[Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Paolo Bonzini]

The following changes since commit da2fdd0bd1514a44309dd5be162ebfb6c166a716:

  Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20160611' into staging (2016-06-13 10:12:44 +0100)

are available in the git repository at:

  git://github.com/bonzini/qemu.git tags/for-upstream

for you to fetch changes up to 2ab9b0ec185124607ff71ee4048e927016fad26d:

  vl: smp_parse: cleanups (2016-06-16 14:35:20 +0200)

----------------------------------------------------------------
* KVM startup speedup (Chao Peng)
* configure fixes and cleanups (David, Thomas)
* ctags fix (Sergey)
* NBD cleanups (Peter, Eric)
* "-L help" command line option (Richard)
* More esp.c bugfixes (me, Prasad)
* KVM_CAP_MAX_VCPU_ID support (Greg)

----------------------------------------------------------------
Andrew Jones (1):
      vl: smp_parse: cleanups

Chao Peng (1):
      target-i386: kvm: cache KVM_GET_SUPPORTED_CPUID data

Dr. David Alan Gilbert (2):
      Make avx2 configure test work with -O2
      avx2 configure: Use primitives in test

Eric Blake (9):
      nbd: Use BDRV_REQ_FUA for better FUA where supported
      nbd: More debug typo fixes, use correct formats
      nbd: Quit server after any write error
      nbd: Improve server handling of bogus commands
      nbd: Reject unknown request flags
      nbd: Group all Linux-specific ioctl code in one place
      nbd: Clean up ioctl handling of qemu-nbd -c
      nbd: Detect servers that send unexpected error values
      nbd: Avoid magic number for NBD max name size

Greg Kurz (2):
      linux-headers: update to Linux 4.6
      KVM: use KVM_CAP_MAX_VCPU_ID

Paolo Bonzini (5):
      os-posix: include sys/mman.h
      clean-includes: run it once more
      nbd: simplify the nbd_request and nbd_reply structs
      scsi: esp: respect FIFO invariant after message phase
      scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

Peter Maydell (2):
      nbd: Don't use *_to_cpup() functions
      nbd: Don't use cpu_to_*w() functions

Prasad J Pandit (2):
      scsi: esp: check buffer length before reading scsi command
      scsi: esp: make cmdbuf big enough for maximum CDB size

Richard W.M. Jones (1):
      vl.c: Add '-L help' which lists data dirs.

Sergey Fedorov (1):
      Makefile: Fix tag file generation targets

Thomas Huth (4):
      configure: Remove unused CONFIG_ZERO_MALLOC setting
      configure: Enable -Werror for MinGW builds, too
      configure: Remove unused CONFIG_SIGEV_THREAD_ID switch
      scsi-disk: Use (unsigned long) typecasts when using "%lu" format string

 Makefile                                       |   4 +-
 audio/ossaudio.c                               |   1 -
 block/qcow2-cache.c                            |   5 -
 bsd-user/elfload.c                             |   1 -
 bsd-user/main.c                                |   1 -
 bsd-user/mmap.c                                |   1 -
 bsd-user/syscall.c                             |   1 -
 configure                                      |  57 ++------
 contrib/ivshmem-server/ivshmem-server.c        |   1 -
 exec.c                                         |   1 -
 hw/block/xen_disk.c                            |   1 -
 hw/char/xen_console.c                          |   1 -
 hw/display/xenfb.c                             |   1 -
 hw/i386/kvm/pci-assign.c                       |   1 -
 hw/misc/ivshmem.c                              |   2 -
 hw/misc/pc-testdev.c                           |   3 -
 hw/net/net_tx_pkt.c                            |   1 +
 hw/net/net_tx_pkt.h                            |   1 -
 hw/net/xen_nic.c                               |   1 -
 hw/scsi/esp.c                                  |  22 +--
 hw/scsi/scsi-disk.c                            |   8 +-
 hw/usb/xen-usb.c                               |   6 +-
 hw/vfio/common.c                               |   1 -
 hw/vfio/pci.c                                  |   1 -
 hw/virtio/virtio-balloon.c                     |   4 -
 hw/xen/xen_backend.c                           |   1 -
 hw/xen/xen_pt_msi.c                            |   1 -
 include/block/nbd.h                            |  19 ++-
 include/hw/scsi/esp.h                          |   3 +-
 include/hw/xen/xen.h                           |   1 -
 include/qemu/osdep.h                           |   2 -
 include/standard-headers/linux/pci_regs.h      |  20 ++-
 include/standard-headers/linux/virtio_config.h |   2 +
 include/sysemu/os-posix.h                      |   1 +
 kvm-all.c                                      |   9 +-
 linux-headers/asm-arm/unistd.h                 |   2 +
 linux-headers/asm-arm64/unistd.h               |   3 +
 linux-headers/asm-powerpc/unistd.h             |   2 +
 linux-headers/asm-s390/kvm.h                   |   1 +
 linux-headers/asm-s390/unistd.h                |   4 +-
 linux-headers/asm-x86/kvm.h                    |   6 +-
 linux-headers/asm-x86/unistd_x32.h             |   2 +
 linux-headers/linux/kvm.h                      |   1 +
 linux-user/elfload.c                           |   1 -
 linux-user/flatload.c                          |   1 -
 linux-user/main.c                              |   1 -
 linux-user/mmap.c                              |   1 -
 linux-user/strace.c                            |   1 -
 linux-user/syscall.c                           |   1 -
 migration/postcopy-ram.c                       |   1 -
 nbd/client.c                                   |  98 ++++++++-----
 nbd/server.c                                   | 191 ++++++++++++++-----------
 net/netmap.c                                   |   1 -
 os-posix.c                                     |   1 -
 qemu-char.c                                    |   1 -
 qemu-nbd.c                                     |   4 +-
 qemu-options.hx                                |   2 +
 scripts/clean-includes                         |   3 +
 target-arm/kvm.c                               |   1 -
 target-arm/kvm32.c                             |   1 -
 target-arm/kvm64.c                             |   1 -
 target-i386/kvm.c                              |  10 +-
 target-mips/kvm.c                              |   1 -
 target-ppc/kvm.c                               |   1 -
 target-s390x/kvm.c                             |   1 -
 tests/i440fx-test.c                            |   1 -
 tests/ivshmem-test.c                           |   1 -
 tests/vhost-user-bridge.c                      |   1 -
 tests/vhost-user-test.c                        |   1 -
 translate-all.c                                |   2 -
 util/cutils.c                                  |   8 +-
 util/memfd.c                                   |   2 -
 util/mmap-alloc.c                              |   1 -
 util/osdep.c                                   |   4 -
 util/oslib-posix.c                             |   1 -
 vl.c                                           |  47 +++---
 xen-hvm.c                                      |   1 -
 xen-mapcache.c                                 |   1 -
 78 files changed, 310 insertions(+), 292 deletions(-)
-- 
2.5.5

[Qemu-devel] [PULL 01/30] configure: Remove unused CONFIG_ZERO_MALLOC setting

[Paolo Bonzini]

From: Thomas Huth <thuth@redhat.com>

CONFIG_ZERO_MALLOC was only used in qemu-malloc.c and
this file has been removed with the following commit:

	41a748265f4879b52b0e87ff9c93bed975163886
	Remove qemu_malloc/qemu_free

So we don't need this configuration setting anymore.
This patch also removes the z_version variable, since
this is now also not needed anymore.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <1465398683-3152-1-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/configure b/configure
index 8c2f90b..bd9318a 100755
--- a/configure
+++ b/configure
@@ -270,7 +270,6 @@ aix="no"
 blobs="yes"
 pkgversion=""
 pie=""
-zero_malloc=""
 qom_cast_debug="yes"
 trace_backends="log"
 trace_file="trace"
@@ -1389,8 +1388,6 @@ fi
 
 # Consult white-list to determine whether to enable werror
 # by default.  Only enable by default for git builds
-z_version=$(cut -f3 -d. $source_path/VERSION)
-
 if test -z "$werror" ; then
     if test -d "$source_path/.git" -a \
         "$linux" = "yes" ; then
@@ -4574,16 +4571,6 @@ if test "$libnfs" != "no" ; then
   fi
 fi
 
-# Disable zero malloc errors for official releases unless explicitly told to
-# enable/disable
-if test -z "$zero_malloc" ; then
-    if test "$z_version" = "50" ; then
-	zero_malloc="no"
-    else
-	zero_malloc="yes"
-    fi
-fi
-
 # Now we've finished running tests it's OK to add -Werror to the compiler flags
 if test "$werror" = "yes"; then
     QEMU_CFLAGS="-Werror $QEMU_CFLAGS"
@@ -5342,9 +5329,6 @@ if [ "$bsd" = "yes" ] ; then
   echo "CONFIG_BSD=y" >> $config_host_mak
 fi
 
-if test "$zero_malloc" = "yes" ; then
-  echo "CONFIG_ZERO_MALLOC=y" >> $config_host_mak
-fi
 if test "$localtime_r" = "yes" ; then
   echo "CONFIG_LOCALTIME_R=y" >> $config_host_mak
 fi
-- 
2.5.5

[Qemu-devel] [PULL 02/30] os-posix: include sys/mman.h

[Paolo Bonzini]

qemu/osdep.h checks whether MAP_ANONYMOUS is defined, but this check
is bogus without a previous inclusion of sys/mman.h.  Include it in
sysemu/os-posix.h and remove it from everywhere else.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 audio/ossaudio.c                        | 1 -
 block/qcow2-cache.c                     | 5 -----
 bsd-user/elfload.c                      | 1 -
 bsd-user/main.c                         | 1 -
 bsd-user/mmap.c                         | 1 -
 bsd-user/syscall.c                      | 1 -
 contrib/ivshmem-server/ivshmem-server.c | 1 -
 exec.c                                  | 1 -
 hw/block/xen_disk.c                     | 1 -
 hw/char/xen_console.c                   | 1 -
 hw/display/xenfb.c                      | 1 -
 hw/i386/kvm/pci-assign.c                | 1 -
 hw/misc/ivshmem.c                       | 2 --
 hw/misc/pc-testdev.c                    | 3 ---
 hw/net/xen_nic.c                        | 1 -
 hw/usb/xen-usb.c                        | 1 -
 hw/vfio/common.c                        | 1 -
 hw/vfio/pci.c                           | 1 -
 hw/virtio/virtio-balloon.c              | 4 ----
 hw/xen/xen_backend.c                    | 1 -
 hw/xen/xen_pt_msi.c                     | 1 -
 include/qemu/osdep.h                    | 2 --
 include/sysemu/os-posix.h               | 1 +
 kvm-all.c                               | 1 -
 linux-user/elfload.c                    | 1 -
 linux-user/flatload.c                   | 1 -
 linux-user/main.c                       | 1 -
 linux-user/mmap.c                       | 1 -
 linux-user/strace.c                     | 1 -
 linux-user/syscall.c                    | 1 -
 migration/postcopy-ram.c                | 1 -
 net/netmap.c                            | 1 -
 os-posix.c                              | 1 -
 qemu-char.c                             | 1 -
 scripts/clean-includes                  | 3 +++
 target-arm/kvm.c                        | 1 -
 target-arm/kvm32.c                      | 1 -
 target-arm/kvm64.c                      | 1 -
 target-i386/kvm.c                       | 1 -
 target-mips/kvm.c                       | 1 -
 target-ppc/kvm.c                        | 1 -
 target-s390x/kvm.c                      | 1 -
 tests/i440fx-test.c                     | 1 -
 tests/ivshmem-test.c                    | 1 -
 tests/vhost-user-bridge.c               | 1 -
 tests/vhost-user-test.c                 | 1 -
 translate-all.c                         | 2 --
 util/memfd.c                            | 2 --
 util/mmap-alloc.c                       | 1 -
 util/osdep.c                            | 4 ----
 util/oslib-posix.c                      | 1 -
 xen-hvm.c                               | 1 -
 xen-mapcache.c                          | 1 -
 53 files changed, 4 insertions(+), 67 deletions(-)

diff --git a/audio/ossaudio.c b/audio/ossaudio.c
index a0d9cda..0edd7ea 100644
--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -22,7 +22,6 @@
  * THE SOFTWARE.
  */
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/soundcard.h>
 #include "qemu-common.h"
diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c
index 208a060..580631c 100644
--- a/block/qcow2-cache.c
+++ b/block/qcow2-cache.c
@@ -24,11 +24,6 @@
 
 /* Needed for CONFIG_MADVISE */
 #include "qemu/osdep.h"
-
-#if defined(CONFIG_MADVISE) || defined(CONFIG_POSIX_MADVISE)
-#include <sys/mman.h>
-#endif
-
 #include "block/block_int.h"
 #include "qemu-common.h"
 #include "qcow2.h"
diff --git a/bsd-user/elfload.c b/bsd-user/elfload.c
index 898ee05..41a1309 100644
--- a/bsd-user/elfload.c
+++ b/bsd-user/elfload.c
@@ -1,7 +1,6 @@
 /* This is the Linux kernel elf-loading code, ported into user space */
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "qemu.h"
 #include "disas/disas.h"
diff --git a/bsd-user/main.c b/bsd-user/main.c
index 9f592be..abe9a26 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -18,7 +18,6 @@
  */
 #include "qemu/osdep.h"
 #include <machine/trap.h>
-#include <sys/mman.h>
 
 #include "qemu.h"
 #include "qemu/path.h"
diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
index 6ab5334..610f91b 100644
--- a/bsd-user/mmap.c
+++ b/bsd-user/mmap.c
@@ -17,7 +17,6 @@
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "qemu.h"
 #include "qemu-common.h"
diff --git a/bsd-user/syscall.c b/bsd-user/syscall.c
index 47cf865..a9fe869 100644
--- a/bsd-user/syscall.c
+++ b/bsd-user/syscall.c
@@ -19,7 +19,6 @@
 #include "qemu/osdep.h"
 #include "qemu/cutils.h"
 #include "qemu/path.h"
-#include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/param.h>
 #include <sys/sysctl.h>
diff --git a/contrib/ivshmem-server/ivshmem-server.c b/contrib/ivshmem-server/ivshmem-server.c
index bf4ee0b..e2f295b 100644
--- a/contrib/ivshmem-server/ivshmem-server.c
+++ b/contrib/ivshmem-server/ivshmem-server.c
@@ -10,7 +10,6 @@
 #include "qemu/host-utils.h"
 #include "qemu/sockets.h"
 
-#include <sys/mman.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 
diff --git a/exec.c b/exec.c
index a9d465b..61adb32 100644
--- a/exec.c
+++ b/exec.c
@@ -19,7 +19,6 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #ifndef _WIN32
-#include <sys/mman.h>
 #endif
 
 #include "qemu/cutils.h"
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 064c116..ba7ce54 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -21,7 +21,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 #include <sys/uio.h>
 
 #include "hw/hw.h"
diff --git a/hw/char/xen_console.c b/hw/char/xen_console.c
index cbf1dcc..83108b0 100644
--- a/hw/char/xen_console.c
+++ b/hw/char/xen_console.c
@@ -22,7 +22,6 @@
 #include "qemu/osdep.h"
 #include <sys/select.h>
 #include <termios.h>
-#include <sys/mman.h>
 
