* [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
@ 2013-09-25 12:57 Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 01/38] block: ensure bdrv_drain_all() works during bdrv_delete() Michael Roth
                   ` (42 more replies)
  0 siblings, 43 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Hi everyone,

The following new patches are queued for QEMU stable v1.6.1:

https://github.com/mdroth/qemu/commits/stable-1.6-staging

The release is planned for 2013-10-02:

http://wiki.qemu.org/Planning/1.6

Please respond here or CC qemu-stable@nongnu.org on any patches you
think should be included in the release. The cut-off date is
2013-09-30 for new patches.

Testing/feedback is greatly appreciated.

Thanks!

Andrea Arcangeli (1):
      exec: always use MADV_DONTFORK

Andreas Färber (1):
      gdbstub: Fix gdb_register_coprocessor() register counting

Anthony PERARD (2):
      pc: Initializing ram_memory under Xen.
      pc_q35: Initialize Xen.

Anton Blanchard (1):
      pseries: Fix stalls on hypervisor virtual console

Aurelien Jarno (3):
      target-ppc: fix bit extraction for FPBF and FPL
      ne2000: mark I/O as LITTLE_ENDIAN
      pcnet-pci: mark I/O and MMIO as LITTLE_ENDIAN

Cole Robinson (1):
      qapi-types.py: Fix enum struct sizes on i686

Gerd Hoffmann (7):
      xhci: fix endpoint interval calculation
      Revert "usb-hub: report status changes only once"
      xhci: reset port when disabling slot
      usb: parallelize usb3 streams
      ehci: save device pointer in EHCIState
      qxl: fix local renderer
      chardev: fix pty_chr_timer

Hervé Poussineau (1):
      adlib: sort offsets in portio registration

Hu Tao (1):
      exec: check offset_within_address_space for register subpage

Jan Kiszka (5):
      memory: Provide separate handling of unassigned io ports accesses
      Revert "memory: Return -1 again on reads from unsigned regions"
      kvmvapic: Catch invalid ROM size
      kvmvapic: Enter inactive state on hardware reset
      kvmvapic: Clear also physical ROM address when entering INACTIVE state

Marcel Apfelbaum (1):
      usb/dev-hid: Modified usb-tablet category from Misc to Input

Markus Armbruster (1):
      scsi: Fix scsi_bus_legacy_add_drive() scsi-generic with serial

Michael R. Hines (1):
      rdma: silly ipv6 bugfix

Michael S. Tsirkin (2):
      pc: fix regression for 64 bit PCI memory
      virtio_pci: fix level interrupts with irqfd

Paolo Bonzini (5):
      block: expect errors from bdrv_co_is_allocated
      target-i386: fix disassembly with PAE=1, PG=0
      exec: fix writing to MMIO area with non-power-of-two length
      blockdev: do not default cache.no-flush to true
      virtio-blk: do not relay a previous driver's WCE configuration to the current

Peter Maydell (1):
      scripts/qapi.py: Avoid syntax not supported by Python 2.4

Stefan Hajnoczi (1):
      block: ensure bdrv_drain_all() works during bdrv_delete()

Stefan Weil (2):
      w32: Fix access to host devices (regression)
      tci: Fix qemu-alpha on 32 bit hosts (wrong assertions)

yinyin (1):
      virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table

 block.c                        |   11 +++++++----
 block/cow.c                    |    6 +++++-
 block/qcow2.c                  |    4 +---
 block/raw-win32.c              |   36 +++++++++++++++++++++++++++++-------
 block/stream.c                 |    2 +-
 blockdev.c                     |    2 +-
 exec.c                         |    9 +++++++--
 gdbstub.c                      |    6 ++++--
 hw/audio/adlib.c               |    2 +-
 hw/block/virtio-blk.c          |   24 ++++++++++++++++++++++--
 hw/char/spapr_vty.c            |    2 ++
 hw/display/qxl-render.c        |   15 ++++++++++-----
 hw/i386/kvmvapic.c             |   17 ++++++++++++-----
 hw/i386/pc_piix.c              |    2 +-
 hw/i386/pc_q35.c               |    5 +++++
 hw/net/ne2000.c                |    2 +-
 hw/net/pcnet-pci.c             |    4 ++--
 hw/pci-host/piix.c             |    9 ++++++---
 hw/pci-host/q35.c              |    8 +++++---
 hw/scsi/scsi-bus.c             |    2 +-
 hw/usb/core.c                  |    7 ++++---
 hw/usb/dev-hid.c               |    2 +-
 hw/usb/dev-hub.c               |    6 +-----
 hw/usb/hcd-ehci.c              |    7 +++----
 hw/usb/hcd-ehci.h              |    1 +
 hw/usb/hcd-xhci.c              |    3 ++-
 hw/virtio/virtio-pci.c         |    3 +--
 hw/virtio/virtio.c             |    2 +-
 include/exec/ioport.h          |    4 ++++
 include/hw/i386/pc.h           |   11 ++++++++++-
 include/hw/virtio/virtio-blk.h |    1 +
 include/hw/xen/xen.h           |    4 +---
 include/qom/cpu.h              |    2 ++
 ioport.c                       |   16 ++++++++++++++++
 memory.c                       |    2 +-
 migration-rdma.c               |    8 +++++---
 qemu-char.c                    |   12 ++++--------
 qemu-img.c                     |   16 ++++++++++++++--
 qemu-io-cmds.c                 |    4 ++++
 qom/cpu.c                      |    2 +-
 scripts/qapi-types.py          |    5 ++++-
 scripts/qapi.py                |    2 +-
 target-i386/helper.c           |   34 ++++++++++++++++------------------
 target-ppc/translate.c         |    4 ++--
 tci.c                          |   12 ------------
 xen-all.c                      |    7 ++++---
 xen-stub.c                     |    2 +-
 47 files changed, 228 insertions(+), 119 deletions(-)

^ permalink raw reply	[flat|nested] 51+ messages in thread

* [Qemu-devel] [PATCH 01/38] block: ensure bdrv_drain_all() works during bdrv_delete()
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

In bdrv_delete() make sure to call bdrv_make_anon() *after* bdrv_close()
so that the device is still seen by bdrv_drain_all() when iterating
bdrv_states.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit e1b5c52e04d04bb93546c6e37e8884889d047cb1)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/block.c b/block.c
index 01b66d8..d5ce8d3 100644
--- a/block.c
+++ b/block.c
@@ -1606,11 +1606,11 @@ void bdrv_delete(BlockDriverState *bs)
     assert(!bs->job);
     assert(!bs->in_use);
 
+    bdrv_close(bs);
+
     /* remove from list, if necessary */
     bdrv_make_anon(bs);
 
-    bdrv_close(bs);
-
     g_free(bs);
 }
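Review bot: the ordering is the whole fix, but nothing in the hunk records why bdrv_close() now has to come first, and the next tidy-up could swap the two calls back. Suggest a one-line comment above bdrv_close(bs), along the lines of /* close first: bdrv_close() may drain, and bdrv_drain_all() must still find bs in bdrv_states */, so the dependency on bdrv_make_anon() running afterwards is explicit in the code rather than only in this commit message.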
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 02/38] gdbstub: Fix gdb_register_coprocessor() register counting
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Andreas Färber <afaerber@suse.de>

Commit a0e372f0c49ac01faeaeb73a6e8f50e8ac615f34 reorganized the register
counting for GDB. While it seems correct not to let the total number of
registers skyrocket in an SMP scenario through a static variable, the
distinction between total register count and 'g' packet register count
(last_reg vs. num_g_regs) got lost along the way.

Fix this by introducing CPUState::gdb_num_g_regs and using that in
gdb_handle_packet().

Reported-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org (stable-1.6)
Tested-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Tested-by: Max Filippov <jcmvbkbc@gmail.com>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 35143f0164e6933a85c7c2b8a89a040d881a9151)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 gdbstub.c         |    6 ++++--
 include/qom/cpu.h |    2 ++
 qom/cpu.c         |    2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/gdbstub.c b/gdbstub.c
index 1af25a6..9d067d6 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -621,6 +621,8 @@ void gdb_register_coprocessor(CPUState *cpu,
         if (g_pos != s->base_reg) {
             fprintf(stderr, "Error: Bad gdb register numbering for '%s'\n"
                     "Expected %d got %d\n", xml, g_pos, s->base_reg);
+        } else {
+            cpu->gdb_num_g_regs = cpu->gdb_num_regs;
         }
     }
 }
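Review bot: gdb_num_g_regs is updated only on the else branch, so when the numbering check fails the function prints the error and leaves gdb_num_g_regs at its previous value. If the intended fallback is that a mis-numbered coprocessor leaves the 'g' packet at the core register set, a comment saying so would help; otherwise the mismatch should probably be fatal or propagated to the caller, since it means gdb and the stub disagree about the register layout and every 'g'/'G' exchange after this point will be misaligned.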
@@ -902,7 +904,7 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
     case 'g':
         cpu_synchronize_state(s->g_cpu);
         len = 0;
-        for (addr = 0; addr < s->g_cpu->gdb_num_regs; addr++) {
+        for (addr = 0; addr < s->g_cpu->gdb_num_g_regs; addr++) {
             reg_size = gdb_read_register(s->g_cpu, mem_buf + len, addr);
             len += reg_size;
         }
@@ -914,7 +916,7 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
         registers = mem_buf;
         len = strlen(p) / 2;
         hextomem((uint8_t *)registers, p, len);
-        for (addr = 0; addr < s->g_cpu->gdb_num_regs && len > 0; addr++) {
+        for (addr = 0; addr < s->g_cpu->gdb_num_g_regs && len > 0; addr++) {
             reg_size = gdb_write_register(s->g_cpu, registers, addr);
             len -= reg_size;
             registers += reg_size;
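Review bot: not introduced by this patch, but the lines above decode len = strlen(p) / 2 bytes of a remote-supplied 'G' packet into mem_buf through hextomem() with no bound against the size of mem_buf visible in the hunk. The new gdb_num_g_regs limit only bounds the register write loop, not the hex decode that precedes it, so it is worth confirming that the caller caps packet length, or adding a len <= sizeof(mem_buf) check here, before trusting a debugger connection that may be listening on a TCP port.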
diff --git a/include/qom/cpu.h b/include/qom/cpu.h
index 0d6e95c..3e49936 100644
--- a/include/qom/cpu.h
+++ b/include/qom/cpu.h
@@ -152,6 +152,7 @@ struct kvm_run;
  * @current_tb: Currently executing TB.
  * @gdb_regs: Additional GDB registers.
  * @gdb_num_regs: Number of total registers accessible to GDB.
+ * @gdb_num_g_regs: Number of registers in GDB 'g' packets.
  * @next_cpu: Next CPU sharing TB cache.
  * @kvm_fd: vCPU file descriptor for KVM.
  *
@@ -188,6 +189,7 @@ struct CPUState {
     struct TranslationBlock *current_tb;
     struct GDBRegisterState *gdb_regs;
     int gdb_num_regs;
+    int gdb_num_g_regs;
     CPUState *next_cpu;
 
     int kvm_fd;
diff --git a/qom/cpu.c b/qom/cpu.c
index aa95108..e71e57b 100644
--- a/qom/cpu.c
+++ b/qom/cpu.c
@@ -240,7 +240,7 @@ static void cpu_common_initfn(Object *obj)
     CPUState *cpu = CPU(obj);
     CPUClass *cc = CPU_GET_CLASS(obj);
 
-    cpu->gdb_num_regs = cc->gdb_num_core_regs;
+    cpu->gdb_num_regs = cpu->gdb_num_g_regs = cc->gdb_num_core_regs;
 }
 
 static int64_t cpu_common_get_arch_id(CPUState *cpu)
-- 
1.7.9.5
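An added example, not code from QEMU or from this patch, to show why the 'g' packet register count must be tracked separately from the total register count, and how a 'G' payload should be bounded before it is decoded. DemoCpu, demo_sizes, decode_G_packet() and regs_written() are constructed for this example; the two counters play the roles of gdb_num_regs and gdb_num_g_regs in the patch, but this is not QEMU's CPUState or its hextomem().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed CPU description for this example; the two counters play the
 * roles of gdb_num_regs and gdb_num_g_regs but this is not QEMU's CPUState. */
typedef struct {
    int num_regs;            /* every register GDB can address by number */
    int num_g_regs;          /* registers carried in a 'g' or 'G' packet */
    const uint8_t *reg_size; /* byte width of register i, for i < num_regs */
} DemoCpu;

/* three 32-bit core registers, then two 64-bit coprocessor registers that
 * are reachable through 'p'/'P' but are not part of the 'g' packet */
static const uint8_t demo_sizes[] = { 4, 4, 4, 8, 8 };
static const DemoCpu demo_cpu = { 5, 3, demo_sizes };

/* Bytes a 'g' reply carries: only the first num_g_regs registers. */
static size_t g_packet_bytes(const DemoCpu *cpu)
{
    size_t n = 0;
    for (int i = 0; i < cpu->num_g_regs; i++) {
        n += cpu->reg_size[i];
    }
    return n;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the payload of a 'G' packet into buf.  The remote-supplied length
 * is checked against both the caller's buffer and the exact g-packet size
 * before any byte is written.  Returns bytes written, or -1 on a bad packet. */
static int decode_G_packet(const DemoCpu *cpu, const char *hex,
                           uint8_t *buf, size_t bufsize)
{
    size_t want = g_packet_bytes(cpu);
    size_t n = strlen(hex);

    if (n % 2 != 0 || n / 2 != want || want > bufsize) {
        return -1;
    }
    for (size_t i = 0; i < want; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            return -1;
        }
        buf[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)want;
}

/* The 'G' register loop from the patch: consume len bytes one register at a
 * time, stopping after `limit` registers.  Returns the number of registers
 * written.  Passing num_regs as the limit, as the old code did, lets a long
 * payload spill into the coprocessor registers. */
static int regs_written(const DemoCpu *cpu, size_t len, int limit)
{
    int addr;
    for (addr = 0; addr < limit && len > 0; addr++) {
        size_t sz = cpu->reg_size[addr];
        len -= sz < len ? sz : len;
    }
    return addr;
}

/* Convenience wrapper around decode_G_packet() with a local buffer. */
static int demo_decode(const char *hex)
{
    uint8_t buf[32];
    return decode_G_packet(&demo_cpu, hex, buf, sizeof buf);
}

int main(void)
{
    const char *pkt = "0102030405060708090a0b0c";   /* 12 bytes: exactly 3 core regs */
    printf("g packet is %zu bytes; decoded %d bytes; %d registers written\n",
           g_packet_bytes(&demo_cpu), demo_decode(pkt),
           regs_written(&demo_cpu, 12, demo_cpu.num_g_regs));
    return 0;
}
```

With the 3+2 register layout, a 12-byte payload fills the three core registers; a 14-byte payload is rejected by decode_G_packet() rather than written past the g-packet boundary, and regs_written() with the old num_regs limit would have consumed a 28-byte payload into all five registers.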


* [Qemu-devel] [PATCH 03/38] target-ppc: fix bit extraction for FPBF and FPL
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Aurelien Jarno <aurelien@aurel32.net>

Bit extraction for the FP BF and L field of the MTFSFI and MTFSF
instructions is wrong and doesn't match the reference manual (which
explains the bit number in big endian format). It has been broken in
commit 7d08d85645def18eac2a9d672c1868a35e0bcf79.

This patch fixes this, which in turn fixes the problem reported by
Khem Raj about the floor() function of libm.

Reported-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
CC: qemu-stable@nongnu.org (1.6)
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 779f659021d1754117bce1aab9370dc22f37ae07)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-ppc/translate.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index f07d70d..41f4048 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -428,9 +428,9 @@ EXTRACT_HELPER(CRM, 12, 8);
 EXTRACT_HELPER(SR, 16, 4);
 
 /* mtfsf/mtfsfi */
-EXTRACT_HELPER(FPBF, 19, 3);
+EXTRACT_HELPER(FPBF, 23, 3);
 EXTRACT_HELPER(FPIMM, 12, 4);
-EXTRACT_HELPER(FPL, 21, 1);
+EXTRACT_HELPER(FPL, 25, 1);
 EXTRACT_HELPER(FPFLM, 17, 8);
 EXTRACT_HELPER(FPW, 16, 1);
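Review bot: the new values are right (ISA bits 6:8 of a 32-bit word are LSB-0 positions 23..25, and bit 6 on its own is position 25), but the hunk leaves the reader to redo that arithmetic, which is how the wrong values slipped in before. Suggest a comment on the mtfsf/mtfsfi block giving the big-endian field positions from the ISA, e.g. /* BF: bits 6-8, L: bit 6, FLM: bits 7-14, W: bit 15, U: bits 16-19 */, so each shift can be checked against 32 - msb - width at a glance.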
 
-- 
1.7.9.5
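An added example, not code from QEMU or from this patch, working the bit arithmetic behind the corrected shifts: it converts Power ISA big-endian field positions into the LSB-0 shift that EXTRACT_HELPER(name, shift, nb) expects, encodes an mtfsfi instruction the way the ISA lays it out, and decodes it with both the patched and the pre-patch FPBF shift. ppc_field_shift(), insert_field() and encode_mtfsfi() are constructed for this example and are not translate.c's helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* Power ISA numbers bits big-endian: bit 0 is the MSB of the 32-bit word.
 * EXTRACT_HELPER(name, shift, nb) in translate.c wants an LSB-0 shift, so a
 * field whose leftmost ISA bit is `msb` and which is `width` bits wide sits
 * at shift 32 - msb - width. */
static int ppc_field_shift(int msb, int width)
{
    return 32 - msb - width;
}

static uint32_t extract_field(uint32_t insn, int shift, int width)
{
    return (insn >> shift) & ((1u << width) - 1);
}

static uint32_t insert_field(uint32_t insn, int msb, int width, uint32_t val)
{
    int shift = ppc_field_shift(msb, width);
    uint32_t mask = ((1u << width) - 1) << shift;
    return (insn & ~mask) | ((val << shift) & mask);
}

/* Encode mtfsfi BF,U,W as the ISA lays it out: opcode 63 in bits 0-5,
 * BF in bits 6-8, W in bit 15, U in bits 16-19, XO 134 in bits 21-30. */
static uint32_t encode_mtfsfi(unsigned bf, unsigned u, unsigned w)
{
    uint32_t insn = 0;
    insn = insert_field(insn, 0, 6, 63);
    insn = insert_field(insn, 6, 3, bf);
    insn = insert_field(insn, 15, 1, w);
    insn = insert_field(insn, 16, 4, u);
    insn = insert_field(insn, 21, 10, 134);
    return insn;
}

/* Decoders using the shifts from the patched translate.c ... */
static unsigned decode_fpbf(uint32_t insn)  { return extract_field(insn, 23, 3); }
static unsigned decode_fpimm(uint32_t insn) { return extract_field(insn, 12, 4); }
static unsigned decode_fpw(uint32_t insn)   { return extract_field(insn, 16, 1); }
/* ... and the pre-patch FPBF shift, which reads bits mtfsfi leaves zero */
static unsigned decode_fpbf_old(uint32_t insn) { return extract_field(insn, 19, 3); }

/* Round trip: 1 if every field decodes to what was encoded. */
static int mtfsfi_roundtrip_ok(unsigned bf, unsigned u, unsigned w)
{
    uint32_t insn = encode_mtfsfi(bf, u, w);
    return decode_fpbf(insn) == bf && decode_fpimm(insn) == u && decode_fpw(insn) == w;
}

int main(void)
{
    uint32_t insn = encode_mtfsfi(5, 9, 0);
    printf("mtfsfi 5,9: insn=%08x BF=%u (pre-patch decoder reads %u)\n",
           insn, decode_fpbf(insn), decode_fpbf_old(insn));
    return 0;
}
```

ppc_field_shift() reproduces every value in the hunk (FPBF 23, FPL 25, FPFLM 17, FPW 16, FPIMM 12), and the old shift of 19 lands on the reserved bits between BF and W, which is why BF always decoded as 0.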


* [Qemu-devel] [PATCH 04/38] rdma: silly ipv6 bugfix
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael R. Hines" <mrhines@us.ibm.com>

My bad - but it's very important for us to warn the user that
IPv6 is broken on RoCE in linux right now, until linux releases
a fixed version.

Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit c89aa2f1851b08c3efa8a1070c0a6b9a36e1227f)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 migration-rdma.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/migration-rdma.c b/migration-rdma.c
index 3d1266f..f5e75d6 100644
--- a/migration-rdma.c
+++ b/migration-rdma.c
@@ -920,9 +920,11 @@ static int qemu_rdma_resolve_host(RDMAContext *rdma, Error **errp)
         ret = rdma_resolve_addr(rdma->cm_id, NULL, e->ai_dst_addr,
                 RDMA_RESOLVE_TIMEOUT_MS);
         if (!ret) {
-            ret = qemu_rdma_broken_ipv6_kernel(errp, rdma->cm_id->verbs);
-            if (ret) {
-                continue;
+            if (e->ai_family == AF_INET6) {
+                ret = qemu_rdma_broken_ipv6_kernel(errp, rdma->cm_id->verbs);
+                if (ret) {
+                    continue;
+                }
             }
             goto route;
         }
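Review bot: the `continue` after qemu_rdma_broken_ipv6_kernel() fails keeps iterating the address list, but errp has already been handed to that call. If it reports its failure through errp, a later entry that succeeds (goto route) returns with *errp set, and a later entry that fails and also reports through errp would violate the one-error-per-Error** convention. Consider collecting the IPv6 failure in a local Error * and propagating it only when no address resolves.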
-- 
1.7.9.5


* [Qemu-devel] [PATCH 05/38] scripts/qapi.py: Avoid syntax not supported by Python 2.4
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The Python "except Foo as x" syntax was only introduced in
Python 2.6, but we aim to support Python 2.4 and later.
Use the old-style "except Foo, x" syntax instead, thus
fixing configure/compile on systems with older Python.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit 21e0043bada1a24ae2ba6cd0051e104c0cbf9634)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/qapi.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/qapi.py b/scripts/qapi.py
index 0ebea94..1069310 100644
--- a/scripts/qapi.py
+++ b/scripts/qapi.py
@@ -161,7 +161,7 @@ class QAPISchema:
 def parse_schema(fp):
     try:
         schema = QAPISchema(fp)
-    except QAPISchemaError as e:
+    except QAPISchemaError, e:
         print >>sys.stderr, e
         exit(1)
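Review bot: the comma form restores Python 2.4 compatibility as intended, but it is a syntax error on Python 3, as is the print >>sys.stderr on the next line, so this file is now firmly Python-2-only. If scripts/qapi.py is expected to keep supporting 2.4, a comment at the top of the file (or in configure's Python version check) stating the supported range would stop the next contributor from reintroducing the `as` form.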
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 06/38] usb/dev-hid: Modified usb-tablet category from Misc to Input
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Marcel Apfelbaum <marcel.a@redhat.com>

usb-tablet device was wrongly assigned to Misc category

Reported-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 31efd2e883018b4c079ad082105bc161fbb3fef8)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/dev-hid.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
index 66c6331..5956720 100644
--- a/hw/usb/dev-hid.c
+++ b/hw/usb/dev-hid.c
@@ -658,7 +658,7 @@ static void usb_tablet_class_initfn(ObjectClass *klass, void *data)
     uc->product_desc   = "QEMU USB Tablet";
     dc->vmsd = &vmstate_usb_ptr;
     dc->props = usb_tablet_properties;
-    set_bit(DEVICE_CATEGORY_MISC, dc->categories);
+    set_bit(DEVICE_CATEGORY_INPUT, dc->categories);
 }
 
 static const TypeInfo usb_tablet_info = {
-- 
1.7.9.5


* [Qemu-devel] [PATCH 07/38] scsi: Fix scsi_bus_legacy_add_drive() scsi-generic with serial
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

scsi_bus_legacy_add_drive() creates either a scsi-disk or a
scsi-generic device.  It sets property "serial" to argument serial
unless null.  Crashes with scsi-generic, because it doesn't have such
a property.

Only usb_msd_initfn_storage() passes non-null serial.  Reproducer:

    $ qemu-system-x86_64 -nodefaults -display none -S -usb \
    -drive if=none,file=/dev/sg1,id=usb-drv0 \
    -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123
    qemu-system-x86_64: -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123: Property '.serial' not found
    Aborted (core dumped)

Fix by handling exactly like "removable": set the property only when
it exists.

Cc: qemu-stable@nongnu.org
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c24e7517ee4a98e90eee5f0f07708a1fa12326b3)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index fbf9173..8fe4f4c 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -224,7 +224,7 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv,
     if (object_property_find(OBJECT(dev), "removable", NULL)) {
         qdev_prop_set_bit(dev, "removable", removable);
     }
-    if (serial) {
+    if (serial && object_property_find(OBJECT(dev), "serial", NULL)) {
         qdev_prop_set_string(dev, "serial", serial);
     }
     if (qdev_prop_set_drive(dev, "drive", bdrv) < 0) {
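Review bot: the guard fixes the abort, but a serial= supplied for a scsi-generic backend is now silently dropped rather than rejected, so the command line from the commit message succeeds while ignoring the user's value. Mirroring "removable" is fine for the crash fix; consider at least a warning (error_report or similar) when serial is non-null and the property is absent, so a mis-configured device does not go unnoticed.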
-- 
1.7.9.5


* [Qemu-devel] [PATCH 08/38] pc: fix regression for 64 bit PCI memory
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

commit 398489018183d613306ab022653552247d93919f
    pc: limit 64 bit hole to 2G by default
introduced a way for management to control
the window allocated to the 64 bit PCI hole.

This is useful, but existing management tools do not know how to set
this property.  As a result, e.g. specifying a large ivshmem device with
size > 4G is broken by default.  For example this configuration no
longer works:

-device ivshmem,size=4294967296,chardev=cfoo
-chardev socket,path=/tmp/sock,id=cfoo,server,nowait

Fix this by detecting that hole size was not specified
and defaulting to the backwards-compatible value of 1 << 62.

Cc: qemu-stable@nongnu.org
Cc: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 1466cef32dd5e7ef3c6477e96d85d92302ad02e3)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci-host/piix.c   |    9 ++++++---
 hw/pci-host/q35.c    |    8 +++++---
 include/hw/i386/pc.h |   11 ++++++++++-
 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
index dc1718f..221d82b 100644
--- a/hw/pci-host/piix.c
+++ b/hw/pci-host/piix.c
@@ -320,6 +320,7 @@ PCIBus *i440fx_init(PCII440FXState **pi440fx_state,
     PCII440FXState *f;
     unsigned i;
     I440FXState *i440fx;
+    uint64_t pci_hole64_size;
 
     dev = qdev_create(NULL, TYPE_I440FX_PCI_HOST_BRIDGE);
     s = PCI_HOST_BRIDGE(dev);
@@ -351,13 +352,15 @@ PCIBus *i440fx_init(PCII440FXState **pi440fx_state,
                              pci_hole_start, pci_hole_size);
     memory_region_add_subregion(f->system_memory, pci_hole_start, &f->pci_hole);
 
+    pci_hole64_size = pci_host_get_hole64_size(i440fx->pci_hole64_size);
+
     pc_init_pci64_hole(&i440fx->pci_info, 0x100000000ULL + above_4g_mem_size,
-                       i440fx->pci_hole64_size);
+                       pci_hole64_size);
     memory_region_init_alias(&f->pci_hole_64bit, OBJECT(d), "pci-hole64",
                              f->pci_address_space,
                              i440fx->pci_info.w64.begin,
-                             i440fx->pci_hole64_size);
-    if (i440fx->pci_hole64_size) {
+                             pci_hole64_size);
+    if (pci_hole64_size) {
         memory_region_add_subregion(f->system_memory,
                                     i440fx->pci_info.w64.begin,
                                     &f->pci_hole_64bit);
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 12314d8..4febd24 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -320,6 +320,7 @@ static int mch_init(PCIDevice *d)
 {
     int i;
     MCHPCIState *mch = MCH_PCI_DEVICE(d);
+    uint64_t pci_hole64_size;
 
     /* setup pci memory regions */
     memory_region_init_alias(&mch->pci_hole, OBJECT(mch), "pci-hole",
@@ -329,13 +330,14 @@ static int mch_init(PCIDevice *d)
     memory_region_add_subregion(mch->system_memory, mch->below_4g_mem_size,
                                 &mch->pci_hole);
 
+    pci_hole64_size = pci_host_get_hole64_size(mch->pci_hole64_size);
     pc_init_pci64_hole(&mch->pci_info, 0x100000000ULL + mch->above_4g_mem_size,
-                       mch->pci_hole64_size);
+                       pci_hole64_size);
     memory_region_init_alias(&mch->pci_hole_64bit, OBJECT(mch), "pci-hole64",
                              mch->pci_address_space,
                              mch->pci_info.w64.begin,
-                             mch->pci_hole64_size);
-    if (mch->pci_hole64_size) {
+                             pci_hole64_size);
+    if (pci_hole64_size) {
         memory_region_add_subregion(mch->system_memory,
                                     mch->pci_info.w64.begin,
                                     &mch->pci_hole_64bit);
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index f79d478..475ba9e 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -106,7 +106,16 @@ PcGuestInfo *pc_guest_info_init(ram_addr_t below_4g_mem_size,
 #define PCI_HOST_PROP_PCI_HOLE64_START "pci-hole64-start"
 #define PCI_HOST_PROP_PCI_HOLE64_END   "pci-hole64-end"
 #define PCI_HOST_PROP_PCI_HOLE64_SIZE  "pci-hole64-size"
-#define DEFAULT_PCI_HOLE64_SIZE (1ULL << 31)
+#define DEFAULT_PCI_HOLE64_SIZE (~0x0ULL)
+
+static inline uint64_t pci_host_get_hole64_size(uint64_t pci_hole64_size)
+{
+    if (pci_hole64_size == DEFAULT_PCI_HOLE64_SIZE) {
+        return 1ULL << 62;
+    } else {
+        return pci_hole64_size;
+    }
+}
 
 void pc_init_pci64_hole(PcPciInfo *pci_info, uint64_t pci_hole64_start,
                         uint64_t pci_hole64_size);
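Review bot: DEFAULT_PCI_HOLE64_SIZE is now a sentinel (~0ULL) rather than a size, and pci_host_get_hole64_size() maps it to 1 << 62, but neither the macro nor the helper says so. A comment on the macro ("all-ones means unset; see pci_host_get_hole64_size()") would make the intent clear, and it is worth noting that a user who explicitly passes pci-hole64-size=0xffffffffffffffff gets the 1 << 62 default rather than an error.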
-- 
1.7.9.5


* [Qemu-devel] [PATCH 09/38] pseries: Fix stalls on hypervisor virtual console
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Anton Blanchard <anton@samba.org>

A number of users are reporting stalls when using the pseries
hypervisor virtual console.

A simple test case is to paste 15 or 17 characters at a time
into the console. Pasting 15 characters at a time works fine
but pasting 17 characters hangs for a random amount of time.
Other activity (network, qemu monitor etc) unblocks it.

If qemu-char tries to send more than 16 characters at once,
vty_can_receive returns false. At this point we have to
wait for the guest to consume that output. Everything is good
so far.

The problem occurs when the guest does consume the output.
We need to signal back to the qemu-char layer that we are
ready for more input. Without this we block until something
else kicks us (eg network activity).

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 7770b6f78a2d655e03852a5de238f5926c92be6a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/char/spapr_vty.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c
index a799721..9c2aef8 100644
--- a/hw/char/spapr_vty.c
+++ b/hw/char/spapr_vty.c
@@ -47,6 +47,8 @@ static int vty_getchars(VIOsPAPRDevice *sdev, uint8_t *buf, int max)
         buf[n++] = dev->buf[dev->out++ % VTERM_BUFSIZE];
     }
 
+    qemu_chr_accept_input(dev->chardev);
+
     return n;
 }
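Review bot: qemu_chr_accept_input() is called on every vty_getchars(), including when n == 0 and nothing was drained from dev->buf. That is harmless but makes the chardev layer re-poll on every empty read from the guest; gating the call on n > 0 (or on the buffer having been full before this call) would wake the chardev only when space was actually freed.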
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 10/38] virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: yinyin <yin.yin@cs2c.com.cn>

virtqueue_get_avail_bytes: when an indirect desc is found, we need to loop over it.
           /* loop over the indirect descriptor table */
           indirect = 1;
           max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
           num_bufs = i = 0;
           desc_pa = vring_desc_addr(desc_pa, i);
But it inits i to 0, then uses i to update desc_pa, so we will always get:
desc_pa = vring_desc_addr(desc_pa, 0);
The last two lines should be swapped.

Cc: qemu-stable@nongnu.org
Signed-off-by: Yin Yin <yin.yin@cs2c.com.cn>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 1ae2757c6c4525c9b42f408c86818f843bad7418)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index f03c45d..2f1e73b 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
             /* loop over the indirect descriptor table */
             indirect = 1;
             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
-            num_bufs = i = 0;
             desc_pa = vring_desc_addr(desc_pa, i);
+            num_bufs = i = 0;
         }
 
         do {
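Review bot: with the swap, desc_pa is now taken from the right descriptor, but max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc) is still derived from a guest-controlled length with no check visible in this hunk that it is non-zero, a multiple of sizeof(VRingDesc), or bounded by the queue size. If those checks live elsewhere, a comment pointing to them would help; otherwise a malformed indirect length lets the do loop below walk an arbitrarily long table of guest-chosen descriptors.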
-- 
1.7.9.5
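An added example, not code from QEMU or from this patch, that mirrors the chain walk in virtqueue_get_avail_bytes() over a constructed guest memory image. It replays the pre-patch ordering to show the indirect table being fetched from the wrong descriptor, and adds the checks a reviewer would want on the guest-controlled indirect length and on looping chains. GuestMem, RING, ITABLE, avail_bytes() and the sample_* helpers are constructed for this example; the descriptor layout and flag values are the virtio ring ones.

```c
#include <stdint.h>
#include <string.h>

#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_WRITE    2
#define VRING_DESC_F_INDIRECT 4
#define VIRTQUEUE_MAX_SIZE    1024

/* Same layout as a virtio ring descriptor: 16 bytes, no padding. */
typedef struct {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} VRingDesc;

/* Constructed "guest memory": a flat array in which addresses are offsets. */
typedef struct { uint8_t *base; size_t size; } GuestMem;
static uint8_t guest[4096];
#define RING   0x100   /* the queue's descriptor table, 4 entries */
#define ITABLE 0x200   /* indirect table referenced by RING entry 1 */

static int read_desc(const GuestMem *gm, uint64_t table, unsigned idx, VRingDesc *out)
{
    /* refuse any descriptor that would lie outside guest memory */
    if (table >= gm->size || idx >= (gm->size - table) / sizeof(VRingDesc)) return -1;
    memcpy(out, gm->base + table + (uint64_t)idx * sizeof(VRingDesc), sizeof *out);
    return 0;
}

/* Sum the driver->device (out) and device->driver (in) bytes of the chain
 * starting at descriptor `head`, as virtqueue_get_avail_bytes() does.
 * Returns 0, or -1 for a chain the device must refuse.  reproduce_bug = 1
 * replays the pre-patch ordering, where i was already zero when the
 * indirect table address was fetched. */
static int avail_bytes(const GuestMem *gm, uint64_t desc_pa, unsigned max, unsigned head,
                       unsigned *in_bytes, unsigned *out_bytes, int reproduce_bug)
{
    VRingDesc d;
    unsigned i = head, num_bufs = 0;

    *in_bytes = *out_bytes = 0;
    if (i >= max || read_desc(gm, desc_pa, i, &d) < 0) return -1;

    if (d.flags & VRING_DESC_F_INDIRECT) {
        /* d.len is guest-controlled: require a non-empty whole number of
         * descriptors, no larger than the queue itself */
        if (d.len == 0 || d.len % sizeof(VRingDesc) != 0 ||
            d.len / sizeof(VRingDesc) > VIRTQUEUE_MAX_SIZE) return -1;
        max = d.len / sizeof(VRingDesc);
        if (reproduce_bug) {
            VRingDesc d0;
            if (read_desc(gm, desc_pa, 0, &d0) < 0) return -1;
            desc_pa = d0.addr;  /* wrong: descriptor 0's buffer, not the table */
        } else {
            desc_pa = d.addr;   /* right: the indirect table named by head */
        }
        num_bufs = i = 0;
    }
    do {
        if (++num_bufs > max) return -1;            /* more links than entries: a loop */
        if (read_desc(gm, desc_pa, i, &d) < 0) return -1;
        if (d.flags & VRING_DESC_F_WRITE) {
            *in_bytes += d.len;
        } else {
            *out_bytes += d.len;
        }
        if (!(d.flags & VRING_DESC_F_NEXT)) return 0;
        i = d.next;
        if (i >= max) return -1;                    /* next index outside the table */
    } while (1);
}

static void put_desc(uint64_t table, unsigned idx, uint64_t addr, uint32_t len,
                     uint16_t flags, uint16_t next)
{
    VRingDesc d = { addr, len, flags, next };
    memcpy(guest + table + idx * sizeof d, &d, sizeof d);
}

/* Queue whose head (RING entry 1) points at a two-entry indirect table:
 * 100 bytes driver->device, then 200 bytes device->driver. */
static void build_ring(uint32_t indirect_len, uint16_t last_flags)
{
    memset(guest, 0, sizeof guest);
    put_desc(RING, 0, 0x800, 64, 0, 0);
    put_desc(RING, 1, ITABLE, indirect_len, VRING_DESC_F_INDIRECT, 0);
    put_desc(ITABLE, 0, 0x900, 100, VRING_DESC_F_NEXT, 1);
    put_desc(ITABLE, 1, 0xa00, 200, last_flags, 0);
}

/* Well-formed chain: returns the in or out byte count, or -1 if refused. */
static int sample_bytes(int reproduce_bug, int want_in)
{
    GuestMem gm = { guest, sizeof guest };
    unsigned in = 0, out = 0;
    build_ring(2 * sizeof(VRingDesc), VRING_DESC_F_WRITE);
    if (avail_bytes(&gm, RING, 4, 1, &in, &out, reproduce_bug) < 0) return -1;
    return want_in ? (int)in : (int)out;
}

/* Malicious chains: an indirect length of 2048 descriptors, or a last entry
 * whose NEXT points back at entry 0.  Both must be refused. */
static int sample_refused(int looping)
{
    GuestMem gm = { guest, sizeof guest };
    unsigned in, out;
    if (looping) {
        build_ring(2 * sizeof(VRingDesc), VRING_DESC_F_WRITE | VRING_DESC_F_NEXT);
    } else {
        build_ring(2048 * sizeof(VRingDesc), VRING_DESC_F_WRITE);
    }
    return avail_bytes(&gm, RING, 4, 1, &in, &out, 0);
}
```

With the patched ordering the walk reports 100 bytes out and 200 bytes in. With the pre-patch ordering it reads descriptor 0's data buffer (all zeros here) as if it were the indirect table and silently reports 0 bytes in both directions, which is exactly the miscount the commit message describes; a guest that fills that buffer with crafted descriptors controls what the device thinks it was handed.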


* [Qemu-devel] [PATCH 11/38] xhci: fix endpoint interval calculation
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (9 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 10/38] virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 13:41   ` Gerd Hoffmann
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 12/38] Revert "usb-hub: report status changes only once" Michael Roth
                   ` (31 subsequent siblings)
  42 siblings, 1 reply; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit ca7162782a293f525633e5816470498dd86a51cf)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-xhci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 58c88b8..3c0ba8e 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1257,7 +1257,7 @@ static void xhci_init_epctx(XHCIEPContext *epctx,
         epctx->ring.ccs = ctx[2] & 1;
     }
 
-    epctx->interval = 1 << (ctx[0] >> 16) & 0xff;
+    epctx->interval = 1 << ((ctx[0] >> 16) & 0xff);
 }
 
 static TRBCCode xhci_enable_ep(XHCIState *xhci, unsigned int slotid,
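Review bot: the fix is right on precedence (`<<` binds tighter than `&`, so the old line masked the shifted result to 0xff rather than masking the field), but `ctx[0]` is read from the guest-written endpoint context, so the masked value can be anything up to 255, and `1 << n` is undefined in C once n reaches the width of the shift's type; clamping the field to the range the xHCI specification allows before shifting would make this robust against a malformed context.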
-- 
1.7.9.5


* [Qemu-devel] [PATCH 12/38] Revert "usb-hub: report status changes only once"
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (10 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 11/38] xhci: fix endpoint interval calculation Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 13/38] block: expect errors from bdrv_co_is_allocated Michael Roth
                   ` (30 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

This reverts commit a309ee6e0a256f690760abfba44fceaa52a7c2f3.

This isn't in line with the usb specification and adds regressions;
win7 fails to drive the usb hub, for example.

Was added because it "solved" the issue of hubs interacting badly
with the xhci host controller.  Now with the root cause being fixed
in xhci (commit <FIXME>) we can revert this one.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit bdebd6ee81f4d849aa8541c289203e3992450db0)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/dev-hub.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/hw/usb/dev-hub.c b/hw/usb/dev-hub.c
index e865a98..4188a3c 100644
--- a/hw/usb/dev-hub.c
+++ b/hw/usb/dev-hub.c
@@ -33,7 +33,6 @@ typedef struct USBHubPort {
     USBPort port;
     uint16_t wPortStatus;
     uint16_t wPortChange;
-    uint16_t wPortChange_reported;
 } USBHubPort;
 
 typedef struct USBHubState {
@@ -468,11 +467,8 @@ static void usb_hub_handle_data(USBDevice *dev, USBPacket *p)
             status = 0;
             for(i = 0; i < NUM_PORTS; i++) {
                 port = &s->ports[i];
-                if (port->wPortChange &&
-                    port->wPortChange_reported != port->wPortChange) {
+                if (port->wPortChange)
                     status |= (1 << (i + 1));
-                }
-                port->wPortChange_reported = port->wPortChange;
             }
             if (status != 0) {
                 for(i = 0; i < n; i++) {
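Review bot: the revert reinstates `if (port->wPortChange)` without braces around its single statement, which the QEMU coding style asks for; a pure revert restoring the pre-existing form is acceptable, but keeping the braces while touching these lines costs nothing and avoids a follow-up style patch.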
-- 
1.7.9.5


* [Qemu-devel] [PATCH 13/38] block: expect errors from bdrv_co_is_allocated
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (11 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 12/38] Revert "usb-hub: report status changes only once" Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 21:27   ` [Qemu-devel] [Qemu-stable] " Doug Goldstein
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 14/38] target-i386: fix disassembly with PAE=1, PG=0 Michael Roth
                   ` (29 subsequent siblings)
  42 siblings, 1 reply; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

Some bdrv_is_allocated callers do not expect errors, but the fallback
in qcow2.c might make other callers trip on assertion failures or
infinite loops.

Fix the callers to always look for errors.

Cc: qemu-stable@nongnu.org
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit d663640c04f2aab810915c556390211d75457704)

Conflicts:

	block/cow.c

*modified to avoid dependency on upstream's e641c1e8

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c        |    7 +++++--
 block/cow.c    |    6 +++++-
 block/qcow2.c  |    4 +---
 block/stream.c |    2 +-
 qemu-img.c     |   16 ++++++++++++++--
 qemu-io-cmds.c |    4 ++++
 6 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/block.c b/block.c
index d5ce8d3..8ce8b91 100644
--- a/block.c
+++ b/block.c
@@ -1803,8 +1803,11 @@ int bdrv_commit(BlockDriverState *bs)
     buf = g_malloc(COMMIT_BUF_SECTORS * BDRV_SECTOR_SIZE);
 
     for (sector = 0; sector < total_sectors; sector += n) {
-        if (bdrv_is_allocated(bs, sector, COMMIT_BUF_SECTORS, &n)) {
-
+        ret = bdrv_is_allocated(bs, sector, COMMIT_BUF_SECTORS, &n);
+        if (ret < 0) {
+            goto ro_cleanup;
+        }
+        if (ret) {
             if (bdrv_read(bs, sector, buf, n) != 0) {
                 ret = -EIO;
                 goto ro_cleanup;
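Review bot: `goto ro_cleanup` with `ret` holding the negative errno relies on `ro_cleanup` returning `ret` unchanged; the existing `ret = -EIO; goto ro_cleanup;` path just below suggests it does, but the label is outside the hunk, so confirm it does not overwrite `ret` with the status of the reopen/cleanup it performs.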
diff --git a/block/cow.c b/block/cow.c
index 1cc2e89..e1b73d6 100644
--- a/block/cow.c
+++ b/block/cow.c
@@ -189,7 +189,11 @@ static int coroutine_fn cow_read(BlockDriverState *bs, int64_t sector_num,
     int ret, n;
 
     while (nb_sectors > 0) {
-        if (bdrv_co_is_allocated(bs, sector_num, nb_sectors, &n)) {
+        ret = bdrv_co_is_allocated(bs, sector_num, nb_sectors, &n);
+        if (ret < 0) {
+            return ret;
+        }
+        if (ret) {
             ret = bdrv_pread(bs->file,
                         s->cow_sectors_offset + sector_num * 512,
                         buf, n * 512);
diff --git a/block/qcow2.c b/block/qcow2.c
index 3376901..7f7282e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -648,13 +648,11 @@ static int coroutine_fn qcow2_co_is_allocated(BlockDriverState *bs,
     int ret;
 
     *pnum = nb_sectors;
-    /* FIXME We can get errors here, but the bdrv_co_is_allocated interface
-     * can't pass them on today */
     qemu_co_mutex_lock(&s->lock);
     ret = qcow2_get_cluster_offset(bs, sector_num << 9, pnum, &cluster_offset);
     qemu_co_mutex_unlock(&s->lock);
     if (ret < 0) {
-        *pnum = 0;
+        return ret;
     }
 
     return (cluster_offset != 0) || (ret == QCOW2_CLUSTER_ZERO);
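Review bot: the early `return ret` leaves `*pnum` at whatever `qcow2_get_cluster_offset` last wrote (it is pre-set to `nb_sectors` above, and the removed code zeroed it on failure), which is only safe because every caller in this series now checks `ret < 0` before touching `*pnum`; since the old FIXME is being deleted, the contract "pnum is undefined on error" deserves a line in the function's comment.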
diff --git a/block/stream.c b/block/stream.c
index 7fe9e48..4e8d177 100644
--- a/block/stream.c
+++ b/block/stream.c
@@ -120,7 +120,7 @@ wait:
         if (ret == 1) {
             /* Allocated in the top, no need to copy.  */
             copy = false;
-        } else {
+        } else if (ret >= 0) {
             /* Copy if allocated in the intermediate images.  Limit to the
              * known-unallocated area [sector_num, sector_num+n).  */
             ret = bdrv_co_is_allocated_above(bs->backing_hd, base,
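Review bot: `else if (ret >= 0)` leaves `copy` untouched when `ret` is negative; from the visible lines it is not clear that `copy` has a defined value at that point or that the negative `ret` reaches the job's error path before `copy` is consulted, so confirm the error is acted on rather than a stale `copy` flag.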
diff --git a/qemu-img.c b/qemu-img.c
index b9a848d..b01998b 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1485,8 +1485,15 @@ static int img_convert(int argc, char **argv)
                    are present in both the output's and input's base images (no
                    need to copy them). */
                 if (out_baseimg) {
-                    if (!bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
-                                           n, &n1)) {
+                    ret = bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
+                                            n, &n1);
+                    if (ret < 0) {
+                        error_report("error while reading metadata for sector "
+                                     "%" PRId64 ": %s",
+                                     sector_num - bs_offset, strerror(-ret));
+                        goto out;
+                    }
+                    if (!ret) {
                         sector_num += n1;
                         continue;
                     }
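Review bot: `goto out` is taken here with `ret` holding a negative errno; check that the `out` label maps it to the non-zero exit status img_convert uses for its other failures, since a command handler's return value becomes the process exit code and a raw negative errno is truncated to an unsigned byte by the shell.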
@@ -2076,6 +2083,11 @@ static int img_rebase(int argc, char **argv)
 
             /* If the cluster is allocated, we don't need to take action */
             ret = bdrv_is_allocated(bs, sector, n, &n);
+            if (ret < 0) {
+                error_report("error while reading image metadata: %s",
+                             strerror(-ret));
+                goto out;
+            }
             if (ret) {
                 continue;
             }
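Review bot: unlike the img_convert hunk above, this `error_report` omits the sector number; adding `sector` to the message (same `%" PRId64 "` format) would make the failure actionable on large images.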
diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
index ffbcf31..ffe48ad 100644
--- a/qemu-io-cmds.c
+++ b/qemu-io-cmds.c
@@ -1829,6 +1829,10 @@ static int alloc_f(BlockDriverState *bs, int argc, char **argv)
     sector_num = offset >> 9;
     while (remaining) {
         ret = bdrv_is_allocated(bs, sector_num, remaining, &num);
+        if (ret < 0) {
+            printf("is_allocated failed: %s\n", strerror(-ret));
+            return 0;
+        }
         sector_num += num;
         remaining -= num;
         if (ret) {
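Review bot: the early `return 0` means the caller cannot distinguish a metadata error from a completed command, which is consistent with the other qemu-io handlers, but the failure is printed with `printf` to stdout alongside normal command output; if anything parses that output, routing the message to stderr (or prefixing it unambiguously) would be safer.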
-- 
1.7.9.5


* [Qemu-devel] [PATCH 14/38] target-i386: fix disassembly with PAE=1, PG=0
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (12 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 13/38] block: expect errors from bdrv_co_is_allocated Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 15/38] adlib: sort offsets in portio registration Michael Roth
                   ` (28 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

CR4.PAE=1 will not enable paging if CR0.PG=0, but the "if" chain
in x86_cpu_get_phys_page_debug says otherwise.  Check CR0.PG
before everything else.

Fixes "-d in_asm" for a code section at the beginning of OVMF.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit f2f8560c7a5303065a2a3207ec475dfb3a622a0e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/helper.c |   34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/target-i386/helper.c b/target-i386/helper.c
index bf3e2ac..7f74e5d 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -894,7 +894,10 @@ hwaddr x86_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
     uint32_t page_offset;
     int page_size;
 
-    if (env->cr[4] & CR4_PAE_MASK) {
+    if (!(env->cr[0] & CR0_PG_MASK)) {
+        pte = addr & env->a20_mask;
+        page_size = 4096;
+    } else if (env->cr[4] & CR4_PAE_MASK) {
         target_ulong pdpe_addr;
         uint64_t pde, pdpe;
 
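Review bot: the new non-paging branch applies `env->a20_mask` inline, whereas the removed path (see the deleted `pte = addr;` in the next hunk) relied on the `pte = pte & env->a20_mask;` at the end of the legacy else block; behaviour is the same, but a short comment would help, since the PAE branch presumably does its own masking and the three paths are now easy to get out of sync.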
@@ -952,26 +955,21 @@ hwaddr x86_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
     } else {
         uint32_t pde;
 
-        if (!(env->cr[0] & CR0_PG_MASK)) {
-            pte = addr;
-            page_size = 4096;
+        /* page directory entry */
+        pde_addr = ((env->cr[3] & ~0xfff) + ((addr >> 20) & 0xffc)) & env->a20_mask;
+        pde = ldl_phys(pde_addr);
+        if (!(pde & PG_PRESENT_MASK))
+            return -1;
+        if ((pde & PG_PSE_MASK) && (env->cr[4] & CR4_PSE_MASK)) {
+            pte = pde & ~0x003ff000; /* align to 4MB */
+            page_size = 4096 * 1024;
         } else {
             /* page directory entry */
-            pde_addr = ((env->cr[3] & ~0xfff) + ((addr >> 20) & 0xffc)) & env->a20_mask;
-            pde = ldl_phys(pde_addr);
-            if (!(pde & PG_PRESENT_MASK))
+            pte_addr = ((pde & ~0xfff) + ((addr >> 10) & 0xffc)) & env->a20_mask;
+            pte = ldl_phys(pte_addr);
+            if (!(pte & PG_PRESENT_MASK))
                 return -1;
-            if ((pde & PG_PSE_MASK) && (env->cr[4] & CR4_PSE_MASK)) {
-                pte = pde & ~0x003ff000; /* align to 4MB */
-                page_size = 4096 * 1024;
-            } else {
-                /* page directory entry */
-                pte_addr = ((pde & ~0xfff) + ((addr >> 10) & 0xffc)) & env->a20_mask;
-                pte = ldl_phys(pte_addr);
-                if (!(pte & PG_PRESENT_MASK))
-                    return -1;
-                page_size = 4096;
-            }
+            page_size = 4096;
         }
         pte = pte & env->a20_mask;
     }
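Review bot: the `/* page directory entry */` comment kept in the inner else (just above the `pte_addr` line) actually introduces the page table entry lookup, a pre-existing mislabel; since these lines are being re-indented anyway, changing it to `/* page table entry */` would be cheap.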
-- 
1.7.9.5


* [Qemu-devel] [PATCH 15/38] adlib: sort offsets in portio registration
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (13 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 14/38] target-i386: fix disassembly with PAE=1, PG=0 Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 16/38] exec: fix writing to MMIO area with non-power-of-two length Michael Roth
                   ` (27 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hervé Poussineau <hpoussin@reactos.org>

This fixes the following assert when -device adlib is used:
ioport.c:240: portio_list_add: Assertion `pio->offset >= off_last' failed.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 2b21fb57af305f17841d79e7e2e02ad1aec3f5ca)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/audio/adlib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
index 0421d47..db4a953 100644
--- a/hw/audio/adlib.c
+++ b/hw/audio/adlib.c
@@ -284,9 +284,9 @@ static void Adlib_fini (AdlibState *s)
 }
 
 static MemoryRegionPortio adlib_portio_list[] = {
-    { 0x388, 4, 1, .read = adlib_read, .write = adlib_write, },
     { 0, 4, 1, .read = adlib_read, .write = adlib_write, },
     { 0, 2, 1, .read = adlib_read, .write = adlib_write, },
+    { 0x388, 4, 1, .read = adlib_read, .write = adlib_write, },
     PORTIO_END_OF_LIST(),
 };
 
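Review bot: the ascending order now satisfies portio_list_add's `pio->offset >= off_last` assertion, but the two entries at offset 0 (lengths 4 and 2, same handlers) overlap each other; if that overlap is intentional a comment would help, since the ordering rule implies the list is meant to describe disjoint ranges.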
-- 
1.7.9.5


* [Qemu-devel] [PATCH 16/38] exec: fix writing to MMIO area with non-power-of-two length
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (14 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 15/38] adlib: sort offsets in portio registration Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 17/38] virtio_pci: fix level interrupts with irqfd Michael Roth
                   ` (26 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

The problem is introduced by commit 2332616 (exec: Support 64-bit
operations in address_space_rw, 2013-07-08).  Before that commit,
memory_access_size would only return 1/2/4.

Since alignment is already handled above, reduce l to the largest
power of two that is smaller than l.

Cc: qemu-stable@nongnu.org
Reported-by: Oleksii Shevchuk <alxchk@gmail.com>
Tested-by: Oleksii Shevchuk <alxchk@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 098178f2749a63fbbb1a626dcc7d939d5cb2bde7)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/exec.c b/exec.c
index 3ca9381..394f7e2 100644
--- a/exec.c
+++ b/exec.c
@@ -1928,6 +1928,9 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
     if (l > access_size_max) {
         l = access_size_max;
     }
+    if (l & (l - 1)) {
+        l = 1 << (qemu_fls(l) - 1);
+    }
 
     return l;
 }
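Review bot: `1 << (qemu_fls(l) - 1)` isolates the highest set bit of `l`, i.e. the largest power of two not exceeding it, and the `l & (l - 1)` guard also keeps `l == 0` and exact powers of two out of the shift (`qemu_fls(0)` would give a negative shift count); a comment stating that would save the next reader the derivation, and `1u` would avoid the signed/unsigned mix with `l`.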
-- 
1.7.9.5


* [Qemu-devel] [PATCH 17/38] virtio_pci: fix level interrupts with irqfd
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (15 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 16/38] exec: fix writing to MMIO area with non-power-of-two length Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 18/38] exec: always use MADV_DONTFORK Michael Roth
                   ` (25 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

commit 62c96360ae7f2c7a8b029277fbb7cb082fdef7fd
    virtio-pci: fix level interrupts
only helps systems without irqfd: on systems with irqfd support we
passed in a flag requesting irqfd even when msix is disabled.

As a result, for level interrupts we didn't install an fd handler so
unmasking an fd had no effect.

Fix this up.

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 23fe2b3f9e7df8da53ac1bc32c6875254911d7f4)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio-pci.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index d37037e..41b96ce 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -799,8 +799,7 @@ static int virtio_pci_set_guest_notifiers(DeviceState *d, int nvqs, bool assign)
             break;
         }
 
-        r = virtio_pci_set_guest_notifier(d, n, assign,
-                                          kvm_msi_via_irqfd_enabled());
+        r = virtio_pci_set_guest_notifier(d, n, assign, with_irqfd);
         if (r < 0) {
             goto assign_error;
         }
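Review bot: `with_irqfd` is not defined in the visible context; per the commit message it must be false whenever MSI-X is disabled, so its definition should combine msix_enabled() with kvm_msi_via_irqfd_enabled(), and quoting that line in the message would let stable reviewers verify the fix without opening the file.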
-- 
1.7.9.5


* [Qemu-devel] [PATCH 18/38] exec: always use MADV_DONTFORK
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (16 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 17/38] virtio_pci: fix level interrupts with irqfd Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 19/38] xhci: reset port when disabling slot Michael Roth
                   ` (24 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Andrea Arcangeli <aarcange@redhat.com>

MADV_DONTFORK prevents fork from failing with -ENOMEM if the default
overcommit heuristics decide there's too much anonymous virtual
memory allocated. Whether or not the KVM secondary MMU is synchronized
with MMU notifiers makes no difference in that regard.

Secondly it's always more efficient to avoid copying the guest
physical address space in the fork child (so we avoid marking all the
guest memory readonly in the parent and we skip the establishment
and teardown of lots of pagetables in the child).

In the common case we can ignore the error if MADV_DONTFORK is not
available. Leave a second invocation that errors out in the KVM path
if MMU notifiers are missing and KVM is enabled, to abort in such
case.

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Tested-By: Benoit Canet <benoit@irqsave.net>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
(cherry picked from commit 3e469dbfe413c25d48321c3a19ddfae0727dc6e5)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/exec.c b/exec.c
index 394f7e2..2ea8f04 100644
--- a/exec.c
+++ b/exec.c
@@ -1172,6 +1172,7 @@ ram_addr_t qemu_ram_alloc_from_ptr(ram_addr_t size, void *host,
 
     qemu_ram_setup_dump(new_block->host, size);
     qemu_madvise(new_block->host, size, QEMU_MADV_HUGEPAGE);
+    qemu_madvise(new_block->host, size, QEMU_MADV_DONTFORK);
 
     if (kvm_enabled())
         kvm_setup_guest_memory(new_block->host, size);
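Review bot: ignoring qemu_madvise()'s return value is intended per the message, but the HUGEPAGE call above is equally silent, so a one-line comment at this call site ("best effort; the KVM path below errors out when MMU notifiers are missing") would make the split between the two invocations visible to the next reader.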
-- 
1.7.9.5


* [Qemu-devel] [PATCH 19/38] xhci: reset port when disabling slot
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (17 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 18/38] exec: always use MADV_DONTFORK Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 20/38] usb: parallelize usb3 streams Michael Roth
                   ` (23 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 5c67dd7b4884979a2613a4702ac1ab68b0e6a16e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-xhci.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 3c0ba8e..a6f55a1 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -2076,6 +2076,7 @@ static TRBCCode xhci_disable_slot(XHCIState *xhci, unsigned int slotid)
 
     xhci->slots[slotid-1].enabled = 0;
     xhci->slots[slotid-1].addressed = 0;
+    xhci->slots[slotid-1].uport = NULL;
     return CC_SUCCESS;
 }
 
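Review bot: the commit has no body; one sentence on what a stale `uport` after slot disable breaks (and whether this is the xhci root-cause fix that the usb-hub revert in 12/38 refers to) would let stable reviewers judge the backport.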
-- 
1.7.9.5


* [Qemu-devel] [PATCH 20/38] usb: parallelize usb3 streams
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (18 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 19/38] xhci: reset port when disabling slot Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 21/38] w32: Fix access to host devices (regression) Michael Roth
                   ` (22 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

usb3 bulk endpoints with streams are implicitly pipelined now,
so the requests will actually be processed in parallel.  Also
allow them to complete out-of-order.

Fixes stalls in the uas driver.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c96c41ed0d38d68a6c8b6f84751afebafeae31be)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/core.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/usb/core.c b/hw/usb/core.c
index 05948ca..31960c2 100644
--- a/hw/usb/core.c
+++ b/hw/usb/core.c
@@ -403,7 +403,7 @@ void usb_handle_packet(USBDevice *dev, USBPacket *p)
         p->ep->halted = false;
     }
 
-    if (QTAILQ_EMPTY(&p->ep->queue) || p->ep->pipeline) {
+    if (QTAILQ_EMPTY(&p->ep->queue) || p->ep->pipeline || p->stream) {
         usb_process_one(p);
         if (p->status == USB_RET_ASYNC) {
             /* hcd drivers cannot handle async for isoc */
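Review bot: `|| p->stream` makes stream packets bypass the queue check even when `ep->queue` is non-empty, so they are processed immediately; that is the parallelisation the message describes, but the status handling that follows was written for the head-of-queue case, so confirm the synchronous (non-ASYNC) completion path does not assume a stream packet is at the head.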
@@ -420,7 +420,8 @@ void usb_handle_packet(USBDevice *dev, USBPacket *p)
              * When pipelining is enabled usb-devices must always return async,
              * otherwise packets can complete out of order!
              */
-            assert(!p->ep->pipeline || QTAILQ_EMPTY(&p->ep->queue));
+            assert(p->stream || !p->ep->pipeline ||
+                   QTAILQ_EMPTY(&p->ep->queue));
             if (p->status != USB_RET_NAK) {
                 usb_packet_set_state(p, USB_PACKET_COMPLETE);
             }
@@ -434,7 +435,7 @@ void usb_packet_complete_one(USBDevice *dev, USBPacket *p)
 {
     USBEndpoint *ep = p->ep;
 
-    assert(QTAILQ_FIRST(&ep->queue) == p);
+    assert(p->stream || QTAILQ_FIRST(&ep->queue) == p);
     assert(p->status != USB_RET_ASYNC && p->status != USB_RET_NAK);
 
     if (p->status != USB_RET_SUCCESS ||
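Review bot: relaxing the head-of-queue assertion is only safe if the removal later in usb_packet_complete_one unlinks `p` itself (a QTAILQ_REMOVE of `p`) rather than popping the first element; that code is outside the hunk, so worth checking, as otherwise an out-of-order stream completion would drop the wrong packet.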
-- 
1.7.9.5


* [Qemu-devel] [PATCH 21/38] w32: Fix access to host devices (regression)
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (19 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 20/38] usb: parallelize usb3 streams Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 22/38] memory: Provide separate handling of unassigned io ports accesses Michael Roth
                   ` (21 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

QEMU failed to open host devices like \\.\PhysicalDrive0 (first hard disk)
for some time (commit 8a79380b8ef1b02d2abd705dd026a18863b09020?).

Those devices use hdev_open which did not use the latest API for options.
This resulted in a fatal runtime error:

  Block protocol 'host_device' doesn't support the option 'filename'

Duplicate code from raw_open to fix this.

Cc: qemu-stable@nongnu.org
Reported-by: David Brenner <david.brenner3@gmail.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 68dc036488dfea170627a55e6ee3dfd7f2c2063e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/raw-win32.c |   36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/block/raw-win32.c b/block/raw-win32.c
index 9b5b2af..d2d2d9f 100644
--- a/block/raw-win32.c
+++ b/block/raw-win32.c
@@ -535,13 +535,29 @@ static int hdev_open(BlockDriverState *bs, QDict *options, int flags)
 {
     BDRVRawState *s = bs->opaque;
     int access_flags, create_flags;
+    int ret = 0;
     DWORD overlapped;
     char device_name[64];
-    const char *filename = qdict_get_str(options, "filename");
+
+    Error *local_err = NULL;
+    const char *filename;
+
+    QemuOpts *opts = qemu_opts_create_nofail(&raw_runtime_opts);
+    qemu_opts_absorb_qdict(opts, options, &local_err);
+    if (error_is_set(&local_err)) {
+        qerror_report_err(local_err);
+        error_free(local_err);
+        ret = -EINVAL;
+        goto done;
+    }
+
+    filename = qemu_opt_get(opts, "filename");
 
     if (strstart(filename, "/dev/cdrom", NULL)) {
-        if (find_cdrom(device_name, sizeof(device_name)) < 0)
-            return -ENOENT;
+        if (find_cdrom(device_name, sizeof(device_name)) < 0) {
+            ret = -ENOENT;
+            goto done;
+        }
         filename = device_name;
     } else {
         /* transform drive letters into device name */
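Review bot: `qemu_opt_get(opts, "filename")` returns NULL when the option is missing, and `strstart(filename, ...)` on the next line would then dereference NULL; if raw_open guards against a missing filename, that guard should be duplicated along with the rest.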
@@ -564,11 +580,17 @@ static int hdev_open(BlockDriverState *bs, QDict *options, int flags)
     if (s->hfile == INVALID_HANDLE_VALUE) {
         int err = GetLastError();
 
-        if (err == ERROR_ACCESS_DENIED)
-            return -EACCES;
-        return -1;
+        if (err == ERROR_ACCESS_DENIED) {
+            ret = -EACCES;
+        } else {
+            ret = -1;
+        }
+        goto done;
     }
-    return 0;
+
+done:
+    qemu_opts_del(opts);
+    return ret;
 }
 
 static BlockDriver bdrv_host_device = {
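Review bot: the `ret = -1` fallback on CreateFile failure predates this patch but now sits beside proper -EACCES/-ENOENT/-EINVAL codes; since the function is being restructured, mapping an unrecognised GetLastError() to -EIO would stop callers that print `strerror(-ret)` from reporting "Operation not permitted".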
-- 
1.7.9.5


* [Qemu-devel] [PATCH 22/38] memory: Provide separate handling of unassigned io ports accesses
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (20 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 21/38] w32: Fix access to host devices (regression) Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 23/38] Revert "memory: Return -1 again on reads from unsigned regions" Michael Roth
                   ` (20 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jan Kiszka <jan.kiszka@siemens.com>

Accesses to unassigned io ports shall return -1 on read and be ignored
on write. Ensure these properties via dedicated ops, decoupling us from
the memory core's handling of unassigned accesses.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3bb28b7208b349e7a1b326e3c6ef9efac1d462bf)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c                |    3 ++-
 include/exec/ioport.h |    4 ++++
 ioport.c              |   16 ++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/exec.c b/exec.c
index 2ea8f04..08eecb3 100644
--- a/exec.c
+++ b/exec.c
@@ -1821,7 +1821,8 @@ static void memory_map_init(void)
     address_space_init(&address_space_memory, system_memory, "memory");
 
     system_io = g_malloc(sizeof(*system_io));
-    memory_region_init(system_io, NULL, "io", 65536);
+    memory_region_init_io(system_io, NULL, &unassigned_io_ops, NULL, "io",
+                          65536);
     address_space_init(&address_space_io, system_io, "I/O");
 
     memory_listener_register(&core_memory_listener, &address_space_memory);
diff --git a/include/exec/ioport.h b/include/exec/ioport.h
index bdd4e96..b3848be 100644
--- a/include/exec/ioport.h
+++ b/include/exec/ioport.h
@@ -45,6 +45,10 @@ typedef struct MemoryRegionPortio {
 
 #define PORTIO_END_OF_LIST() { }
 
+#ifndef CONFIG_USER_ONLY
+extern const MemoryRegionOps unassigned_io_ops;
+#endif
+
 void cpu_outb(pio_addr_t addr, uint8_t val);
 void cpu_outw(pio_addr_t addr, uint16_t val);
 void cpu_outl(pio_addr_t addr, uint32_t val);
diff --git a/ioport.c b/ioport.c
index 79b7f1a..707cce8 100644
--- a/ioport.c
+++ b/ioport.c
@@ -44,6 +44,22 @@ typedef struct MemoryRegionPortioList {
     MemoryRegionPortio ports[];
 } MemoryRegionPortioList;
 
+static uint64_t unassigned_io_read(void *opaque, hwaddr addr, unsigned size)
+{
+    return -1ULL;
+}
+
+static void unassigned_io_write(void *opaque, hwaddr addr, uint64_t val,
+                                unsigned size)
+{
+}
+
+const MemoryRegionOps unassigned_io_ops = {
+    .read = unassigned_io_read,
+    .write = unassigned_io_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
 void cpu_outb(pio_addr_t addr, uint8_t val)
 {
     LOG_IOPORT("outb: %04"FMT_pioaddr" %02"PRIx8"\n", addr, val);
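Review bot: unassigned_io_read returns -1ULL regardless of `size`, and the memory core masks the value to the access width, so guests see 0xff/0xffff/0xffffffff as intended; a comment saying so, and noting that unlike unassigned_mem_read no cpu_unassigned_access hook is raised here, would document the deliberate difference from the memory path.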
-- 
1.7.9.5


* [Qemu-devel] [PATCH 23/38] Revert "memory: Return -1 again on reads from unsigned regions"
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (21 preceding siblings ...)
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 22/38] memory: Provide separate handling of unassigned io ports accesses Michael Roth
@ 2013-09-25 12:57 ` Michael Roth
  2013-09-25 12:57 ` [Qemu-devel] [PATCH 24/38] exec: check offset_within_address_space for register subpage Michael Roth
                   ` (19 subsequent siblings)
  42 siblings, 0 replies; 51+ messages in thread
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jan Kiszka <jan.kiszka@siemens.com>

This reverts commit 9b8c69243585a32d14b9bb9fcd52c37b0b5a1b71.

The commit was wrong: We only return -1 on invalid accesses, not on
valid but unbacked ones. This broke various corner cases.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 68a7439a150d6b4da99082ab454b9328b151bc25)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 memory.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/memory.c b/memory.c
index 886f838..5a10fd0 100644
--- a/memory.c
+++ b/memory.c
@@ -872,7 +872,7 @@ static uint64_t unassigned_mem_read(void *opaque, hwaddr addr,
     if (current_cpu != NULL) {
         cpu_unassigned_access(current_cpu, addr, false, false, 0, size);
     }
-    return -1ULL;
+    return 0;
 }
 
 static void unassigned_mem_write(void *opaque, hwaddr addr,
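Review bot: after this revert unassigned MMIO reads yield 0 while the unassigned_io_ops added in the previous patch return -1ULL; the split (memory vs. port I/O) is deliberate, but nothing in the code says so. Add a comment above the return noting that the value only matters when cpu_unassigned_access() returns without raising an exception for the current CPU, and that port I/O is handled separately in ioport.c, so the next cleanup does not re-unify the two and reintroduce the corner cases the message mentions.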
-- 
1.7.9.5


* [Qemu-devel] [PATCH 24/38] exec: check offset_within_address_space for register subpage
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hu Tao <hutao@cn.fujitsu.com>

If offset_within_address_space falls in a page, then we register a
subpage. So check offset_within_address_space rather than
offset_within_region.

Cc: qemu-stable@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: "Andreas Färber" <afaerber@suse.de>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Blue Swirl <blauwirbel@gmail.com>
Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 88266249701032211c1d7449460d063fbc01bf12)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/exec.c b/exec.c
index 08eecb3..f6674e5 100644
--- a/exec.c
+++ b/exec.c
@@ -869,7 +869,7 @@ static void mem_add(MemoryListener *listener, MemoryRegionSection *section)
         now = remain;
         if (int128_lt(remain.size, page_size)) {
             register_subpage(d, &now);
-        } else if (remain.offset_within_region & ~TARGET_PAGE_MASK) {
+        } else if (remain.offset_within_address_space & ~TARGET_PAGE_MASK) {
             now.size = page_size;
             register_subpage(d, &now);
         } else {
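Review bot: the one-word fix deserves a comment at the condition: subpages are keyed on guest-physical pages, so it is the address-space offset, not the offset within the backing region, that decides whether a page-sized subpage is needed. Also worth confirming against the code above the hunk: remain.offset_within_address_space only ever advances by now.size, and the other two branches add page_size or a page-aligned amount, so if an unaligned head is already peeled off before the loop this branch can no longer trigger and should either go or carry a comment explaining when it does.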
-- 
1.7.9.5


* [Qemu-devel] [PATCH 25/38] ne2000: mark I/O as LITTLE_ENDIAN
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Aurelien Jarno <aurelien@aurel32.net>

Now that the memory subsystem is propagating the endianness correctly,
the ne2000 device should have its I/O ports marked as LITTLE_ENDIAN, as
PCI devices are little endian.

This makes the ne2000 NIC work again on PowerPC.

Cc: qemu-stable@nongnu.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 45d883dcf208160e2db308d1b368beb74f37dc7e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/ne2000.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 31afd28..c961258 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -693,7 +693,7 @@ static void ne2000_write(void *opaque, hwaddr addr,
 static const MemoryRegionOps ne2000_ops = {
     .read = ne2000_read,
     .write = ne2000_write,
-    .endianness = DEVICE_NATIVE_ENDIAN,
+    .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
 /***********************************************************/
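Review bot: the commit message explains why LITTLE_ENDIAN is now right, the code does not; a one-line comment above ne2000_ops ("PCI device: registers are little-endian regardless of target") would stop a future cleanup from flipping it back to DEVICE_NATIVE_ENDIAN. Since the same memory-subsystem change affects every PCI device still marked NATIVE_ENDIAN, a grep of hw/ for that pattern is worthwhile; pcnet-pci gets the same treatment later in this series, which suggests others may be lurking.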
-- 
1.7.9.5


* [Qemu-devel] [PATCH 26/38] ehci: save device pointer in EHCIState
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

We'll need a pointer to the actual pci/sysbus device,
stick a pointer to it into the EHCIState struct.

https://bugzilla.redhat.com/show_bug.cgi?id=1005495

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit adbecc89731cf3e0ae656d50ea9fa58c589c4bdc)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-ehci.c |    7 +++----
 hw/usb/hcd-ehci.h |    1 +
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 010a0d0..e9fb20c 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1241,13 +1241,11 @@ static int ehci_init_transfer(EHCIPacket *p)
 {
     uint32_t cpage, offset, bytes, plen;
     dma_addr_t page;
-    USBBus *bus = &p->queue->ehci->bus;
-    BusState *qbus = BUS(bus);
 
     cpage  = get_field(p->qtd.token, QTD_TOKEN_CPAGE);
     bytes  = get_field(p->qtd.token, QTD_TOKEN_TBYTES);
     offset = p->qtd.bufptr[0] & ~QTD_BUFPTR_MASK;
-    qemu_sglist_init(&p->sgl, qbus->parent, 5, p->queue->ehci->as);
+    qemu_sglist_init(&p->sgl, p->queue->ehci->device, 5, p->queue->ehci->as);
 
     while (bytes > 0) {
         if (cpage > 4) {
@@ -1486,7 +1484,7 @@ static int ehci_process_itd(EHCIState *ehci,
                 return -1;
             }
 
-            qemu_sglist_init(&ehci->isgl, DEVICE(ehci), 2, ehci->as);
+            qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
             if (off + len > 4096) {
                 /* transfer crosses page border */
                 uint32_t len2 = off + len - 4096;
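Review bot: this is more than a refactor and the commit message should say so: DEVICE(ehci) was a QOM cast applied to an EHCIState, which per the hcd-ehci.h hunk below begins with a USBBus rather than a DeviceState, so the isochronous path was handing qemu_sglist_init() the embedded bus object instead of the owning device. Replacing it with the stored ehci->device fixes that; a sentence in the message (and ideally a Fixes reference) would make the stable justification clear.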
@@ -2529,6 +2527,7 @@ void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp)
 
     s->frame_timer = qemu_new_timer_ns(vm_clock, ehci_frame_timer, s);
     s->async_bh = qemu_bh_new(ehci_frame_timer, s);
+    s->device = dev;
 
     qemu_register_reset(ehci_reset, s);
     qemu_add_vm_change_state_handler(usb_ehci_vm_state_change, s);
diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index 15a28e8..065c9fa 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -255,6 +255,7 @@ typedef QTAILQ_HEAD(EHCIQueueHead, EHCIQueue) EHCIQueueHead;
 
 struct EHCIState {
     USBBus bus;
+    DeviceState *device;
     qemu_irq irq;
     MemoryRegion mem;
     AddressSpace *as;
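Review bot: the new field needs a comment saying what it is (the owning PCI or sysbus DeviceState, assigned in usb_ehci_realize()) and that EHCIState itself is not a QOM object, which is exactly the mistake the DEVICE(ehci) hunk above corrects. Since the transfer paths now pass it to qemu_sglist_init() unconditionally, an assert(ehci->device) at the first use would also document that realize must have run.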
-- 
1.7.9.5


* [Qemu-devel] [PATCH 27/38] qxl: fix local renderer
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

The local spice renderer assumes the primary surface is located at the
start of the "ram" bar.  This used to be a requirement in qxl hardware
revision 1.  In revision 2+ this is relaxed.  Nevertheless guest drivers
continued to use the traditional location, for historical and backward
compatibility reasons.  The qxl kms driver doesn't though as it depends
on qxl revision 4+ anyway.

The result is that local rendering is hosed for recent Linux guests: you'll
get pixel garbage with non-spice ui (gtk, sdl, vnc) and when doing
screendumps.  Fix that by doing a proper mapping of the guest-specified
memory location.

https://bugzilla.redhat.com/show_bug.cgi?id=948717

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c58c7b959b93b864a27fd6b3646ee1465ab8832b)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/qxl-render.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index 269b1a7..d34b0c4 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -31,10 +31,6 @@ static void qxl_blit(PCIQXLDevice *qxl, QXLRect *rect)
     if (is_buffer_shared(surface)) {
         return;
     }
-    if (!qxl->guest_primary.data) {
-        trace_qxl_render_blit_guest_primary_initialized();
-        qxl->guest_primary.data = memory_region_get_ram_ptr(&qxl->vga.vram);
-    }
     trace_qxl_render_blit(qxl->guest_primary.qxl_stride,
             rect->left, rect->right, rect->top, rect->bottom);
     src = qxl->guest_primary.data;
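Review bot: qxl_blit() now reads from qxl->guest_primary.data unconditionally (src = qxl->guest_primary.data); the NULL guard moved out to qxl_render_update_area_unlocked() further down. That is fine only if this is the sole caller and data cannot become NULL between that check and the blit; a local assert(qxl->guest_primary.data) here would keep the invariant next to the code that relies on it.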
@@ -104,7 +100,12 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
 
     if (qxl->guest_primary.resized) {
         qxl->guest_primary.resized = 0;
-        qxl->guest_primary.data = memory_region_get_ram_ptr(&qxl->vga.vram);
+        qxl->guest_primary.data = qxl_phys2virt(qxl,
+                                                qxl->guest_primary.surface.mem,
+                                                MEMSLOT_GROUP_GUEST);
+        if (!qxl->guest_primary.data) {
+            return;
+        }
         qxl_set_rect_to_surface(qxl, &qxl->dirty[0]);
         qxl->num_dirty_rects = 1;
         trace_qxl_render_guest_primary_resized(
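Review bot: guest_primary.surface.mem is a guest-supplied address and qxl_phys2virt() is asked to translate only its start; the renderer then reads guest_primary.qxl_stride bytes per row across the whole surface from that pointer. Unless qxl_phys2virt() already bounds the full surface extent against the memslot, a guest can place the primary surface near the end of the slot and have the local renderer read past it. Suggest validating start plus stride times height here, or a comment pointing at where that check lives.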
@@ -128,6 +129,10 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
         }
         dpy_gfx_replace_surface(vga->con, surface);
     }
+
+    if (!qxl->guest_primary.data) {
+        return;
+    }
     for (i = 0; i < qxl->num_dirty_rects; i++) {
         if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
             break;
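Review bot: the early return leaves qxl->num_dirty_rects and the dirty[] entries untouched, so if nothing else resets them they accumulate across unmapped frames until the next successful translation; either reset num_dirty_rects before returning or make sure the code that appends rects bounds them against the array. A short comment on why data can be NULL here (translation failed in the resized branch above) would also help.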
-- 
1.7.9.5


* [Qemu-devel] [PATCH 28/38] pc: Initializing ram_memory under Xen.
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Anthony PERARD <anthony.perard@citrix.com>

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
CC: qemu-stable@nongnu.org
(cherry picked from commit 04d7bad8a4fb23e6d9af9d06ce3ddc28a251d94d)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/pc_piix.c    |    2 +-
 include/hw/xen/xen.h |    4 +---
 xen-all.c            |    7 ++++---
 xen-stub.c           |    2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 6e1e654..3df2ff9 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -93,7 +93,7 @@ static void pc_init1(MemoryRegion *system_memory,
     FWCfgState *fw_cfg = NULL;
     PcGuestInfo *guest_info;
 
-    if (xen_enabled() && xen_hvm_init() != 0) {
+    if (xen_enabled() && xen_hvm_init(&ram_memory) != 0) {
         fprintf(stderr, "xen hardware virtual machine initialisation failed\n");
         exit(1);
     }
diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h
index 6d42dd1..e1f88bf 100644
--- a/include/hw/xen/xen.h
+++ b/include/hw/xen/xen.h
@@ -37,17 +37,15 @@ void xen_cmos_set_s3_resume(void *opaque, int irq, int level);
 qemu_irq *xen_interrupt_controller_init(void);
 
 int xen_init(void);
-int xen_hvm_init(void);
+int xen_hvm_init(MemoryRegion **ram_memory);
 void xenstore_store_pv_console_info(int i, struct CharDriverState *chr);
 
 #if defined(NEED_CPU_H) && !defined(CONFIG_USER_ONLY)
-struct MemoryRegion;
 void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size,
                    struct MemoryRegion *mr);
 void xen_modified_memory(ram_addr_t start, ram_addr_t length);
 #endif
 
-struct MemoryRegion;
 void xen_register_framebuffer(struct MemoryRegion *mr);
 
 #if defined(CONFIG_XEN) && CONFIG_XEN_CTRL_INTERFACE_VERSION < 400
diff --git a/xen-all.c b/xen-all.c
index 21246e0..e1d0694 100644
--- a/xen-all.c
+++ b/xen-all.c
@@ -154,7 +154,7 @@ qemu_irq *xen_interrupt_controller_init(void)
 
 /* Memory Ops */
 
-static void xen_ram_init(ram_addr_t ram_size)
+static void xen_ram_init(ram_addr_t ram_size, MemoryRegion **ram_memory_p)
 {
     MemoryRegion *sysmem = get_system_memory();
     ram_addr_t below_4g_mem_size, above_4g_mem_size = 0;
@@ -168,6 +168,7 @@ static void xen_ram_init(ram_addr_t ram_size)
         block_len += HVM_BELOW_4G_MMIO_LENGTH;
     }
     memory_region_init_ram(&ram_memory, NULL, "xen.ram", block_len);
+    *ram_memory_p = &ram_memory;
     vmstate_register_ram_global(&ram_memory);
 
     if (ram_size >= HVM_BELOW_4G_RAM_END) {
@@ -1059,7 +1060,7 @@ static void xen_read_physmap(XenIOState *state)
     free(entries);
 }
 
-int xen_hvm_init(void)
+int xen_hvm_init(MemoryRegion **ram_memory)
 {
     int i, rc;
     unsigned long ioreq_pfn;
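Review bot: the parameter `ram_memory` in xen_hvm_init() shadows the file-scope ram_memory object whose address xen_ram_init() stores through the pointer in the hunk above (`*ram_memory_p = &ram_memory;`). It compiles, but it trips -Wshadow and makes the two easy to confuse; xen_ram_init() already uses `ram_memory_p`, so use the same name here.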
@@ -1134,7 +1135,7 @@ int xen_hvm_init(void)
 
     /* Init RAM management */
     xen_map_cache_init(xen_phys_offset_to_gaddr, state);
-    xen_ram_init(ram_size);
+    xen_ram_init(ram_size, ram_memory);
 
     qemu_add_vm_change_state_handler(xen_hvm_change_state_handler, state);
 
diff --git a/xen-stub.c b/xen-stub.c
index 47c8e73..ad189a6 100644
--- a/xen-stub.c
+++ b/xen-stub.c
@@ -64,7 +64,7 @@ void xen_modified_memory(ram_addr_t start, ram_addr_t length)
 {
 }
 
-int xen_hvm_init(void)
+int xen_hvm_init(MemoryRegion **ram_memory)
 {
     return 0;
 }
-- 
1.7.9.5


* [Qemu-devel] [PATCH 29/38] pc_q35: Initialize Xen.
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Anthony PERARD <anthony.perard@citrix.com>

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 254c12825f93f405658ca3366cd34f8a8ad23511)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/pc_q35.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 10e770e..dd13130 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -81,6 +81,11 @@ static void pc_q35_init(QEMUMachineInitArgs *args)
     DeviceState *icc_bridge;
     PcGuestInfo *guest_info;
 
+    if (xen_enabled() && xen_hvm_init(&ram_memory) != 0) {
+        fprintf(stderr, "xen hardware virtual machine initialisation failed\n");
+        exit(1);
+    }
+
     icc_bridge = qdev_create(NULL, TYPE_ICC_BRIDGE);
     object_property_add_child(qdev_get_machine(), "icc-bridge",
                               OBJECT(icc_bridge), NULL);
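Review bot: this block is a verbatim copy of the one added to pc_init1() in the previous patch, fprintf/exit(1) included; a small helper in pc.c taking the MemoryRegion ** to fill would keep the two machine types from drifting. The message should also go through error_report() rather than a bare fprintf(stderr, ...) so it is formatted like the rest of QEMU's startup errors.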
-- 
1.7.9.5


* [Qemu-devel] [PATCH 30/38] qapi-types.py: Fix enum struct sizes on i686
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Cole Robinson <crobinso@redhat.com>

Unlike other list types, enum wasn't adding any padding, which caused
a mismatch between the generated struct size and GenericList struct
size. More details in a678e26cbe89f7a27cbce794c2c2784571ee9d21

This crashed qemu if calling qmp query-tpm-types for example, which
upsets libvirt capabilities probing. Reproducer on i686:

(sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio

https://bugs.launchpad.net/qemu/+bug/1219207

Cc: qemu-stable@nongnu.org
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit 02dc4bf5684d3fb46786fab2ecff98214b1df9fe)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/qapi-types.py |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/qapi-types.py b/scripts/qapi-types.py
index 5ee46ea..5d31b06 100644
--- a/scripts/qapi-types.py
+++ b/scripts/qapi-types.py
@@ -51,7 +51,10 @@ def generate_fwd_enum_struct(name, members):
     return mcgen('''
 typedef struct %(name)sList
 {
-    %(name)s value;
+    union {
+        %(name)s value;
+        uint64_t padding;
+    };
     struct %(name)sList *next;
 } %(name)sList;
 ''',
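Review bot: the anonymous union is a GNU/C11 feature, fine for QEMU's gnu99 builds but worth a word in the generator's comment. More importantly, the generated node must mirror GenericList's layout and nothing in the emitted code says so; have the template emit a comment such as `/* must match GenericList */` above the union, and consider a QEMU_BUILD_BUG_ON comparing the two sizes in the generated file so the next change to GenericList's padding is caught at build time instead of by a crashing query-tpm-types.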
-- 
1.7.9.5


* [Qemu-devel] [PATCH 31/38] pcnet-pci: mark I/O and MMIO as LITTLE_ENDIAN
From: Michael Roth @ 2013-09-25 12:57 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Aurelien Jarno <aurelien@aurel32.net>

Now that the memory subsystem is propagating the endianness correctly,
the pcnet-pci device should have its I/O ports and MMIO memory marked
as LITTLE_ENDIAN, as PCI devices are little endian.

This makes the pcnet-pci NIC work again on big endian MIPS Malta
(default NIC).

Cc: qemu-stable@nongnu.org
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a26405b350c0d31d5ef53f3b459aeb6eaaf50db0)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/pcnet-pci.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/net/pcnet-pci.c b/hw/net/pcnet-pci.c
index 2c2301c..23fc33c 100644
--- a/hw/net/pcnet-pci.c
+++ b/hw/net/pcnet-pci.c
@@ -134,7 +134,7 @@ static void pcnet_ioport_write(void *opaque, hwaddr addr,
 static const MemoryRegionOps pcnet_io_ops = {
     .read = pcnet_ioport_read,
     .write = pcnet_ioport_write,
-    .endianness = DEVICE_NATIVE_ENDIAN,
+    .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
 static void pcnet_mmio_writeb(void *opaque, hwaddr addr, uint32_t val)
@@ -256,7 +256,7 @@ static const MemoryRegionOps pcnet_mmio_ops = {
         .read = { pcnet_mmio_readb, pcnet_mmio_readw, pcnet_mmio_readl },
         .write = { pcnet_mmio_writeb, pcnet_mmio_writew, pcnet_mmio_writel },
     },
-    .endianness = DEVICE_NATIVE_ENDIAN,
+    .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
 static void pci_physical_memory_write(void *dma_opaque, hwaddr addr,
-- 
1.7.9.5


* [Qemu-devel] [PATCH 32/38] chardev: fix pty_chr_timer
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gerd Hoffmann <kraxel@redhat.com>

pty_chr_timer first calls pty_chr_update_read_handler(), then clears
timer_tag (because it is a one-shot timer).  This is the wrong order
though.  pty_chr_update_read_handler might re-arm the timer, and the
new timer_tag gets overwritten in that case.

This leads to crashes when unplugging a pty chardev:  pty_chr_close
thinks no timer is running -> timer isn't canceled -> pty_chr_timer gets
called with stale CharDevState -> BOOM.

This patch fixes the ordering.
Kill the pointless goto while being at it.

https://bugzilla.redhat.com/show_bug.cgi?id=994414

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit b0d768c35e08d2057b63e8e77e7a513c447199fa)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index 1be1cf6..1621fbd 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -1026,15 +1026,11 @@ static gboolean pty_chr_timer(gpointer opaque)
     struct CharDriverState *chr = opaque;
     PtyCharDriver *s = chr->opaque;
 
-    if (s->connected) {
-        goto out;
-    }
-
-    /* Next poll ... */
-    pty_chr_update_read_handler(chr);
-
-out:
     s->timer_tag = 0;
+    if (!s->connected) {
+        /* Next poll ... */
+        pty_chr_update_read_handler(chr);
+    }
     return FALSE;
 }
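Review bot: the reorder is correct; a comment on `s->timer_tag = 0;` saying it must precede pty_chr_update_read_handler() because that call may re-arm the one-shot timer and store a fresh tag would keep the next refactor from swapping them back, which is exactly how the stale-CharDriverState crash in the commit message arose. Returning FALSE already removes the source, so clearing the tag first cannot leak a GSource.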
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 33/38] kvmvapic: Catch invalid ROM size
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jan Kiszka <jan.kiszka@siemens.com>

If not caught early, a zero-length ROM will cause a NULL-pointer access
later on in patch_hypercalls when allocating a zero-length ROM copy and
trying to read from it.

CC: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 18e5eec4db96a00907eb588a2b803401637c7f67)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvmvapic.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index 15beb80..7ac0fe1 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -578,7 +578,7 @@ static int patch_hypercalls(VAPICROMState *s)
  * enable write access to the option ROM so that variables can be updated by
  * the guest.
  */
-static void vapic_map_rom_writable(VAPICROMState *s)
+static int vapic_map_rom_writable(VAPICROMState *s)
 {
     hwaddr rom_paddr = s->rom_state_paddr & ROM_BLOCK_MASK;
     MemoryRegionSection section;
@@ -599,6 +599,9 @@ static void vapic_map_rom_writable(VAPICROMState *s)
     /* read ROM size from RAM region */
     ram = memory_region_get_ram_ptr(section.mr);
     rom_size = ram[rom_paddr + 2] * ROM_BLOCK_SIZE;
+    if (rom_size == 0) {
+        return -1;
+    }
     s->rom_size = rom_size;
 
     /* We need to round to avoid creating subpages
@@ -612,11 +615,15 @@ static void vapic_map_rom_writable(VAPICROMState *s)
     memory_region_add_subregion_overlap(as, rom_paddr, &s->rom, 1000);
     s->rom_mapped_writable = true;
     memory_region_unref(section.mr);
+
+    return 0;
 }
 
 static int vapic_prepare(VAPICROMState *s)
 {
-    vapic_map_rom_writable(s);
+    if (vapic_map_rom_writable(s) < 0) {
+        return -1;
+    }
 
     if (patch_hypercalls(s) < 0) {
         return -1;
-- 
1.7.9.5


* [Qemu-devel] [PATCH 34/38] kvmvapic: Enter inactive state on hardware reset
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jan Kiszka <jan.kiszka@siemens.com>

ROM layout may change after reset if devices are hotplugged, so we have
to pick up the physical address again when the ROM is initialized. This
is best achieved by resetting the state to INACTIVE.

CC: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c056bc3f3464cfae1c94b7dd633d3ec13b13b655)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvmvapic.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index 7ac0fe1..f2e335d 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -510,9 +510,7 @@ static void vapic_reset(DeviceState *dev)
 {
     VAPICROMState *s = VAPIC(dev);
 
-    if (s->state == VAPIC_ACTIVE) {
-        s->state = VAPIC_STANDBY;
-    }
+    s->state = VAPIC_INACTIVE;
     vapic_enable_tpr_reporting(false);
 }
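Review bot: dropping to VAPIC_INACTIVE here leaves s->rom_state_paddr stale, which the next patch in this series (35/38) fixes by clearing it; squashing the two would avoid a bisect window in which INACTIVE with a non-zero rom_state_paddr is misread after migration, as that patch's message describes.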
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 35/38] kvmvapic: Clear also physical ROM address when entering INACTIVE state
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jan Kiszka <jan.kiszka@siemens.com>

To avoid misinterpreting INACTIVE after migration as old qemu-kvm's
STANDBY, also clear rom_state_paddr when going back to this state.

CC: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4357930b8a7d2fcff2d8121ec518117428a781e7)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvmvapic.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index f2e335d..cf6c714 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -511,6 +511,7 @@ static void vapic_reset(DeviceState *dev)
     VAPICROMState *s = VAPIC(dev);
 
     s->state = VAPIC_INACTIVE;
+    s->rom_state_paddr = 0;
     vapic_enable_tpr_reporting(false);
 }
 
@@ -664,6 +665,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
         }
         if (vapic_prepare(s) < 0) {
             s->state = VAPIC_INACTIVE;
+            s->rom_state_paddr = 0;
             break;
         }
         break;
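Review bot: the `break;` inside the if is redundant now that the statement after the if is also `break;`; one of them should go. More usefully, the pair `s->state = VAPIC_INACTIVE; s->rom_state_paddr = 0;` now appears here and in vapic_reset() above; a tiny helper (say vapic_set_inactive(s), name only a suggestion) would make the invariant "INACTIVE implies rom_state_paddr == 0" impossible to break from a third site.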
-- 
1.7.9.5


* [Qemu-devel] [PATCH 36/38] tci: Fix qemu-alpha on 32 bit hosts (wrong assertions)
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

Debian busybox-static for alpha has a load address of 0x0000000120000000
which is mapped to 0x0000000020000000 for 32 bit hosts.

qemu-alpha uses the TCG opcodes qemu_ld32, qemu_ld64, qemu_st32 and
qemu_st64 which all raise the assertion (taddr == host_addr).

Remove all assertions of this type because they are either wrong or
unnecessary (when sizeof(tcg_target_ulong) >= sizeof(target_ulong)).

Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 07ac4dc5db22a31e47b149abdbc5ea99013cf4de)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tci.c |   12 ------------
 1 file changed, 12 deletions(-)

diff --git a/tci.c b/tci.c
index c742c8d..af58576 100644
--- a/tci.c
+++ b/tci.c
@@ -1085,7 +1085,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp8 = helper_ldb_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp8 = *(uint8_t *)(host_addr + GUEST_BASE);
 #endif
             tci_write_reg8(t0, tmp8);
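Review bot: with the assertion gone, `host_addr = (tcg_target_ulong)taddr;` now truncates silently when target_ulong is wider than the host register; the commit message argues this is safe because the guest address space is already confined to the host width in that configuration, and that argument should live in a comment at the cast (or in a single helper macro, since the identical three lines recur in every load and store case below) rather than only in git history.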
@@ -1097,7 +1096,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp8 = helper_ldb_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp8 = *(uint8_t *)(host_addr + GUEST_BASE);
 #endif
             tci_write_reg8s(t0, tmp8);
@@ -1109,7 +1107,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp16 = helper_ldw_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp16 = tswap16(*(uint16_t *)(host_addr + GUEST_BASE));
 #endif
             tci_write_reg16(t0, tmp16);
@@ -1121,7 +1118,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp16 = helper_ldw_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp16 = tswap16(*(uint16_t *)(host_addr + GUEST_BASE));
 #endif
             tci_write_reg16s(t0, tmp16);
@@ -1134,7 +1130,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp32 = helper_ldl_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp32 = tswap32(*(uint32_t *)(host_addr + GUEST_BASE));
 #endif
             tci_write_reg32(t0, tmp32);
@@ -1146,7 +1141,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp32 = helper_ldl_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp32 = tswap32(*(uint32_t *)(host_addr + GUEST_BASE));
 #endif
             tci_write_reg32s(t0, tmp32);
@@ -1159,7 +1153,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp32 = helper_ldl_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp32 = tswap32(*(uint32_t *)(host_addr + GUEST_BASE));
 #endif
             tci_write_reg32(t0, tmp32);
@@ -1174,7 +1167,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             tmp64 = helper_ldq_mmu(env, taddr, tci_read_i(&tb_ptr));
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             tmp64 = tswap64(*(uint64_t *)(host_addr + GUEST_BASE));
 #endif
             tci_write_reg(t0, tmp64);
@@ -1190,7 +1182,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             helper_stb_mmu(env, taddr, t0, t2);
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             *(uint8_t *)(host_addr + GUEST_BASE) = t0;
 #endif
             break;
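Review bot: the store side drops the same assertion, so the bare `host_addr = (tcg_target_ulong)taddr;` cast now appears unchecked and unexplained in twelve load and store cases. Consider folding it into one small static inline helper (or macro) used by every qemu_ld/qemu_st case, carrying the commit message's reasoning in its comment, rather than twelve identical casts with no shared statement of why the narrowing is allowed.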
@@ -1202,7 +1193,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             helper_stw_mmu(env, taddr, t0, t2);
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             *(uint16_t *)(host_addr + GUEST_BASE) = tswap16(t0);
 #endif
             break;
@@ -1214,7 +1204,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             helper_stl_mmu(env, taddr, t0, t2);
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             *(uint32_t *)(host_addr + GUEST_BASE) = tswap32(t0);
 #endif
             break;
@@ -1226,7 +1215,6 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             helper_stq_mmu(env, taddr, tmp64, t2);
 #else
             host_addr = (tcg_target_ulong)taddr;
-            assert(taddr == host_addr);
             *(uint64_t *)(host_addr + GUEST_BASE) = tswap64(tmp64);
 #endif
             break;
-- 
1.7.9.5


* [Qemu-devel] [PATCH 37/38] blockdev: do not default cache.no-flush to true
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

That's why all my VMs were so fast lately. :)

This changed in 1.6.0 by mistake in patch 29c4e2b (blockdev: Split up
'cache' option, 2013-07-18).

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 1df6fa4bc6754a170cf511a78e2e6fef84eb5228)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blockdev.c b/blockdev.c
index bc7016a..097932c 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -460,7 +460,7 @@ static DriveInfo *blockdev_init(QemuOpts *all_opts,
     if (qemu_opt_get_bool(opts, "cache.direct", false)) {
         bdrv_flags |= BDRV_O_NOCACHE;
     }
-    if (qemu_opt_get_bool(opts, "cache.no-flush", true)) {
+    if (qemu_opt_get_bool(opts, "cache.no-flush", false)) {
         bdrv_flags |= BDRV_O_NO_FLUSH;
     }
 
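Review bot: the one-line default change is correct, but its consequence deserves a sentence in the commit message and the 1.6.1 release notes: since 1.6.0, every drive without an explicit cache setting got BDRV_O_NO_FLUSH, so the flush requests a guest relies on for durability were not passed to host storage, and data written before a host crash or power loss may not have reached disk. A regression test that checks the bdrv_flags produced for a drive with no cache option would keep this default from flipping silently again.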
-- 
1.7.9.5


* [Qemu-devel] [PATCH 38/38] virtio-blk: do not relay a previous driver's WCE configuration to the current
From: Michael Roth @ 2013-09-25 12:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

The following sequence happens:
- the SeaBIOS virtio-blk driver does not support the WCE feature, which
causes QEMU to disable writeback caching

- the Linux virtio-blk driver resets the device, finds WCE is available
but writeback caching is disabled; tells block layer to not send cache
flush commands

- the Linux virtio-blk driver sets the DRIVER_OK bit, which causes
writeback caching to be re-enabled, but the Linux virtio-blk driver does
not know of this side effect and cache flushes remain disabled

The bug is at the third step.  If the guest does know about CONFIG_WCE,
QEMU should ignore the WCE feature's state.  The guest will control the
cache mode solely using configuration space.  This change makes Linux
do flushes correctly, but Linux will keep SeaBIOS's writethrough mode.

Hence, whenever the guest is reset, the cache mode of the disk should
be reset to whatever was specified in the "-drive" option.  With this
change, the Linux virtio-blk driver finds that writeback caching is
enabled, and tells the block layer to send cache flush commands
appropriately.

Reported-by: Rusty Russell <rusty@au1.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit ef5bc96268ceec64769617dc53b0ac3a20ff351c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/block/virtio-blk.c          |   24 ++++++++++++++++++++++--
 include/hw/virtio/virtio-blk.h |    1 +
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index e2f55cc..49a23c3 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -460,9 +460,9 @@ static void virtio_blk_dma_restart_cb(void *opaque, int running,
 
 static void virtio_blk_reset(VirtIODevice *vdev)
 {
-#ifdef CONFIG_VIRTIO_BLK_DATA_PLANE
     VirtIOBlock *s = VIRTIO_BLK(vdev);
 
+#ifdef CONFIG_VIRTIO_BLK_DATA_PLANE
     if (s->dataplane) {
         virtio_blk_data_plane_stop(s->dataplane);
     }
@@ -473,6 +473,7 @@ static void virtio_blk_reset(VirtIODevice *vdev)
      * are per-device request lists.
      */
     bdrv_drain_all();
+    bdrv_set_enable_write_cache(s->bs, s->original_wce);
 }
 
 /* coalesce internal state, copy to pci i/o region 0
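Review bot: restoring the cache mode after bdrv_drain_all() is the right order, since requests already in flight complete under the mode they were issued with. Two things to confirm in the unchanged code: that `s->bs` is the same BlockDriverState as the `blk->conf.bs` from which `original_wce` is captured in virtio_blk_device_init, and that nothing a running guest does can alter `original_wce`, otherwise the reset would restore a guest-chosen mode instead of the one given on -drive.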
@@ -564,7 +565,25 @@ static void virtio_blk_set_status(VirtIODevice *vdev, uint8_t status)
     }
 
     features = vdev->guest_features;
-    bdrv_set_enable_write_cache(s->bs, !!(features & (1 << VIRTIO_BLK_F_WCE)));
+
+    /* A guest that supports VIRTIO_BLK_F_CONFIG_WCE must be able to send
+     * cache flushes.  Thus, the "auto writethrough" behavior is never
+     * necessary for guests that support the VIRTIO_BLK_F_CONFIG_WCE feature.
+     * Leaving it enabled would break the following sequence:
+     *
+     *     Guest started with "-drive cache=writethrough"
+     *     Guest sets status to 0
+     *     Guest sets DRIVER bit in status field
+     *     Guest reads host features (WCE=0, CONFIG_WCE=1)
+     *     Guest writes guest features (WCE=0, CONFIG_WCE=1)
+     *     Guest writes 1 to the WCE configuration field (writeback mode)
+     *     Guest sets DRIVER_OK bit in status field
+     *
+     * s->bs would erroneously be placed in writethrough mode.
+     */
+    if (!(features & (1 << VIRTIO_BLK_F_CONFIG_WCE))) {
+        bdrv_set_enable_write_cache(s->bs, !!(features & (1 << VIRTIO_BLK_F_WCE)));
+    }
 }
 
 static void virtio_blk_save(QEMUFile *f, void *opaque)
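Review bot: the new guard only skips the feature-driven update for guests that negotiated CONFIG_WCE; a guest that negotiates neither bit still gets writethrough on DRIVER_OK, which keeps the old behaviour for drivers such as the SeaBIOS one in the commit message. The comment could say so explicitly, and it should note that this hunk depends on the restore added to virtio_blk_reset: without it, a CONFIG_WCE guest would read the cache mode left behind by the previous driver and decide about flushes on stale information.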
@@ -674,6 +693,7 @@ static int virtio_blk_device_init(VirtIODevice *vdev)
     }
 
     blkconf_serial(&blk->conf, &blk->serial);
+    s->original_wce = bdrv_enable_write_cache(blk->conf.bs);
     if (blkconf_geometry(&blk->conf, NULL, 65535, 255, 255) < 0) {
         return -1;
     }
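Review bot: `s->original_wce` is captured from `blk->conf.bs` before the geometry check, which is fine, but it assumes `blk->conf.bs` has already been validated as non-NULL earlier in virtio_blk_device_init; if that check sits below this point the new line would dereference a drive-less device. Worth confirming, and worth a short comment saying this snapshot is what virtio_blk_reset restores.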
diff --git a/include/hw/virtio/virtio-blk.h b/include/hw/virtio/virtio-blk.h
index b87cf49..41885da 100644
--- a/include/hw/virtio/virtio-blk.h
+++ b/include/hw/virtio/virtio-blk.h
@@ -123,6 +123,7 @@ typedef struct VirtIOBlock {
     BlockConf *conf;
     VirtIOBlkConf blk;
     unsigned short sector_mask;
+    bool original_wce;
     VMChangeStateEntry *change;
 #ifdef CONFIG_VIRTIO_BLK_DATA_PLANE
     Notifier migration_state_notifier;
-- 
1.7.9.5
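
The WCE negotiation in the commit message, replayed as an added example (constructed for this page, not QEMU code; the feature-bit numbers, the DRIVER_OK value and every name here are assumptions). It runs the SeaBIOS-then-Linux boot and the sequence from the patch's code comment, with and without the fix, and reports whether the host ends up caching writes while the guest has decided not to send flushes.

```c
/* Constructed model (not QEMU code) of the virtio-blk write-cache handling
 * described in the commit message above.  Feature-bit numbers, the DRIVER_OK
 * value and all names are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdint.h>

#define F_WCE        (1u << 9)   /* VIRTIO_BLK_F_WCE, bit number assumed */
#define F_CONFIG_WCE (1u << 11)  /* VIRTIO_BLK_F_CONFIG_WCE, assumed */
#define S_DRIVER_OK  4u          /* VIRTIO_CONFIG_S_DRIVER_OK, assumed */

typedef struct {
    bool writeback;            /* stands in for bdrv_enable_write_cache(bs) */
} Block;

typedef struct {
    Block   *bs;
    uint32_t guest_features;
    bool     original_wce;     /* cache mode from -drive, added by the patch */
    bool     patched;          /* false: 1.6.0 behaviour, true: with the fix */
} Device;

/* virtio_blk_reset(): with the patch the -drive cache mode is restored. */
static void device_reset(Device *d)
{
    d->guest_features = 0;
    if (d->patched) {
        d->bs->writeback = d->original_wce;
    }
}

/* Guest writes the WCE byte in config space (honoured only after
 * CONFIG_WCE has been negotiated). */
static void device_write_config_wce(Device *d, bool on)
{
    if (d->guest_features & F_CONFIG_WCE) {
        d->bs->writeback = on;
    }
}

/* Guest reads the WCE byte in config space. */
static bool device_read_config_wce(const Device *d)
{
    return d->bs->writeback;
}

/* virtio_blk_set_status(): the "auto writethrough" rule on DRIVER_OK,
 * skipped for CONFIG_WCE guests once the patch is applied. */
static void device_set_status(Device *d, uint8_t status)
{
    if (!(status & S_DRIVER_OK)) {
        return;
    }
    if (d->patched && (d->guest_features & F_CONFIG_WCE)) {
        return;                /* the guest owns the cache mode via config */
    }
    d->bs->writeback = !!(d->guest_features & F_WCE);
}

/* The SeaBIOS-then-Linux boot from the commit message.  Returns true when
 * the end state is unsafe: the host caches writes while the guest, judging
 * from the config byte it read after its reset, will not send flushes. */
static bool boot_sequence_is_unsafe(bool patched)
{
    Block bs = { .writeback = true };              /* -drive cache=writeback */
    Device d = { .bs = &bs, .original_wce = true, .patched = patched };
    bool guest_sends_flushes;

    /* 1. SeaBIOS driver: negotiates neither WCE nor CONFIG_WCE. */
    device_reset(&d);
    device_set_status(&d, S_DRIVER_OK);            /* host drops to writethrough */

    /* 2. Linux driver: reset, negotiate both bits, read config to decide
     *    whether flushes are needed, then DRIVER_OK. */
    device_reset(&d);
    d.guest_features = F_WCE | F_CONFIG_WCE;
    guest_sends_flushes = device_read_config_wce(&d);
    device_set_status(&d, S_DRIVER_OK);

    return bs.writeback && !guest_sends_flushes;   /* 1.6.0: true, fixed: false */
}

/* The sequence from the patch's code comment: start in writethrough, the
 * guest negotiates CONFIG_WCE only and switches to writeback through config
 * space.  Returns the cache mode the block layer ends up in. */
static bool config_wce_sequence_ends_writeback(bool patched)
{
    Block bs = { .writeback = false };             /* -drive cache=writethrough */
    Device d = { .bs = &bs, .original_wce = false, .patched = patched };

    device_reset(&d);
    d.guest_features = F_CONFIG_WCE;               /* WCE=0, CONFIG_WCE=1 */
    device_write_config_wce(&d, true);
    device_set_status(&d, S_DRIVER_OK);
    return bs.writeback;                           /* 1.6.0: false, fixed: true */
}
```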


* Re: [Qemu-devel] [PATCH 11/38] xhci: fix endpoint interval calculation
From: Gerd Hoffmann @ 2013-09-25 13:41 UTC (permalink / raw)
  To: Michael Roth; +Cc: qemu-devel, qemu-stable

On Wed, 2013-09-25 at 07:57 -0500, Michael Roth wrote:
> From: Gerd Hoffmann <kraxel@redhat.com>
> 
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> (cherry picked from commit ca7162782a293f525633e5816470498dd86a51cf)

Also needed: 4d7a81c06f5f17e019a2d3a18300500bd64f6f40

cheers,
  Gerd


* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Cole Robinson @ 2013-09-25 13:54 UTC (permalink / raw)
  To: Michael Roth; +Cc: qemu-devel, qemu-stable

On 09/25/2013 08:57 AM, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v1.6.1:
> 
> https://github.com/mdroth/qemu/commits/stable-1.6-staging
> 

Here are some other patches we are carrying in Fedora. I don't think they are
appropriate for stable, but just mentioning them for completeness:

https://lists.nongnu.org/archive/html/qemu-devel/2013-08/msg05056.html
https://bugzilla.redhat.com/show_bug.cgi?id=986790
Fixes a crash with -M isapc
Patch isn't in git yet

http://article.gmane.org/gmane.comp.emulators.qemu/209369
https://bugzilla.redhat.com/show_bug.cgi?id=1000947
Fix a crash from lsi_soft_reset
Patches aren't in git yet, and might not be stable candidates anyways

Paolo, those patches are all yours, mind updating/pinging/reposting?

Thanks,
Cole


* Re: [Qemu-devel] [Qemu-stable] [PATCH 13/38] block: expect errors from bdrv_co_is_allocated
From: Doug Goldstein @ 2013-09-25 21:27 UTC (permalink / raw)
  To: Michael Roth; +Cc: qemu-devel, qemu-stable

On Wed, Sep 25, 2013 at 7:57 AM, Michael Roth <mdroth@linux.vnet.ibm.com> wrote:
> From: Paolo Bonzini <pbonzini@redhat.com>
>
> Some bdrv_is_allocated callers do not expect errors, but the fallback
> in qcow2.c might make other callers trip on assertion failures or
> infinite loops.
>
> Fix the callers to always look for errors.
>
> Cc: qemu-stable@nongnu.org
> Reviewed-by: Eric Blake <eblake@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> (cherry picked from commit d663640c04f2aab810915c556390211d75457704)
>
> Conflicts:
>
>         block/cow.c
>
> *modified to avoid dependency on upstream's e641c1e8
>
> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> ---
>  block.c        |    7 +++++--
>  block/cow.c    |    6 +++++-
>  block/qcow2.c  |    4 +---
>  block/stream.c |    2 +-
>  qemu-img.c     |   16 ++++++++++++++--
>  qemu-io-cmds.c |    4 ++++
>  6 files changed, 30 insertions(+), 9 deletions(-)
>
> diff --git a/block.c b/block.c
> index d5ce8d3..8ce8b91 100644
> --- a/block.c
> +++ b/block.c
> @@ -1803,8 +1803,11 @@ int bdrv_commit(BlockDriverState *bs)
>      buf = g_malloc(COMMIT_BUF_SECTORS * BDRV_SECTOR_SIZE);
>
>      for (sector = 0; sector < total_sectors; sector += n) {
> -        if (bdrv_is_allocated(bs, sector, COMMIT_BUF_SECTORS, &n)) {
> -
> +        ret = bdrv_is_allocated(bs, sector, COMMIT_BUF_SECTORS, &n);
> +        if (ret < 0) {
> +            goto ro_cleanup;
> +        }
> +        if (ret) {
>              if (bdrv_read(bs, sector, buf, n) != 0) {
>                  ret = -EIO;
>                  goto ro_cleanup;
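Review bot: the `ret < 0` jump carries the negative errno into ro_cleanup, which is correct only if the cleanup path returns `ret` rather than resetting it; that tail is outside the hunk and worth checking. On the same failure `n` may be left unset by bdrv_is_allocated, but the `goto` leaves the loop before `sector += n` is evaluated, so no stale stride is used.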
> diff --git a/block/cow.c b/block/cow.c
> index 1cc2e89..e1b73d6 100644
> --- a/block/cow.c
> +++ b/block/cow.c
> @@ -189,7 +189,11 @@ static int coroutine_fn cow_read(BlockDriverState *bs, int64_t sector_num,
>      int ret, n;
>
>      while (nb_sectors > 0) {
> -        if (bdrv_co_is_allocated(bs, sector_num, nb_sectors, &n)) {
> +        ret = bdrv_co_is_allocated(bs, sector_num, nb_sectors, &n);

Is it supposed to be ret = cow_co_is_allocated() ?

> +        if (ret < 0) {
> +            return ret;
> +        }
> +        if (ret) {
>              ret = bdrv_pread(bs->file,
>                          s->cow_sectors_offset + sector_num * 512,
>                          buf, n * 512);
> diff --git a/block/qcow2.c b/block/qcow2.c
> index 3376901..7f7282e 100644
> --- a/block/qcow2.c
> +++ b/block/qcow2.c
> @@ -648,13 +648,11 @@ static int coroutine_fn qcow2_co_is_allocated(BlockDriverState *bs,
>      int ret;
>
>      *pnum = nb_sectors;
> -    /* FIXME We can get errors here, but the bdrv_co_is_allocated interface
> -     * can't pass them on today */
>      qemu_co_mutex_lock(&s->lock);
>      ret = qcow2_get_cluster_offset(bs, sector_num << 9, pnum, &cluster_offset);
>      qemu_co_mutex_unlock(&s->lock);
>      if (ret < 0) {
> -        *pnum = 0;
> +        return ret;
>      }
>
>      return (cluster_offset != 0) || (ret == QCOW2_CLUSTER_ZERO);
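Review bot: on the error path `*pnum` now keeps the `nb_sectors` value assigned at the top instead of the previous `*pnum = 0`. Every caller changed in this series checks `ret < 0` before using pnum, but a caller that only tests the return for truthiness would treat the whole range as handled and skip over it. Setting `*pnum = 0;` before `return ret;` costs nothing and protects any caller not converted here.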
> diff --git a/block/stream.c b/block/stream.c
> index 7fe9e48..4e8d177 100644
> --- a/block/stream.c
> +++ b/block/stream.c
> @@ -120,7 +120,7 @@ wait:
>          if (ret == 1) {
>              /* Allocated in the top, no need to copy.  */
>              copy = false;
> -        } else {
> +        } else if (ret >= 0) {
>              /* Copy if allocated in the intermediate images.  Limit to the
>               * known-unallocated area [sector_num, sector_num+n).  */
>              ret = bdrv_co_is_allocated_above(bs->backing_hd, base,
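Review bot: with `else if (ret >= 0)` a negative ret from the top-image check skips both branches and leaves `copy` at its previous value; the hunk does not show the code after the chain, so confirm that it tests `ret < 0` and fails the job before `copy` is consulted, otherwise a metadata read error would be treated as "nothing to copy" and the stream would continue past corrupt metadata.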
> diff --git a/qemu-img.c b/qemu-img.c
> index b9a848d..b01998b 100644
> --- a/qemu-img.c
> +++ b/qemu-img.c
> @@ -1485,8 +1485,15 @@ static int img_convert(int argc, char **argv)
>                     are present in both the output's and input's base images (no
>                     need to copy them). */
>                  if (out_baseimg) {
> -                    if (!bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
> -                                           n, &n1)) {
> +                    ret = bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
> +                                            n, &n1);
> +                    if (ret < 0) {
> +                        error_report("error while reading metadata for sector "
> +                                     "%" PRId64 ": %s",
> +                                     sector_num - bs_offset, strerror(-ret));
> +                        goto out;
> +                    }
> +                    if (!ret) {
>                          sector_num += n1;
>                          continue;
>                      }
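Review bot: the `goto out` with a negative errno in `ret` is only correct if the `out:` path turns any negative value into a non-zero exit status; if it compares `ret` against a single sentinel instead, this new failure would exit as success after printing the message. Worth confirming, since img_convert's exit code is what scripts rely on.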
> @@ -2076,6 +2083,11 @@ static int img_rebase(int argc, char **argv)
>
>              /* If the cluster is allocated, we don't need to take action */
>              ret = bdrv_is_allocated(bs, sector, n, &n);
> +            if (ret < 0) {
> +                error_report("error while reading image metadata: %s",
> +                             strerror(-ret));
> +                goto out;
> +            }
>              if (ret) {
>                  continue;
>              }
> diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
> index ffbcf31..ffe48ad 100644
> --- a/qemu-io-cmds.c
> +++ b/qemu-io-cmds.c
> @@ -1829,6 +1829,10 @@ static int alloc_f(BlockDriverState *bs, int argc, char **argv)
>      sector_num = offset >> 9;
>      while (remaining) {
>          ret = bdrv_is_allocated(bs, sector_num, remaining, &num);
> +        if (ret < 0) {
> +            printf("is_allocated failed: %s\n", strerror(-ret));
> +            return 0;
> +        }
>          sector_num += num;
>          remaining -= num;
>          if (ret) {
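Review bot: the failure is reported with printf to stdout and the command returns 0, which matches the surrounding qemu-io style but means a script driving qemu-io (as the iotests do) cannot distinguish this failure from success by exit status; the message text is the only signal, so keep its wording stable, and consider stderr if the command table tolerates it.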
> --
> 1.7.9.5
>
>

-- 
Doug Goldstein


* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Doug Goldstein @ 2013-09-25 21:43 UTC (permalink / raw)
  To: Cole Robinson; +Cc: qemu-stable, Michael Roth, qemu-devel

On Wed, Sep 25, 2013 at 8:54 AM, Cole Robinson <crobinso@redhat.com> wrote:
> On 09/25/2013 08:57 AM, Michael Roth wrote:
>> Hi everyone,
>>
>> The following new patches are queued for QEMU stable v1.6.1:
>>
>> https://github.com/mdroth/qemu/commits/stable-1.6-staging
>>
>
> Here are some other patches we are carrying in Fedora. I don't think they are
> appropriate for stable, but just mentioning them for completeness:
>
> https://lists.nongnu.org/archive/html/qemu-devel/2013-08/msg05056.html
> https://bugzilla.redhat.com/show_bug.cgi?id=986790
> Fixes a crash with -M isapc
> Patch isn't in git yet
>
> http://article.gmane.org/gmane.comp.emulators.qemu/209369
> https://bugzilla.redhat.com/show_bug.cgi?id=1000947
> Fix a crash from lsi_soft_reset
> Patches aren't in git yet, and might not be stable candidates anyways
>
> Paolo, those patches are all yours, mind updating/pinging/reposting?
>
> Thanks,
> Cole
>
>
>

I pinged on the first one since we had a similar bug in Gentoo and
I've carried that patch as well. I'm also pinging a number of other
patches I've been carrying.


-- 
Doug Goldstein


* Re: [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Stefan Weil @ 2013-09-26  4:53 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

On 25.09.2013 14:57, Michael Roth wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.6.1:
>
> https://github.com/mdroth/qemu/commits/stable-1.6-staging
>
> The release is planned for 2013-10-02:
>
> http://wiki.qemu.org/Planning/1.6
>
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release. The cut-off date is
> 2013-09-30 for new patches.
>
> Testing/feedback is greatly appreciated.
>
> Thanks!

Hi Michael,

please consider this one, too:

http://patchwork.ozlabs.org/patch/277991/

Cheers,
Stefan


* Re: [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Fam Zheng @ 2013-09-26  5:22 UTC (permalink / raw)
  To: Michael Roth; +Cc: qemu-devel, qemu-stable

On Wed, 09/25 07:57, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v1.6.1:
> 
> https://github.com/mdroth/qemu/commits/stable-1.6-staging
> 
> The release is planned for 2013-10-02:
> 
> http://wiki.qemu.org/Planning/1.6
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release. The cut-off date is
> 2013-09-30 for new patches.
> 

This is also a candidate:

http://patchwork.ozlabs.org/patch/277122/

Thanks,
Fam


* Re: [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Stefan Weil @ 2013-09-26 19:38 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: Michael Tokarev, qemu-stable

On 25.09.2013 14:57, Michael Roth wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.6.1:
>
> https://github.com/mdroth/qemu/commits/stable-1.6-staging
>
> The release is planned for 2013-10-02:
>
> http://wiki.qemu.org/Planning/1.6
>
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release. The cut-off date is
> 2013-09-30 for new patches.
>
> Testing/feedback is greatly appreciated.
>
> Thanks!
>

Please add this one from Michael Tokarev, too:
http://patchwork.ozlabs.org/patch/276560/

It fixes a compiler warning from MinGW-w32 gcc in QEMU 1.5.3.

Thanks,
Stefan


* Re: [Qemu-devel] [Qemu-stable] [PATCH 13/38] block: expect errors from bdrv_co_is_allocated
From: Paolo Bonzini @ 2013-09-26 20:51 UTC (permalink / raw)
  To: Doug Goldstein; +Cc: qemu-stable, Michael Roth, qemu-devel

On 25/09/2013 23:27, Doug Goldstein wrote:
> On Wed, Sep 25, 2013 at 7:57 AM, Michael Roth <mdroth@linux.vnet.ibm.com> wrote:
>> From: Paolo Bonzini <pbonzini@redhat.com>
>>
>> Some bdrv_is_allocated callers do not expect errors, but the fallback
>> in qcow2.c might make other callers trip on assertion failures or
>> infinite loops.
>>
>> Fix the callers to always look for errors.
>>
>> Cc: qemu-stable@nongnu.org
>> Reviewed-by: Eric Blake <eblake@redhat.com>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>> (cherry picked from commit d663640c04f2aab810915c556390211d75457704)
>>
>> Conflicts:
>>
>>         block/cow.c
>>
>> *modified to avoid dependency on upstream's e641c1e8
>>
>> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
>> ---
>>  block.c        |    7 +++++--
>>  block/cow.c    |    6 +++++-
>>  block/qcow2.c  |    4 +---
>>  block/stream.c |    2 +-
>>  qemu-img.c     |   16 ++++++++++++++--
>>  qemu-io-cmds.c |    4 ++++
>>  6 files changed, 30 insertions(+), 9 deletions(-)
>>
>> diff --git a/block.c b/block.c
>> index d5ce8d3..8ce8b91 100644
>> --- a/block.c
>> +++ b/block.c
>> @@ -1803,8 +1803,11 @@ int bdrv_commit(BlockDriverState *bs)
>>      buf = g_malloc(COMMIT_BUF_SECTORS * BDRV_SECTOR_SIZE);
>>
>>      for (sector = 0; sector < total_sectors; sector += n) {
>> -        if (bdrv_is_allocated(bs, sector, COMMIT_BUF_SECTORS, &n)) {
>> -
>> +        ret = bdrv_is_allocated(bs, sector, COMMIT_BUF_SECTORS, &n);
>> +        if (ret < 0) {
>> +            goto ro_cleanup;
>> +        }
>> +        if (ret) {
>>              if (bdrv_read(bs, sector, buf, n) != 0) {
>>                  ret = -EIO;
>>                  goto ro_cleanup;
>> diff --git a/block/cow.c b/block/cow.c
>> index 1cc2e89..e1b73d6 100644
>> --- a/block/cow.c
>> +++ b/block/cow.c
>> @@ -189,7 +189,11 @@ static int coroutine_fn cow_read(BlockDriverState *bs, int64_t sector_num,
>>      int ret, n;
>>
>>      while (nb_sectors > 0) {
>> -        if (bdrv_co_is_allocated(bs, sector_num, nb_sectors, &n)) {
>> +        ret = bdrv_co_is_allocated(bs, sector_num, nb_sectors, &n);
> 
> Is suppose to be ret = cow_co_is_allocated() ?

No, it's correct to have it like this in the backport.

>> +        if (ret < 0) {
>> +            return ret;
>> +        }
>> +        if (ret) {
>>              ret = bdrv_pread(bs->file,
>>                          s->cow_sectors_offset + sector_num * 512,
>>                          buf, n * 512);
>> diff --git a/block/qcow2.c b/block/qcow2.c
>> index 3376901..7f7282e 100644
>> --- a/block/qcow2.c
>> +++ b/block/qcow2.c
>> @@ -648,13 +648,11 @@ static int coroutine_fn qcow2_co_is_allocated(BlockDriverState *bs,
>>      int ret;
>>
>>      *pnum = nb_sectors;
>> -    /* FIXME We can get errors here, but the bdrv_co_is_allocated interface
>> -     * can't pass them on today */
>>      qemu_co_mutex_lock(&s->lock);
>>      ret = qcow2_get_cluster_offset(bs, sector_num << 9, pnum, &cluster_offset);
>>      qemu_co_mutex_unlock(&s->lock);
>>      if (ret < 0) {
>> -        *pnum = 0;
>> +        return ret;
>>      }
>>
>>      return (cluster_offset != 0) || (ret == QCOW2_CLUSTER_ZERO);
>> diff --git a/block/stream.c b/block/stream.c
>> index 7fe9e48..4e8d177 100644
>> --- a/block/stream.c
>> +++ b/block/stream.c
>> @@ -120,7 +120,7 @@ wait:
>>          if (ret == 1) {
>>              /* Allocated in the top, no need to copy.  */
>>              copy = false;
>> -        } else {
>> +        } else if (ret >= 0) {
>>              /* Copy if allocated in the intermediate images.  Limit to the
>>               * known-unallocated area [sector_num, sector_num+n).  */
>>              ret = bdrv_co_is_allocated_above(bs->backing_hd, base,
>> diff --git a/qemu-img.c b/qemu-img.c
>> index b9a848d..b01998b 100644
>> --- a/qemu-img.c
>> +++ b/qemu-img.c
>> @@ -1485,8 +1485,15 @@ static int img_convert(int argc, char **argv)
>>                     are present in both the output's and input's base images (no
>>                     need to copy them). */
>>                  if (out_baseimg) {
>> -                    if (!bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
>> -                                           n, &n1)) {
>> +                    ret = bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
>> +                                            n, &n1);
>> +                    if (ret < 0) {
>> +                        error_report("error while reading metadata for sector "
>> +                                     "%" PRId64 ": %s",
>> +                                     sector_num - bs_offset, strerror(-ret));
>> +                        goto out;
>> +                    }
>> +                    if (!ret) {
>>                          sector_num += n1;
>>                          continue;
>>                      }
>> @@ -2076,6 +2083,11 @@ static int img_rebase(int argc, char **argv)
>>
>>              /* If the cluster is allocated, we don't need to take action */
>>              ret = bdrv_is_allocated(bs, sector, n, &n);
>> +            if (ret < 0) {
>> +                error_report("error while reading image metadata: %s",
>> +                             strerror(-ret));
>> +                goto out;
>> +            }
>>              if (ret) {
>>                  continue;
>>              }
>> diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
>> index ffbcf31..ffe48ad 100644
>> --- a/qemu-io-cmds.c
>> +++ b/qemu-io-cmds.c
>> @@ -1829,6 +1829,10 @@ static int alloc_f(BlockDriverState *bs, int argc, char **argv)
>>      sector_num = offset >> 9;
>>      while (remaining) {
>>          ret = bdrv_is_allocated(bs, sector_num, remaining, &num);
>> +        if (ret < 0) {
>> +            printf("is_allocated failed: %s\n", strerror(-ret));
>> +            return 0;
>> +        }
>>          sector_num += num;
>>          remaining -= num;
>>          if (ret) {
>> --
>> 1.7.9.5
>>
>>
> 


* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Paolo Bonzini @ 2013-09-26 20:53 UTC (permalink / raw)
  To: Cole Robinson; +Cc: qemu-stable, Michael Roth, qemu-devel

On 25/09/2013 15:54, Cole Robinson wrote:
> https://lists.nongnu.org/archive/html/qemu-devel/2013-08/msg05056.html
> https://bugzilla.redhat.com/show_bug.cgi?id=986790
> Fixes a crash with -M isapc
> Patch isn't in git yet
> 
> http://article.gmane.org/gmane.comp.emulators.qemu/209369
> https://bugzilla.redhat.com/show_bug.cgi?id=1000947
> Fix a crash from lsi_soft_reset
> Patches aren't in git yet, and might not be stable candidates anyways
> 
> Paolo, those patches are all yours, mind updating/pinging/reposting?

Doug pinged the first for me.  It would be nice if Anthony could apply
it and it could go in 1.6.1.

I'm too busy right now to handle the second one.

"[PATCH 00/11] virtio: cleanup and fix hot-unplug" is also important but
hasn't been reviewed yet afaik.

Paolo


* Re: [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
From: Michael Tokarev @ 2013-09-27  7:30 UTC (permalink / raw)
  To: Stefan Weil; +Cc: qemu-stable, Michael Roth, qemu-devel

26.09.2013 23:38, Stefan Weil wrote:
> On 25.09.2013 14:57, Michael Roth wrote:
>> Hi everyone,
>>
>> The following new patches are queued for QEMU stable v1.6.1:
>>
>> https://github.com/mdroth/qemu/commits/stable-1.6-staging
>>
>> The release is planned for 2013-10-02:
>>
>> http://wiki.qemu.org/Planning/1.6
>>
>> Please respond here or CC qemu-stable@nongnu.org on any patches you
>> think should be included in the release. The cut-off date is
>> 2013-09-30 for new patches.
>>
>> Testing/feedback is greatly appreciated.
>>
>> Thanks!
>>
>
> Please add this one from Michael Tokarev, too:
> http://patchwork.ozlabs.org/patch/276560/

A small correction/nitpick: it is not from me originally,
it is from Wenchao Xia, but indeed, I verified and signed
it.

> It fixes a compiler warning from MinGW-w32 gcc in QEMU 1.5.3.

I'm not sure it qualifies for -stable however, because it
merely fixes a compiler warning, the code is actually correct
both ways.  Of course the compile with -Werror will fail with
SOME compilers/versions, but is it the only place where we
have warnings?

Thanks!

/mjt

* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
  2013-09-25 12:57 [Qemu-devel] Patch Round-up for stable 1.6.1, freeze on 2013-09-30 Michael Roth
                   ` (41 preceding siblings ...)
  2013-09-26 19:38 ` Stefan Weil
@ 2013-09-27  8:07 ` Michael Tokarev
  2013-09-27  8:11   ` Michael Tokarev
  42 siblings, 1 reply; 51+ messages in thread
From: Michael Tokarev @ 2013-09-27  8:07 UTC (permalink / raw)
  To: Michael Roth; +Cc: Paolo Bonzini, qemu-devel, qemu-stable

25.09.2013 16:57, Michael Roth wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.6.1:
>
> https://github.com/mdroth/qemu/commits/stable-1.6-staging

It looks like at least some stuff from the series

  http://thread.gmane.org/gmane.comp.emulators.qemu/234440

is also needed for 1.6.1, because this series fixes CVE-2013-4377
(see https://bugzilla.redhat.com/show_bug.cgi?id=1012633 ).

Paolo, could you help provide the fix for 1.6 for this?

Thanks,

/mjt

* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.6.1, freeze on 2013-09-30
  2013-09-27  8:07 ` [Qemu-devel] [Qemu-stable] " Michael Tokarev
@ 2013-09-27  8:11   ` Michael Tokarev
  0 siblings, 0 replies; 51+ messages in thread
From: Michael Tokarev @ 2013-09-27  8:11 UTC (permalink / raw)
  To: Michael Roth; +Cc: Paolo Bonzini, qemu-devel, qemu-stable

27.09.2013 12:07, Michael Tokarev wrote:
> 25.09.2013 16:57, Michael Roth wrote:
>> Hi everyone,
>>
>> The following new patches are queued for QEMU stable v1.6.1:
>>
>> https://github.com/mdroth/qemu/commits/stable-1.6-staging
>
> It looks like at least some stuff from the series
>
>   http://thread.gmane.org/gmane.comp.emulators.qemu/234440
>
> is also needed for 1.6.1, because this series fixes CVE-2013-4377
> (see https://bugzilla.redhat.com/show_bug.cgi?id=1012633 ).
>
> Paolo, may you help to provide the fix for 1.6 for this?

This whole series is Cc: qemu-stable@; I hadn't noticed that
before... ;)

Thanks,

/mjt
