_aio_writev,
     .bdrv_aio_flush               = qemu_gluster_aio_flush,
+    .bdrv_has_zero_init           = qemu_gluster_has_zero_init,
     .create_options               = qemu_gluster_create_options,
 };
 
@@ -610,6 +617,7 @@ static BlockDriver bdrv_gluster_tcp = {
     .bdrv_aio_readv               = qemu_gluster_aio_readv,
     .bdrv_aio_writev              = qemu_gluster_aio_writev,
     .bdrv_aio_flush               = qemu_gluster_aio_flush,
+    .bdrv_has_zero_init           = qemu_gluster_has_zero_init,
     .create_options               = qemu_gluster_create_options,
 };
 
@@ -625,6 +633,7 @@ static BlockDriver bdrv_gluster_unix = {
     .bdrv_aio_readv               = qemu_gluster_aio_readv,
     .bdrv_aio_writev              = qemu_gluster_aio_writev,
     .bdrv_aio_flush               = qemu_gluster_aio_flush,
+    .bdrv_has_zero_init           = qemu_gluster_has_zero_init,
     .create_options               = qemu_gluster_create_options,
 };
 
@@ -640,6 +649,7 @@ static BlockDriver bdrv_gluster_rdma = {
     .bdrv_aio_readv               = qemu_gluster_aio_readv,
     .bdrv_aio_writev              = qemu_gluster_aio_writev,
     .bdrv_aio_flush               = qemu_gluster_aio_flush,
+    .bdrv_has_zero_init           = qemu_gluster_has_zero_init,
     .create_options               = qemu_gluster_create_options,
 };
 
-- 
1.7.9.5

* [Qemu-devel] [PATCH 12/56] vmdk: remove wrong calculation of relative path
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (10 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 11/56] gluster: Return bdrv_has_zero_init = 0 Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 13/56] Revert "migration: do not sent zero pages in bulk stage" Michael Roth
                   ` (44 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Fam Zheng <famz@redhat.com>

When creating an image with a backing file, the driver tries to calculate
the relative path from the created image file to the backing file, but the
path computation is incorrect, e.g.:

    $ qemu-img create -f vmdk -b vmdk-data-disk.vmdk vmdk-data-snapshot1
    Formatting 'vmdk-data-snapshot1', fmt=vmdk size=10737418240
    backing_file='vmdk-data-disk.vmdk' compat6=off zeroed_grain=off

    $ qemu-img info vmdk-data-snapshot1
    image: vmdk-data-snapshot1
    file format: vmdk
    virtual size: 10G (10737418240 bytes)
    disk size: 12K
->  backing file: disk.vmdk

The common part in file names, "vmdk-data-", is incorrectly forgotten by
relative_path(). As the VMDK specification does not restrict
parentNameHint to being a relative path, we simply remove this by using
the backing_file option.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 8ed610a1c983dd2ed1eed8841036af55751d115f)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vmdk.c |   44 +-------------------------------------------
 1 file changed, 1 insertion(+), 43 deletions(-)

diff --git a/block/vmdk.c b/block/vmdk.c
index ee50a73..8c8f1fd 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1465,45 +1465,6 @@ static int filename_decompose(const char *filename, char *path, char *prefix,
     return VMDK_OK;
 }
 
-static int relative_path(char *dest, int dest_size,
-        const char *base, const char *target)
-{
-    int i = 0;
-    int n = 0;
-    const char *p, *q;
-#ifdef _WIN32
-    const char *sep = "\\";
-#else
-    const char *sep = "/";
-#endif
-
-    if (!(dest && base && target)) {
-        return VMDK_ERROR;
-    }
-    if (path_is_absolute(target)) {
-        pstrcpy(dest, dest_size, target);
-        return VMDK_OK;
-    }
-    while (base[i] == target[i]) {
-        i++;
-    }
-    p = &base[i];
-    q = &target[i];
-    while (*p) {
-        if (*p == *sep) {
-            n++;
-        }
-        p++;
-    }
-    dest[0] = '\0';
-    for (; n; n--) {
-        pstrcat(dest, dest_size, "..");
-        pstrcat(dest, dest_size, sep);
-    }
-    pstrcat(dest, dest_size, q);
-    return VMDK_OK;
-}
-
 static int vmdk_create(const char *filename, QEMUOptionParameter *options)
 {
     int fd, idx = 0;
@@ -1603,7 +1564,6 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options)
         return -ENOTSUP;
     }
     if (backing_file) {
-        char parent_filename[PATH_MAX];
         BlockDriverState *bs = bdrv_new("");
         ret = bdrv_open(bs, backing_file, NULL, 0, NULL);
         if (ret != 0) {
@@ -1616,10 +1576,8 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options)
         }
         parent_cid = vmdk_read_cid(bs, 0);
         bdrv_delete(bs);
-        relative_path(parent_filename, sizeof(parent_filename),
-                      filename, backing_file);
         snprintf(parent_desc_line, sizeof(parent_desc_line),
-                "parentFileNameHint=\"%s\"", parent_filename);
+                "parentFileNameHint=\"%s\"", backing_file);
     }
 
     /* Create extents */
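
Review bot: In the snprintf() that builds parent_desc_line, backing_file
is now copied verbatim between the double quotes of parentFileNameHint
and the return value is not checked. A name containing a double quote or
a newline yields a malformed descriptor line, and a name longer than the
buffer is silently truncated into a hint that names a different path.
Reject such names, or fail on truncation, before the descriptor is
written. A comment should also state how a relative backing_file is
expected to be resolved when the image is opened, since the hint is no
longer rewritten relative to filename.
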
-- 
1.7.9.5

* [Qemu-devel] [PATCH 13/56] Revert "migration: do not sent zero pages in bulk stage"
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (11 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 12/56] vmdk: remove wrong calculation of relative path Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 14/56] migration: do not overwrite zero pages Michael Roth
                   ` (43 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Lieven <pl@kamp.de>

Not sending zero pages breaks migration if a page is zero
at the source but not at the destination. This can e.g. happen
if different BIOS versions are used at source and destination.
It has also been reported that migration on pseries is completely
broken with this patch.

This effectively reverts commit f1c72795af573b24a7da5eb52375c9aba8a37972.

Conflicts:

	arch_init.c

Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9ef051e5536b6368a1076046ec6c4ec4ac12b5c6)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 arch_init.c |   13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/arch_init.c b/arch_init.c
index 522caeb..6afc57e 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -457,15 +457,10 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
             bytes_sent = -1;
             if (is_zero_page(p)) {
                 acct_info.dup_pages++;
-                if (!ram_bulk_stage) {
-                    bytes_sent = save_block_hdr(f, block, offset, cont,
-                                                RAM_SAVE_FLAG_COMPRESS);
-                    qemu_put_byte(f, 0);
-                    bytes_sent++;
-                } else {
-                    acct_info.skipped_pages++;
-                    bytes_sent = 0;
-                }
+                bytes_sent = save_block_hdr(f, block, offset, cont,
+                                            RAM_SAVE_FLAG_COMPRESS);
+                qemu_put_byte(f, 0);
+                bytes_sent++;
             } else if (!ram_bulk_stage && migrate_use_xbzrle()) {
                 current_addr = block->offset + offset;
                 bytes_sent = save_xbzrle_page(f, p, current_addr, block,
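
Review bot: With the else branch removed, acct_info.skipped_pages is no
longer updated anywhere in this hunk. If that counter is still exported
in the migration statistics it will now stay constant, so either remove
it in the same change or confirm that it has another writer. A one-line
comment above the is_zero_page() branch, saying that zero pages must be
sent even in the bulk stage because the destination page is not
guaranteed to be zero, would keep the reverted optimisation from being
reintroduced.
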
-- 
1.7.9.5

* [Qemu-devel] [PATCH 14/56] migration: do not overwrite zero pages
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (12 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 13/56] Revert "migration: do not sent zero pages in bulk stage" Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 15/56] raw-posix: Fix /dev/cdrom magic on OS X Michael Roth
                   ` (42 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Lieven <pl@kamp.de>

On incoming migration, do not memset pages to zero if they already read as
zero. This will allocate a new zero page and consume memory unnecessarily.
Even if we madvise a MADV_DONTNEED later, this will only deallocate the
memory asynchronously.

Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 211ea74022f51164a7729030b28eec90b6c99a08)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 arch_init.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/arch_init.c b/arch_init.c
index 6afc57e..b526dd0 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -832,14 +832,16 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
             }
 
             ch = qemu_get_byte(f);
-            memset(host, ch, TARGET_PAGE_SIZE);
+            if (ch != 0 || !is_zero_page(host)) {
+                memset(host, ch, TARGET_PAGE_SIZE);
 #ifndef _WIN32
-            if (ch == 0 &&
-                (!kvm_enabled() || kvm_has_sync_mmu()) &&
-                getpagesize() <= TARGET_PAGE_SIZE) {
-                qemu_madvise(host, TARGET_PAGE_SIZE, QEMU_MADV_DONTNEED);
-            }
+                if (ch == 0 &&
+                    (!kvm_enabled() || kvm_has_sync_mmu()) &&
+                    getpagesize() <= TARGET_PAGE_SIZE) {
+                    qemu_madvise(host, TARGET_PAGE_SIZE, QEMU_MADV_DONTNEED);
+                }
 #endif
+            }
         } else if (flags & RAM_SAVE_FLAG_PAGE) {
             void *host;
 
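
Review bot: The new guard "if (ch != 0 || !is_zero_page(host))" needs a
comment. It is not obvious from the code that the only case skipped is a
zero fill of a page that already reads as zero, nor why skipping it
matters (the memset would touch and allocate the page). Note also that
is_zero_page(host) scans a full TARGET_PAGE_SIZE of destination memory
for every zero-fill record; the short-circuit keeps that scan off the
ch != 0 path, which should be preserved if the condition is ever
reordered.
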
-- 
1.7.9.5

* [Qemu-devel] [PATCH 15/56] raw-posix: Fix /dev/cdrom magic on OS X
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (13 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 14/56] migration: do not overwrite zero pages Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 16/56] kvmclock: clock should count only if vm is running Michael Roth
                   ` (41 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The raw-posix driver has code to provide a /dev/cdrom on OS X even
though it doesn't really exist. However, since commit c66a6157 the real
filename is dismissed after finding it, so opening /dev/cdrom fails.
Put the filename back into the options QDict to make this work again.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a5c5ea3f60c000bf18c99435439533728a5f34a2)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/raw-posix.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/block/raw-posix.c b/block/raw-posix.c
index c0ccf27..90ce9f8 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1350,6 +1350,7 @@ static int hdev_open(BlockDriverState *bs, QDict *options, int flags)
                 qemu_close(fd);
             }
             filename = bsdPath;
+            qdict_put(options, "filename", qstring_from_str(filename));
         }
 
         if ( mediaIterator )
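
Review bot: The added qdict_put() writes into the options QDict that was
passed in by the caller, and nothing at the call site says why. Add a
comment that the resolved bsdPath has to be put back under the "filename"
key because, per the commit message, the name is otherwise lost once it
has been found, so that the line is not dropped as redundant in a later
cleanup.
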
-- 
1.7.9.5

* [Qemu-devel] [PATCH 16/56] kvmclock: clock should count only if vm is running
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (14 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 15/56] raw-posix: Fix /dev/cdrom magic on OS X Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 17/56] qemu-char: Fix ID reuse after chardev-remove for qapi-based init Michael Roth
                   ` (40 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Marcelo Tosatti <mtosatti@redhat.com>

kvmclock should not count while vm is paused, because:

1) if the vm is paused for long periods, timekeeping
math can overflow while converting the (large) clocksource
delta to nanoseconds.

2) Users rely on CLOCK_MONOTONIC to count run time, that is,
time which OS has been in a runnable state (see CLOCK_BOOTTIME).

Change kvmclock driver so as to save clock value when vm transitions
from runnable to stopped state, and to restore clock value from stopped
to runnable transition.

Cc: qemu-stable@nongnu.org
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 00f4d64ee76e873be881a82d893a591487aa7950)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvm/clock.c |   64 ++++++++++++++++++++++++---------------------------
 1 file changed, 30 insertions(+), 34 deletions(-)

diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index 87d4d0f..98e5ca5 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -28,38 +28,6 @@ typedef struct KVMClockState {
     bool clock_valid;
 } KVMClockState;
 
-static void kvmclock_pre_save(void *opaque)
-{
-    KVMClockState *s = opaque;
-    struct kvm_clock_data data;
-    int ret;
-
-    if (s->clock_valid) {
-        return;
-    }
-    ret = kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, &data);
-    if (ret < 0) {
-        fprintf(stderr, "KVM_GET_CLOCK failed: %s\n", strerror(ret));
-        data.clock = 0;
-    }
-    s->clock = data.clock;
-    /*
-     * If the VM is stopped, declare the clock state valid to avoid re-reading
-     * it on next vmsave (which would return a different value). Will be reset
-     * when the VM is continued.
-     */
-    s->clock_valid = !runstate_is_running();
-}
-
-static int kvmclock_post_load(void *opaque, int version_id)
-{
-    KVMClockState *s = opaque;
-    struct kvm_clock_data data;
-
-    data.clock = s->clock;
-    data.flags = 0;
-    return kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, &data);
-}
 
 static void kvmclock_vm_state_change(void *opaque, int running,
                                      RunState state)
@@ -70,8 +38,18 @@ static void kvmclock_vm_state_change(void *opaque, int running,
     int ret;
 
     if (running) {
+        struct kvm_clock_data data;
+
         s->clock_valid = false;
 
+        data.clock = s->clock;
+        data.flags = 0;
+        ret = kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, &data);
+        if (ret < 0) {
+            fprintf(stderr, "KVM_SET_CLOCK failed: %s\n", strerror(ret));
+            abort();
+        }
+
         if (!cap_clock_ctrl) {
             return;
         }
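
Review bot: In the new KVM_SET_CLOCK error path, strerror(ret) is called
on a value that the preceding "if (ret < 0)" has just established to be
negative. strerror() expects a positive errno value, so the message will
not name the real error; if kvm_vm_ioctl() returns a negated errno, use
strerror(-ret). Two further points: abort() turns a failed ioctl into
termination of the whole VM, where the removed kvmclock_post_load()
returned the error to its caller, and that change of behaviour should be
called out in the commit message. Also, s->clock is pushed to KVM on
every transition to running, including one that happens before any
KVM_GET_CLOCK has filled it in, so the value it holds at that point needs
to be stated.
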
@@ -84,6 +62,26 @@ static void kvmclock_vm_state_change(void *opaque, int running,
                 return;
             }
         }
+    } else {
+        struct kvm_clock_data data;
+        int ret;
+
+        if (s->clock_valid) {
+            return;
+        }
+        ret = kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, &data);
+        if (ret < 0) {
+            fprintf(stderr, "KVM_GET_CLOCK failed: %s\n", strerror(ret));
+            abort();
+        }
+        s->clock = data.clock;
+
+        /*
+         * If the VM is stopped, declare the clock state valid to
+         * avoid re-reading it on next vmsave (which would return
+         * a different value). Will be reset when the VM is continued.
+         */
+        s->clock_valid = true;
     }
 }
 
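
Review bot: The else block declares its own "int ret;" although the
function already has one in scope (it is assigned in the running branch
above), so the inner declaration shadows the outer; drop the inner one.
The strerror(ret) call on a negative value appears here as well, for
KVM_GET_CLOCK. The comment carried over from kvmclock_pre_save() still
begins "If the VM is stopped", but this block only runs on the transition
to stopped, so it can say unconditionally that the saved value stays
valid until the VM is continued.
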
@@ -100,8 +98,6 @@ static const VMStateDescription kvmclock_vmsd = {
     .version_id = 1,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
-    .pre_save = kvmclock_pre_save,
-    .post_load = kvmclock_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_UINT64(clock, KVMClockState),
         VMSTATE_END_OF_LIST()
-- 
1.7.9.5

* [Qemu-devel] [PATCH 17/56] qemu-char: Fix ID reuse after chardev-remove for qapi-based init
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (15 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 16/56] kvmclock: clock should count only if vm is running Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 18/56] target-cris: gen_intermediate_code_internal() should be inlined Michael Roth
                   ` (39 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Commit 2c5f488 introduced qapi-based character device initialization
as a new code path in qemu_chr_new_from_opts().  Unfortunately, it
failed to store parameter opts in the new chardev.  Therefore,
qemu_chr_delete() doesn't delete it.  Even though the device is gone,
its options linger, and any attempt to create another one with the
same ID fails.

Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1372339512-28149-1-git-send-email-armbru@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 2ea3e2c1e85097c45a882dbc1fbba4a7fdb3ff1c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/qemu-char.c b/qemu-char.c
index efe706d..b8ffcba 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -3228,6 +3228,7 @@ CharDriverState *qemu_chr_new_from_opts(QemuOpts *opts,
         }
 
         chr = qemu_chr_find(id);
+        chr->opts = opts;
 
     qapi_out:
         qapi_free_ChardevBackend(backend);
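
Review bot: The added "chr->opts = opts;" dereferences the result of
qemu_chr_find(id) without a NULL check. If the lookup can only succeed at
this point because the chardev was just created under that id, record
that with an assert(chr) or a comment; otherwise handle the NULL case
before the assignment. It would also help to note here that storing opts
is what lets qemu_chr_delete() release them, since that ownership is not
visible from this function.
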
-- 
1.7.9.5

* [Qemu-devel] [PATCH 18/56] target-cris: gen_intermediate_code_internal() should be inlined
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (16 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 17/56] qemu-char: Fix ID reuse after chardev-remove for qapi-based init Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 19/56] target-lm32: " Michael Roth
                   ` (38 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Cc: qemu-stable@nongnu.org
Reported-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 6f47ec50db92b4bc77de06661a9e7a3eb538b660)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-cris/translate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-cris/translate.c b/target-cris/translate.c
index dbcb811..ad61071 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -3161,7 +3161,7 @@ static void check_breakpoint(CPUCRISState *env, DisasContext *dc)
  */
 
 /* generate intermediate code for basic block 'tb'.  */
-static void
+static inline void
 gen_intermediate_code_internal(CPUCRISState *env, TranslationBlock *tb,
                                int search_pc)
 {
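
Review bot: The commit message has no body, so the reason
gen_intermediate_code_internal() "should be inlined" is recorded nowhere
in the change, and the one-word edit to "static inline void" does not
explain itself. State the motivation (what goes wrong or gets slower
without inlining, and for which search_pc values) in the message or in
the comment above the function, which still only reads "generate
intermediate code for basic block 'tb'".
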
-- 
1.7.9.5

* [Qemu-devel] [PATCH 19/56] target-lm32: gen_intermediate_code_internal() should be inlined
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (17 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 18/56] target-cris: gen_intermediate_code_internal() should be inlined Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 20/56] target-microblaze: " Michael Roth
                   ` (37 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Cc: qemu-stable@nongnu.org
Reported-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Acked-by: Michael Walle <michael@walle.cc>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 28014bcab244e968cb03f20384943494bd069ee0)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-lm32/translate.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target-lm32/translate.c b/target-lm32/translate.c
index af9ce8c..3e44e5c 100644
--- a/target-lm32/translate.c
+++ b/target-lm32/translate.c
@@ -1011,8 +1011,9 @@ static void check_breakpoint(CPULM32State *env, DisasContext *dc)
 }
 
 /* generate intermediate code for basic block 'tb'.  */
-static void gen_intermediate_code_internal(CPULM32State *env,
-        TranslationBlock *tb, int search_pc)
+static inline
+void gen_intermediate_code_internal(CPULM32State *env,
+                                    TranslationBlock *tb, int search_pc)
 {
     struct DisasContext ctx, *dc = &ctx;
     uint16_t *gen_opc_end;
-- 
1.7.9.5

* [Qemu-devel] [PATCH 20/56] target-microblaze: gen_intermediate_code_internal() should be inlined
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (18 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 19/56] target-lm32: " Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 21/56] target-moxie: " Michael Roth
                   ` (36 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Cc: qemu-stable@nongnu.org
Reported-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit fd327f48f7e5892318b6dca2c9c6030618f65728)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-microblaze/translate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 06d2346..85b5488 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -1737,7 +1737,7 @@ static void check_breakpoint(CPUMBState *env, DisasContext *dc)
 }
 
 /* generate intermediate code for basic block 'tb'.  */
-static void
+static inline void
 gen_intermediate_code_internal(CPUMBState *env, TranslationBlock *tb,
                                int search_pc)
 {
-- 
1.7.9.5

* [Qemu-devel] [PATCH 21/56] target-moxie: gen_intermediate_code_internal() should be inlined
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (19 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 20/56] target-microblaze: " Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 22/56] target-xtensa: " Michael Roth
                   ` (35 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Cc: qemu-stable@nongnu.org
Reported-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 13cccc692818a570d1fb1326c84d3edae68987aa)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-moxie/translate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-moxie/translate.c b/target-moxie/translate.c
index cc02bd3..28a5462 100644
--- a/target-moxie/translate.c
+++ b/target-moxie/translate.c
@@ -818,7 +818,7 @@ static int decode_opc(MoxieCPU *cpu, DisasContext *ctx)
 }
 
 /* generate intermediate code for basic block 'tb'.  */
-static void
+static inline void
 gen_intermediate_code_internal(MoxieCPU *cpu, TranslationBlock *tb,
                                bool search_pc)
 {
-- 
1.7.9.5

* [Qemu-devel] [PATCH 22/56] target-xtensa: gen_intermediate_code_internal() should be inlined
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (20 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 21/56] target-moxie: " Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 23/56] block: fix bdrv_flush() ordering in bdrv_close() Michael Roth
                   ` (34 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Cc: qemu-stable@nongnu.org
Reported-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit ae06d4988d6799f0bd16f27c2bcf80fa1cd2cfd7)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-xtensa/translate.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target-xtensa/translate.c b/target-xtensa/translate.c
index 06d68db..9e05a66 100644
--- a/target-xtensa/translate.c
+++ b/target-xtensa/translate.c
@@ -2875,8 +2875,9 @@ static void gen_ibreak_check(CPUXtensaState *env, DisasContext *dc)
     }
 }
 
-static void gen_intermediate_code_internal(
-        CPUXtensaState *env, TranslationBlock *tb, int search_pc)
+static inline
+void gen_intermediate_code_internal(CPUXtensaState *env,
+                                    TranslationBlock *tb, int search_pc)
 {
     DisasContext dc;
     int insn_count = 0;
-- 
1.7.9.5

* [Qemu-devel] [PATCH 23/56] block: fix bdrv_flush() ordering in bdrv_close()
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (21 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 22/56] target-xtensa: " Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 24/56] target-openrisc: Fix typename in openrisc_cpu_class_by_name() Michael Roth
                   ` (33 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Since 80ccf93b we flush the block device during close.  The
bdrv_drain_all() call should come before bdrv_flush() to ensure guest
write requests have completed.  Otherwise we may miss pending writes
when flushing.

Call bdrv_drain_all() again for safety as the final step after
bdrv_flush().  This should not be necessary but we can be paranoid here
in case bdrv_flush() left I/O pending.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 58fda173e1156d24e5ff62361774715152188a07)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/block.c b/block.c
index 3f87489..c7c3e06 100644
--- a/block.c
+++ b/block.c
@@ -1349,11 +1349,12 @@ void bdrv_reopen_abort(BDRVReopenState *reopen_state)
 
 void bdrv_close(BlockDriverState *bs)
 {
-    bdrv_flush(bs);
     if (bs->job) {
         block_job_cancel_sync(bs->job);
     }
-    bdrv_drain_all();
+    bdrv_drain_all(); /* complete I/O */
+    bdrv_flush(bs);
+    bdrv_drain_all(); /* in case flush left pending I/O */
     notifier_list_notify(&bs->close_notifiers, bs);
 
     if (bs->drv) {
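Review bot: `bdrv_flush(bs);` in bdrv_close() still discards its return value, so a flush that fails at close time goes unreported. bdrv_close() returns void, so at minimum the failure should be logged. The second `bdrv_drain_all();` comment should also carry the "should not be necessary" caveat from the commit message, so the call can be removed once bdrv_flush() is known not to leave I/O pending.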
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 24/56] target-openrisc: Fix typename in openrisc_cpu_class_by_name()
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (22 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 23/56] block: fix bdrv_flush() ordering in bdrv_close() Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 25/56] qom: Fix class cast of NULL classes Michael Roth
                   ` (32 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Dongxue Zhang <elta.era@gmail.com>

Commit 478032a93d908e59085c1ac56f10979942e7dc4f (target-openrisc:
Rename CPU subtypes) suffixed CPU sub-types with "-or32-cpu" but forgot
to update openrisc_cpu_class_by_name(), so that it was still looking for
the types without suffix.

Make target-openrisc run OK by adding the suffix to the model name.

This means it is no longer possible to use -cpu or1200-or32-cpu or
-cpu any-or32-cpu though.

Cc: qemu-stable@nongnu.org
Signed-off-by: Dongxue Zhang <elta.era@gmail.com>
Tested-by: Jia Liu <proljc@gmail.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 071b3364e7995036816aa4ebf80ecfa04b1a31de)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-openrisc/cpu.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target-openrisc/cpu.c b/target-openrisc/cpu.c
index ffe14f3..4e9a3e8 100644
--- a/target-openrisc/cpu.c
+++ b/target-openrisc/cpu.c
@@ -97,12 +97,14 @@ static void openrisc_cpu_initfn(Object *obj)
 static ObjectClass *openrisc_cpu_class_by_name(const char *cpu_model)
 {
     ObjectClass *oc;
+    char *typename;
 
     if (cpu_model == NULL) {
         return NULL;
     }
 
-    oc = object_class_by_name(cpu_model);
+    typename = g_strdup_printf("%s-" TYPE_OPENRISC_CPU, cpu_model);
+    oc = object_class_by_name(typename);
     if (oc != NULL && (!object_class_dynamic_cast(oc, TYPE_OPENRISC_CPU) ||
                        object_class_is_abstract(oc))) {
         return NULL;
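Review bot: `typename` is allocated with g_strdup_printf() and no g_free() is visible in the hunk; the `return NULL;` inside the following `if` leaves without freeing it, so that path leaks the string on every rejected lookup. Freeing it immediately after the lookup covers all paths: add `g_free(typename);` right after `oc = object_class_by_name(typename);`.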
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 25/56] qom: Fix class cast of NULL classes
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (23 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 24/56] target-openrisc: Fix typename in openrisc_cpu_class_by_name() Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 26/56] seccomp: add the asynchronous I/O syscalls to the whitelist Michael Roth
                   ` (31 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>

It's clear from the implementation that class casting is supposed to work
with a NULL class argument. Guard all dereferences of the class argument
against NULL accordingly.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 94cd5ba46b74eea289a7e582635820c1c54e66fa.1371546907.git.peter.crosthwaite@xilinx.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 9d6a3d58e4d1431ab3809ff621cfd1f9ec75eef5)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qom/object.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/qom/object.c b/qom/object.c
index 803b94b..b7ecb9f 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -531,14 +531,14 @@ ObjectClass *object_class_dynamic_cast_assert(ObjectClass *class,
 #ifdef CONFIG_QOM_CAST_DEBUG
     int i;
 
-    for (i = 0; i < OBJECT_CLASS_CAST_CACHE; i++) {
+    for (i = 0; class && i < OBJECT_CLASS_CAST_CACHE; i++) {
         if (class->cast_cache[i] == typename) {
             ret = class;
             goto out;
         }
     }
 #else
-    if (!class->interfaces) {
+    if (!class || !class->interfaces) {
         return class;
     }
 #endif
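Review bot: in the CONFIG_QOM_CAST_DEBUG loop, `class &&` is loop-invariant but is re-tested on every iteration of `for (i = 0; class && i < OBJECT_CLASS_CAST_CACHE; i++)`; wrapping the loop in `if (class)` reads more clearly. The two build variants also diverge for NULL: the #else branch returns early, while the debug branch falls through to the rest of the function, so the NULL contract should be stated in the function's documentation and both paths checked against it.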
@@ -551,7 +551,7 @@ ObjectClass *object_class_dynamic_cast_assert(ObjectClass *class,
     }
 
 #ifdef CONFIG_QOM_CAST_DEBUG
-    if (ret == class) {
+    if (class && ret == class) {
         for (i = 1; i < OBJECT_CLASS_CAST_CACHE; i++) {
             class->cast_cache[i - 1] = class->cast_cache[i];
         }
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 26/56] seccomp: add the asynchronous I/O syscalls to the whitelist
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (24 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 25/56] qom: Fix class cast of NULL classes Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 27/56] qapi: qapi-commands: fix possible leaks on visitor dealloc Michael Roth
                   ` (30 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Paul Moore <pmoore@redhat.com>

In order to enable the asynchronous I/O functionality when using the
seccomp sandbox we need to add the associated syscalls to the
whitelist.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Reviewed-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Message-id: 20130529203001.20939.83322.stgit@localhost
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit fd21faadb12669e24eaf0a277de61c24fcde4cac)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-seccomp.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 031da1d..ca123bf 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -87,6 +87,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(stat), 245 },
     { SCMP_SYS(uname), 245 },
     { SCMP_SYS(eventfd2), 245 },
+    { SCMP_SYS(io_getevents), 245 },
     { SCMP_SYS(dup), 245 },
     { SCMP_SYS(dup2), 245 },
     { SCMP_SYS(dup3), 245 },
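Review bot: `{ SCMP_SYS(io_getevents), 245 }` is inserted with the value 245 while the two companion syscalls added at the end of the table get 241, and nothing in the hunk or the commit message says what the second field means or why the values differ. A comment on the struct, or a sentence in the commit message stating how the number was chosen, would keep later additions consistent.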
@@ -229,7 +230,9 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(sendmmsg), 241 },
     { SCMP_SYS(recvmmsg), 241 },
     { SCMP_SYS(prlimit64), 241 },
-    { SCMP_SYS(waitid), 241 }
+    { SCMP_SYS(waitid), 241 },
+    { SCMP_SYS(io_setup), 241 },
+    { SCMP_SYS(io_destroy), 241 }
 };
 
 int seccomp_start(void)
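Review bot: the patch adds io_getevents, io_setup and io_destroy, but io_submit and io_cancel do not appear in either hunk. If they are not already present elsewhere in seccomp_whitelist[], the first AIO submission under the sandbox will still be blocked; please confirm. Since every entry widens what the sandboxed QEMU process may call, the commit message should also name the code path that needs each syscall.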
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 27/56] qapi: qapi-commands: fix possible leaks on visitor dealloc
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (25 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 26/56] seccomp: add the asynchronous I/O syscalls to the whitelist Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 28/56] ahci: Fix FLUSH command Michael Roth
                   ` (29 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Luiz Capitulino <lcapitulino@redhat.com>

In qmp-marshal.c the dealloc visitor calls use the same errp
pointer of the input visitor calls. This means that if any of
the input visitor calls fails, then the dealloc visitor will
return early, before freeing the object's memory.

Here's an example, consider this code:

int qmp_marshal_input_block_passwd(Monitor *mon, const QDict *qdict, QObject **ret)
{
	[...]

    char * device = NULL;
    char * password = NULL;

    mi = qmp_input_visitor_new_strict(QOBJECT(args));
    v = qmp_input_get_visitor(mi);
    visit_type_str(v, &device, "device", errp);
    visit_type_str(v, &password, "password", errp);
    qmp_input_visitor_cleanup(mi);

    if (error_is_set(errp)) {
        goto out;
    }
    qmp_block_passwd(device, password, errp);

out:
    md = qapi_dealloc_visitor_new();
    v = qapi_dealloc_get_visitor(md);
    visit_type_str(v, &device, "device", errp);
    visit_type_str(v, &password, "password", errp);
    qapi_dealloc_visitor_cleanup(md);

	[...]

    return 0;
}

Consider errp != NULL when the out label is reached, we're going
to leak device and password.

This patch fixes this by always passing errp=NULL for dealloc
visitors, meaning that we always try to free them regardless of
any previous failure. The above example would then be:

out:
    md = qapi_dealloc_visitor_new();
    v = qapi_dealloc_get_visitor(md);
    visit_type_str(v, &device, "device", NULL);
    visit_type_str(v, &password, "password", NULL);
    qapi_dealloc_visitor_cleanup(md);

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 8f91ad8a1b4702966d91ea58cd90bbde1faea1b3)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/qapi-commands.py |   17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/scripts/qapi-commands.py b/scripts/qapi-commands.py
index e06332b..b12b696 100644
--- a/scripts/qapi-commands.py
+++ b/scripts/qapi-commands.py
@@ -128,12 +128,15 @@ bool has_%(argname)s = false;
 
 def gen_visitor_input_block(args, obj, dealloc=False):
     ret = ""
+    errparg = 'errp'
+
     if len(args) == 0:
         return ret
 
     push_indent()
 
     if dealloc:
+        errparg = 'NULL'
         ret += mcgen('''
 md = qapi_dealloc_visitor_new();
 v = qapi_dealloc_get_visitor(md);
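Review bot: `errparg = 'NULL'` is set in the `if dealloc:` branch without a comment, and the reason (the dealloc visitor must run even when an input visit has already set errp) lives only in the commit message. Add a short comment at the assignment, and consider `errparg = 'NULL' if dealloc else 'errp'` so that the default and the override are one statement.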
@@ -148,22 +151,22 @@ v = qmp_input_get_visitor(mi);
     for argname, argtype, optional, structured in parse_args(args):
         if optional:
             ret += mcgen('''
-visit_start_optional(v, &has_%(c_name)s, "%(name)s", errp);
+visit_start_optional(v, &has_%(c_name)s, "%(name)s", %(errp)s);
 if (has_%(c_name)s) {
 ''',
-                         c_name=c_var(argname), name=argname)
+                         c_name=c_var(argname), name=argname, errp=errparg)
             push_indent()
         ret += mcgen('''
-%(visitor)s(v, &%(c_name)s, "%(name)s", errp);
+%(visitor)s(v, &%(c_name)s, "%(name)s", %(errp)s);
 ''',
                      c_name=c_var(argname), name=argname, argtype=argtype,
-                     visitor=type_visitor(argtype))
+                     visitor=type_visitor(argtype), errp=errparg)
         if optional:
             pop_indent()
             ret += mcgen('''
 }
-visit_end_optional(v, errp);
-''')
+visit_end_optional(v, %(errp)s);
+''', errp=errparg)
 
     if dealloc:
         ret += mcgen('''
@@ -194,7 +197,7 @@ static void qmp_marshal_output_%(c_name)s(%(c_ret_type)s ret_in, QObject **ret_o
     }
     qmp_output_visitor_cleanup(mo);
     v = qapi_dealloc_get_visitor(md);
-    %(visitor)s(v, &ret_in, "unused", errp);
+    %(visitor)s(v, &ret_in, "unused", NULL);
     qapi_dealloc_visitor_cleanup(md);
 }
 ''',
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread
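
The leak described in the commit message above, reduced to a stand-alone C program. This is an added example, not code from QEMU or from the patch author: the Error type, VisitKind and the allocation counter are hypothetical stand-ins, and only the "visit is skipped once errp is set" behaviour is taken from the message. For block_passwd the leaked string can be the password, which then stays in process memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of the visitor pattern; not QEMU's real types. */
typedef struct Error { const char *msg; } Error;
typedef enum { VISIT_INPUT, VISIT_DEALLOC } VisitKind;

static int live_strings;            /* strings allocated and not yet freed */

static bool error_is_set(Error **errp)
{
    return errp && *errp;
}

static void error_set(Error **errp, const char *msg)
{
    static Error err;
    if (errp && !*errp) {
        err.msg = msg;
        *errp = &err;
    }
}

/* Every visit is skipped once errp holds an error, for both visitor kinds. */
static void visit_type_str(VisitKind kind, char **obj, const char *input,
                           Error **errp)
{
    if (error_is_set(errp)) {
        return;
    }
    if (kind == VISIT_INPUT) {
        if (input == NULL) {
            error_set(errp, "missing parameter");
            return;
        }
        *obj = malloc(strlen(input) + 1);
        if (*obj == NULL) {
            error_set(errp, "out of memory");
            return;
        }
        strcpy(*obj, input);
        live_strings++;
    } else if (*obj != NULL) {
        free(*obj);
        *obj = NULL;
        live_strings--;
    }
}

/*
 * Shape of the generated marshaller from the commit message. Returns how
 * many argument strings are still allocated after the dealloc pass.
 * dealloc_uses_null selects the fixed behaviour (errp=NULL for dealloc).
 */
static int marshal_block_passwd(const char *device_in, const char *password_in,
                                bool dealloc_uses_null)
{
    Error *local_err = NULL;
    Error **errp = &local_err;
    Error **dealloc_errp = dealloc_uses_null ? NULL : errp;
    char *device = NULL;
    char *password = NULL;
    int leaked;

    live_strings = 0;
    visit_type_str(VISIT_INPUT, &device, device_in, errp);
    visit_type_str(VISIT_INPUT, &password, password_in, errp);

    /* out: */
    visit_type_str(VISIT_DEALLOC, &device, NULL, dealloc_errp);
    visit_type_str(VISIT_DEALLOC, &password, NULL, dealloc_errp);

    leaked = live_strings;
    free(device);                   /* tidy up so the demo itself is leak-free */
    free(password);
    return leaked;
}

int main(void)
{
    /* Constructed inputs: "password" is missing, so the second input visit fails. */
    printf("shared errp: %d leaked\n",
           marshal_block_passwd("ide0-hd0", NULL, false));
    printf("errp=NULL:   %d leaked\n",
           marshal_block_passwd("ide0-hd0", NULL, true));
    return 0;
}
```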

* [Qemu-devel] [PATCH 28/56] ahci: Fix FLUSH command
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (26 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 27/56] qapi: qapi-commands: fix possible leaks on visitor dealloc Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 29/56] iscsi: fix -ENOSPC in iscsi_create() Michael Roth
                   ` (28 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

AHCI couldn't cope with asynchronous commands that aren't doing DMA, it
simply wouldn't complete them. Due to the bug fixed in commit f68ec837,
FLUSH commands would seem to have completed immediately even if they
were still running on the host. After the commit, they would simply hang
and never unset the BSY bit, rendering AHCI unusable on any OS sending
flushes.

This patch adds another callback for the completion of asynchronous
commands. This is what AHCI really wants to use for its command
completion logic rather than a DMA completion callback.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a62eaa26c1d6d48fbdc3ac1d32bd1314f5fdc8c9)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ide/ahci.c     |    8 +++++++-
 hw/ide/core.c     |    9 +++++++++
 hw/ide/internal.h |    1 +
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index eab6096..ade9f64 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1104,9 +1104,14 @@ static int ahci_dma_add_status(IDEDMA *dma, int status)
 
 static int ahci_dma_set_inactive(IDEDMA *dma)
 {
+    return 0;
+}
+
+static int ahci_async_cmd_done(IDEDMA *dma)
+{
     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
 
-    DPRINTF(ad->port_no, "dma done\n");
+    DPRINTF(ad->port_no, "async cmd done\n");
 
     /* update d2h status */
     ahci_write_fis_d2h(ad, NULL);
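Review bot: ahci_dma_set_inactive() is reduced to `return 0;` with its body moved to ahci_async_cmd_done(), but nothing in the code says the empty callback is intentional. A one-line comment there (completion is handled in async_cmd_done) would stop someone from restoring the D2H FIS write in the wrong place.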
@@ -1141,6 +1146,7 @@ static const IDEDMAOps ahci_dma_ops = {
     .set_unit = ahci_dma_set_unit,
     .add_status = ahci_dma_add_status,
     .set_inactive = ahci_dma_set_inactive,
+    .async_cmd_done = ahci_async_cmd_done,
     .restart_cb = ahci_dma_restart_cb,
     .reset = ahci_dma_reset,
 };
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 9926d92..8b3dde6 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -568,10 +568,18 @@ static void dma_buf_commit(IDEState *s)
     qemu_sglist_destroy(&s->sg);
 }
 
+static void ide_async_cmd_done(IDEState *s)
+{
+    if (s->bus->dma->ops->async_cmd_done) {
+        s->bus->dma->ops->async_cmd_done(s->bus->dma);
+    }
+}
+
 void ide_set_inactive(IDEState *s)
 {
     s->bus->dma->aiocb = NULL;
     s->bus->dma->ops->set_inactive(s->bus->dma);
+    ide_async_cmd_done(s);
 }
 
 void ide_dma_error(IDEState *s)
@@ -804,6 +812,7 @@ static void ide_flush_cb(void *opaque, int ret)
 
     bdrv_acct_done(s->bs, &s->acct);
     s->status = READY_STAT | SEEK_STAT;
+    ide_async_cmd_done(s);
     ide_set_irq(s->bus);
 }
 
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 03f1489..048a052 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -433,6 +433,7 @@ struct IDEDMAOps {
     DMAIntFunc *set_unit;
     DMAIntFunc *add_status;
     DMAFunc *set_inactive;
+    DMAFunc *async_cmd_done;
     DMARestartFunc *restart_cb;
     DMAFunc *reset;
 };
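Review bot: `DMAFunc *async_cmd_done;` is added to IDEDMAOps without a comment, and unlike set_inactive it is optional: ide_async_cmd_done() in core.c NULL-checks it before calling. Document in the struct that the member may be NULL and when it is invoked (from ide_set_inactive() and from ide_flush_cb()).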
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 29/56] iscsi: fix -ENOSPC in iscsi_create()
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (27 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 28/56] ahci: Fix FLUSH command Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 30/56] iscsi: remove support for misaligned nb_sectors in aio_readv Michael Roth
                   ` (27 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Lieven <pl@kamp.de>

the -ENOSPC case did not work due to the missing goto.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d3bda7bc166f40326ba646ee145630bb1b59da96)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/block/iscsi.c b/block/iscsi.c
index fa5252c..91b602c 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -1272,6 +1272,7 @@ static int iscsi_create(const char *filename, QEMUOptionParameter *options)
     }
     if (bs.total_sectors < total_size) {
         ret = -ENOSPC;
+        goto out;
     }
 
     ret = 0;
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 30/56] iscsi: remove support for misaligned nb_sectors in aio_readv
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (28 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 29/56] iscsi: fix -ENOSPC in iscsi_create() Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 31/56] iscsi: assert that sectors are aligned to LUN blocksize Michael Roth
                   ` (26 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Lieven <pl@kamp.de>

this hack is not working (anymore). support for misaligned offsets should
be handled at the block layer.

Signed-off-by: Peter Lieven <pl@kamp.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7e4d5a9f94a0d8485bf63e1f8256e0a0014495ab)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c |   22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 91b602c..df283ed 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -62,8 +62,6 @@ typedef struct IscsiAIOCB {
     int status;
     int canceled;
     int retries;
-    size_t read_size;
-    size_t read_offset;
     int64_t sector_num;
     int nb_sectors;
 #ifdef __linux__
@@ -380,6 +378,7 @@ static int
 iscsi_aio_readv_acb(IscsiAIOCB *acb)
 {
     struct iscsi_context *iscsi = acb->iscsilun->iscsi;
+    size_t size;
     uint64_t lba;
     uint32_t num_sectors;
     int ret;
@@ -392,20 +391,7 @@ iscsi_aio_readv_acb(IscsiAIOCB *acb)
     acb->status      = -EINPROGRESS;
     acb->buf         = NULL;
 
-    /* If LUN blocksize is bigger than BDRV_BLOCK_SIZE a read from QEMU
-     * may be misaligned to the LUN, so we may need to read some extra
-     * data.
-     */
-    acb->read_offset = 0;
-    if (acb->iscsilun->block_size > BDRV_SECTOR_SIZE) {
-        uint64_t bdrv_offset = BDRV_SECTOR_SIZE * acb->sector_num;
-
-        acb->read_offset  = bdrv_offset % acb->iscsilun->block_size;
-    }
-
-    num_sectors  = (acb->read_size + acb->iscsilun->block_size
-                    + acb->read_offset - 1)
-                    / acb->iscsilun->block_size;
+    size = acb->nb_sectors * BDRV_SECTOR_SIZE;
 
     acb->task = malloc(sizeof(struct scsi_task));
     if (acb->task == NULL) {
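Review bot: `size = acb->nb_sectors * BDRV_SECTOR_SIZE;` drops the `(size_t)` cast that the removed `acb->read_size` assignment in iscsi_aio_readv() applied to nb_sectors before multiplying. nb_sectors is an int, so unless BDRV_SECTOR_SIZE is already a wide unsigned constant the product is computed in int; writing `size = (size_t)acb->nb_sectors * BDRV_SECTOR_SIZE;` makes the width explicit.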
@@ -416,8 +402,9 @@ iscsi_aio_readv_acb(IscsiAIOCB *acb)
     memset(acb->task, 0, sizeof(struct scsi_task));
 
     acb->task->xfer_dir = SCSI_XFER_READ;
+    acb->task->expxferlen = size;
     lba = sector_qemu2lun(acb->sector_num, acb->iscsilun);
-    acb->task->expxferlen = acb->read_size;
+    num_sectors = sector_qemu2lun(acb->nb_sectors, acb->iscsilun);
 
     switch (acb->iscsilun->type) {
     case TYPE_DISK:
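Review bot: `num_sectors = sector_qemu2lun(acb->nb_sectors, acb->iscsilun);` truncates when nb_sectors is not a multiple of the LUN block size, because sector_qemu2lun() is an integer division, while `acb->task->expxferlen = size;` keeps the full byte count. With this patch alone the two can disagree and nothing rejects the request; the alignment check only arrives in the next patch of the series, so either reorder the two or add the check here. sector_qemu2lun() also returns int64_t, which is narrowed to the uint32_t num_sectors without a range check.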
@@ -472,7 +459,6 @@ iscsi_aio_readv(BlockDriverState *bs, int64_t sector_num,
     acb->sector_num  = sector_num;
     acb->iscsilun    = iscsilun;
     acb->qiov        = qiov;
-    acb->read_size   = BDRV_SECTOR_SIZE * (size_t)acb->nb_sectors;
     acb->retries     = ISCSI_CMD_RETRIES;
 
     if (iscsi_aio_readv_acb(acb) != 0) {
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 31/56] iscsi: assert that sectors are aligned to LUN blocksize
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (29 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 30/56] iscsi: remove support for misaligned nb_sectors in aio_readv Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 32/56] block: Add return value for bdrv_flush_all() Michael Roth
                   ` (25 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Peter Lieven <pl@kamp.de>

if the blocksize of an iSCSI LUN is bigger than the BDRV_SECTOR_SIZE
it is possible that sector_num or nb_sectors are not correctly
aligned.

to avoid corruption we fail requests which are misaligned.

Signed-off-by: Peter Lieven <pl@kamp.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 91bea4e2bb1a5f7954a3b3a4f2e28e96bd25c458)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/block/iscsi.c b/block/iscsi.c
index df283ed..1294fdf 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -237,6 +237,18 @@ static int64_t sector_qemu2lun(int64_t sector, IscsiLun *iscsilun)
     return sector * BDRV_SECTOR_SIZE / iscsilun->block_size;
 }
 
+static bool is_request_lun_aligned(int64_t sector_num, int nb_sectors,
+                                      IscsiLun *iscsilun)
+{
+    if ((sector_num * BDRV_SECTOR_SIZE) % iscsilun->block_size ||
+        (nb_sectors * BDRV_SECTOR_SIZE) % iscsilun->block_size) {
+            error_report("iSCSI misaligned request: iscsilun->block_size %u, sector_num %ld, nb_sectors %d",
+                         iscsilun->block_size, sector_num, nb_sectors);
+            return 0;
+    }
+    return 1;
+}
+
 static int
 iscsi_aio_writev_acb(IscsiAIOCB *acb)
 {
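Review bot: is_request_lun_aligned() is declared `bool` but returns `0` and `1`; use `false` and `true`. The error_report() format prints the int64_t sector_num with `%ld`, which is wrong on hosts where long is 32 bits; use `%" PRId64 "` instead. The body of the `if` is indented by eight spaces rather than four, and the subject line says "assert" although the code fails the request instead of asserting.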
@@ -321,6 +333,10 @@ iscsi_aio_writev(BlockDriverState *bs, int64_t sector_num,
     IscsiLun *iscsilun = bs->opaque;
     IscsiAIOCB *acb;
 
+    if (!is_request_lun_aligned(sector_num, nb_sectors, iscsilun)) {
+        return NULL;
+    }
+
     acb = qemu_aio_get(&iscsi_aiocb_info, bs, cb, opaque);
     trace_iscsi_aio_writev(iscsilun->iscsi, sector_num, nb_sectors, opaque, acb);
 
@@ -452,6 +468,10 @@ iscsi_aio_readv(BlockDriverState *bs, int64_t sector_num,
     IscsiLun *iscsilun = bs->opaque;
     IscsiAIOCB *acb;
 
+    if (!is_request_lun_aligned(sector_num, nb_sectors, iscsilun)) {
+        return NULL;
+    }
+
     acb = qemu_aio_get(&iscsi_aiocb_info, bs, cb, opaque);
     trace_iscsi_aio_readv(iscsilun->iscsi, sector_num, nb_sectors, opaque, acb);
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 32/56] block: Add return value for bdrv_flush_all()
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (30 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 31/56] iscsi: assert that sectors are aligned to LUN blocksize Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 33/56] cpus: Add return value for vm_stop() Michael Roth
                   ` (24 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

bdrv_flush() can fail, and bdrv_flush_all() should return an error as
well if this happens for a block device. It returns the first error
return now, but still at least tries to flush the remaining devices even
in error cases.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f0f0fdfeec6c67ad374114ecc4b3e3ccde5e94d2)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c               |   10 ++++++++--
 include/block/block.h |    2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/block.c b/block.c
index c7c3e06..d338a20 100644
--- a/block.c
+++ b/block.c
@@ -2907,13 +2907,19 @@ int bdrv_get_flags(BlockDriverState *bs)
     return bs->open_flags;
 }
 
-void bdrv_flush_all(void)
+int bdrv_flush_all(void)
 {
     BlockDriverState *bs;
+    int result = 0;
 
     QTAILQ_FOREACH(bs, &bdrv_states, list) {
-        bdrv_flush(bs);
+        int ret = bdrv_flush(bs);
+        if (ret < 0 && !result) {
+            result = ret;
+        }
     }
+
+    return result;
 }
 
 int bdrv_has_zero_init(BlockDriverState *bs)
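Review bot: bdrv_flush_all() now returns the first error while still flushing the remaining devices, but that contract is stated only in the commit message. Put it in a comment above the definition, or at the prototype in block.h where the existing comment covers only bdrv_flush(), so callers know that a negative result does not mean the loop stopped early.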
diff --git a/include/block/block.h b/include/block/block.h
index 1251c5c..4bc51d5 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -276,7 +276,7 @@ void bdrv_clear_incoming_migration_all(void);
 /* Ensure contents are flushed to disk.  */
 int bdrv_flush(BlockDriverState *bs);
 int coroutine_fn bdrv_co_flush(BlockDriverState *bs);
-void bdrv_flush_all(void);
+int bdrv_flush_all(void);
 void bdrv_close_all(void);
 void bdrv_drain_all(void);
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 33/56] cpus: Add return value for vm_stop()
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (31 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 32/56] block: Add return value for bdrv_flush_all() Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 34/56] cpus: Let vm_stop[_force_state]() always flush block devices Michael Roth
                   ` (23 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

If flushing the block devices fails, return an error. The VM is stopped
anyway.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 5698346391b306c2c84358c68ee897c095d714cc)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 cpus.c                  |   20 +++++++++++++-------
 include/sysemu/sysemu.h |    4 ++--
 stubs/vm-stop.c         |    2 +-
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/cpus.c b/cpus.c
index c232265..2a2f633 100644
--- a/cpus.c
+++ b/cpus.c
@@ -437,17 +437,21 @@ bool cpu_is_stopped(CPUState *cpu)
     return !runstate_is_running() || cpu->stopped;
 }
 
-static void do_vm_stop(RunState state)
+static int do_vm_stop(RunState state)
 {
+    int ret = 0;
+
     if (runstate_is_running()) {
         cpu_disable_ticks();
         pause_all_vcpus();
         runstate_set(state);
         vm_state_notify(0, state);
         bdrv_drain_all();
-        bdrv_flush_all();
+        ret = bdrv_flush_all();
         monitor_protocol_event(QEVENT_STOP, NULL);
     }
+
+    return ret;
 }
 
 static bool cpu_can_run(CPUState *cpu)
@@ -1093,7 +1097,7 @@ void cpu_stop_current(void)
     }
 }
 
-void vm_stop(RunState state)
+int vm_stop(RunState state)
 {
     if (qemu_in_vcpu_thread()) {
         qemu_system_vmstop_request(state);
@@ -1102,19 +1106,21 @@ void vm_stop(RunState state)
          * vm_stop() has been requested.
          */
         cpu_stop_current();
-        return;
+        return 0;
     }
-    do_vm_stop(state);
+
+    return do_vm_stop(state);
 }
 
 /* does a state transition even if the VM is already stopped,
    current state is forgotten forever */
-void vm_stop_force_state(RunState state)
+int vm_stop_force_state(RunState state)
 {
     if (runstate_is_running()) {
-        vm_stop(state);
+        return vm_stop(state);
     } else {
         runstate_set(state);
+        return 0;
     }
 }
 
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index 2fb71af..b5e1add 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -35,8 +35,8 @@ void vm_state_notify(int running, RunState state);
 #define VMRESET_REPORT   true
 
 void vm_start(void);
-void vm_stop(RunState state);
-void vm_stop_force_state(RunState state);
+int vm_stop(RunState state);
+int vm_stop_force_state(RunState state);
 
 typedef enum WakeupReason {
     QEMU_WAKEUP_REASON_OTHER = 0,
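Review bot: the new `int vm_stop(RunState state);` and `int vm_stop_force_state(RunState state);` prototypes carry no comment on the return value. In cpus.c, vm_stop() returns 0 on the vCPU-thread path, where the stop is only requested and no flush has run yet, so 0 does not always mean the data was flushed; the header should say so, or callers will read it as a durability guarantee.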
diff --git a/stubs/vm-stop.c b/stubs/vm-stop.c
index 4568935..f82c897 100644
--- a/stubs/vm-stop.c
+++ b/stubs/vm-stop.c
@@ -1,7 +1,7 @@
 #include "qemu-common.h"
 #include "sysemu/sysemu.h"
 
-void vm_stop(RunState state)
+int vm_stop(RunState state)
 {
     abort();
 }
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 34/56] cpus: Let vm_stop[_force_state]() always flush block devices
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (32 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 33/56] cpus: Add return value for vm_stop() Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 35/56] megasas: Legacy command line handling fix Michael Roth
                   ` (22 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Even if the VM is already stopped, we cannot assume that all data has
already been successfully flushed to disk. The flush during the previous
vm_stop() could have failed.

Run bdrv_flush_all() unconditionally so that we get an error each time
if the block device isn't really flushed.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 594a45ce64dbef1829996403506a1154eb2fd1cc)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 cpus.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/cpus.c b/cpus.c
index 2a2f633..65b0b0e 100644
--- a/cpus.c
+++ b/cpus.c
@@ -446,11 +446,12 @@ static int do_vm_stop(RunState state)
         pause_all_vcpus();
         runstate_set(state);
         vm_state_notify(0, state);
-        bdrv_drain_all();
-        ret = bdrv_flush_all();
         monitor_protocol_event(QEVENT_STOP, NULL);
     }
 
+    bdrv_drain_all();
+    ret = bdrv_flush_all();
+
     return ret;
 }
 
@@ -1120,7 +1121,9 @@ int vm_stop_force_state(RunState state)
         return vm_stop(state);
     } else {
         runstate_set(state);
-        return 0;
+        /* Make sure to return an error if the flush in a previous vm_stop()
+         * failed. */
+        return bdrv_flush_all();
     }
 }
 
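Review bot: The else branch of vm_stop_force_state() calls bdrv_flush_all() without the bdrv_drain_all() that precedes it in do_vm_stop(). If requests can still be in flight while the VM is stopped, the flush result here may not cover them; either drain first for symmetry or extend the comment to say why draining is unnecessary on this path.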
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 35/56] megasas: Legacy command line handling fix
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (33 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 34/56] cpus: Let vm_stop[_force_state]() always flush block devices Michael Roth
@ 2013-08-13 15:10 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 36/56] gtk: don't use g_object_unref on GdkCursor Michael Roth
                   ` (21 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Only apply legacy command line handling when the device has not been
hot-plugged. Propagate failure of legacy command line handling.

Cc: qemu-stable@nongnu.org
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 22d6aa03fd87ba5f219d26bc1810646d0f95842a)

Conflicts:

	hw/scsi/megasas.c

* modified to avoid dependency on fancy new upcast macros

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/megasas.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 4934a81..27288b9 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -2088,6 +2088,7 @@ static const struct SCSIBusInfo megasas_scsi_info = {
 
 static int megasas_scsi_init(PCIDevice *dev)
 {
+    DeviceState *d = DEVICE(dev);
     MegasasState *s = DO_UPCAST(MegasasState, dev, dev);
     uint8_t *pci_conf;
     int i, bar_type;
@@ -2160,7 +2161,9 @@ static int megasas_scsi_init(PCIDevice *dev)
     }
 
     scsi_bus_new(&s->bus, &dev->qdev, &megasas_scsi_info, NULL);
-    scsi_bus_legacy_handle_cmdline(&s->bus);
+    if (!d->hotplugged) {
+        return scsi_bus_legacy_handle_cmdline(&s->bus);
+    }
     return 0;
 }
 
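Review bot: In the second hunk, d is introduced only to read d->hotplugged, while the line above already reaches the same DeviceState as &dev->qdev; reading dev->qdev.hotplugged would drop the extra local and the DEVICE() cast. It is also worth confirming that returning the scsi_bus_legacy_handle_cmdline() result directly leaves nothing set up earlier in megasas_scsi_init() that would need to be undone on failure.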
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 36/56] gtk: don't use g_object_unref on GdkCursor
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (34 preceding siblings ...)
  2013-08-13 15:10 ` [Qemu-devel] [PATCH 35/56] megasas: Legacy command line handling fix Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 37/56] gtk: Fix compiler warning (GTK 3 deprecated function) Michael Roth
                   ` (20 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Anthony Liguori <aliguori@us.ibm.com>

It's not a GObject.

Cc: Gerd Hoffman <kraxel@redhat.com>
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
v1 -> v2
 - Fix summary to agree with code (Peter)
(cherry picked from commit 171392406d8e230d62e5ebf4805f71460854b8ec)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 ui/gtk.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/gtk.c b/ui/gtk.c
index a788cc0..41942cb 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -377,7 +377,7 @@ static void gd_cursor_define(DisplayChangeListener *dcl,
                                         pixbuf, c->hot_x, c->hot_y);
     gdk_window_set_cursor(gtk_widget_get_window(s->drawing_area), cursor);
     g_object_unref(pixbuf);
-    g_object_unref(cursor);
+    gdk_cursor_unref(cursor);
 }
 
 static void gd_switch(DisplayChangeListener *dcl,
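Review bot: gdk_cursor_unref(cursor) is called in gd_cursor_define() with no GTK version guard, and the following patch in this series shows the call is flagged as deprecated in favour of g_object_unref under GTK 3, which breaks a -Werror build. Consider folding the GTK_CHECK_VERSION conditional into this change so the tree builds at every commit, and expand the one-line commit message to say which GTK version the statement applies to.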
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 37/56] gtk: Fix compiler warning (GTK 3 deprecated function)
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (35 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 36/56] gtk: don't use g_object_unref on GdkCursor Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 38/56] dataplane: refuse to start if device is already in use Michael Roth
                   ` (19 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Stefan Weil <sw@weilnetz.de>

With GTK 3, the function gdk_cursor_unref is deprecated:

qemu/ui/gtk.c: In function ‘gd_cursor_define’:
qemu/ui/gtk.c:380:5: error:
 ‘gdk_cursor_unref’ is deprecated (declared at /usr/include/gtk-3.0/gdk/gdkcursor.h:233): Use 'g_object_unref' instead [-Werror=deprecated-declarations]

Fix the gcc compiler warning by using conditional compilation.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-id: 1371391987-10795-1-git-send-email-sw@weilnetz.de
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 030b4b7debf659dcd6fc66826564285fdce5057d)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 ui/gtk.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/gtk.c b/ui/gtk.c
index 41942cb..abd0c4c 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -377,7 +377,11 @@ static void gd_cursor_define(DisplayChangeListener *dcl,
                                         pixbuf, c->hot_x, c->hot_y);
     gdk_window_set_cursor(gtk_widget_get_window(s->drawing_area), cursor);
     g_object_unref(pixbuf);
+#if !GTK_CHECK_VERSION(3, 0, 0)
     gdk_cursor_unref(cursor);
+#else
+    g_object_unref(cursor);
+#endif
 }
 
 static void gd_switch(DisplayChangeListener *dcl,
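Review bot: The conditional is written negative-first (#if !GTK_CHECK_VERSION(3, 0, 0)), which reads less directly than testing for GTK 3 and putting g_object_unref(cursor) in the first branch. A one-line comment that the cursor must be released with gdk_cursor_unref on GTK 2 would also stop a later cleanup from collapsing the two branches back into a single g_object_unref call.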
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 38/56] dataplane: refuse to start if device is already in use
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (36 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 37/56] gtk: Fix compiler warning (GTK 3 deprecated function) Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 39/56] xhci: handle USB_RET_IOERROR Michael Roth
                   ` (18 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Dataplane must check whether a block device is in use before launching
the dataplane thread.  This is necessary since the thread does not
synchronize with the main loop and I/O requests could cause corruption.

One example is when a drive is added and a block job is started before
hotplugging the virtio-blk-pci adapter.  In this case we must not use
dataplane mode.

Cc: qemu-stable@nongnu.org
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit b0f2027cde31c645524256763672e09eeb204a9a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/block/dataplane/virtio-blk.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c
index 0356665..a58cc53 100644
--- a/hw/block/dataplane/virtio-blk.c
+++ b/hw/block/dataplane/virtio-blk.c
@@ -418,6 +418,14 @@ bool virtio_blk_data_plane_create(VirtIODevice *vdev, VirtIOBlkConf *blk,
         return false;
     }
 
+    /* If dataplane is (re-)enabled while the guest is running there could be
+     * block jobs that can conflict.
+     */
+    if (bdrv_in_use(blk->conf.bs)) {
+        error_report("cannot start dataplane thread while device is in use");
+        return false;
+    }
+
     fd = raw_get_aio_fd(blk->conf.bs);
     if (fd < 0) {
         error_report("drive is incompatible with x-data-plane, "
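Review bot: The bdrv_in_use(blk->conf.bs) test in virtio_blk_data_plane_create() is check-only: nothing in this hunk marks the device as in use once dataplane has been created, so a block job started after this point is not excluded by the change. If the dataplane thread cannot coexist with block jobs, pair the check with a bdrv_set_in_use() claim held for the lifetime of the dataplane, or say in the comment where that exclusion is enforced. The error_report() text could also name the drive.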
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 39/56] xhci: handle USB_RET_IOERROR
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (37 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 38/56] dataplane: refuse to start if device is already in use Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 40/56] qemu-char: Register ring buffer driver with correct name "ringbuf" Michael Roth
                   ` (17 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=980377

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit ed60ff024fdb0e7ca9c002af166e10683cf49805)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-xhci.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 8813bdf..632ede8 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1707,6 +1707,7 @@ static int xhci_complete_packet(XHCITransfer *xfer)
     trace_usb_xhci_xfer_error(xfer, xfer->packet.status);
     switch (xfer->packet.status) {
     case USB_RET_NODEV:
+    case USB_RET_IOERROR:
         xfer->status = CC_USB_TRANSACTION_ERROR;
         xhci_xfer_report(xfer);
         xhci_stall_ep(xfer);
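Review bot: The commit message is only a Bugzilla URL, so the log does not record why USB_RET_IOERROR should share the USB_RET_NODEV path in xhci_complete_packet(). The new case reports CC_USB_TRANSACTION_ERROR and then calls xhci_stall_ep(xfer); a sentence on what happened before this case existed, and on why stalling the endpoint is the right response to an I/O error, would make the fix reviewable without the external tracker.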
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 40/56] qemu-char: Register ring buffer driver with correct name "ringbuf"
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (38 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 39/56] xhci: handle USB_RET_IOERROR Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 41/56] qapi: Rename ChardevBackend member "memory" to "ringbuf" Michael Roth
                   ` (16 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Markus Armbruster <armbru@redhat.com>

The driver is new in 1.4, with the documented name "ringbuf".
However, its actual name is the completely undocumented "memory".
Screwed up in commit 3949e59.  Fix code to match documentation.

Keep the undocumented name working as an alias for compatibility.

Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1374849874-25531-3-git-send-email-armbru@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c11ed9666d69abaf217c8800f299c519b487b7d3)

Conflicts:

	qemu-char.c

* removed dependency on command-line specifiable mux (bb6fb7c0)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/qemu-char.c b/qemu-char.c
index b8ffcba..c6c4c6b 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -3764,7 +3764,7 @@ static void register_types(void)
     register_char_driver_qapi("null", CHARDEV_BACKEND_KIND_NULL, NULL);
     register_char_driver("socket", qemu_chr_open_socket);
     register_char_driver("udp", qemu_chr_open_udp);
-    register_char_driver_qapi("memory", CHARDEV_BACKEND_KIND_MEMORY,
+    register_char_driver_qapi("ringbuf", CHARDEV_BACKEND_KIND_MEMORY,
                               qemu_chr_parse_ringbuf);
     register_char_driver_qapi("file", CHARDEV_BACKEND_KIND_FILE,
                               qemu_chr_parse_file_out);
@@ -3782,6 +3782,9 @@ static void register_types(void)
     register_char_driver_qapi("console", CHARDEV_BACKEND_KIND_CONSOLE, NULL);
     register_char_driver_qapi("pipe", CHARDEV_BACKEND_KIND_PIPE,
                               qemu_chr_parse_pipe);
+    /* Bug-compatibility: */
+    register_char_driver_qapi("memory", CHARDEV_BACKEND_KIND_MEMORY,
+                              qemu_chr_parse_ringbuf);
 }
 
 type_init(register_types);
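Review bot: The /* Bug-compatibility: */ comment above the "memory" registration does not say what it is compatible with. Spell out that "memory" is the undocumented name the driver was registered under before this fix and is kept as an alias for "ringbuf", so it is clear the entry is deliberate and can be found when the alias is retired.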
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 41/56] qapi: Rename ChardevBackend member "memory" to "ringbuf"
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (39 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 40/56] qemu-char: Register ring buffer driver with correct name "ringbuf" Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 42/56] virtio-console: Use exitfn for virtserialport, too Michael Roth
                   ` (15 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Commit 1da48c6 called the new member "memory" after commit 3949e59
standardized "ringbuf".  Rename for consistency.

However, member name "memory" is visible in QMP since 1.5.  It's
undocumented just like the driver name.  Keep it working anyway.

Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1374849874-25531-4-git-send-email-armbru@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3a1da42eb35a67d0dbc899dd571ea386fa11c4dd)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qapi-schema.json |    6 ++++--
 qemu-char.c      |   11 ++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/qapi-schema.json b/qapi-schema.json
index 9302e7d..1c8503a 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3288,9 +3288,9 @@
 ##
 # @ChardevRingbuf:
 #
-# Configuration info for memory chardevs
+# Configuration info for ring buffer chardevs.
 #
-# @size: #optional Ringbuffer size, must be power of two, default is 65536
+# @size: #optional ring buffer size, must be power of two, default is 65536
 #
 # Since: 1.5
 ##
@@ -3321,6 +3321,8 @@
                                        'spicevmc' : 'ChardevSpiceChannel',
                                        'spiceport' : 'ChardevSpicePort',
                                        'vc'     : 'ChardevVC',
+                                       'ringbuf': 'ChardevRingbuf',
+                                       # next one is just for compatibility
                                        'memory' : 'ChardevRingbuf' } }
 
 ##
diff --git a/qemu-char.c b/qemu-char.c
index c6c4c6b..c16aea1 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -3115,12 +3115,12 @@ static void qemu_chr_parse_ringbuf(QemuOpts *opts, ChardevBackend *backend,
 {
     int val;
 
-    backend->memory = g_new0(ChardevRingbuf, 1);
+    backend->ringbuf = g_new0(ChardevRingbuf, 1);
 
     val = qemu_opt_get_number(opts, "size", 0);
     if (val != 0) {
-        backend->memory->has_size = true;
-        backend->memory->size = val;
+        backend->ringbuf->has_size = true;
+        backend->ringbuf->size = val;
     }
 }
 
@@ -3713,8 +3713,9 @@ ChardevReturn *qmp_chardev_add(const char *id, ChardevBackend *backend,
     case CHARDEV_BACKEND_KIND_VC:
         chr = vc_init(backend->vc);
         break;
+    case CHARDEV_BACKEND_KIND_RINGBUF:
     case CHARDEV_BACKEND_KIND_MEMORY:
-        chr = qemu_chr_open_ringbuf(backend->memory, errp);
+        chr = qemu_chr_open_ringbuf(backend->ringbuf, errp);
         break;
     default:
         error_setg(errp, "unknown chardev backend (%d)", backend->kind);
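Review bot: In qmp_chardev_add(), the CHARDEV_BACKEND_KIND_MEMORY case now reads backend->ringbuf, although a backend of that kind is the one described by the 'memory' member in qapi-schema.json. That only works if the two ChardevRingbuf members occupy the same storage in ChardevBackend; add a comment stating that assumption next to the shared case labels, or select backend->memory for the MEMORY kind, so a later change to the generated type does not turn this into a read of the wrong member.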
@@ -3764,7 +3765,7 @@ static void register_types(void)
     register_char_driver_qapi("null", CHARDEV_BACKEND_KIND_NULL, NULL);
     register_char_driver("socket", qemu_chr_open_socket);
     register_char_driver("udp", qemu_chr_open_udp);
-    register_char_driver_qapi("ringbuf", CHARDEV_BACKEND_KIND_MEMORY,
+    register_char_driver_qapi("ringbuf", CHARDEV_BACKEND_KIND_RINGBUF,
                               qemu_chr_parse_ringbuf);
     register_char_driver_qapi("file", CHARDEV_BACKEND_KIND_FILE,
                               qemu_chr_parse_file_out);
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 42/56] virtio-console: Use exitfn for virtserialport, too
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (40 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 41/56] qapi: Rename ChardevBackend member "memory" to "ringbuf" Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 43/56] pci-bridge: update mappings for migration/restore Michael Roth
                   ` (14 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

virtconsole and virtserialport are identical in every other aspect
except for the distinguishing VirtIOSerialPortClass::is_console field.

Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Message-id: 1375313326-14966-1-git-send-email-afaerber@suse.de
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 203439ce0a832e36b276f10892846bd91ee836eb)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/char/virtio-console.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/char/virtio-console.c b/hw/char/virtio-console.c
index 6759e51..2e00ad2 100644
--- a/hw/char/virtio-console.c
+++ b/hw/char/virtio-console.c
@@ -185,6 +185,7 @@ static void virtserialport_class_init(ObjectClass *klass, void *data)
     VirtIOSerialPortClass *k = VIRTIO_SERIAL_PORT_CLASS(klass);
 
     k->init = virtconsole_initfn;
+    k->exit = virtconsole_exitfn;
     k->have_data = flush_buf;
     k->set_guest_connected = set_guest_connected;
     dc->props = virtserialport_properties;
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 43/56] pci-bridge: update mappings for migration/restore
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (41 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 42/56] virtio-console: Use exitfn for virtserialport, too Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 44/56] xhci: fix segfault Michael Roth
                   ` (13 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Don Koch <dkoch@verizon.com>

Fix for LP#1187529: Devices on PCI bridge stop working when
live-migrated. Update bridge mappings for all PCI bridge
devices in get_pci_config_device().

Signed-off-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit e78e9ae4a933504d383703870d491615b0261801)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pci.c                |    5 +++++
 hw/pci/pci_bridge.c         |    2 +-
 include/hw/pci/pci_bridge.h |    1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index d5257ed..26995d7 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -373,6 +373,7 @@ int pci_bus_num(PCIBus *s)
 static int get_pci_config_device(QEMUFile *f, void *pv, size_t size)
 {
     PCIDevice *s = container_of(pv, PCIDevice, config);
+    PCIDeviceClass *pc = PCI_DEVICE_GET_CLASS(s);
     uint8_t *config;
     int i;
 
@@ -390,6 +391,10 @@ static int get_pci_config_device(QEMUFile *f, void *pv, size_t size)
     memcpy(s->config, config, size);
 
     pci_update_mappings(s);
+    if (pc->is_bridge) {
+        PCIBridge *b = container_of(s, PCIBridge, dev);
+        pci_bridge_update_mappings(b);
+    }
 
     memory_region_set_enabled(&s->bus_master_enable_region,
                               pci_get_word(s->config + PCI_COMMAND)
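Review bot: The new block in get_pci_config_device() goes from pc->is_bridge straight to container_of(s, PCIBridge, dev), which is only valid if every device class that sets is_bridge embeds its PCIDevice as the dev member of a PCIBridge. This runs on the load path right after the incoming config bytes are copied into s->config, so the cast deserves either a comment stating that invariant or a checked cast. pci_bridge_update_mappings() also becomes an exported function in the later hunks without a comment on when callers are expected to invoke it.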
diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index 24be6c5..3897bd8 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -224,7 +224,7 @@ static void pci_bridge_region_cleanup(PCIBridge *br, PCIBridgeWindows *w)
     g_free(w);
 }
 
-static void pci_bridge_update_mappings(PCIBridge *br)
+void pci_bridge_update_mappings(PCIBridge *br)
 {
     PCIBridgeWindows *w = br->windows;
 
diff --git a/include/hw/pci/pci_bridge.h b/include/hw/pci/pci_bridge.h
index 1868f7a..1d8f997 100644
--- a/include/hw/pci/pci_bridge.h
+++ b/include/hw/pci/pci_bridge.h
@@ -37,6 +37,7 @@ PCIBus *pci_bridge_get_sec_bus(PCIBridge *br);
 pcibus_t pci_bridge_get_base(const PCIDevice *bridge, uint8_t type);
 pcibus_t pci_bridge_get_limit(const PCIDevice *bridge, uint8_t type);
 
+void pci_bridge_update_mappings(PCIBridge *br);
 void pci_bridge_write_config(PCIDevice *d,
                              uint32_t address, uint32_t val, int len);
 void pci_bridge_disable_base_limit(PCIDevice *dev);
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 44/56] xhci: fix segfault
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (42 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 43/56] pci-bridge: update mappings for migration/restore Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 45/56] chardev: fix CHR_EVENT_OPENED events for mux chardevs Michael Roth
                   ` (12 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

Guest trying to reset an endpoint of a disconnected device resulted in
xhci trying to dereference uport while being NULL, thereby crashing
qemu.  Fix that by adding a check.  Drop unused dev variable while
touching that code bit.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 75cc1c1fcba1987bdf3979c4289ab756c2b15742)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-xhci.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 632ede8..d88c1ae 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1395,7 +1395,6 @@ static TRBCCode xhci_reset_ep(XHCIState *xhci, unsigned int slotid,
 {
     XHCISlot *slot;
     XHCIEPContext *epctx;
-    USBDevice *dev;
 
     trace_usb_xhci_ep_reset(slotid, epid);
     assert(slotid >= 1 && slotid <= xhci->numslots);
@@ -1431,8 +1430,8 @@ static TRBCCode xhci_reset_ep(XHCIState *xhci, unsigned int slotid,
         ep |= 0x80;
     }
 
-    dev = xhci->slots[slotid-1].uport->dev;
-    if (!dev) {
+    if (!xhci->slots[slotid-1].uport ||
+        !xhci->slots[slotid-1].uport->dev) {
         return CC_USB_TRANSACTION_ERROR;
     }
 
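Review bot: The NULL check in xhci_reset_ep() spells out xhci->slots[slotid-1] twice, while an XHCISlot *slot local is already declared at the top of the function (visible in the first hunk's context). If slot points at this entry by this stage, testing slot->uport and slot->uport->dev is shorter and harder to get out of step; otherwise take a local for the uport. A brief comment that uport is NULL for a disconnected device would record why the first test exists.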
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 45/56] chardev: fix CHR_EVENT_OPENED events for mux chardevs
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (43 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 44/56] xhci: fix segfault Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 46/56] seccomp: add arch_prctl() to the syscall whitelist Michael Roth
                   ` (11 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

As of bd5c51ee6c4f1c79cae5ad2516d711a27b4ea8ec, chardevs no longer use
bottom-halves to issue CHR_EVENT_OPENED events. To maintain past
semantics, we instead defer the CHR_EVENT_OPENED events toward the end
of chardev initialization.

For muxes, this isn't good enough, since a range of FEs must be able
to attach to the mux prior to any CHR_EVENT_OPENED being issued, else
each FE will immediately print its initial output (prompts, banners,
etc.) just prior to us switching to the next FE as part of
initialization.

This is new and confusing behavior for users, as they'll see output for
things like the HMP monitor, even though the current mux focus
may be a guest serial port with potentially no output.

We fix this by further deferring CHR_EVENT_OPENED events for FEs
associated with muxes until after machine init by flagging mux chardevs
with 'explicit_be_open', which suppresses emission of CHR_EVENT_OPENED
events until we explicitly set the mux as opened later.

Currently, we must defer till after machine init since we potentially
associate FEs with muxes as part of realize (for instance,
serial_isa_realizefn).

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Message-id: 1375207462-8141-1-git-send-email-mdroth@linux.vnet.ibm.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7b7ab18d0b9769b5f39e663fa55caed461b1202e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/sysemu/char.h |    1 +
 qemu-char.c           |   50 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)

diff --git a/include/sysemu/char.h b/include/sysemu/char.h
index 066c216..ac2aaaf 100644
--- a/include/sysemu/char.h
+++ b/include/sysemu/char.h
@@ -77,6 +77,7 @@ struct CharDriverState {
     int explicit_fe_open;
     int explicit_be_open;
     int avail_connections;
+    int is_mux;
     QemuOpts *opts;
     QTAILQ_ENTRY(CharDriverState) next;
 };
diff --git a/qemu-char.c b/qemu-char.c
index c16aea1..dbb574d 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -478,6 +478,46 @@ static void mux_chr_update_read_handler(CharDriverState *chr)
     mux_chr_send_event(d, d->focus, CHR_EVENT_MUX_IN);
 }
 
+static bool muxes_realized;
+
+/**
+ * Called after processing of default and command-line-specified
+ * chardevs to deliver CHR_EVENT_OPENED events to any FEs attached
+ * to a mux chardev. This is done here to ensure that
+ * output/prompts/banners are only displayed for the FE that has
+ * focus when initial command-line processing/machine init is
+ * completed.
+ *
+ * After this point, any new FE attached to any new or existing
+ * mux will receive CHR_EVENT_OPENED notifications for the BE
+ * immediately.
+ */
+static void muxes_realize_done(Notifier *notifier, void *unused)
+{
+    CharDriverState *chr;
+
+    QTAILQ_FOREACH(chr, &chardevs, next) {
+        if (chr->is_mux) {
+            MuxDriver *d = chr->opaque;
+            int i;
+
+            /* send OPENED to all already-attached FEs */
+            for (i = 0; i < d->mux_cnt; i++) {
+                mux_chr_send_event(d, i, CHR_EVENT_OPENED);
+            }
+            /* mark mux as OPENED so any new FEs will immediately receive
+             * OPENED event
+             */
+            qemu_chr_be_generic_open(chr);
+        }
+    }
+    muxes_realized = true;
+}
+
+static Notifier muxes_realize_notify = {
+    .notify = muxes_realize_done,
+};
+
 static CharDriverState *qemu_chr_open_mux(CharDriverState *drv)
 {
     CharDriverState *chr;
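Review bot: muxes_realize_done() sends CHR_EVENT_OPENED to every attached FE through mux_chr_send_event() and then calls qemu_chr_be_generic_open(chr) on the same mux. Please confirm the second call only marks the mux as opened and cannot deliver OPENED to an already-notified FE a second time, since duplicate banners and prompts are the symptom this patch is meant to remove. muxes_realized is also a file-scope flag that is set once and never cleared, which the doc comment could state.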
@@ -494,6 +534,11 @@ static CharDriverState *qemu_chr_open_mux(CharDriverState *drv)
     chr->chr_accept_input = mux_chr_accept_input;
     /* Frontend guest-open / -close notification is not support with muxes */
     chr->chr_set_fe_open = NULL;
+    /* only default to opened state if we've realized the initial
+     * set of muxes
+     */
+    chr->explicit_be_open = muxes_realized ? 0 : 1;
+    chr->is_mux = 1;
 
     return chr;
 }
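Review bot: chr->explicit_be_open = muxes_realized ? 0 : 1; in qemu_chr_open_mux() is a roundabout way to write !muxes_realized. The comment above it describes the opened case while the assignment sets the deferred flag, so rewording it along the lines of "defer OPENED until the initial set of muxes has been realized" would match what the line does.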
@@ -3786,6 +3831,11 @@ static void register_types(void)
     /* Bug-compatibility: */
     register_char_driver_qapi("memory", CHARDEV_BACKEND_KIND_MEMORY,
                               qemu_chr_parse_ringbuf);
+    /* this must be done after machine init, since we register FEs with muxes
+     * as part of realize functions like serial_isa_realizefn when -nographic
+     * is specified
+     */
+    qemu_add_machine_init_done_notifier(&muxes_realize_notify);
 }
 
 type_init(register_types);
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 46/56] seccomp: add arch_prctl() to the syscall whitelist
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (44 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 45/56] chardev: fix CHR_EVENT_OPENED events for mux chardevs Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 47/56] seccomp: add additional asynchronous I/O syscalls Michael Roth
                   ` (10 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Paul Moore <pmoore@redhat.com>

It appears that even a very simple /etc/qemu-ifup configuration can
require the arch_prctl() syscall, see the example below:

	#!/bin/sh
	/sbin/ifconfig $1 0.0.0.0 up
	/usr/sbin/brctl addif <switch> $1

Signed-off-by: Paul Moore <pmoore@redhat.com>
Reviewed-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Message-id: 20130718135703.8247.19213.stgit@localhost
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit d2509b667caf482b6f827ff2645cbeb9b39ce29e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-seccomp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index ca123bf..a7fb139 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -232,7 +232,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(prlimit64), 241 },
     { SCMP_SYS(waitid), 241 },
     { SCMP_SYS(io_setup), 241 },
-    { SCMP_SYS(io_destroy), 241 }
+    { SCMP_SYS(io_destroy), 241 },
+    { SCMP_SYS(arch_prctl), 240 }
 };
 
 int seccomp_start(void)
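Review bot: The arch_prctl entry is added to seccomp_whitelist[] with no comment, and the only record of why it is needed (a shell-script /etc/qemu-ifup helper) lives in the commit message. Whitelist entries are hard to audit after the fact, so note the consumer next to the entry. The priority of 240 also differs from the 241 used by the neighbouring entries without explanation.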
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 59+ messages in thread

* [Qemu-devel] [PATCH 47/56] seccomp: add additional asynchronous I/O syscalls
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (45 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 46/56] seccomp: add arch_prctl() to the syscall whitelist Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 48/56] iov: handle EOF in iov_send_recv Michael Roth
                   ` (9 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Paul Moore <pmoore@redhat.com>

A previous commit, "seccomp: add the asynchronous I/O syscalls to the
whitelist", added several asynchronous I/O syscalls but left out the
io_submit() and io_cancel() syscalls.  This patch corrects this by
adding the two missing asynchronous I/O syscalls.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Reviewed-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Message-id: 20130715193201.943.4913.stgit@localhost
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 94113bd8a1d9acd05a879bc309cc659ace09e287)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-seccomp.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index a7fb139..9e91c73 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -33,6 +33,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(socketcall), 250 },
 #endif
     { SCMP_SYS(read), 249 },
+    { SCMP_SYS(io_submit), 249 },
     { SCMP_SYS(brk), 248 },
     { SCMP_SYS(clone), 247 },
     { SCMP_SYS(mmap), 247 },
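
Review bot: io_submit lands at priority 249 beside read, far from the
io_setup/io_destroy entries at 241 in the second hunk. If the high
priority reflects how often the call is made on the I/O path, say so in
a comment, so that someone auditing the whitelist for the AIO family
does not miss this entry.
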
@@ -231,6 +232,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(recvmmsg), 241 },
     { SCMP_SYS(prlimit64), 241 },
     { SCMP_SYS(waitid), 241 },
+    { SCMP_SYS(io_cancel), 241 },
     { SCMP_SYS(io_setup), 241 },
     { SCMP_SYS(io_destroy), 241 },
     { SCMP_SYS(arch_prctl), 240 }
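
Review bot: with io_cancel added here, the visible AIO entries are
io_setup, io_destroy, io_cancel and (in the first hunk) io_submit;
io_getevents appears in neither hunk's context. Please confirm it is
already whitelisted by the earlier commit, since a missing entry only
shows up at run time, when the filter rejects the call.
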
-- 
1.7.9.5


* [Qemu-devel] [PATCH 48/56] iov: handle EOF in iov_send_recv
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (46 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 47/56] seccomp: add additional asynchronous I/O syscalls Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 49/56] target-i386: Fix X86CPU error handling Michael Roth
                   ` (8 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>

Without this patch, iov_send_recv() never returns when do_send_recv()
returns zero.

Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 840042901710c2dc1a3ac3e5af9bed449c339701)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 util/iov.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/util/iov.c b/util/iov.c
index cc6e837..f705586 100644
--- a/util/iov.c
+++ b/util/iov.c
@@ -202,6 +202,12 @@ ssize_t iov_send_recv(int sockfd, struct iovec *iov, unsigned iov_cnt,
             return -1;
         }
 
+        if (ret == 0 && !do_send) {
+            /* recv returns 0 when the peer has performed an orderly
+             * shutdown. */
+            break;
+        }
+
         /* Prepare for the next iteration */
         offset += ret;
         total += ret;
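
Review bot: the new early exit covers only the receive side (!do_send),
so a send that returns 0 while bytes are still pending would keep
spinning in this loop as before. Either handle ret == 0 for both
directions or add a comment explaining why the send side cannot return
zero here. Also note that after the break the caller gets a short total
with no separate EOF indication, so callers that expect the full byte
count must treat a short return as end of stream.
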
-- 
1.7.9.5


* [Qemu-devel] [PATCH 49/56] target-i386: Fix X86CPU error handling
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (47 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 48/56] iov: handle EOF in iov_send_recv Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 50/56] ignore SIGPIPE in qemu-img and qemu-io Michael Roth
                   ` (7 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Andreas Färber <afaerber@suse.de>

Error **errp argument is not for emitting warnings, it means an error
has occurred and the caller should not make any assumptions about the
state of other return values (unless otherwise documented).

Therefore cpu_x86_create() must unref the new X86CPU itself, and
pc_new_cpu() must check for an Error rather than NULL return value.

While at it, clean up a superfluous NULL check.

Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
Cc: qemu-stable@nongnu.org
Cc: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit cd7b87ffe9b6b7b0089ec8c71555f3b942bc6daf)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/pc.c      |   13 ++++++-------
 target-i386/cpu.c |    6 +++++-
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index e2c44f8..a7ecfb0 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -902,20 +902,19 @@ static X86CPU *pc_new_cpu(const char *cpu_model, int64_t apic_id,
     X86CPU *cpu;
     Error *local_err = NULL;
 
-    cpu = cpu_x86_create(cpu_model, icc_bridge, errp);
-    if (!cpu) {
-        return cpu;
+    cpu = cpu_x86_create(cpu_model, icc_bridge, &local_err);
+    if (local_err != NULL) {
+        error_propagate(errp, local_err);
+        return NULL;
     }
 
     object_property_set_int(OBJECT(cpu), apic_id, "apic-id", &local_err);
     object_property_set_bool(OBJECT(cpu), true, "realized", &local_err);
 
     if (local_err) {
-        if (cpu != NULL) {
-            object_unref(OBJECT(cpu));
-            cpu = NULL;
-        }
         error_propagate(errp, local_err);
+        object_unref(OBJECT(cpu));
+        cpu = NULL;
     }
     return cpu;
 }
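
Review bot: in the unchanged context, object_property_set_int() and
object_property_set_bool() are both handed &local_err with no check in
between, so if setting apic-id fails the realize call still runs on the
half-configured CPU and is given an Error that is already set. Since
this patch tightens the Error handling of this function, check local_err
after the first call and skip the second on failure.
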
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index ae8e682..cdae1ce 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -1820,7 +1820,11 @@ X86CPU *cpu_x86_create(const char *cpu_model, DeviceState *icc_bridge,
     }
 
 out:
-    error_propagate(errp, error);
+    if (error != NULL) {
+        error_propagate(errp, error);
+        object_unref(OBJECT(cpu));
+        cpu = NULL;
+    }
     g_strfreev(model_pieces);
     return cpu;
 }
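
Review bot: the new error branch at out: calls object_unref(OBJECT(cpu))
unconditionally. The label is reached by gotos that are outside this
hunk; if any of them can run before cpu has been allocated, this
dereferences NULL on an error path. Either keep an "if (cpu != NULL)"
guard around the unref or confirm that every goto out happens after the
object has been created.
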
-- 
1.7.9.5


* [Qemu-devel] [PATCH 50/56] ignore SIGPIPE in qemu-img and qemu-io
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (48 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 49/56] target-i386: Fix X86CPU error handling Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 51/56] semaphore: fix a hangup problem under load on NetBSD hosts Michael Roth
                   ` (6 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>

This prevents the tools from being stopped when they write data to a
closed connection in the other side.

Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 526eda14a68d5b3596be715505289b541288ef2a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-img.c |    4 ++++
 qemu-io.c  |    4 ++++
 2 files changed, 8 insertions(+)

diff --git a/qemu-img.c b/qemu-img.c
index cd096a1..2189fc9 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -2460,6 +2460,10 @@ int main(int argc, char **argv)
     const img_cmd_t *cmd;
     const char *cmdname;
 
+#ifdef CONFIG_POSIX
+    signal(SIGPIPE, SIG_IGN);
+#endif
+
     error_set_progname(argv[0]);
 
     qemu_init_main_loop();
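
Review bot: once SIGPIPE is ignored in main(), a write to a closed pipe
or socket no longer terminates the tool but fails with EPIPE, so
correctness now depends on every write path checking its return value;
that includes output printed to stdout when the tool is used in a
pipeline. The ignored disposition is also inherited by anything the
process later execs. The hunk adds no #include <signal.h>, so please
confirm that an existing header provides it.
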
diff --git a/qemu-io.c b/qemu-io.c
index 475a8bd..5045ff8 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1920,6 +1920,10 @@ int main(int argc, char **argv)
     int opt_index = 0;
     int flags = BDRV_O_UNMAP;
 
+#ifdef CONFIG_POSIX
+    signal(SIGPIPE, SIG_IGN);
+#endif
+
     progname = basename(argv[0]);
 
     while ((c = getopt_long(argc, argv, sopt, lopt, &opt_index)) != -1) {
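
Review bot: this is the same four-line block as in qemu-img.c. A small
shared helper called from both main() functions would keep the two tools
from drifting apart if the signal setup changes later (for example to
sigaction()).
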
-- 
1.7.9.5


* [Qemu-devel] [PATCH 51/56] semaphore: fix a hangup problem under load on NetBSD hosts.
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (49 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 50/56] ignore SIGPIPE in qemu-img and qemu-io Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 52/56] Bugfix for loading multiboot kernels Michael Roth
                   ` (5 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Izumi Tsutsui <tsutsui@ceres.dti.ne.jp>

Fix following bugs in "fallback implementation of counting semaphores
with mutex+condvar" added in c166cb72f1676855816340666c3b618beef4b976:
 - waiting threads are not restarted properly if more than one thread
   is waiting for unblock signals in qemu_sem_timedwait()
 - possible missing pthread_cond_signal(3) calls when waiting threads
   are returned by ETIMEDOUT
 - fix an uninitialized variable
The problem is analyzed by and fix is provided by Noriyuki Soda.

Also put additional cleanup suggested by Laszlo Ersek:
 - make QemuSemaphore.count unsigned (it won't be negative)
 - check a return value of pthread_cond_wait() in qemu_sem_wait()

Signed-off-by: Izumi Tsutsui <tsutsui@ceres.dti.ne.jp>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 1372841894-10634-1-git-send-email-tsutsui@ceres.dti.ne.jp
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 79761c6681f0d1cc1c027116fcb4382d41ed3ece)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/qemu/thread-posix.h |    2 +-
 util/qemu-thread-posix.c    |   28 ++++++++++++++++------------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/include/qemu/thread-posix.h b/include/qemu/thread-posix.h
index 0f30dcc..361566a 100644
--- a/include/qemu/thread-posix.h
+++ b/include/qemu/thread-posix.h
@@ -15,7 +15,7 @@ struct QemuSemaphore {
 #if defined(__APPLE__) || defined(__NetBSD__)
     pthread_mutex_t lock;
     pthread_cond_t cond;
-    int count;
+    unsigned int count;
 #else
     sem_t sem;
 #endif
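
Review bot: with count now unsigned, any signed test on it that remains
elsewhere in the fallback implementation (such as "count < 0") becomes
always false without a compile error. Please grep for all users of
QemuSemaphore.count and build once with -Wtype-limits to catch leftover
comparisons.
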
diff --git a/util/qemu-thread-posix.c b/util/qemu-thread-posix.c
index 4489abf..4de133e 100644
--- a/util/qemu-thread-posix.c
+++ b/util/qemu-thread-posix.c
@@ -170,12 +170,11 @@ void qemu_sem_post(QemuSemaphore *sem)
 
 #if defined(__APPLE__) || defined(__NetBSD__)
     pthread_mutex_lock(&sem->lock);
-    if (sem->count == INT_MAX) {
+    if (sem->count == UINT_MAX) {
         rc = EINVAL;
-    } else if (sem->count++ < 0) {
-        rc = pthread_cond_signal(&sem->cond);
     } else {
-        rc = 0;
+        sem->count++;
+        rc = pthread_cond_signal(&sem->cond);
     }
     pthread_mutex_unlock(&sem->lock);
     if (rc != 0) {
@@ -207,19 +206,21 @@ int qemu_sem_timedwait(QemuSemaphore *sem, int ms)
     struct timespec ts;
 
 #if defined(__APPLE__) || defined(__NetBSD__)
+    rc = 0;
     compute_abs_deadline(&ts, ms);
     pthread_mutex_lock(&sem->lock);
-    --sem->count;
-    while (sem->count < 0) {
+    while (sem->count == 0) {
         rc = pthread_cond_timedwait(&sem->cond, &sem->lock, &ts);
         if (rc == ETIMEDOUT) {
-            ++sem->count;
             break;
         }
         if (rc != 0) {
             error_exit(rc, __func__);
         }
     }
+    if (rc != ETIMEDOUT) {
+        --sem->count;
+    }
     pthread_mutex_unlock(&sem->lock);
     return (rc == ETIMEDOUT ? -1 : 0);
 #else
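
Review bot: in qemu_sem_timedwait() the ETIMEDOUT branch breaks out of
the loop without looking at sem->count again. pthread_cond_timedwait()
reacquires the mutex before returning, so a qemu_sem_post() can have
raised count in the meantime; the caller is then told -1 although a
token is available, and if that post's pthread_cond_signal() was
delivered to this thread, another waiter stays blocked until the next
post or its own timeout. Consider letting the "while (sem->count == 0)"
test decide after a timeout and reporting -1 only when count is still
zero.
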
@@ -249,16 +250,19 @@ int qemu_sem_timedwait(QemuSemaphore *sem, int ms)
 
 void qemu_sem_wait(QemuSemaphore *sem)
 {
+    int rc;
+
 #if defined(__APPLE__) || defined(__NetBSD__)
     pthread_mutex_lock(&sem->lock);
-    --sem->count;
-    while (sem->count < 0) {
-        pthread_cond_wait(&sem->cond, &sem->lock);
+    while (sem->count == 0) {
+        rc = pthread_cond_wait(&sem->cond, &sem->lock);
+        if (rc != 0) {
+            error_exit(rc, __func__);
+        }
     }
+    --sem->count;
     pthread_mutex_unlock(&sem->lock);
 #else
-    int rc;
-
     do {
         rc = sem_wait(&sem->sem);
     } while (rc == -1 && errno == EINTR);
-- 
1.7.9.5


* [Qemu-devel] [PATCH 52/56] Bugfix for loading multiboot kernels
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (50 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 51/56] semaphore: fix a hangup problem under load on NetBSD hosts Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 53/56] i82801b11: Fix i82801b11 PCI host bridge config space Michael Roth
                   ` (4 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Martijn van den Broek <martijn.vdbrk@gmail.com>

This patch fixes a bug in rom_copy introduced by
commit d60fa42e8bae39440f997ebfe8fe328269a57d16.

rom_copy failed to load roms with a "datasize" of 0.
As a result, multiboot kernels were not loaded correctly
when they contain a segment with a "file size" of 0.

https://bugs.launchpad.net/qemu/+bug/1208944

Signed-off-by: Martijn van den Broek <martijn.vdbrk@gmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: CAG1x_oET1u3TMPu3r_zzd3ZXsTWQLiaM0zAc+RkHFCwvJjGOvg@mail.gmail.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0dd5ce38fbeb2fb97b01cc8c1c97292211e48ee6)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/core/loader.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index 7507914..8514eaf 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -779,9 +779,6 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
         if (rom->addr > end) {
             break;
         }
-        if (!rom->data) {
-            continue;
-        }
 
         d = dest + (rom->addr - addr);
         s = rom->data;
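
Review bot: with the "!rom->data" skip removed, s can now be NULL for
the rest of the loop body. The only protection is the "l > 0" test added
in the next hunk, which relies on every ROM without data also having a
length of zero. Make that assumption explicit, for example by testing s
together with l before the copy, so that a ROM entry with a NULL data
pointer and a non-zero datasize cannot reach memcpy().
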
@@ -791,7 +788,9 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
             l = dest - d;
         }
 
-        memcpy(d, s, l);
+        if (l > 0) {
+            memcpy(d, s, l);
+        }
 
         if (rom->romsize > rom->datasize) {
             /* If datasize is less than romsize, it means that we didn't
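
Review bot: the new "l > 0" guard sits right after the clamp
"l = dest - d;" in the context above. When d lies beyond dest that
difference is not positive, and whether the guard catches it depends on
the signedness of l, which this hunk does not show; with an unsigned l
the value wraps and memcpy() is called with a huge length. Please check
the type of l and the clamp expression while touching this code.
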
-- 
1.7.9.5


* [Qemu-devel] [PATCH 53/56] i82801b11: Fix i82801b11 PCI host bridge config space
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (51 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 52/56] Bugfix for loading multiboot kernels Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 54/56] dataplane: sync virtio.c and vring.c virtqueue state Michael Roth
                   ` (3 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

pci_bridge_write_config() was not being used.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 4965b7f056177ddfb816319e9ff5e766898d0bc5)

Conflicts:

	hw/pci-bridge/i82801b11.c

* modified to avoid dependency on 125ee0ed

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci-bridge/i82801b11.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/pci-bridge/i82801b11.c b/hw/pci-bridge/i82801b11.c
index 5807a92..0841531 100644
--- a/hw/pci-bridge/i82801b11.c
+++ b/hw/pci-bridge/i82801b11.c
@@ -87,6 +87,7 @@ static void i82801b11_bridge_class_init(ObjectClass *klass, void *data)
     k->device_id = PCI_DEVICE_ID_INTEL_82801BA_11;
     k->revision = ICH9_D2P_A2_REVISION;
     k->init = i82801b11_bridge_initfn;
+    k->config_write = pci_bridge_write_config;
 }
 
 static const TypeInfo i82801b11_bridge_info = {
-- 
1.7.9.5


* [Qemu-devel] [PATCH 54/56] dataplane: sync virtio.c and vring.c virtqueue state
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (52 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 53/56] i82801b11: Fix i82801b11 PCI host bridge config space Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 55/56] virtio: clear signalled_used_valid when switching from dataplane Michael Roth
                   ` (2 subsequent siblings)
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Load the virtio.c state into vring.c when we start dataplane mode and
vice versa when stopping dataplane mode.  This patch makes it possible
to start and stop dataplane any time while the guest is running.

This will eventually allow us to go back to QEMU main loop for
bdrv_drain_all() and live migration.  In the meantime, this patch makes
the dataplane lifecycle more robust but should make no visible
difference.  It may be useful in the virtio-net dataplane effort.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 9154b02c53bb6685797c973fcdbec51c4714777d)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/block/dataplane/virtio-blk.c     |    2 +-
 hw/virtio/dataplane/vring.c         |    8 +++++---
 include/hw/virtio/dataplane/vring.h |    2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c
index a58cc53..fb70645 100644
--- a/hw/block/dataplane/virtio-blk.c
+++ b/hw/block/dataplane/virtio-blk.c
@@ -545,7 +545,7 @@ void virtio_blk_data_plane_stop(VirtIOBlockDataPlane *s)
     /* Clean up guest notifier (irq) */
     k->set_guest_notifiers(qbus->parent, 1, false);
 
-    vring_teardown(&s->vring);
+    vring_teardown(&s->vring, s->vdev, 0);
     s->started = false;
     s->stopping = false;
 }
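
Review bot: the queue index is passed as a literal 0 in
vring_teardown(&s->vring, s->vdev, 0). It has to match the index given
to vring_setup() when the data plane was started, otherwise
last_avail_idx is written back to the wrong virtqueue. Use one named
constant (or a field in s) for both calls.
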
diff --git a/hw/virtio/dataplane/vring.c b/hw/virtio/dataplane/vring.c
index e0d6e83..82cc151 100644
--- a/hw/virtio/dataplane/vring.c
+++ b/hw/virtio/dataplane/vring.c
@@ -39,8 +39,8 @@ bool vring_setup(Vring *vring, VirtIODevice *vdev, int n)
 
     vring_init(&vring->vr, virtio_queue_get_num(vdev, n), vring_ptr, 4096);
 
-    vring->last_avail_idx = 0;
-    vring->last_used_idx = 0;
+    vring->last_avail_idx = virtio_queue_get_last_avail_idx(vdev, n);
+    vring->last_used_idx = vring->vr.used->idx;
     vring->signalled_used = 0;
     vring->signalled_used_valid = false;
 
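
Review bot: last_avail_idx is taken from the device model's own state,
but last_used_idx is read from vring->vr.used->idx, which lives in the
ring memory shared with the guest. A guest can put any value there
before the data plane starts. Add a comment on why the ring copy is the
right source here and what the data plane does if the value is
inconsistent with last_avail_idx.
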
@@ -49,8 +49,10 @@ bool vring_setup(Vring *vring, VirtIODevice *vdev, int n)
     return true;
 }
 
-void vring_teardown(Vring *vring)
+void vring_teardown(Vring *vring, VirtIODevice *vdev, int n)
 {
+    virtio_queue_set_last_avail_idx(vdev, n, vring->last_avail_idx);
+
     hostmem_finalize(&vring->hostmem);
 }
 
diff --git a/include/hw/virtio/dataplane/vring.h b/include/hw/virtio/dataplane/vring.h
index 9380cb5..c0b69ff 100644
--- a/include/hw/virtio/dataplane/vring.h
+++ b/include/hw/virtio/dataplane/vring.h
@@ -50,7 +50,7 @@ static inline void vring_set_broken(Vring *vring)
 }
 
 bool vring_setup(Vring *vring, VirtIODevice *vdev, int n);
-void vring_teardown(Vring *vring);
+void vring_teardown(Vring *vring, VirtIODevice *vdev, int n);
 void vring_disable_notification(VirtIODevice *vdev, Vring *vring);
 bool vring_enable_notification(VirtIODevice *vdev, Vring *vring);
 bool vring_should_notify(VirtIODevice *vdev, Vring *vring);
-- 
1.7.9.5


* [Qemu-devel] [PATCH 55/56] virtio: clear signalled_used_valid when switching from dataplane
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (53 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 54/56] dataplane: sync virtio.c and vring.c virtqueue state Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 56/56] vhost: clear signalled_used_valid on vhost stop Michael Roth
  2013-08-14  4:05 ` [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Doug Goldstein
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

When the dataplane thread stops, its vring.c implementation synchronizes
vring state back to virtio.c so we can continue emulating the virtio
device.

This patch ensures that virtio.c's signalled_used_valid flag is reset so
that we do not suppress guest notifications due to stale signalled_used
values.

Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6793dfd1b6a99a79b9f2e3c4d6625ccd6513f240)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/dataplane/vring.c |    1 +
 hw/virtio/virtio.c          |    5 +++++
 include/hw/virtio/virtio.h  |    1 +
 3 files changed, 7 insertions(+)

diff --git a/hw/virtio/dataplane/vring.c b/hw/virtio/dataplane/vring.c
index 82cc151..351a343 100644
--- a/hw/virtio/dataplane/vring.c
+++ b/hw/virtio/dataplane/vring.c
@@ -52,6 +52,7 @@ bool vring_setup(Vring *vring, VirtIODevice *vdev, int n)
 void vring_teardown(Vring *vring, VirtIODevice *vdev, int n)
 {
     virtio_queue_set_last_avail_idx(vdev, n, vring->last_avail_idx);
+    virtio_queue_invalidate_signalled_used(vdev, n);
 
     hostmem_finalize(&vring->hostmem);
 }
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 8176c14..a5251cb 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1025,6 +1025,11 @@ void virtio_queue_set_last_avail_idx(VirtIODevice *vdev, int n, uint16_t idx)
     vdev->vq[n].last_avail_idx = idx;
 }
 
+void virtio_queue_invalidate_signalled_used(VirtIODevice *vdev, int n)
+{
+    vdev->vq[n].signalled_used_valid = false;
+}
+
 VirtQueue *virtio_get_queue(VirtIODevice *vdev, int n)
 {
     return vdev->vq + n;
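
Review bot: virtio_queue_invalidate_signalled_used() indexes vdev->vq[n]
with a signed int n and no range check, as the setter above it does. The
callers in this series pass an index they already use for the same
queue, but as an exported helper it should at least assert that n is
within the device's queue count.
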
diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
index a6c5c53..f2aa6a3 100644
--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
@@ -233,6 +233,7 @@ hwaddr virtio_queue_get_used_size(VirtIODevice *vdev, int n);
 hwaddr virtio_queue_get_ring_size(VirtIODevice *vdev, int n);
 uint16_t virtio_queue_get_last_avail_idx(VirtIODevice *vdev, int n);
 void virtio_queue_set_last_avail_idx(VirtIODevice *vdev, int n, uint16_t idx);
+void virtio_queue_invalidate_signalled_used(VirtIODevice *vdev, int n);
 VirtQueue *virtio_get_queue(VirtIODevice *vdev, int n);
 uint16_t virtio_get_queue_index(VirtQueue *vq);
 int virtio_queue_get_id(VirtQueue *vq);
-- 
1.7.9.5


* [Qemu-devel] [PATCH 56/56] vhost: clear signalled_used_valid on vhost stop
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (54 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 55/56] virtio: clear signalled_used_valid when switching from dataplane Michael Roth
@ 2013-08-13 15:11 ` Michael Roth
  2013-08-14  4:05 ` [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Doug Goldstein
  56 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-13 15:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: aliguori, qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

When vhost device stops, its implementation synchronizes kernel state
back to virtio.c so we can continue emulating the device
in userspace.

This patch ensures that virtio.c's signalled_used_valid flag is reset so
that userspace does not suppress guest notifications due to stale
signalled_used values.

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 3561ba14188b3c1e54246ed6db97896bbc082d2f)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/vhost.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index fbabf99..0dabf26 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -761,6 +761,7 @@ static void vhost_virtqueue_stop(struct vhost_dev *dev,
         fflush(stderr);
     }
     virtio_queue_set_last_avail_idx(vdev, idx, state.num);
+    virtio_queue_invalidate_signalled_used(vdev, idx);
     assert (r >= 0);
     cpu_physical_memory_unmap(vq->ring, virtio_queue_get_ring_size(vdev, idx),
                               0, virtio_queue_get_ring_size(vdev, idx));
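
Review bot: the "assert (r >= 0)" still comes after state.num has been
passed to virtio_queue_set_last_avail_idx(), and now also after the new
invalidate call. If the preceding call failed, state.num may not hold a
valid index, and the assert is the only thing stopping the device from
continuing with it; in a build with NDEBUG it disappears. Test r before
consuming state.num and handle the failure explicitly.
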
-- 
1.7.9.5


* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.5.3, freeze on 2013-08-16
  2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth
                   ` (55 preceding siblings ...)
  2013-08-13 15:11 ` [Qemu-devel] [PATCH 56/56] vhost: clear signalled_used_valid on vhost stop Michael Roth
@ 2013-08-14  4:05 ` Doug Goldstein
  2013-08-14 15:02   ` Michael Roth
  56 siblings, 1 reply; 59+ messages in thread
From: Doug Goldstein @ 2013-08-14  4:05 UTC (permalink / raw)
  To: Michael Roth; +Cc: aliguori, qemu-devel, qemu-stable

On Tue, Aug 13, 2013 at 10:10 AM, Michael Roth
<mdroth@linux.vnet.ibm.com> wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.5.3:
>
> https://github.com/mdroth/qemu/commits/stable-1.5-staging
>
> The release is planned for 2013-08-21:
>
> http://wiki.qemu.org/Planning/1.5
>
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release. The cut-off date is
> 2013-08-16 for new patches.

Potentially:

commit 0f953051178f2e3df36efa5158a71f33d35fa812
Author: Markus Armbruster <armbru@redhat.com>
Date:   Thu Jun 27 16:22:07 2013 +0200

    qemu-char: Fix ringbuf option size

    Any attempt to use it trips an "opt->desc->type == QEMU_OPT_NUMBER"
    assertion.  Broken in commit 1da48c65.

    Cc: qemu-stable@nongnu.org
    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>

-- 
Doug Goldstein


* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.5.3, freeze on 2013-08-16
  2013-08-14  4:05 ` [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Doug Goldstein
@ 2013-08-14 15:02   ` Michael Roth
  0 siblings, 0 replies; 59+ messages in thread
From: Michael Roth @ 2013-08-14 15:02 UTC (permalink / raw)
  To: Doug Goldstein; +Cc: aliguori, qemu-devel, qemu-stable

Quoting Doug Goldstein (2013-08-13 23:05:31)
> On Tue, Aug 13, 2013 at 10:10 AM, Michael Roth
> <mdroth@linux.vnet.ibm.com> wrote:
> > Hi everyone,
> >
> > The following new patches are queued for QEMU stable v1.5.3:
> >
> > https://github.com/mdroth/qemu/commits/stable-1.5-staging
> >
> > The release is planned for 2013-08-21:
> >
> > http://wiki.qemu.org/Planning/1.5
> >
> > Please respond here or CC qemu-stable@nongnu.org on any patches you
> > think should be included in the release. The cut-off date is
> > 2013-08-16 for new patches.
> 
> Potentially:

Definitely :) Slipped by me, applied now.

> 
> commit 0f953051178f2e3df36efa5158a71f33d35fa812
> Author: Markus Armbruster <armbru@redhat.com>
> Date:   Thu Jun 27 16:22:07 2013 +0200
> 
>     qemu-char: Fix ringbuf option size
> 
>     Any attempt to use it trips an "opt->desc->type == QEMU_OPT_NUMBER"
>     assertion.  Broken in commit 1da48c65.
> 
>     Cc: qemu-stable@nongnu.org
>     Signed-off-by: Markus Armbruster <armbru@redhat.com>
>     Reviewed-by: Eric Blake <eblake@redhat.com>
>     Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> 
> -- 
> Doug Goldstein


2013-08-13 15:11 ` [Qemu-devel] [PATCH 56/56] vhost: clear signalled_used_valid on vhost stop Michael Roth
2013-08-14  4:05 ` [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Doug Goldstein
2013-08-14 15:02   ` Michael Roth