 #include "hw/hw.h"
 #include "sysemu/char.h"
diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 570b097..46b7d5e 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -25,7 +25,6 @@
  */
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "hw/hw.h"
 #include "ui/console.h"
diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index db2cbd2..dd9e73b 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -22,7 +22,6 @@
  */
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include <sys/mman.h>
 #include "hw/hw.h"
 #include "hw/i386/pc.h"
 #include "qemu/error-report.h"
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 90be9f7..c4dde3a 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -36,8 +36,6 @@
 
 #include "hw/misc/ivshmem.h"
 
-#include <sys/mman.h>
-
 #define PCI_VENDOR_ID_IVSHMEM   PCI_VENDOR_ID_REDHAT_QUMRANET
 #define PCI_DEVICE_ID_IVSHMEM   0x1110
 
diff --git a/hw/misc/pc-testdev.c b/hw/misc/pc-testdev.c
index 086893d..b81d820 100644
--- a/hw/misc/pc-testdev.c
+++ b/hw/misc/pc-testdev.c
@@ -36,9 +36,6 @@
 */
 
 #include "qemu/osdep.h"
-#if defined(CONFIG_POSIX)
-#include <sys/mman.h>
-#endif
 #include "hw/hw.h"
 #include "hw/qdev.h"
 #include "hw/isa/isa.h"
diff --git a/hw/net/xen_nic.c b/hw/net/xen_nic.c
index 7281730..0b4ddae 100644
--- a/hw/net/xen_nic.c
+++ b/hw/net/xen_nic.c
@@ -22,7 +22,6 @@
 #include "qemu/osdep.h"
 #include <sys/socket.h>
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 #include <sys/wait.h>
 
 #include "hw/hw.h"
diff --git a/hw/usb/xen-usb.c b/hw/usb/xen-usb.c
index 664df04..09e9656 100644
--- a/hw/usb/xen-usb.c
+++ b/hw/usb/xen-usb.c
@@ -22,7 +22,6 @@
 #include <libusb.h>
 #include <stdio.h>
 #include <sys/types.h>
-#include <sys/mman.h>
 #include <sys/time.h>
 
 #include "qemu/osdep.h"
diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index e51ed3a..5ff5e92 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -20,7 +20,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 #include <linux/vfio.h>
 
 #include "hw/vfio/vfio-common.h"
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index deab0c6..53b87b7 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -21,7 +21,6 @@
 #include "qemu/osdep.h"
 #include <linux/vfio.h>
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 
 #include "hw/pci/msi.h"
 #include "hw/pci/msix.h"
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 8c15e09..557d3f9 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -27,10 +27,6 @@
 #include "qapi-event.h"
 #include "trace.h"
 
-#if defined(__linux__)
-#include <sys/mman.h>
-#endif
-
 #include "hw/virtio/virtio-bus.h"
 #include "hw/virtio/virtio-access.h"
 
diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index c63f9df..e7ce724 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -23,7 +23,6 @@
  */
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 #include <sys/signal.h>
 
 #include "hw/hw.h"
diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
index 9a16f2b..62add06 100644
--- a/hw/xen/xen_pt_msi.c
+++ b/hw/xen/xen_pt_msi.c
@@ -10,7 +10,6 @@
  */
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "hw/xen/xen_backend.h"
 #include "xen_pt.h"
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 6937694..e63da28 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -197,8 +197,6 @@ void qemu_anon_ram_free(void *ptr, size_t size);
 
 #if defined(CONFIG_MADVISE)
 
-#include <sys/mman.h>
-
 #define QEMU_MADV_WILLNEED  MADV_WILLNEED
 #define QEMU_MADV_DONTNEED  MADV_DONTNEED
 #ifdef MADV_DONTFORK
diff --git a/include/sysemu/os-posix.h b/include/sysemu/os-posix.h
index 07e3e5a..9c7dfdf 100644
--- a/include/sysemu/os-posix.h
+++ b/include/sysemu/os-posix.h
@@ -26,6 +26,7 @@
 #ifndef QEMU_OS_POSIX_H
 #define QEMU_OS_POSIX_H
 
+#include <sys/mman.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
diff --git a/kvm-all.c b/kvm-all.c
index fbd2d93..71af270 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -15,7 +15,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 
 #include <linux/kvm.h>
 
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index bb2558f..f807baf 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -2,7 +2,6 @@
 #include "qemu/osdep.h"
 #include <sys/param.h>
 
-#include <sys/mman.h>
 #include <sys/resource.h>
 
 #include "qemu.h"
diff --git a/linux-user/flatload.c b/linux-user/flatload.c
index f9139c3..48ad1c5 100644
--- a/linux-user/flatload.c
+++ b/linux-user/flatload.c
@@ -34,7 +34,6 @@
 /****************************************************************************/
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "qemu.h"
 #include "flat.h"
diff --git a/linux-user/main.c b/linux-user/main.c
index f8a8764..b9a4e0e 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -18,7 +18,6 @@
  */
 #include "qemu/osdep.h"
 #include "qemu-version.h"
-#include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/resource.h>
 
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 3519147..c4371d9 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -17,7 +17,6 @@
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 #include <linux/mman.h>
 #include <linux/unistd.h>
 
diff --git a/linux-user/strace.c b/linux-user/strace.c
index c5980a1..4046b81 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -5,7 +5,6 @@
 #include <sys/shm.h>
 #include <sys/select.h>
 #include <sys/mount.h>
-#include <sys/mman.h>
 #include <sched.h>
 #include "qemu.h"
 
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 71ccbd9..1c17b74 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -32,7 +32,6 @@
 #include <sys/personality.h>
 #include <sys/prctl.h>
 #include <sys/resource.h>
-#include <sys/mman.h>
 #include <sys/swap.h>
 #include <linux/capability.h>
 #include <sched.h>
diff --git a/migration/postcopy-ram.c b/migration/postcopy-ram.c
index 47250b6..abe8c60 100644
--- a/migration/postcopy-ram.c
+++ b/migration/postcopy-ram.c
@@ -51,7 +51,6 @@ struct PostcopyDiscardState {
 #if defined(__linux__)
 
 #include <poll.h>
-#include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
 #include <asm/types.h> /* for __u64 */
diff --git a/net/netmap.c b/net/netmap.c
index 6cc0db5..64967b9 100644
--- a/net/netmap.c
+++ b/net/netmap.c
@@ -26,7 +26,6 @@
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
 #include <net/if.h>
-#include <sys/mman.h>
 #define NETMAP_WITH_LIBS
 #include <net/netmap.h>
 #include <net/netmap_user.h>
diff --git a/os-posix.c b/os-posix.c
index 107fde3..3755265 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -26,7 +26,6 @@
 #include "qemu/osdep.h"
 #include <sys/wait.h>
 /*needed for MAP_POPULATE before including qemu-options.h */
-#include <sys/mman.h>
 #include <pwd.h>
 #include <grp.h>
 #include <libgen.h>
diff --git a/qemu-char.c b/qemu-char.c
index b13ecbb..c926e9a 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -47,7 +47,6 @@
 #include <sys/times.h>
 #include <sys/wait.h>
 #include <termios.h>
-#include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/resource.h>
 #include <sys/socket.h>
diff --git a/scripts/clean-includes b/scripts/clean-includes
index 37b73b5..4412a55 100755
--- a/scripts/clean-includes
+++ b/scripts/clean-includes
@@ -105,6 +105,8 @@ for f in "$@"; do
     *include/qemu/osdep.h | \
     *include/qemu/compiler.h | \
     *include/glib-compat.h | \
+    *include/sysemu/os-posix.h | \
+    *include/sysemu/os-win32.h | \
     *include/standard-headers/ )
       # Removing include lines from osdep.h itself would be counterproductive.
       echo "SKIPPING $f (special case header)"
@@ -145,6 +147,7 @@ for f in "$@"; do
            <stdlib.h> <stdio.h> <string.h> <strings.h> <inttypes.h>
            <limits.h> <unistd.h> <time.h> <ctype.h> <errno.h> <fcntl.h>
            <sys/stat.h> <sys/time.h> <assert.h> <signal.h> <glib.h>
+           <sys/stat.h> <sys/time.h> <assert.h> <signal.h> <glib.h> <sys/mman.h>
            "sysemu/os-posix.h, sysemu/os-win32.h "glib-compat.h"
            "qemu/typedefs.h"
             ))' "$f"
diff --git a/target-arm/kvm.c b/target-arm/kvm.c
index 83da447..5c2bd7a 100644
--- a/target-arm/kvm.c
+++ b/target-arm/kvm.c
@@ -10,7 +10,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 
 #include <linux/kvm.h>
 
diff --git a/target-arm/kvm32.c b/target-arm/kvm32.c
index c03e3e5..af3c0b5 100644
--- a/target-arm/kvm32.c
+++ b/target-arm/kvm32.c
@@ -10,7 +10,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 
 #include <linux/kvm.h>
 
diff --git a/target-arm/kvm64.c b/target-arm/kvm64.c
index e2a34f6..c84d4c7 100644
--- a/target-arm/kvm64.c
+++ b/target-arm/kvm64.c
@@ -11,7 +11,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 #include <sys/ptrace.h>
 
 #include <linux/elf.h>
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index abf50e6..7b092ee 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -15,7 +15,6 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 #include <sys/utsname.h>
 
 #include <linux/kvm.h>
diff --git a/target-mips/kvm.c b/target-mips/kvm.c
index a854e4d..f3f832d 100644
--- a/target-mips/kvm.c
+++ b/target-mips/kvm.c
@@ -11,7 +11,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 
 #include <linux/kvm.h>
 
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 24d6032..744a6ff 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -17,7 +17,6 @@
 #include "qemu/osdep.h"
 #include <dirent.h>
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 #include <sys/vfs.h>
 
 #include <linux/kvm.h>
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index 8f46fd0..8c5dcab 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -23,7 +23,6 @@
 
 #include "qemu/osdep.h"
 #include <sys/ioctl.h>
-#include <sys/mman.h>
 
 #include <linux/kvm.h>
 #include <asm/ptrace.h>
diff --git a/tests/i440fx-test.c b/tests/i440fx-test.c
index bff999c..c1d9b3e 100644
--- a/tests/i440fx-test.c
+++ b/tests/i440fx-test.c
@@ -13,7 +13,6 @@
  */
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "libqtest.h"
 #include "libqos/pci.h"
diff --git a/tests/ivshmem-test.c b/tests/ivshmem-test.c
index 010860a..0957ee7 100644
--- a/tests/ivshmem-test.c
+++ b/tests/ivshmem-test.c
@@ -10,7 +10,6 @@
 
 #include "qemu/osdep.h"
 #include <glib/gstdio.h>
-#include <sys/mman.h>
 #include "contrib/ivshmem-server/ivshmem-server.h"
 #include "libqos/pci-pc.h"
 #include "libqtest.h"
diff --git a/tests/vhost-user-bridge.c b/tests/vhost-user-bridge.c
index 0779ba2..57c8f91 100644
--- a/tests/vhost-user-bridge.c
+++ b/tests/vhost-user-bridge.c
@@ -33,7 +33,6 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <sys/unistd.h>
-#include <sys/mman.h>
 #include <sys/eventfd.h>
 #include <arpa/inet.h>
 #include <netdb.h>
diff --git a/tests/vhost-user-test.c b/tests/vhost-user-test.c
index 2724fe9..b2b1665 100644
--- a/tests/vhost-user-test.c
+++ b/tests/vhost-user-test.c
@@ -17,7 +17,6 @@
 #include "sysemu/sysemu.h"
 
 #include <linux/vhost.h>
-#include <sys/mman.h>
 #include <sys/vfs.h>
 #include <qemu/sockets.h>
 
diff --git a/translate-all.c b/translate-all.c
index e8b88b4..3f402df 100644
--- a/translate-all.c
+++ b/translate-all.c
@@ -18,8 +18,6 @@
  */
 #ifdef _WIN32
 #include <windows.h>
-#else
-#include <sys/mman.h>
 #endif
 #include "qemu/osdep.h"
 
diff --git a/util/memfd.c b/util/memfd.c
index b374238..4571d1a 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -29,8 +29,6 @@
 
 #include <glib/gprintf.h>
 
-#include <sys/mman.h>
-
 #include "qemu/memfd.h"
 
 #ifdef CONFIG_MEMFD
diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
index 0b4cc7f..629d97a 100644
--- a/util/mmap-alloc.c
+++ b/util/mmap-alloc.c
@@ -11,7 +11,6 @@
  */
 #include "qemu/osdep.h"
 #include <qemu/mmap-alloc.h>
-#include <sys/mman.h>
 
 #define HUGETLBFS_MAGIC       0x958458f6
 
diff --git a/util/osdep.c b/util/osdep.c
index 9a7a439..ff004e8 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -25,10 +25,6 @@
 
 /* Needed early for CONFIG_BSD etc. */
 
-#if defined(CONFIG_MADVISE) || defined(CONFIG_POSIX_MADVISE)
-#include <sys/mman.h>
-#endif
-
 #ifdef CONFIG_SOLARIS
 #include <sys/statvfs.h>
 /* See MySQL bug #7156 (http://bugs.mysql.com/bug.php?id=7156) for
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index 4adde93..e2e1d4d 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -36,7 +36,6 @@
 #include "trace.h"
 #include "qapi/error.h"
 #include "qemu/sockets.h"
-#include <sys/mman.h>
 #include <libgen.h>
 #include <sys/signal.h>
 #include "qemu/cutils.h"
diff --git a/xen-hvm.c b/xen-hvm.c
index a0da8d7..98ea44f 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -9,7 +9,6 @@
  */
 
 #include "qemu/osdep.h"
-#include <sys/mman.h>
 
 #include "cpu.h"
 #include "hw/pci/pci.h"
diff --git a/xen-mapcache.c b/xen-mapcache.c
index 49f394a..8f3a592 100644
--- a/xen-mapcache.c
+++ b/xen-mapcache.c
@@ -17,7 +17,6 @@
 #include "qemu/bitmap.h"
 
 #include <xen/hvm/params.h>
-#include <sys/mman.h>
 
 #include "sysemu/xen-mapcache.h"
 #include "trace.h"
-- 
2.5.5

[Qemu-devel] [PULL 03/30] clean-includes: run it once more

[Paolo Bonzini]

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/net/net_tx_pkt.c  | 1 +
 hw/net/net_tx_pkt.h  | 1 -
 hw/usb/xen-usb.c     | 5 +----
 include/hw/xen/xen.h | 1 -
 4 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index e4478be..efd43b4 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -15,6 +15,7 @@
  *
  */
 
+#include "qemu/osdep.h"
 #include "net_tx_pkt.h"
 #include "net/eth.h"
 #include "net/checksum.h"
diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h
index 07b9a20..212ecc6 100644
--- a/hw/net/net_tx_pkt.h
+++ b/hw/net/net_tx_pkt.h
@@ -18,7 +18,6 @@
 #ifndef NET_TX_PKT_H
 #define NET_TX_PKT_H
 
-#include "qemu/osdep.h"
 #include "net/eth.h"
 #include "exec/hwaddr.h"
 
diff --git a/hw/usb/xen-usb.c b/hw/usb/xen-usb.c
index 09e9656..0fd34c6 100644
--- a/hw/usb/xen-usb.c
+++ b/hw/usb/xen-usb.c
@@ -19,12 +19,9 @@
  *  GNU GPL, version 2 or (at your option) any later version.
  */
 
+#include "qemu/osdep.h"
 #include <libusb.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/time.h>
 
-#include "qemu/osdep.h"
 #include "qemu-common.h"
 #include "qemu/config-file.h"
 #include "hw/sysbus.h"
diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h
index 6365483..b2cd992 100644
--- a/include/hw/xen/xen.h
+++ b/include/hw/xen/xen.h
@@ -8,7 +8,6 @@
  */
 
 #include "qemu-common.h"
-#include "qemu/typedefs.h"
 #include "exec/cpu-common.h"
 #include "hw/irq.h"
 
-- 
2.5.5

[Qemu-devel] [PULL 04/30] configure: Enable -Werror for MinGW builds, too

[Paolo Bonzini]

From: Thomas Huth <thuth@redhat.com>

MinGW seems to compile currently without warnings, so it should
be safe to enable -Werror now for this environment, too.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1465373606-18486-1-git-send-email-thuth@redhat.com>
Tested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index bd9318a..cbe013b 100755
--- a/configure
+++ b/configure
@@ -1390,7 +1390,7 @@ fi
 # by default.  Only enable by default for git builds
 if test -z "$werror" ; then
     if test -d "$source_path/.git" -a \
-        "$linux" = "yes" ; then
+        \( "$linux" = "yes" -o "$mingw32" = "yes" \) ; then
         werror="yes"
     else
         werror="no"
-- 
2.5.5

[Qemu-devel] [PULL 05/30] Makefile: Fix tag file generation targets

[Paolo Bonzini]

From: Sergey Fedorov <serge.fdrv@gmail.com>

"ctags" produces a file named "tags", not "ctags". It doesn't look
reasonable to use phony target name as a file name to remove. Just use
exact file names to remove in "ctags" and "TAGS" target receipts.

Signed-off-by: Sergey Fedorov <serge.fdrv@gmail.com>
Signed-off-by: Sergey Fedorov <sergey.fedorov@linaro.org>
Message-Id: <1465495115-24665-1-git-send-email-sergey.fedorov@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index ed4032a..53e4119 100644
--- a/Makefile
+++ b/Makefile
@@ -498,12 +498,12 @@ test speed: all
 
 .PHONY: ctags
 ctags:
-	rm -f $@
+	rm -f tags
 	find "$(SRC_PATH)" -name '*.[hc]' -exec ctags --append {} +
 
 .PHONY: TAGS
 TAGS:
-	rm -f $@
+	rm -f TAGS
 	find "$(SRC_PATH)" -name '*.[hc]' -exec etags --append {} +
 
 cscope:
-- 
2.5.5

[Qemu-devel] [PULL 06/30] Make avx2 configure test work with -O2

[Paolo Bonzini]

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

When configured with --extra-cflags=-O2 gcc optimised out the test
and the readelf failed the check leaving avx2 disabled.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <1465557378-24105-2-git-send-email-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index cbe013b..3c0e279 100755
--- a/configure
+++ b/configure
@@ -1781,7 +1781,7 @@ fi
 cat > $TMPC << EOF
 static void bar(void) {}
 static void *bar_ifunc(void) {return (void*) bar;}
-static void foo(void) __attribute__((ifunc("bar_ifunc")));
+void foo(void) __attribute__((ifunc("bar_ifunc")));
 int main(void) { foo(); return 0; }
 EOF
 if compile_prog "-mavx2" "" ; then
-- 
2.5.5

[Qemu-devel] [PULL 07/30] avx2 configure: Use primitives in test

[Paolo Bonzini]

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

Use the avx2 primitives during the test, thus making sure that the
compiler and assembler could actually use avx2.

This also detects the failure case on gcc 4.8.x with -save-temps
and avoids the need for the gcc version check in cutils.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <1465557378-24105-3-git-send-email-dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure     | 17 ++++++++++++-----
 util/cutils.c |  8 +-------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/configure b/configure
index 3c0e279..c57d6a7 100755
--- a/configure
+++ b/configure
@@ -1779,13 +1779,20 @@ fi
 # avx2 optimization requirement check
 
 cat > $TMPC << EOF
-static void bar(void) {}
+#pragma GCC push_options
+#pragma GCC target("avx2")
+#include <cpuid.h>
+#include <immintrin.h>
+
+static int bar(void *a) {
+    return _mm256_movemask_epi8(_mm256_cmpeq_epi8(*(__m256i *)a, (__m256i){0}));
+}
 static void *bar_ifunc(void) {return (void*) bar;}
-void foo(void) __attribute__((ifunc("bar_ifunc")));
-int main(void) { foo(); return 0; }
+int foo(void *a) __attribute__((ifunc("bar_ifunc")));
+int main(int argc, char *argv[]) { return foo(argv[0]);}
 EOF
-if compile_prog "-mavx2" "" ; then
-    if readelf --syms $TMPE |grep "IFUNC.*foo" >/dev/null 2>&1; then
+if compile_object "" ; then
+    if readelf --syms $TMPO |grep "IFUNC.*foo" >/dev/null 2>&1; then
         avx2_opt="yes"
     fi
 fi
diff --git a/util/cutils.c b/util/cutils.c
index 43d1afb..5830a68 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -256,13 +256,7 @@ static size_t buffer_find_nonzero_offset_inner(const void *buf, size_t len)
     return i * sizeof(VECTYPE);
 }
 
-/*
- * GCC before version 4.9 has a bug which will cause the target
- * attribute work incorrectly and failed to compile in some case,
- * restrict the gcc version to 4.9+ to prevent the failure.
- */
-
-#if defined CONFIG_AVX2_OPT && QEMU_GNUC_PREREQ(4, 9)
+#if defined CONFIG_AVX2_OPT
 #pragma GCC push_options
 #pragma GCC target("avx2")
 #include <cpuid.h>
-- 
2.5.5

[Qemu-devel] [PULL 08/30] configure: Remove unused CONFIG_SIGEV_THREAD_ID switch

[Paolo Bonzini]

From: Thomas Huth <thuth@redhat.com>

The CONFIG_SIGEV_THREAD_ID switch is unused since the related code
has been removed by commit 6d327171551a12b937c5718073b9848d0274c74d
("aio / timers: Remove alarm timers"), so it can safely be removed
nowadays.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1465571084-19885-1-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/configure b/configure
index c57d6a7..10cb212 100755
--- a/configure
+++ b/configure
@@ -4182,24 +4182,6 @@ if compile_prog "" "" ; then
 fi
 
 ##########################################
-# check if we have usable SIGEV_THREAD_ID
-
-sigev_thread_id=no
-cat > $TMPC << EOF
-#include <signal.h>
-int main(void) {
-  struct sigevent ev;
-  ev.sigev_notify = SIGEV_THREAD_ID;
-  ev._sigev_un._tid = 0;
-  asm volatile("" : : "g"(&ev));
-  return 0;
-}
-EOF
-if compile_prog "" "" ; then
-    sigev_thread_id=yes
-fi
-
-##########################################
 # check if trace backend exists
 
 $python "$source_path/scripts/tracetool.py" "--backends=$trace_backends" --check-backends  > /dev/null 2> /dev/null
@@ -4856,7 +4838,6 @@ echo "preadv support    $preadv"
 echo "fdatasync         $fdatasync"
 echo "madvise           $madvise"
 echo "posix_madvise     $posix_madvise"
-echo "sigev_thread_id   $sigev_thread_id"
 echo "uuid support      $uuid"
 echo "libcap-ng support $cap_ng"
 echo "vhost-net support $vhost_net"
@@ -5271,9 +5252,6 @@ fi
 if test "$posix_madvise" = "yes" ; then
   echo "CONFIG_POSIX_MADVISE=y" >> $config_host_mak
 fi
-if test "$sigev_thread_id" = "yes" ; then
-  echo "CONFIG_SIGEV_THREAD_ID=y" >> $config_host_mak
-fi
 
 if test "$spice" = "yes" ; then
   echo "CONFIG_SPICE=y" >> $config_host_mak
-- 
2.5.5

[Qemu-devel] [PULL 09/30] nbd: Don't use *_to_cpup() functions

[Paolo Bonzini]

From: Peter Maydell <peter.maydell@linaro.org>

The *_to_cpup() functions are not very useful, as they simply do
a pointer dereference and then a *_to_cpu(). Instead use either:
 * ld*_*_p(), if the data is at an address that might not be
   correctly aligned for the load
 * a local dereference and *_to_cpu(), if the pointer is
   the correct type and known to be correctly aligned

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <1465570836-22211-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/client.c |  8 ++++----
 nbd/server.c | 10 +++++-----
 qemu-nbd.c   |  4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 31b88f3..bb8981f 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -572,7 +572,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
             error_setg(errp, "Failed to read export flags");
             goto fail;
         }
-        *flags = be32_to_cpup(flags);
+        *flags = be32_to_cpu(*flags);
     } else {
         error_setg(errp, "Bad magic received");
         goto fail;
@@ -726,9 +726,9 @@ ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply *reply)
        [ 7 .. 15]    handle
      */
 
-    magic = be32_to_cpup((uint32_t*)buf);
-    reply->error  = be32_to_cpup((uint32_t*)(buf + 4));
-    reply->handle = be64_to_cpup((uint64_t*)(buf + 8));
+    magic = ldl_be_p(buf);
+    reply->error  = ldl_be_p(buf + 4);
+    reply->handle = ldq_be_p(buf + 8);
 
     reply->error = nbd_errno_to_system_errno(reply->error);
 
diff --git a/nbd/server.c b/nbd/server.c
index b2cfeb9..91471f1 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -646,11 +646,11 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, struct nbd_request *request)
        [24 .. 27]   len
      */
 
-    magic = be32_to_cpup((uint32_t*)buf);
-    request->type  = be32_to_cpup((uint32_t*)(buf + 4));
-    request->handle = be64_to_cpup((uint64_t*)(buf + 8));
-    request->from  = be64_to_cpup((uint64_t*)(buf + 16));
-    request->len   = be32_to_cpup((uint32_t*)(buf + 24));
+    magic = ldl_be_p(buf);
+    request->type   = ldl_be_p(buf + 4);
+    request->handle = ldq_be_p(buf + 8);
+    request->from   = ldq_be_p(buf + 16);
+    request->len    = ldl_be_p(buf + 24);
 
     TRACE("Got request: "
           "{ magic = 0x%x, .type = %d, from = %" PRIu64" , len = %u }",
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 6554f0a..9519db3 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -154,8 +154,8 @@ static void read_partition(uint8_t *p, struct partition_record *r)
     r->end_cylinder = p[7] | ((p[6] << 2) & 0x300);
     r->end_sector = p[6] & 0x3f;
 
-    r->start_sector_abs = le32_to_cpup((uint32_t *)(p +  8));
-    r->nb_sectors_abs   = le32_to_cpup((uint32_t *)(p + 12));
+    r->start_sector_abs = ldl_le_p(p + 8);
+    r->nb_sectors_abs   = ldl_le_p(p + 12);
 }
 
 static int find_partition(BlockBackend *blk, int partition,
-- 
2.5.5

[Qemu-devel] [PULL 10/30] nbd: Don't use cpu_to_*w() functions

[Paolo Bonzini]

From: Peter Maydell <peter.maydell@linaro.org>

The cpu_to_*w() functions just compose a pointer dereference
with a byteswap. Instead use st*_p(), which handles potential
pointer misalignment and avoids the need to cast the pointer.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <1465575342-12146-1-git-send-email-peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/client.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index bb8981f..6d9c74d 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -686,11 +686,11 @@ ssize_t nbd_send_request(QIOChannel *ioc, struct nbd_request *request)
           "{ .from = %" PRIu64", .len = %u, .handle = %" PRIu64", .type=%i}",
           request->from, request->len, request->handle, request->type);
 
-    cpu_to_be32w((uint32_t*)buf, NBD_REQUEST_MAGIC);
-    cpu_to_be32w((uint32_t*)(buf + 4), request->type);
-    cpu_to_be64w((uint64_t*)(buf + 8), request->handle);
-    cpu_to_be64w((uint64_t*)(buf + 16), request->from);
-    cpu_to_be32w((uint32_t*)(buf + 24), request->len);
+    stl_be_p(buf, NBD_REQUEST_MAGIC);
+    stl_be_p(buf + 4, request->type);
+    stq_be_p(buf + 8, request->handle);
+    stq_be_p(buf + 16, request->from);
+    stl_be_p(buf + 24, request->len);
 
     ret = write_sync(ioc, buf, sizeof(buf));
     if (ret < 0) {
-- 
2.5.5

[Qemu-devel] [PULL 11/30] nbd: simplify the nbd_request and nbd_reply structs

[Paolo Bonzini]

These structs are never used to represent the bytes that go over the
network.  The big-endian network data is built into a uint8_t array
in nbd_{receive,send}_{request,reply}.  Remove the unused magic field,
reorder the struct to avoid holes, and remove the packed attribute.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 include/block/nbd.h | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/block/nbd.h b/include/block/nbd.h
index b86a976..747bb0a 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -25,19 +25,20 @@
 #include "io/channel-socket.h"
 #include "crypto/tlscreds.h"
 
+/* Note: these are _NOT_ the same as the network representation of an NBD
+ * request and reply!
+ */
 struct nbd_request {
-    uint32_t magic;
-    uint32_t type;
     uint64_t handle;
     uint64_t from;
     uint32_t len;
-} QEMU_PACKED;
+    uint32_t type;
+};
 
 struct nbd_reply {
-    uint32_t magic;
-    uint32_t error;
     uint64_t handle;
-} QEMU_PACKED;
+    uint32_t error;
+};
 
 #define NBD_FLAG_HAS_FLAGS      (1 << 0)        /* Flags are there */
 #define NBD_FLAG_READ_ONLY      (1 << 1)        /* Device is read-only */
-- 
2.5.5

[Qemu-devel] [PULL 12/30] target-i386: kvm: cache KVM_GET_SUPPORTED_CPUID data

[Paolo Bonzini]

From: Chao Peng <chao.p.peng@linux.intel.com>

KVM_GET_SUPPORTED_CPUID ioctl is called frequently when initializing
CPU. Depends on CPU features and CPU count, the number of calls can be
extremely high which slows down QEMU booting significantly. In our
testing, we saw 5922 calls with switches:

    -cpu SandyBridge -smp 6,sockets=6,cores=1,threads=1

This ioctl takes more than 100ms, which is almost half of the total
QEMU startup time.

While for most cases the data returned from two different invocations
are not changed, that means, we can cache the data to avoid trapping
into kernel for the second time. To make sure the cache safe one
assumption is desirable: the ioctl is stateless. This is not true for
CPUID leaves in general (such as CPUID leaf 0xD, whose value depends
on guest XCR0 and IA32_XSS) but it is true of KVM_GET_SUPPORTED_CPUID,
which runs before there is a value for XCR0 and IA32_XSS.

Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Message-Id: <1465784487-23482-1-git-send-email-chao.p.peng@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target-i386/kvm.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 7b092ee..ff92b1d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -106,6 +106,8 @@ static int has_xsave;
 static int has_xcrs;
 static int has_pit_state2;
 
+static struct kvm_cpuid2 *cpuid_cache;
+
 int kvm_has_pit_state2(void)
 {
     return has_pit_state2;
@@ -199,9 +201,14 @@ static struct kvm_cpuid2 *get_supported_cpuid(KVMState *s)
 {
     struct kvm_cpuid2 *cpuid;
     int max = 1;
+
+    if (cpuid_cache != NULL) {
+        return cpuid_cache;
+    }
     while ((cpuid = try_get_cpuid(s, max)) == NULL) {
         max *= 2;
     }
+    cpuid_cache = cpuid;
     return cpuid;
 }
 
@@ -319,8 +326,6 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
         ret |= cpuid_1_edx & CPUID_EXT2_AMD_ALIASES;
     }
 
-    g_free(cpuid);
-
     /* fallback for older kernels */
     if ((function == KVM_CPUID_FEATURES) && !found) {
         ret = get_para_features(s);
-- 
2.5.5

[Qemu-devel] [PULL 13/30] scsi-disk: Use (unsigned long) typecasts when using "%lu" format string

[Paolo Bonzini]

From: Thomas Huth <thuth@redhat.com>

Some source code analyzers like cppcheck spill out a warning if
the sign of the argument does not match the format string.

Ticket: https://bugs.launchpad.net/qemu/+bug/1589564
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1465805418-15906-1-git-send-email-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/scsi-disk.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 1881969..36f8a85 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -2060,13 +2060,13 @@ static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
         }
         break;
     case MODE_SELECT:
-        DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
+        DPRINTF("Mode Select(6) (len %lu)\n", (unsigned long)r->req.cmd.xfer);
         break;
     case MODE_SELECT_10:
-        DPRINTF("Mode Select(10) (len %lu)\n", (long)r->req.cmd.xfer);
+        DPRINTF("Mode Select(10) (len %lu)\n", (unsigned long)r->req.cmd.xfer);
         break;
     case UNMAP:
-        DPRINTF("Unmap (len %lu)\n", (long)r->req.cmd.xfer);
+        DPRINTF("Unmap (len %lu)\n", (unsigned long)r->req.cmd.xfer);
         break;
     case VERIFY_10:
     case VERIFY_12:
@@ -2080,7 +2080,7 @@ static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
     case WRITE_SAME_16:
         DPRINTF("WRITE SAME %d (len %lu)\n",
                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
-                (long)r->req.cmd.xfer);
+                (unsigned long)r->req.cmd.xfer);
         break;
     default:
         DPRINTF("Unknown SCSI command (%2.2x=%s)\n", buf[0],
-- 
2.5.5

[Qemu-devel] [PULL 14/30] linux-headers: update to Linux 4.6

[Paolo Bonzini]

From: Greg Kurz <gkurz@linux.vnet.ibm.com>

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-Id: <146424973656.5666.1543626214358208452.stgit@bahia.huguette.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 include/standard-headers/linux/pci_regs.h      | 20 +++++++++++++++++++-
 include/standard-headers/linux/virtio_config.h |  2 ++
 linux-headers/asm-arm/unistd.h                 |  2 ++
 linux-headers/asm-arm64/unistd.h               |  3 +++
 linux-headers/asm-powerpc/unistd.h             |  2 ++
 linux-headers/asm-s390/kvm.h                   |  1 +
 linux-headers/asm-s390/unistd.h                |  4 +++-
 linux-headers/asm-x86/kvm.h                    |  6 +++---
 linux-headers/asm-x86/unistd_x32.h             |  2 ++
 linux-headers/linux/kvm.h                      |  1 +
 10 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
index 1becea8..4040951 100644
--- a/include/standard-headers/linux/pci_regs.h
+++ b/include/standard-headers/linux/pci_regs.h
@@ -670,7 +670,8 @@
 #define PCI_EXT_CAP_ID_SECPCI	0x19	/* Secondary PCIe Capability */
 #define PCI_EXT_CAP_ID_PMUX	0x1A	/* Protocol Multiplexing */
 #define PCI_EXT_CAP_ID_PASID	0x1B	/* Process Address Space ID */
-#define PCI_EXT_CAP_ID_MAX	PCI_EXT_CAP_ID_PASID
+#define PCI_EXT_CAP_ID_DPC	0x1D	/* Downstream Port Containment */
+#define PCI_EXT_CAP_ID_MAX	PCI_EXT_CAP_ID_DPC
 
 #define PCI_EXT_CAP_DSN_SIZEOF	12
 #define PCI_EXT_CAP_MCAST_ENDPOINT_SIZEOF 40
@@ -946,4 +947,21 @@
 #define PCI_TPH_CAP_ST_SHIFT	16	/* st table shift */
 #define PCI_TPH_BASE_SIZEOF	12	/* size with no st table */
 
+/* Downstream Port Containment */
+#define PCI_EXP_DPC_CAP			4	/* DPC Capability */
+#define  PCI_EXP_DPC_CAP_RP_EXT		0x20	/* Root Port Extensions for DPC */
+#define  PCI_EXP_DPC_CAP_POISONED_TLP	0x40	/* Poisoned TLP Egress Blocking Supported */
+#define  PCI_EXP_DPC_CAP_SW_TRIGGER	0x80	/* Software Triggering Supported */
+#define  PCI_EXP_DPC_CAP_DL_ACTIVE	0x1000	/* ERR_COR signal on DL_Active supported */
+
+#define PCI_EXP_DPC_CTL			6	/* DPC control */
+#define  PCI_EXP_DPC_CTL_EN_NONFATAL 	0x02	/* Enable trigger on ERR_NONFATAL message */
+#define  PCI_EXP_DPC_CTL_INT_EN 	0x08	/* DPC Interrupt Enable */
+
+#define PCI_EXP_DPC_STATUS		8	/* DPC Status */
+#define  PCI_EXP_DPC_STATUS_TRIGGER	0x01	/* Trigger Status */
+#define  PCI_EXP_DPC_STATUS_INTERRUPT	0x08	/* Interrupt Status */
+
+#define PCI_EXP_DPC_SOURCE_ID		10	/* DPC Source Identifier */
+
 #endif /* LINUX_PCI_REGS_H */
diff --git a/include/standard-headers/linux/virtio_config.h b/include/standard-headers/linux/virtio_config.h
index bcc445b..b30d0cb 100644
--- a/include/standard-headers/linux/virtio_config.h
+++ b/include/standard-headers/linux/virtio_config.h
@@ -40,6 +40,8 @@
 #define VIRTIO_CONFIG_S_DRIVER_OK	4
 /* Driver has finished configuring features */
 #define VIRTIO_CONFIG_S_FEATURES_OK	8
+/* Device entered invalid state, driver must reset it */
+#define VIRTIO_CONFIG_S_NEEDS_RESET	0x40
 /* We've given up on this device. */
 #define VIRTIO_CONFIG_S_FAILED		0x80
 
diff --git a/linux-headers/asm-arm/unistd.h b/linux-headers/asm-arm/unistd.h
index 3f6f727..ceb5450 100644
--- a/linux-headers/asm-arm/unistd.h
+++ b/linux-headers/asm-arm/unistd.h
@@ -418,6 +418,8 @@
 #define __NR_membarrier			(__NR_SYSCALL_BASE+389)
 #define __NR_mlock2			(__NR_SYSCALL_BASE+390)
 #define __NR_copy_file_range		(__NR_SYSCALL_BASE+391)
+#define __NR_preadv2			(__NR_SYSCALL_BASE+392)
+#define __NR_pwritev2			(__NR_SYSCALL_BASE+393)
 
 /*
  * The following SWIs are ARM private.
diff --git a/linux-headers/asm-arm64/unistd.h b/linux-headers/asm-arm64/unistd.h
index 1caadc2..043d17a 100644
--- a/linux-headers/asm-arm64/unistd.h
+++ b/linux-headers/asm-arm64/unistd.h
@@ -13,4 +13,7 @@
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
+
+#define __ARCH_WANT_RENAMEAT
+
 #include <asm-generic/unistd.h>
diff --git a/linux-headers/asm-powerpc/unistd.h b/linux-headers/asm-powerpc/unistd.h
index cd92d98..1e66eba 100644
--- a/linux-headers/asm-powerpc/unistd.h
+++ b/linux-headers/asm-powerpc/unistd.h
@@ -390,5 +390,7 @@
 #define __NR_membarrier		365
 #define __NR_mlock2		378
 #define __NR_copy_file_range	379
+#define __NR_preadv2		380
+#define __NR_pwritev2		381
 
 #endif /* _ASM_POWERPC_UNISTD_H_ */
diff --git a/linux-headers/asm-s390/kvm.h b/linux-headers/asm-s390/kvm.h
index a59499b..09ae5dc 100644
--- a/linux-headers/asm-s390/kvm.h
+++ b/linux-headers/asm-s390/kvm.h
@@ -25,6 +25,7 @@
 #define KVM_DEV_FLIC_APF_DISABLE_WAIT	5
 #define KVM_DEV_FLIC_ADAPTER_REGISTER	6
 #define KVM_DEV_FLIC_ADAPTER_MODIFY	7
+#define KVM_DEV_FLIC_CLEAR_IO_IRQ	8
 /*
  * We can have up to 4*64k pending subchannels + 8 adapter interrupts,
  * as well as up  to ASYNC_PF_PER_VCPU*KVM_MAX_VCPUS pfault done interrupts.
diff --git a/linux-headers/asm-s390/unistd.h b/linux-headers/asm-s390/unistd.h
index 885837e..8a404fd 100644
--- a/linux-headers/asm-s390/unistd.h
+++ b/linux-headers/asm-s390/unistd.h
@@ -311,7 +311,9 @@
 #define __NR_shutdown		373
 #define __NR_mlock2		374
 #define __NR_copy_file_range	375
-#define NR_syscalls 376
+#define __NR_preadv2		376
+#define __NR_pwritev2		377
+#define NR_syscalls 378
 
 /* 
  * There are some system calls that are not present on 64 bit, some
diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
index cd54147..739c0c5 100644
--- a/linux-headers/asm-x86/kvm.h
+++ b/linux-headers/asm-x86/kvm.h
@@ -216,9 +216,9 @@ struct kvm_cpuid_entry2 {
 	__u32 padding[3];
 };
 
-#define KVM_CPUID_FLAG_SIGNIFCANT_INDEX		BIT(0)
-#define KVM_CPUID_FLAG_STATEFUL_FUNC		BIT(1)
-#define KVM_CPUID_FLAG_STATE_READ_NEXT		BIT(2)
+#define KVM_CPUID_FLAG_SIGNIFCANT_INDEX		(1 << 0)
+#define KVM_CPUID_FLAG_STATEFUL_FUNC		(1 << 1)
+#define KVM_CPUID_FLAG_STATE_READ_NEXT		(1 << 2)
 
 /* for KVM_SET_CPUID2 */
 struct kvm_cpuid2 {
diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
index 8f77ee8..0230779 100644
--- a/linux-headers/asm-x86/unistd_x32.h
+++ b/linux-headers/asm-x86/unistd_x32.h
@@ -306,7 +306,9 @@
 #define __NR_vmsplice (__X32_SYSCALL_BIT + 532)
 #define __NR_move_pages (__X32_SYSCALL_BIT + 533)
 #define __NR_preadv (__X32_SYSCALL_BIT + 534)
+#define __NR_preadv2 (__X32_SYSCALL_BIT + 534)
 #define __NR_pwritev (__X32_SYSCALL_BIT + 535)
+#define __NR_pwritev2 (__X32_SYSCALL_BIT + 535)
 #define __NR_rt_tgsigqueueinfo (__X32_SYSCALL_BIT + 536)
 #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
 #define __NR_sendmmsg (__X32_SYSCALL_BIT + 538)
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 3bae71a..e60e21b 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -865,6 +865,7 @@ struct kvm_ppc_smmu_info {
 #define KVM_CAP_SPAPR_TCE_64 125
 #define KVM_CAP_ARM_PMU_V3 126
 #define KVM_CAP_VCPU_ATTRIBUTES 127
+#define KVM_CAP_MAX_VCPU_ID 128
 
 #ifdef KVM_CAP_IRQ_ROUTING
 
-- 
2.5.5

[Qemu-devel] [PULL 15/30] KVM: use KVM_CAP_MAX_VCPU_ID

[Paolo Bonzini]

From: Greg Kurz <gkurz@linux.vnet.ibm.com>

As stated in linux/Documentation/virtual/kvm/api.txt:

The maximum possible value for max_vcpu_id can be retrieved using the
KVM_CAP_MAX_VCPU_ID of the KVM_CHECK_EXTENSION ioctl() at run-time.

If the KVM_CAP_MAX_VCPU_ID does not exist, you should assume that
max_vcpu_id is the same as the value returned from KVM_CAP_MAX_VCPUS.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-Id: <146424974323.5666.5471538288045048119.stgit@bahia.huguette.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 kvm-all.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kvm-all.c b/kvm-all.c
index 71af270..a88f917 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -1519,10 +1519,16 @@ static int kvm_max_vcpus(KVMState *s)
     return (ret) ? ret : kvm_recommended_vcpus(s);
 }
 
+static int kvm_max_vcpu_id(KVMState *s)
+{
+    int ret = kvm_check_extension(s, KVM_CAP_MAX_VCPU_ID);
+    return (ret) ? ret : kvm_max_vcpus(s);
+}
+
 bool kvm_vcpu_id_is_valid(int vcpu_id)
 {
     KVMState *s = KVM_STATE(current_machine->accelerator);
-    return vcpu_id >= 0 && vcpu_id < kvm_max_vcpus(s);
+    return vcpu_id >= 0 && vcpu_id < kvm_max_vcpu_id(s);
 }
 
 static int kvm_init(MachineState *ms)
-- 
2.5.5

[Qemu-devel] [PULL 16/30] vl.c: Add '-L help' which lists data dirs.

[Paolo Bonzini]

From: "Richard W.M. Jones" <rjones@redhat.com>

QEMU compiles a list of data directories from various sources.  When
consuming a QEMU binary it's useful to be able to get this list of
data directories: a primary reason is so you can list what BIOSes or
keymaps ship with this version of QEMU.  However without reproducing
the method that QEMU uses internally, it's not possible to get the
list of data directories.

This commit adds a simple '-L help' option that just lists out the
data directories as qemu calculates them:

$ ./x86_64-softmmu/qemu-system-x86_64 -L help
/home/rjones/d/qemu/pc-bios
/usr/local/share/qemu

$ ./x86_64-softmmu/qemu-system-x86_64 -L /tmp -L help
/tmp
/home/rjones/d/qemu/pc-bios
/usr/local/share/qemu

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463416475-11728-2-git-send-email-rjones@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-options.hx |  2 ++
 vl.c            | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index 0e42ba5..17f15ad 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3214,6 +3214,8 @@ STEXI
 @item -L  @var{path}
 @findex -L
 Set the directory for the BIOS, VGA BIOS and keymaps.
+
+To list all the data directories, use @code{-L help}.
 ETEXI
 
 DEF("bios", HAS_ARG, QEMU_OPTION_bios, \
diff --git a/vl.c b/vl.c
index b0bcc25..99c3030 100644
--- a/vl.c
+++ b/vl.c
@@ -2973,6 +2973,7 @@ int main(int argc, char **argv, char **envp)
     FILE *vmstate_dump_file = NULL;
     Error *main_loop_err = NULL;
     Error *err = NULL;
+    bool list_data_dirs = false;
 
     qemu_init_cpu_loop();
     qemu_mutex_lock_iothread();
@@ -3359,7 +3360,9 @@ int main(int argc, char **argv, char **envp)
                 add_device_config(DEV_GDB, optarg);
                 break;
             case QEMU_OPTION_L:
-                if (data_dir_idx < ARRAY_SIZE(data_dir)) {
+                if (is_help_option(optarg)) {
+                    list_data_dirs = true;
+                } else if (data_dir_idx < ARRAY_SIZE(data_dir)) {
                     data_dir[data_dir_idx++] = optarg;
                 }
                 break;
@@ -4091,6 +4094,14 @@ int main(int argc, char **argv, char **envp)
         data_dir[data_dir_idx++] = CONFIG_QEMU_DATADIR;
     }
 
+    /* -L help lists the data directories and exits. */
+    if (list_data_dirs) {
+        for (i = 0; i < data_dir_idx; i++) {
+            printf("%s\n", data_dir[i]);
+        }
+        exit(0);
+    }
+
     smp_parse(qemu_opts_find(qemu_find_opts("smp-opts"), NULL));
 
     machine_class->max_cpus = machine_class->max_cpus ?: 1; /* Default to UP */
-- 
2.5.5

[Qemu-devel] [PULL 17/30] nbd: Use BDRV_REQ_FUA for better FUA where supported

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

Rather than always flushing ourselves, let the block layer
forward the FUA on to the underlying device - where all
underlying layers also understand FUA, we are now more
efficient; and where any underlying layer doesn't understand
it, now the block layer takes care of the full flush fallback
on our behalf.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463006384-7734-2-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/server.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 91471f1..7063edb 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1038,6 +1038,7 @@ static void nbd_trip(void *opaque)
     struct nbd_reply reply;
     ssize_t ret;
     uint32_t command;
+    int flags;
 
     TRACE("Reading request.");
     if (client->closing) {
@@ -1114,23 +1115,18 @@ static void nbd_trip(void *opaque)
 
         TRACE("Writing to device");
 
+        flags = 0;
+        if (request.type & NBD_CMD_FLAG_FUA) {
+            flags |= BDRV_REQ_FUA;
+        }
         ret = blk_pwrite(exp->blk, request.from + exp->dev_offset,
-                         req->data, request.len, 0);
+                         req->data, request.len, flags);
         if (ret < 0) {
             LOG("writing to file failed");
             reply.error = -ret;
             goto error_reply;
         }
 
-        if (request.type & NBD_CMD_FLAG_FUA) {
-            ret = blk_co_flush(exp->blk);
-            if (ret < 0) {
-                LOG("flush failed");
-                reply.error = -ret;
-                goto error_reply;
-            }
-        }
-
         if (nbd_co_send_reply(req, &reply, 0) < 0) {
             goto out;
         }
-- 
2.5.5

[Qemu-devel] [PULL 18/30] nbd: More debug typo fixes, use correct formats

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

Clean up some debug message oddities missed earlier; this includes
some typos, and recognizing that %d is not necessarily compatible
with uint32_t. Also add a couple messages that I found useful
while debugging things.

Signed-off-by: Eric Blake <eblake@redhat.com>

Message-Id: <1463006384-7734-3-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/client.c | 41 ++++++++++++++++++++++-------------------
 nbd/server.c | 48 +++++++++++++++++++++++++++---------------------
 2 files changed, 49 insertions(+), 40 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 6d9c74d..c08aa85 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -109,25 +109,27 @@ static int nbd_handle_reply_err(QIOChannel *ioc, uint32_t opt, uint32_t type,
 
     switch (type) {
     case NBD_REP_ERR_UNSUP:
-        TRACE("server doesn't understand request %d, attempting fallback",
-              opt);
+        TRACE("server doesn't understand request %" PRIx32
+              ", attempting fallback", opt);
         result = 0;
         goto cleanup;
 
     case NBD_REP_ERR_POLICY:
-        error_setg(errp, "Denied by server for option %x", opt);
+        error_setg(errp, "Denied by server for option %" PRIx32, opt);
         break;
 
     case NBD_REP_ERR_INVALID:
-        error_setg(errp, "Invalid data length for option %x", opt);
+        error_setg(errp, "Invalid data length for option %" PRIx32, opt);
         break;
 
     case NBD_REP_ERR_TLS_REQD:
-        error_setg(errp, "TLS negotiation required before option %x", opt);
+        error_setg(errp, "TLS negotiation required before option %" PRIx32,
+                   opt);
         break;
 
     default:
-        error_setg(errp, "Unknown error code when asking for option %x", opt);
+        error_setg(errp, "Unknown error code when asking for option %" PRIx32,
+                   opt);
         break;
     }
 
@@ -165,7 +167,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
     }
     opt = be32_to_cpu(opt);
     if (opt != NBD_OPT_LIST) {
-        error_setg(errp, "Unexpected option type %x expected %x",
+        error_setg(errp, "Unexpected option type %" PRIx32 " expected %x",
                    opt, NBD_OPT_LIST);
         return -1;
     }
@@ -207,7 +209,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
             return -1;
         }
         if (namelen > 255) {
-            error_setg(errp, "export name length too long %d", namelen);
+            error_setg(errp, "export name length too long %" PRIu32, namelen);
             return -1;
         }
 
@@ -234,7 +236,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
             g_free(buf);
         }
     } else {
-        error_setg(errp, "Unexpected reply type %x expected %x",
+        error_setg(errp, "Unexpected reply type %" PRIx32 " expected %x",
                    type, NBD_REP_SERVER);
         return -1;
     }
@@ -349,7 +351,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     opt = be32_to_cpu(opt);
     if (opt != NBD_OPT_STARTTLS) {
-        error_setg(errp, "Unexpected option type %x expected %x",
+        error_setg(errp, "Unexpected option type %" PRIx32 " expected %x",
                    opt, NBD_OPT_STARTTLS);
         return NULL;
     }
@@ -361,7 +363,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     type = be32_to_cpu(type);
     if (type != NBD_REP_ACK) {
-        error_setg(errp, "Server rejected request to start TLS %x",
+        error_setg(errp, "Server rejected request to start TLS %" PRIx32,
                    type);
         return NULL;
     }
@@ -373,7 +375,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     length = be32_to_cpu(length);
     if (length != 0) {
-        error_setg(errp, "Start TLS response was not zero %x",
+        error_setg(errp, "Start TLS response was not zero %" PRIu32,
                    length);
         return NULL;
     }
@@ -384,7 +386,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
         return NULL;
     }
     data.loop = g_main_loop_new(g_main_context_default(), FALSE);
-    TRACE("Starting TLS hanshake");
+    TRACE("Starting TLS handshake");
     qio_channel_tls_handshake(tioc,
                               nbd_tls_handshake,
                               &data,
@@ -474,7 +476,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
         }
         globalflags = be16_to_cpu(globalflags);
         *flags = globalflags << 16;
-        TRACE("Global flags are %x", globalflags);
+        TRACE("Global flags are %" PRIx32, globalflags);
         if (globalflags & NBD_FLAG_FIXED_NEWSTYLE) {
             fixedNewStyle = true;
             TRACE("Server supports fixed new style");
@@ -550,7 +552,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
         }
         exportflags = be16_to_cpu(exportflags);
         *flags |= exportflags;
-        TRACE("Export flags are %x", exportflags);
+        TRACE("Export flags are %" PRIx16, exportflags);
     } else if (magic == NBD_CLIENT_MAGIC) {
         if (name) {
             error_setg(errp, "Server does not support export names");
@@ -683,7 +685,8 @@ ssize_t nbd_send_request(QIOChannel *ioc, struct nbd_request *request)
     ssize_t ret;
 
     TRACE("Sending request to server: "
-          "{ .from = %" PRIu64", .len = %u, .handle = %" PRIu64", .type=%i}",
+          "{ .from = %" PRIu64", .len = %" PRIu32 ", .handle = %" PRIu64
+          ", .type=%" PRIu16 " }",
           request->from, request->len, request->handle, request->type);
 
     stl_be_p(buf, NBD_REQUEST_MAGIC);
@@ -732,12 +735,12 @@ ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply *reply)
 
     reply->error = nbd_errno_to_system_errno(reply->error);
 
-    TRACE("Got reply: "
-          "{ magic = 0x%x, .error = %d, handle = %" PRIu64" }",
+    TRACE("Got reply: { magic = 0x%" PRIx32 ", .error = % " PRId32
+          ", handle = %" PRIu64" }",
           magic, reply->error, reply->handle);
 
     if (magic != NBD_REPLY_MAGIC) {
-        LOG("invalid magic (got 0x%x)", magic);
+        LOG("invalid magic (got 0x%" PRIx32 ")", magic);
         return -EINVAL;
     }
     return 0;
diff --git a/nbd/server.c b/nbd/server.c
index 7063edb..d377803 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -196,7 +196,7 @@ static int nbd_negotiate_send_rep(QIOChannel *ioc, uint32_t type, uint32_t opt)
     uint64_t magic;
     uint32_t len;
 
-    TRACE("Reply opt=%x type=%x", type, opt);
+    TRACE("Reply opt=%" PRIx32 " type=%" PRIx32, type, opt);
 
     magic = cpu_to_be64(NBD_REP_MAGIC);
     if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) {
@@ -226,7 +226,7 @@ static int nbd_negotiate_send_rep_list(QIOChannel *ioc, NBDExport *exp)
     uint64_t magic, name_len;
     uint32_t opt, type, len;
 
-    TRACE("Advertizing export name '%s'", exp->name ? exp->name : "");
+    TRACE("Advertising export name '%s'", exp->name ? exp->name : "");
     name_len = strlen(exp->name);
     magic = cpu_to_be64(NBD_REP_MAGIC);
     if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) {
@@ -392,12 +392,12 @@ static int nbd_negotiate_options(NBDClient *client)
     TRACE("Checking client flags");
     be32_to_cpus(&flags);
     if (flags & NBD_FLAG_C_FIXED_NEWSTYLE) {
-        TRACE("Support supports fixed newstyle handshake");
+        TRACE("Client supports fixed newstyle handshake");
         fixedNewstyle = true;
         flags &= ~NBD_FLAG_C_FIXED_NEWSTYLE;
     }
     if (flags != 0) {
-        TRACE("Unknown client flags 0x%x received", flags);
+        TRACE("Unknown client flags 0x%" PRIx32 " received", flags);
         return -EIO;
     }
 
@@ -431,12 +431,12 @@ static int nbd_negotiate_options(NBDClient *client)
         }
         length = be32_to_cpu(length);
 
-        TRACE("Checking option 0x%x", clientflags);
+        TRACE("Checking option 0x%" PRIx32, clientflags);
         if (client->tlscreds &&
             client->ioc == (QIOChannel *)client->sioc) {
             QIOChannel *tioc;
             if (!fixedNewstyle) {
-                TRACE("Unsupported option 0x%x", clientflags);
+                TRACE("Unsupported option 0x%" PRIx32, clientflags);
                 return -EINVAL;
             }
             switch (clientflags) {
@@ -455,7 +455,8 @@ static int nbd_negotiate_options(NBDClient *client)
                 return -EINVAL;
 
             default:
-                TRACE("Option 0x%x not permitted before TLS", clientflags);
+                TRACE("Option 0x%" PRIx32 " not permitted before TLS",
+                      clientflags);
                 if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
                     return -EIO;
                 }
@@ -493,7 +494,7 @@ static int nbd_negotiate_options(NBDClient *client)
                 }
                 break;
             default:
-                TRACE("Unsupported option 0x%x", clientflags);
+                TRACE("Unsupported option 0x%" PRIx32, clientflags);
                 if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
                     return -EIO;
                 }
@@ -511,7 +512,7 @@ static int nbd_negotiate_options(NBDClient *client)
                 return nbd_negotiate_handle_export_name(client, length);
 
             default:
-                TRACE("Unsupported option 0x%x", clientflags);
+                TRACE("Unsupported option 0x%" PRIx32, clientflags);
                 return -EINVAL;
             }
         }
@@ -560,6 +561,8 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
     oldStyle = client->exp != NULL && !client->tlscreds;
     if (oldStyle) {
         assert ((client->exp->nbdflags & ~65535) == 0);
+        TRACE("advertising size %" PRIu64 " and flags %" PRIx16,
+              client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 8, NBD_CLIENT_MAGIC);
         stq_be_p(buf + 16, client->exp->size);
         stw_be_p(buf + 26, client->exp->nbdflags | myflags);
@@ -589,6 +592,8 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
         }
 
         assert ((client->exp->nbdflags & ~65535) == 0);
+        TRACE("advertising size %" PRIu64 " and flags %" PRIx16,
+              client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 18, client->exp->size);
         stw_be_p(buf + 26, client->exp->nbdflags | myflags);
         if (nbd_negotiate_write(client->ioc, buf + 18, sizeof(buf) - 18) !=
@@ -652,12 +657,12 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, struct nbd_request *request)
     request->from   = ldq_be_p(buf + 16);
     request->len    = ldl_be_p(buf + 24);
 
-    TRACE("Got request: "
-          "{ magic = 0x%x, .type = %d, from = %" PRIu64" , len = %u }",
+    TRACE("Got request: { magic = 0x%" PRIx32 ", .type = %" PRIx32
+          ", from = %" PRIu64 " , len = %" PRIu32 " }",
           magic, request->type, request->from, request->len);
 
     if (magic != NBD_REQUEST_MAGIC) {
-        LOG("invalid magic (got 0x%x)", magic);
+        LOG("invalid magic (got 0x%" PRIx32 ")", magic);
         return -EINVAL;
     }
     return 0;
@@ -670,7 +675,8 @@ static ssize_t nbd_send_reply(QIOChannel *ioc, struct nbd_reply *reply)
 
     reply->error = system_errno_to_nbd_errno(reply->error);
 
-    TRACE("Sending response to client: { .error = %d, handle = %" PRIu64 " }",
+    TRACE("Sending response to client: { .error = %" PRId32
+          ", handle = %" PRIu64 " }",
           reply->error, reply->handle);
 
     /* Reply
@@ -999,7 +1005,7 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
     command = request->type & NBD_CMD_MASK_COMMAND;
     if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
         if (request->len > NBD_MAX_BUFFER_SIZE) {
-            LOG("len (%u) is larger than max len (%u)",
+            LOG("len (%" PRIu32" ) is larger than max len (%u)",
                 request->len, NBD_MAX_BUFFER_SIZE);
             rc = -EINVAL;
             goto out;
@@ -1012,7 +1018,7 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
         }
     }
     if (command == NBD_CMD_WRITE) {
-        TRACE("Reading %u byte(s)", request->len);
+        TRACE("Reading %" PRIu32 " byte(s)", request->len);
 
         if (read_sync(client->ioc, req->data, request->len) != request->len) {
             LOG("reading from socket failed");
@@ -1063,10 +1069,10 @@ static void nbd_trip(void *opaque)
     }
     command = request.type & NBD_CMD_MASK_COMMAND;
     if (command != NBD_CMD_DISC && (request.from + request.len) > exp->size) {
-            LOG("From: %" PRIu64 ", Len: %u, Size: %" PRIu64
-            ", Offset: %" PRIu64 "\n",
-                    request.from, request.len,
-                    (uint64_t)exp->size, (uint64_t)exp->dev_offset);
+            LOG("From: %" PRIu64 ", Len: %" PRIu32", Size: %" PRIu64
+                ", Offset: %" PRIu64 "\n",
+                request.from, request.len,
+                (uint64_t)exp->size, (uint64_t)exp->dev_offset);
         LOG("requested operation past EOF--bad client?");
         goto invalid_request;
     }
@@ -1100,7 +1106,7 @@ static void nbd_trip(void *opaque)
             goto error_reply;
         }
 
-        TRACE("Read %u byte(s)", request.len);
+        TRACE("Read %" PRIu32" byte(s)", request.len);
         if (nbd_co_send_reply(req, &reply, request.len) < 0)
             goto out;
         break;
@@ -1169,7 +1175,7 @@ static void nbd_trip(void *opaque)
         }
         break;
     default:
-        LOG("invalid request type (%u) received", request.type);
+        LOG("invalid request type (%" PRIu32 ") received", request.type);
     invalid_request:
         reply.error = EINVAL;
     error_reply:
-- 
2.5.5

[Qemu-devel] [PULL 19/30] nbd: Quit server after any write error

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

We should never ignore failure from nbd_negotiate_send_rep(); if
we are unable to write to the client, then it is not worth trying
to continue the negotiation.  Fortunately, the problem is not
too severe - chances are that the errors being ignored here (mainly
inability to write the reply to the client) are indications of
a closed connection or something similar, which will also affect
the next attempt to interact with the client and eventually reach
a point where the errors are detected to end the loop.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463006384-7734-4-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/server.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index d377803..8b0fc0f 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -334,7 +334,10 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client,
         return NULL;
     }
 
-    nbd_negotiate_send_rep(client->ioc, NBD_REP_ACK, NBD_OPT_STARTTLS);
+    if (nbd_negotiate_send_rep(client->ioc, NBD_REP_ACK,
+                               NBD_OPT_STARTTLS) < 0) {
+        return NULL;
+    }
 
     tioc = qio_channel_tls_new_server(ioc,
                                       client->tlscreds,
@@ -460,8 +463,11 @@ static int nbd_negotiate_options(NBDClient *client)
                 if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
                     return -EIO;
                 }
-                nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD,
-                                       clientflags);
+                ret = nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD,
+                                             clientflags);
+                if (ret < 0) {
+                    return ret;
+                }
                 break;
             }
         } else if (fixedNewstyle) {
@@ -485,12 +491,17 @@ static int nbd_negotiate_options(NBDClient *client)
                 }
                 if (client->tlscreds) {
                     TRACE("TLS already enabled");
-                    nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_INVALID,
-                                           clientflags);
+                    ret = nbd_negotiate_send_rep(client->ioc,
+                                                 NBD_REP_ERR_INVALID,
+                                                 clientflags);
                 } else {
                     TRACE("TLS not configured");
-                    nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_POLICY,
-                                           clientflags);
+                    ret = nbd_negotiate_send_rep(client->ioc,
+                                                 NBD_REP_ERR_POLICY,
+                                                 clientflags);
+                }
+                if (ret < 0) {
+                    return ret;
                 }
                 break;
             default:
@@ -498,8 +509,11 @@ static int nbd_negotiate_options(NBDClient *client)
                 if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
                     return -EIO;
                 }
-                nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_UNSUP,
-                                       clientflags);
+                ret = nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_UNSUP,
+                                             clientflags);
+                if (ret < 0) {
+                    return ret;
+                }
                 break;
             }
         } else {
-- 
2.5.5

[Qemu-devel] [PULL 20/30] nbd: Improve server handling of bogus commands

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

We have a few bugs in how we handle invalid client commands:

- A client can send an NBD_CMD_DISC where from + len overflows,
convincing us to reply with an error and stay connected, even
though the protocol requires us to silently disconnect. Fix by
hoisting the special case sooner.

- A client can send an NBD_CMD_WRITE where from + len overflows,
where we reply to the client with EINVAL without consuming the
payload; this will normally cause us to fail if the next thing
read is not the right magic, but in rare cases, could cause us
to interpret the data payload as valid commands and do things
not requested by the client. Fix by adding a complete flag to
track whether we are in sync or must disconnect.

Furthermore, we have split the checks for bogus from/len across
two functions, when it is easier to do it all at once.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463006384-7734-5-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/server.c | 66 +++++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 47 insertions(+), 19 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 8b0fc0f..0e71f78 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -52,6 +52,7 @@ struct NBDRequest {
     QSIMPLEQ_ENTRY(NBDRequest) entry;
     NBDClient *client;
     uint8_t *data;
+    bool complete;
 };
 
 struct NBDExport {
@@ -989,7 +990,13 @@ static ssize_t nbd_co_send_reply(NBDRequest *req, struct nbd_reply *reply,
     return rc;
 }
 
-static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *request)
+/* Collect a client request.  Return 0 if request looks valid, -EAGAIN
+ * to keep trying the collection, -EIO to drop connection right away,
+ * and any other negative value to report an error to the client
+ * (although the caller may still need to disconnect after reporting
+ * the error).  */
+static ssize_t nbd_co_receive_request(NBDRequest *req,
+                                      struct nbd_request *request)
 {
     NBDClient *client = req->client;
     uint32_t command;
@@ -1007,16 +1014,31 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
         goto out;
     }
 
+    TRACE("Decoding type");
+
+    command = request->type & NBD_CMD_MASK_COMMAND;
+    if (command != NBD_CMD_WRITE) {
+        /* No payload, we are ready to read the next request.  */
+        req->complete = true;
+    }
+
+    if (command == NBD_CMD_DISC) {
+        /* Special case: we're going to disconnect without a reply,
+         * whether or not flags, from, or len are bogus */
+        TRACE("Request type is DISCONNECT");
+        rc = -EIO;
+        goto out;
+    }
+
+    /* Check for sanity in the parameters, part 1.  Defer as many
+     * checks as possible until after reading any NBD_CMD_WRITE
+     * payload, so we can try and keep the connection alive.  */
     if ((request->from + request->len) < request->from) {
-        LOG("integer overflow detected! "
-            "you're probably being attacked");
+        LOG("integer overflow detected, you're probably being attacked");
         rc = -EINVAL;
         goto out;
     }
 
-    TRACE("Decoding type");
-
-    command = request->type & NBD_CMD_MASK_COMMAND;
     if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
         if (request->len > NBD_MAX_BUFFER_SIZE) {
             LOG("len (%" PRIu32" ) is larger than max len (%u)",
@@ -1039,7 +1061,18 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
             rc = -EIO;
             goto out;
         }
+        req->complete = true;
     }
+
+    /* Sanity checks, part 2. */
+    if (request->from + request->len > client->exp->size) {
+        LOG("operation past EOF; From: %" PRIu64 ", Len: %" PRIu32
+            ", Size: %" PRIu64, request->from, request->len,
+            (uint64_t)client->exp->size);
+        rc = command == NBD_CMD_WRITE ? -ENOSPC : -EINVAL;
+        goto out;
+    }
+
     rc = 0;
 
 out:
@@ -1082,14 +1115,6 @@ static void nbd_trip(void *opaque)
         goto error_reply;
     }
     command = request.type & NBD_CMD_MASK_COMMAND;
-    if (command != NBD_CMD_DISC && (request.from + request.len) > exp->size) {
-            LOG("From: %" PRIu64 ", Len: %" PRIu32", Size: %" PRIu64
-                ", Offset: %" PRIu64 "\n",
-                request.from, request.len,
-                (uint64_t)exp->size, (uint64_t)exp->dev_offset);
-        LOG("requested operation past EOF--bad client?");
-        goto invalid_request;
-    }
 
     if (client->closing) {
         /*
@@ -1151,10 +1176,11 @@ static void nbd_trip(void *opaque)
             goto out;
         }
         break;
+
     case NBD_CMD_DISC:
-        TRACE("Request type is DISCONNECT");
-        errno = 0;
-        goto out;
+        /* unreachable, thanks to special case in nbd_co_receive_request() */
+        abort();
+
     case NBD_CMD_FLUSH:
         TRACE("Request type is FLUSH");
 
@@ -1190,10 +1216,12 @@ static void nbd_trip(void *opaque)
         break;
     default:
         LOG("invalid request type (%" PRIu32 ") received", request.type);
-    invalid_request:
         reply.error = EINVAL;
     error_reply:
-        if (nbd_co_send_reply(req, &reply, 0) < 0) {
+        /* We must disconnect after NBD_CMD_WRITE if we did not
+         * read the payload.
+         */
+        if (nbd_co_send_reply(req, &reply, 0) < 0 || !req->complete) {
             goto out;
         }
         break;
-- 
2.5.5

[Qemu-devel] [PULL 21/30] nbd: Reject unknown request flags

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

The NBD protocol says that clients should not send a command flag
that has not been negotiated (whether by the client requesting an
option during a handshake, or because we advertise support for the
flag in response to NBD_OPT_EXPORT_NAME), and that servers should
reject invalid flags with EINVAL.  We were silently ignoring the
flags instead.  The client can't rely on our behavior, since it is
their fault for passing the bad flag in the first place, but it's
better to be robust up front than to possibly behave differently
than the client was expecting with the attempted flag.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alex Bligh <alex@alex.org.uk>
Message-Id: <1463006384-7734-6-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/server.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nbd/server.c b/nbd/server.c
index 0e71f78..b9c839e 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1072,6 +1072,11 @@ static ssize_t nbd_co_receive_request(NBDRequest *req,
         rc = command == NBD_CMD_WRITE ? -ENOSPC : -EINVAL;
         goto out;
     }
+    if (request->type & ~NBD_CMD_MASK_COMMAND & ~NBD_CMD_FLAG_FUA) {
+        LOG("unsupported flags (got 0x%x)",
+            request->type & ~NBD_CMD_MASK_COMMAND);
+        return -EINVAL;
+    }
 
     rc = 0;
 
-- 
2.5.5

[Qemu-devel] [PULL 22/30] nbd: Group all Linux-specific ioctl code in one place

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

NBD ioctl()s are used to manage an NBD client session where
initial handshake is done in userspace, but then the transmission
phase is handed off to the kernel through a /dev/nbdX device.
As such, all ioctls sent to the kernel on the /dev/nbdX fd belong
in client.c; nbd_disconnect() was out-of-place in server.c.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463006384-7734-7-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/client.c | 13 +++++++++++++
 nbd/server.c | 18 ------------------
 2 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index c08aa85..5604aa9 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -667,6 +667,15 @@ int nbd_client(int fd)
     errno = serrno;
     return ret;
 }
+
+int nbd_disconnect(int fd)
+{
+    ioctl(fd, NBD_CLEAR_QUE);
+    ioctl(fd, NBD_DISCONNECT);
+    ioctl(fd, NBD_CLEAR_SOCK);
+    return 0;
+}
+
 #else
 int nbd_init(int fd, QIOChannelSocket *ioc, uint32_t flags, off_t size)
 {
@@ -677,6 +686,10 @@ int nbd_client(int fd)
 {
     return -ENOTSUP;
 }
+int nbd_disconnect(int fd)
+{
+    return -ENOTSUP;
+}
 #endif
 
 ssize_t nbd_send_request(QIOChannel *ioc, struct nbd_request *request)
diff --git a/nbd/server.c b/nbd/server.c
index b9c839e..a21b536 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -624,24 +624,6 @@ fail:
     return rc;
 }
 
-#ifdef __linux__
-
-int nbd_disconnect(int fd)
-{
-    ioctl(fd, NBD_CLEAR_QUE);
-    ioctl(fd, NBD_DISCONNECT);
-    ioctl(fd, NBD_CLEAR_SOCK);
-    return 0;
-}
-
-#else
-
-int nbd_disconnect(int fd)
-{
-    return -ENOTSUP;
-}
-#endif
-
 static ssize_t nbd_receive_request(QIOChannel *ioc, struct nbd_request *request)
 {
     uint8_t buf[NBD_REQUEST_SIZE];
-- 
2.5.5

[Qemu-devel] [PULL 23/30] nbd: Clean up ioctl handling of qemu-nbd -c

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

The kernel ioctl() interface into NBD is limited to 'unsigned long';
we MUST pass in input with that type (and not int or size_t, as
there may be platform ABIs where the wrong types promote incorrectly
through var-args).  Furthermore, on 32-bit platforms, the kernel
is limited to a maximum export size of 2T (our BLKSIZE of 512 times
a SIZE_BLOCKS constrained by 32 bit unsigned long).

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463006384-7734-8-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/client.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 5604aa9..20e6daf 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -593,9 +593,15 @@ fail:
 #ifdef __linux__
 int nbd_init(int fd, QIOChannelSocket *sioc, uint32_t flags, off_t size)
 {
+    unsigned long sectors = size / BDRV_SECTOR_SIZE;
+    if (size / BDRV_SECTOR_SIZE != sectors) {
+        LOG("Export size %lld too large for 32-bit kernel", (long long) size);
+        return -E2BIG;
+    }
+
     TRACE("Setting NBD socket");
 
-    if (ioctl(fd, NBD_SET_SOCK, sioc->fd) < 0) {
+    if (ioctl(fd, NBD_SET_SOCK, (unsigned long) sioc->fd) < 0) {
         int serrno = errno;
         LOG("Failed to set NBD socket");
         return -serrno;
@@ -603,21 +609,25 @@ int nbd_init(int fd, QIOChannelSocket *sioc, uint32_t flags, off_t size)
 
     TRACE("Setting block size to %lu", (unsigned long)BDRV_SECTOR_SIZE);
 
-    if (ioctl(fd, NBD_SET_BLKSIZE, (size_t)BDRV_SECTOR_SIZE) < 0) {
+    if (ioctl(fd, NBD_SET_BLKSIZE, (unsigned long)BDRV_SECTOR_SIZE) < 0) {
         int serrno = errno;
         LOG("Failed setting NBD block size");
         return -serrno;
     }
 
-    TRACE("Setting size to %zd block(s)", (size_t)(size / BDRV_SECTOR_SIZE));
+    TRACE("Setting size to %lu block(s)", sectors);
+    if (size % BDRV_SECTOR_SIZE) {
+        TRACE("Ignoring trailing %d bytes of export",
+              (int) (size % BDRV_SECTOR_SIZE));
+    }
 
-    if (ioctl(fd, NBD_SET_SIZE_BLOCKS, (size_t)(size / BDRV_SECTOR_SIZE)) < 0) {
+    if (ioctl(fd, NBD_SET_SIZE_BLOCKS, sectors) < 0) {
         int serrno = errno;
         LOG("Failed setting size (in blocks)");
         return -serrno;
     }
 
-    if (ioctl(fd, NBD_SET_FLAGS, flags) < 0) {
+    if (ioctl(fd, NBD_SET_FLAGS, (unsigned long) flags) < 0) {
         if (errno == ENOTTY) {
             int read_only = (flags & NBD_FLAG_READ_ONLY) != 0;
             TRACE("Setting readonly attribute");
-- 
2.5.5

[Qemu-devel] [PULL 24/30] nbd: Detect servers that send unexpected error values

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

Add some debugging to flag servers that are not compliant to
the NBD protocol.  This would have flagged the server bug
fixed in commit c0301fcc.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alex Bligh <alex@alex.org.uk>

Message-Id: <1463006384-7734-11-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 nbd/client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nbd/client.c b/nbd/client.c
index 20e6daf..e8bf9fb 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -33,8 +33,10 @@ static int nbd_errno_to_system_errno(int err)
         return ENOMEM;
     case NBD_ENOSPC:
         return ENOSPC;
-    case NBD_EINVAL:
     default:
+        TRACE("Squashing unexpected error %d to EINVAL", err);
+        /* fallthrough */
+    case NBD_EINVAL:
         return EINVAL;
     }
 }
-- 
2.5.5

[Qemu-devel] [PULL 25/30] nbd: Avoid magic number for NBD max name size

[Paolo Bonzini]

From: Eric Blake <eblake@redhat.com>

Declare a constant and use that when determining if an export
name fits within the constraints we are willing to support.

Note that upstream NBD recently documented that clients MUST
support export names of 256 bytes (not including trailing NUL),
and SHOULD support names up to 4096 bytes.  4096 is a bit big
(we would lose benefits of stack-allocation of a name array),
and we already have other limits in place (for example, qcow2
snapshot names are clamped around 1024).  So for now, just
stick to the required minimum, as that's easier to audit than
a full-scale support for larger names.

Signed-off-by: Eric Blake <eblake@redhat.com>

Message-Id: <1463006384-7734-12-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 include/block/nbd.h | 6 ++++++
 nbd/client.c        | 2 +-
 nbd/server.c        | 4 ++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/block/nbd.h b/include/block/nbd.h
index 747bb0a..df1f804 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -77,6 +77,12 @@ enum {
 
 /* Maximum size of a single READ/WRITE data buffer */
 #define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
+/* Maximum size of an export name. The NBD spec requires 256 and
+ * suggests that servers support up to 4096, but we stick to only the
+ * required size so that we can stack-allocate the names, and because
+ * going larger would require an audit of more code to make sure we
+ * aren't overflowing some other buffer. */
+#define NBD_MAX_NAME_SIZE 256
 
 ssize_t nbd_wr_syncv(QIOChannel *ioc,
                      struct iovec *iov,
diff --git a/nbd/client.c b/nbd/client.c
index e8bf9fb..287487c 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -210,7 +210,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
             error_setg(errp, "incorrect option name length");
             return -1;
         }
-        if (namelen > 255) {
+        if (namelen > NBD_MAX_NAME_SIZE) {
             error_setg(errp, "export name length too long %" PRIu32, namelen);
             return -1;
         }
diff --git a/nbd/server.c b/nbd/server.c
index a21b536..ba950973 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -286,13 +286,13 @@ static int nbd_negotiate_handle_list(NBDClient *client, uint32_t length)
 static int nbd_negotiate_handle_export_name(NBDClient *client, uint32_t length)
 {
     int rc = -EINVAL;
-    char name[256];
+    char name[NBD_MAX_NAME_SIZE + 1];
 
     /* Client sends:
         [20 ..  xx]   export name (length bytes)
      */
     TRACE("Checking length");
-    if (length > 255) {
+    if (length >= sizeof(name)) {
         LOG("Bad length received");
         goto fail;
     }
-- 
2.5.5

[Qemu-devel] [PULL 26/30] scsi: esp: check buffer length before reading scsi command

[Paolo Bonzini]

From: Prasad J Pandit <pjp@fedoraproject.org>

The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
command into a buffer. Add check to validate command length against
buffer size to avoid any overrun.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/esp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3adb685..4b94bbc 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
         s->dma_memory_read(s->dma_opaque, buf, dmalen);
     } else {
         dmalen = s->ti_size;
+        if (dmalen > TI_BUFSZ) {
+            return 0;
+        }
         memcpy(buf, s->ti_buf, dmalen);
         buf[0] = buf[2] >> 5;
     }
-- 
2.5.5

[Qemu-devel] [PULL 27/30] scsi: esp: respect FIFO invariant after message phase

[Paolo Bonzini]

The FIFO contains two bytes; hence the write ptr should be two bytes ahead
of the read pointer.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/esp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4b94bbc..3f08598 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
     } else {
         s->ti_size = 2;
         s->ti_rptr = 0;
-        s->ti_wptr = 0;
+        s->ti_wptr = 2;
         s->rregs[ESP_RFLAGS] = 2;
     }
     esp_raise_irq(s);
-- 
2.5.5

[Qemu-devel] [PULL 28/30] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

[Paolo Bonzini]

Avoid duplicated code between esp_do_dma and handle_ti.  esp_do_dma
has the same code that handle_ti contains after the call to esp_do_dma;
but the code in handle_ti is never reached because it is in an "else if".
Remove the else and also the pointless return.

esp_do_dma also has a partially dead assignment of the to_device
variable.  Sink it to the point where it's actually used.

Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
only transfers data and not a command.  This is true because get_cmd
cancels the old request synchronously before its caller handle_satn_stop
sets do_cmd to 1.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/esp.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3f08598..64680b3 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
     uint32_t len;
     int to_device;
 
-    to_device = (s->ti_size < 0);
     len = s->dma_left;
     if (s->do_cmd) {
         trace_esp_do_dma(s->cmdlen, len);
         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
-        s->ti_size = 0;
-        s->cmdlen = 0;
-        s->do_cmd = 0;
-        do_cmd(s, s->cmdbuf);
         return;
     }
     if (s->async_len == 0) {
@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
     if (len > s->async_len) {
         len = s->async_len;
     }
+    to_device = (s->ti_size < 0);
     if (to_device) {
         s->dma_memory_read(s->dma_opaque, s->async_buf, len);
     } else {
@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
 {
     ESPState *s = req->hba_private;
 
+    assert(!s->do_cmd);
     trace_esp_transfer_data(s->dma_left, s->ti_size);
     s->async_len = len;
     s->async_buf = scsi_req_get_buf(req);
@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
         s->dma_left = minlen;
         s->rregs[ESP_RSTAT] &= ~STAT_TC;
         esp_do_dma(s);
-    } else if (s->do_cmd) {
+    }
+    if (s->do_cmd) {
         trace_esp_handle_ti_cmd(s->cmdlen);
         s->ti_size = 0;
         s->cmdlen = 0;
         s->do_cmd = 0;
         do_cmd(s, s->cmdbuf);
-        return;
     }
 }
 
-- 
2.5.5

[Qemu-devel] [PULL 29/30] scsi: esp: make cmdbuf big enough for maximum CDB size

[Paolo Bonzini]

From: Prasad J Pandit <pjp@fedoraproject.org>

While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes.  Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/esp.c         | 6 ++++--
 include/hw/scsi/esp.h | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 64680b3..baa0a2c 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s)
     len = s->dma_left;
     if (s->do_cmd) {
         trace_esp_do_dma(s->cmdlen, len);
+        assert (s->cmdlen <= sizeof(s->cmdbuf) &&
+                len <= sizeof(s->cmdbuf) - s->cmdlen);
         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
         return;
     }
@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s)
     s->dma_counter = dmalen;
 
     if (s->do_cmd)
-        minlen = (dmalen < 32) ? dmalen : 32;
+        minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
     else if (s->ti_size < 0)
         minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
     else
@@ -449,7 +451,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
         break;
     case ESP_FIFO:
         if (s->do_cmd) {
-            if (s->cmdlen < TI_BUFSZ) {
+            if (s->cmdlen < ESP_CMDBUF_SZ) {
                 s->cmdbuf[s->cmdlen++] = val & 0xff;
             } else {
                 trace_esp_error_fifo_overrun();
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
index 6c79527..d2c4886 100644
--- a/include/hw/scsi/esp.h
+++ b/include/hw/scsi/esp.h
@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
 
 #define ESP_REGS 16
 #define TI_BUFSZ 16
+#define ESP_CMDBUF_SZ 32
 
 typedef struct ESPState ESPState;
 
@@ -31,7 +32,7 @@ struct ESPState {
     SCSIBus bus;
     SCSIDevice *current_dev;
     SCSIRequest *current_req;
-    uint8_t cmdbuf[TI_BUFSZ];
+    uint8_t cmdbuf[ESP_CMDBUF_SZ];
     uint32_t cmdlen;
     uint32_t do_cmd;
 
-- 
2.5.5

[Qemu-devel] [PULL 30/30] vl: smp_parse: cleanups

[Paolo Bonzini]

From: Andrew Jones <drjones@redhat.com>

No functional changes; only some code movement and removal of
dead code (impossible conditions). Also, max_cpus can be
initialized to 1, like smp_cpus, because it's either set by the
user or set to smp_cpus, when smp_cpus is set by the user, or
set to 1, when nothing is set.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-Id: <1465580427-13596-2-git-send-email-drjones@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 vl.c | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/vl.c b/vl.c
index 99c3030..e69ebfd 100644
--- a/vl.c
+++ b/vl.c
@@ -154,7 +154,7 @@ CharDriverState *sclp_hds[MAX_SCLP_CONSOLES];
 int win2k_install_hack = 0;
 int singlestep = 0;
 int smp_cpus = 1;
-int max_cpus = 0;
+int max_cpus = 1;
 int smp_cores = 1;
 int smp_threads = 1;
 int acpi_enabled = 1;
@@ -1223,7 +1223,6 @@ static QemuOptsList qemu_smp_opts = {
 static void smp_parse(QemuOpts *opts)
 {
     if (opts) {
-
         unsigned cpus    = qemu_opt_get_number(opts, "cpus", 0);
         unsigned sockets = qemu_opt_get_number(opts, "sockets", 0);
         unsigned cores   = qemu_opt_get_number(opts, "cores", 0);
@@ -1251,6 +1250,17 @@ static void smp_parse(QemuOpts *opts)
         }
 
         max_cpus = qemu_opt_get_number(opts, "maxcpus", cpus);
+
+        if (max_cpus > MAX_CPUMASK_BITS) {
+            error_report("unsupported number of maxcpus");
+            exit(1);
+        }
+
+        if (max_cpus < cpus) {
+            error_report("maxcpus must be equal to or greater than smp");
+            exit(1);
+        }
+
         if (sockets * cores * threads > max_cpus) {
             error_report("cpu topology: "
                          "sockets (%u) * cores (%u) * threads (%u) > "
@@ -1260,25 +1270,11 @@ static void smp_parse(QemuOpts *opts)
         }
 
         smp_cpus = cpus;
-        smp_cores = cores > 0 ? cores : 1;
-        smp_threads = threads > 0 ? threads : 1;
-
-    }
-
-    if (max_cpus == 0) {
-        max_cpus = smp_cpus;
-    }
-
-    if (max_cpus > MAX_CPUMASK_BITS) {
-        error_report("unsupported number of maxcpus");
-        exit(1);
-    }
-    if (max_cpus < smp_cpus) {
-        error_report("maxcpus must be equal to or greater than smp");
-        exit(1);
+        smp_cores = cores;
+        smp_threads = threads;
     }
 
-    if (smp_cpus > 1 || smp_cores > 1 || smp_threads > 1) {
+    if (smp_cpus > 1) {
         Error *blocker = NULL;
         error_setg(&blocker, QERR_REPLAY_NOT_SUPPORTED, "smp");
         replay_add_blocker(blocker);
-- 
2.5.5

Re: [Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Peter Maydell]

On 16 June 2016 at 15:15, Paolo Bonzini <pbonzini@redhat.com> wrote:
> The following changes since commit da2fdd0bd1514a44309dd5be162ebfb6c166a716:
>
>   Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20160611' into staging (2016-06-13 10:12:44 +0100)
>
> are available in the git repository at:
>
>   git://github.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 2ab9b0ec185124607ff71ee4048e927016fad26d:
>
>   vl: smp_parse: cleanups (2016-06-16 14:35:20 +0200)
>
> ----------------------------------------------------------------
> * KVM startup speedup (Chao Peng)
> * configure fixes and cleanups (David, Thomas)
> * ctags fix (Sergey)
> * NBD cleanups (Peter, Eric)
> * "-L help" command line option (Richard)
> * More esp.c bugfixes (me, Prasad)
> * KVM_CAP_MAX_VCPU_ID support (Greg)

Hi. I'm afraid this generates format string warnings on OSX:

/Users/pm215/src/qemu-for-merges/nbd/server.c:580:34: warning: format
specifies type 'unsigned short' but the argument has type 'unsigned
int' [-Wformat]
              client->exp->size, client->exp->nbdflags | myflags);
                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:44:21: note:
expanded from macro 'TRACE'
        LOG(msg, ## __VA_ARGS__); \
                    ^
/Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:50:50: note:
expanded from macro 'LOG'
            __FILE__, __FUNCTION__, __LINE__, ## __VA_ARGS__); \
                                                 ^
/Users/pm215/src/qemu-for-merges/nbd/server.c:611:34: warning: format
specifies type 'unsigned short' but the argument has type 'unsigned
int' [-Wformat]
              client->exp->size, client->exp->nbdflags | myflags);
                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:44:21: note:
expanded from macro 'TRACE'
        LOG(msg, ## __VA_ARGS__); \
                    ^
/Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:50:50: note:
expanded from macro 'LOG'
            __FILE__, __FUNCTION__, __LINE__, ## __VA_ARGS__); \
                                                 ^
  CC    nbd/client.o
  CC    nbd/common.o
  CC    block/curl.o
/Users/pm215/src/qemu-for-merges/nbd/client.c:715:57: warning: format
specifies type 'unsigned short' but the argument has type 'uint32_t'
(aka 'unsigned int') [-Wformat]
          request->from, request->len, request->handle, request->type);
                                                        ^~~~~~~~~~~~~
/Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:44:21: note:
expanded from macro 'TRACE'
        LOG(msg, ## __VA_ARGS__); \
                    ^
/Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:50:50: note:
expanded from macro 'LOG'
            __FILE__, __FUNCTION__, __LINE__, ## __VA_ARGS__); \
                                                 ^
2 warnings generated.


thanks
-- PMM

Re: [Qemu-devel] [PULL 14/30] linux-headers: update to Linux 4.6

[Christian Borntraeger]

On 06/16/2016 04:16 PM, Paolo Bonzini wrote:
> From: Greg Kurz <gkurz@linux.vnet.ibm.com>
> 
> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> Message-Id: <146424973656.5666.1543626214358208452.stgit@bahia.huguette.org>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

We are already at 4.7-rc2.

commit ff804f15a120dee62bdcf17a8db84bf59d83d6eb

    linux-headers: update
    
    Update to 4.7-rc2.

Re: [Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Paolo Bonzini]

On 16/06/2016 18:02, Peter Maydell wrote:
> Hi. I'm afraid this generates format string warnings on OSX:

Interesting, I did test clang this time.  I'll fix it but really this 
is a compiler bug.  It's *impossible* to pass a short variable 
argument, hence va_arg(ap, short) *must* be the same as va_arg(ap, int).

I should start making a list of pointless clang warnings.

Paolo

diff --git a/nbd/server.c b/nbd/server.c
index ba950973..a677e26 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -576,7 +576,7 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
     oldStyle = client->exp != NULL && !client->tlscreds;
     if (oldStyle) {
         assert ((client->exp->nbdflags & ~65535) == 0);
-        TRACE("advertising size %" PRIu64 " and flags %" PRIx16,
+        TRACE("advertising size %" PRIu64 " and flags %x",
               client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 8, NBD_CLIENT_MAGIC);
         stq_be_p(buf + 16, client->exp->size);
@@ -607,7 +607,7 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
         }
 
         assert ((client->exp->nbdflags & ~65535) == 0);
-        TRACE("advertising size %" PRIu64 " and flags %" PRIx16,
+        TRACE("advertising size %" PRIu64 " and flags %x",
               client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 18, client->exp->size);
         stw_be_p(buf + 26, client->exp->nbdflags | myflags);


> /Users/pm215/src/qemu-for-merges/nbd/server.c:580:34: warning: format
> specifies type 'unsigned short' but the argument has type 'unsigned
> int' [-Wformat]
>               client->exp->size, client->exp->nbdflags | myflags);
>                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:44:21: note:
> expanded from macro 'TRACE'
>         LOG(msg, ## __VA_ARGS__); \
>                     ^
> /Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:50:50: note:
> expanded from macro 'LOG'
>             __FILE__, __FUNCTION__, __LINE__, ## __VA_ARGS__); \
>                                                  ^
> /Users/pm215/src/qemu-for-merges/nbd/server.c:611:34: warning: format
> specifies type 'unsigned short' but the argument has type 'unsigned
> int' [-Wformat]
>               client->exp->size, client->exp->nbdflags | myflags);
>                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:44:21: note:
> expanded from macro 'TRACE'
>         LOG(msg, ## __VA_ARGS__); \
>                     ^
> /Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:50:50: note:
> expanded from macro 'LOG'
>             __FILE__, __FUNCTION__, __LINE__, ## __VA_ARGS__); \
>                                                  ^
>   CC    nbd/client.o
>   CC    nbd/common.o
>   CC    block/curl.o
> /Users/pm215/src/qemu-for-merges/nbd/client.c:715:57: warning: format
> specifies type 'unsigned short' but the argument has type 'uint32_t'
> (aka 'unsigned int') [-Wformat]
>           request->from, request->len, request->handle, request->type);
>                                                         ^~~~~~~~~~~~~
> /Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:44:21: note:
> expanded from macro 'TRACE'
>         LOG(msg, ## __VA_ARGS__); \
>                     ^
> /Users/pm215/src/qemu-for-merges/nbd/nbd-internal.h:50:50: note:
> expanded from macro 'LOG'
>             __FILE__, __FUNCTION__, __LINE__, ## __VA_ARGS__); \
>                                                  ^

Re: [Qemu-devel] [PULL 14/30] linux-headers: update to Linux 4.6

[Greg Kurz]

On Thu, 16 Jun 2016 18:09:05 +0200
Christian Borntraeger <borntraeger@de.ibm.com> wrote:

> On 06/16/2016 04:16 PM, Paolo Bonzini wrote:
> > From: Greg Kurz <gkurz@linux.vnet.ibm.com>
> > 
> > Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> > Message-Id: <146424973656.5666.1543626214358208452.stgit@bahia.huguette.org>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>  
> 
> We are already at 4.7-rc2.
> 
> commit ff804f15a120dee62bdcf17a8db84bf59d83d6eb
> 
>     linux-headers: update
>     
>     Update to 4.7-rc2.
> 
> 
> 

The patches are identical and it looks like I did not put the right kernel
version in the subject. :-\

I guess we should keep Connie's patch... and Paolo to drop mine and do
another pull request. Sorry for the noise.

--
Greg

Re: [Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Peter Maydell]

On 16 June 2016 at 17:29, Paolo Bonzini <pbonzini@redhat.com> wrote:
> On 16/06/2016 18:02, Peter Maydell wrote:
>> Hi. I'm afraid this generates format string warnings on OSX:
>
> Interesting, I did test clang this time.  I'll fix it but really this
> is a compiler bug.  It's *impossible* to pass a short variable
> argument, hence va_arg(ap, short) *must* be the same as va_arg(ap, int).

This one's an OSX/Apple special -- it isn't part of the stock clang.
(It has its good points -- this is the only 64-bit platform that
will warn about format string issues that will break compile on
32-bit hosts.)

I guess the point of the warning in this particular case is to
say "you passed something that could be wider than a short but
you used a format specifier which is for a short/unsigned short"
(ie your format might be unintentionally dropping the top 16 bits
of the data).

thanks
-- PMM

Re: [Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Paolo Bonzini]

On 16/06/2016 18:55, Peter Maydell wrote:
>> > Interesting, I did test clang this time.  I'll fix it but really this
>> > is a compiler bug.  It's *impossible* to pass a short variable
>> > argument, hence va_arg(ap, short) *must* be the same as va_arg(ap, int).
> This one's an OSX/Apple special -- it isn't part of the stock clang.
> (It has its good points -- this is the only 64-bit platform that
> will warn about format string issues that will break compile on
> 32-bit hosts.)
> 
> I guess the point of the warning in this particular case is to
> say "you passed something that could be wider than a short but
> you used a format specifier which is for a short/unsigned short"
> (ie your format might be unintentionally dropping the top 16 bits
> of the data).

Does it fire even of

    void f(unsigned short x)
    {
       printf ("%hx", x | 1);
    }

?

Because technically that's an int too (and that's why I think this
particular warning is not a great thing)...

Paolo

Re: [Qemu-devel] [PULL 00/30] KVM, build, NBD, SCSI patches for 2016-06-16

[Peter Maydell]

On 16 June 2016 at 18:01, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Does it fire even of
>
>     void f(unsigned short x)
>     {
>        printf ("%hx", x | 1);
>     }
>
> ?
>
> Because technically that's an int too (and that's why I think this
> particular warning is not a great thing)...

Yes, it does. If you want to shut it up then you can do
(unsigned short)(x | 1).

-- PMM

Re: [Qemu-devel] [PULL 30/30] vl: smp_parse: cleanups

[Igor Mammedov]

On Thu, 16 Jun 2016 16:16:25 +0200
Paolo Bonzini <pbonzini@redhat.com> wrote:

> From: Andrew Jones <drjones@redhat.com>
> 
> No functional changes; only some code movement and removal of
> dead code (impossible conditions). Also, max_cpus can be
> initialized to 1, like smp_cpus, because it's either set by the
> user or set to smp_cpus, when smp_cpus is set by the user, or
> set to 1, when nothing is set.
> 
> Signed-off-by: Andrew Jones <drjones@redhat.com>
> Message-Id: <1465580427-13596-2-git-send-email-drjones@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
this patch broke master with following CLI
  -machine q35,accel=tcg -smp 2,cores=3,sockets=2,maxcpus=6



> ---
>  vl.c | 34 +++++++++++++++-------------------
>  1 file changed, 15 insertions(+), 19 deletions(-)
> 
> diff --git a/vl.c b/vl.c
> index 99c3030..e69ebfd 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -154,7 +154,7 @@ CharDriverState *sclp_hds[MAX_SCLP_CONSOLES];
>  int win2k_install_hack = 0;
>  int singlestep = 0;
>  int smp_cpus = 1;
> -int max_cpus = 0;
> +int max_cpus = 1;
>  int smp_cores = 1;
>  int smp_threads = 1;
>  int acpi_enabled = 1;
> @@ -1223,7 +1223,6 @@ static QemuOptsList qemu_smp_opts = {
>  static void smp_parse(QemuOpts *opts)
>  {
>      if (opts) {
> -
>          unsigned cpus    = qemu_opt_get_number(opts, "cpus", 0);
>          unsigned sockets = qemu_opt_get_number(opts, "sockets", 0);
>          unsigned cores   = qemu_opt_get_number(opts, "cores", 0);
> @@ -1251,6 +1250,17 @@ static void smp_parse(QemuOpts *opts)
>          }
>  
>          max_cpus = qemu_opt_get_number(opts, "maxcpus", cpus);
> +
> +        if (max_cpus > MAX_CPUMASK_BITS) {
> +            error_report("unsupported number of maxcpus");
> +            exit(1);
> +        }
> +
> +        if (max_cpus < cpus) {
> +            error_report("maxcpus must be equal to or greater than
> smp");
> +            exit(1);
> +        }
> +
>          if (sockets * cores * threads > max_cpus) {
>              error_report("cpu topology: "
>                           "sockets (%u) * cores (%u) * threads (%u) >
> " @@ -1260,25 +1270,11 @@ static void smp_parse(QemuOpts *opts)
>          }
>  
>          smp_cpus = cpus;
> -        smp_cores = cores > 0 ? cores : 1;
> -        smp_threads = threads > 0 ? threads : 1;
> -
> -    }
> -
> -    if (max_cpus == 0) {
> -        max_cpus = smp_cpus;
> -    }
> -
> -    if (max_cpus > MAX_CPUMASK_BITS) {
> -        error_report("unsupported number of maxcpus");
> -        exit(1);
> -    }
> -    if (max_cpus < smp_cpus) {
> -        error_report("maxcpus must be equal to or greater than smp");
> -        exit(1);
> +        smp_cores = cores;
> +        smp_threads = threads;
>      }
>  
> -    if (smp_cpus > 1 || smp_cores > 1 || smp_threads > 1) {
> +    if (smp_cpus > 1) {
>          Error *blocker = NULL;
>          error_setg(&blocker, QERR_REPLAY_NOT_SUPPORTED, "smp");
>          replay_add_blocker(blocker);

Re: [Qemu-devel] [PULL 30/30] vl: smp_parse: cleanups

[Andrew Jones]

On Tue, Jun 21, 2016 at 05:40:13PM +0200, Igor Mammedov wrote:
> On Thu, 16 Jun 2016 16:16:25 +0200
> Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> > From: Andrew Jones <drjones@redhat.com>
> > 
> > No functional changes; only some code movement and removal of
> > dead code (impossible conditions). Also, max_cpus can be
> > initialized to 1, like smp_cpus, because it's either set by the
> > user or set to smp_cpus, when smp_cpus is set by the user, or
> > set to 1, when nothing is set.
> > 
> > Signed-off-by: Andrew Jones <drjones@redhat.com>
> > Message-Id: <1465580427-13596-2-git-send-email-drjones@redhat.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> this patch broke master with following CLI
>   -machine q35,accel=tcg -smp 2,cores=3,sockets=2,maxcpus=6

I see why. The "real" problem is the whole using 'cpus' instead of
'maxcpus' again, but, since that ship sailed, I guess I should be
careful with calculations like

 threads = cpus / (cores * sockets)

which can result in zero.

I'll send a patch right now.

Thanks,
drew

> 
> 
> 
> > ---
> >  vl.c | 34 +++++++++++++++-------------------
> >  1 file changed, 15 insertions(+), 19 deletions(-)
> > 
> > diff --git a/vl.c b/vl.c
> > index 99c3030..e69ebfd 100644
> > --- a/vl.c
> > +++ b/vl.c
> > @@ -154,7 +154,7 @@ CharDriverState *sclp_hds[MAX_SCLP_CONSOLES];
> >  int win2k_install_hack = 0;
> >  int singlestep = 0;
> >  int smp_cpus = 1;
> > -int max_cpus = 0;
> > +int max_cpus = 1;
> >  int smp_cores = 1;
> >  int smp_threads = 1;
> >  int acpi_enabled = 1;
> > @@ -1223,7 +1223,6 @@ static QemuOptsList qemu_smp_opts = {
> >  static void smp_parse(QemuOpts *opts)
> >  {
> >      if (opts) {
> > -
> >          unsigned cpus    = qemu_opt_get_number(opts, "cpus", 0);
> >          unsigned sockets = qemu_opt_get_number(opts, "sockets", 0);
> >          unsigned cores   = qemu_opt_get_number(opts, "cores", 0);
> > @@ -1251,6 +1250,17 @@ static void smp_parse(QemuOpts *opts)
> >          }
> >  
> >          max_cpus = qemu_opt_get_number(opts, "maxcpus", cpus);
> > +
> > +        if (max_cpus > MAX_CPUMASK_BITS) {
> > +            error_report("unsupported number of maxcpus");
> > +            exit(1);
> > +        }
> > +
> > +        if (max_cpus < cpus) {
> > +            error_report("maxcpus must be equal to or greater than
> > smp");
> > +            exit(1);
> > +        }
> > +
> >          if (sockets * cores * threads > max_cpus) {
> >              error_report("cpu topology: "
> >                           "sockets (%u) * cores (%u) * threads (%u) >
> > " @@ -1260,25 +1270,11 @@ static void smp_parse(QemuOpts *opts)
> >          }
> >  
> >          smp_cpus = cpus;
> > -        smp_cores = cores > 0 ? cores : 1;
> > -        smp_threads = threads > 0 ? threads : 1;
> > -
> > -    }
> > -
> > -    if (max_cpus == 0) {
> > -        max_cpus = smp_cpus;
> > -    }
> > -
> > -    if (max_cpus > MAX_CPUMASK_BITS) {
> > -        error_report("unsupported number of maxcpus");
> > -        exit(1);
> > -    }
> > -    if (max_cpus < smp_cpus) {
> > -        error_report("maxcpus must be equal to or greater than smp");
> > -        exit(1);
> > +        smp_cores = cores;
> > +        smp_threads = threads;
> >      }
> >  
> > -    if (smp_cpus > 1 || smp_cores > 1 || smp_threads > 1) {
> > +    if (smp_cpus > 1) {
> >          Error *blocker = NULL;
> >          error_setg(&blocker, QERR_REPLAY_NOT_SUPPORTED, "smp");
> >          replay_add_blocker(blocker);
> 
>