[Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Michael Roth]

Hi everyone,

The following new patches are queued for QEMU stable v2.10.1:

  https://github.com/mdroth/qemu/commits/stable-2.10-staging

The release is planned for 2017-10-02:

  https://wiki.qemu.org/Planning/2.10

Please respond here or CC qemu-stable@nongnu.org on any patches you
think should be included in the release.

Testing/feedback is greatly appreciated.

Thanks!

----------------------------------------------------------------
Alex Williamson (1):
      vhost: Release memory references on cleanup

Farhan Ali (1):
      s390-ccw: Fix alignment for CCW1

Greg Kurz (1):
      virtfs: error out gracefully when mandatory suboptions are missing

Hannes Reinecke (1):
      scsi-bus: correct responses for INQUIRY and REQUEST SENSE

Marc-André Lureau (2):
      libvhost-user: support resuming vq->last_avail_idx based on used_idx
      vhost-user-bridge: fix resume regression (since 2.9)

Pavel Butsykin (1):
      qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing

Peter Maydell (1):
      mps2-an511: Fix wiring of UART overflow interrupt lines

Pranith Kumar (1):
      arm_gicv3_kvm: Fix compile warning

Richard Henderson (1):
      target/arm: Fix aa64 ldp register writeback

Samuel Thibault (1):
      slirp: fix clearing ifq_so from pending packets

Thomas Huth (1):
      hw/arm/allwinner-a10: Mark the allwinner-a10 device with user_creatable = false

 block/qcow2.c                         | 16 +++++++-------
 contrib/libvhost-user/libvhost-user.c | 13 ++++++++++++
 contrib/libvhost-user/libvhost-user.h |  7 +++++++
 hw/arm/allwinner-a10.c                |  2 ++
 hw/arm/mps2.c                         |  4 ++--
 hw/intc/arm_gicv3_kvm.c               |  2 +-
 hw/scsi/scsi-bus.c                    | 29 ++++++++++++++++++++++----
 hw/virtio/vhost.c                     |  4 ++++
 pc-bios/s390-ccw/cio.h                |  2 +-
 scripts/device-crash-test             |  1 -
 slirp/socket.c                        | 39 +++++++++++++++++++++--------------
 target/arm/translate-a64.c            | 29 +++++++++++++++-----------
 tests/vhost-user-bridge.c             |  7 +++++++
 vl.c                                  | 16 ++++++++------
 14 files changed, 120 insertions(+), 51 deletions(-)

[Qemu-devel] [PATCH 01/12] slirp: fix clearing ifq_so from pending packets

[Michael Roth]

From: Samuel Thibault <samuel.thibault@ens-lyon.org>

The if_fastq and if_batchq contain not only packets, but queues of packets
for the same socket. When sofree frees a socket, it thus has to clear ifq_so
from all the packets from the queues, not only the first.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 1201d308519f1e915866d7583d5136d03cc1d384)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 slirp/socket.c | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/slirp/socket.c b/slirp/socket.c
index ecec0295a9..cb7b5b608d 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -60,29 +60,36 @@ socreate(Slirp *slirp)
 }
 
 /*
+ * Remove references to so from the given message queue.
+ */
+static void
+soqfree(struct socket *so, struct quehead *qh)
+{
+    struct mbuf *ifq;
+
+    for (ifq = (struct mbuf *) qh->qh_link;
+             (struct quehead *) ifq != qh;
+             ifq = ifq->ifq_next) {
+        if (ifq->ifq_so == so) {
+            struct mbuf *ifm;
+            ifq->ifq_so = NULL;
+            for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
+                ifm->ifq_so = NULL;
+            }
+        }
+    }
+}
+
+/*
  * remque and free a socket, clobber cache
  */
 void
 sofree(struct socket *so)
 {
   Slirp *slirp = so->slirp;
-  struct mbuf *ifm;
 
-  for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
-       (struct quehead *) ifm != &slirp->if_fastq;
-       ifm = ifm->ifq_next) {
-    if (ifm->ifq_so == so) {
-      ifm->ifq_so = NULL;
-    }
-  }
-
-  for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
-       (struct quehead *) ifm != &slirp->if_batchq;
-       ifm = ifm->ifq_next) {
-    if (ifm->ifq_so == so) {
-      ifm->ifq_so = NULL;
-    }
-  }
+  soqfree(so, &slirp->if_fastq);
+  soqfree(so, &slirp->if_batchq);
 
   if (so->so_emu==EMU_RSH && so->extra) {
 	sofree(so->extra);
-- 
2.11.0

[Qemu-devel] [PATCH 02/12] s390-ccw: Fix alignment for CCW1

[Michael Roth]

From: Farhan Ali <alifm@linux.vnet.ibm.com>

The commit 198c0d1f9df8c4 s390x/css: check ccw address validity
exposes an alignment issue in ccw bios.

According to PoP the CCW must be doubleword aligned. Let's fix
this in the bios.

Cc: qemu-stable@nongnu.org
Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Reviewed-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: Eric Farman <farman@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Message-Id: <3ed8b810b6592daee6a775037ce21f850e40647d.1503667215.git.alifm@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
(cherry picked from commit 3a1e4561ad63b303b092387ae006bd41468ece63)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 pc-bios/s390-ccw/cio.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pc-bios/s390-ccw/cio.h b/pc-bios/s390-ccw/cio.h
index f5b4549ea3..55eaeee4b6 100644
--- a/pc-bios/s390-ccw/cio.h
+++ b/pc-bios/s390-ccw/cio.h
@@ -133,7 +133,7 @@ struct ccw1 {
     __u8 flags;
     __u16 count;
     __u32 cda;
-} __attribute__ ((packed));
+} __attribute__ ((packed, aligned(8)));
 
 #define CCW_FLAG_DC              0x80
 #define CCW_FLAG_CC              0x40
-- 
2.11.0

[Qemu-devel] [PATCH 03/12] target/arm: Fix aa64 ldp register writeback

[Michael Roth]

From: Richard Henderson <richard.henderson@linaro.org>

For "ldp x0, x1, [x0]", if the second load is on a second page and
the second page is unmapped, the exception would be raised with x0
already modified.  This means the instruction couldn't be restarted.

Cc: qemu-arm@nongnu.org
Cc: qemu-stable@nongnu.org
Reported-by: Andrew <andrew@fubar.geek.nz>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20170825224833.4463-1-richard.henderson@linaro.org
Fixes: https://bugs.launchpad.net/qemu/+bug/1713066
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
[PMM: tweaked comment format]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

(cherry picked from commit 3e4d91b94ce400326fae0850578d9e9f30a71adb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target/arm/translate-a64.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 2200e25be0..cb44632d16 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -2217,29 +2217,34 @@ static void disas_ldst_pair(DisasContext *s, uint32_t insn)
         } else {
             do_fp_st(s, rt, tcg_addr, size);
         }
-    } else {
-        TCGv_i64 tcg_rt = cpu_reg(s, rt);
-        if (is_load) {
-            do_gpr_ld(s, tcg_rt, tcg_addr, size, is_signed, false,
-                      false, 0, false, false);
-        } else {
-            do_gpr_st(s, tcg_rt, tcg_addr, size,
-                      false, 0, false, false);
-        }
-    }
-    tcg_gen_addi_i64(tcg_addr, tcg_addr, 1 << size);
-    if (is_vector) {
+        tcg_gen_addi_i64(tcg_addr, tcg_addr, 1 << size);
         if (is_load) {
             do_fp_ld(s, rt2, tcg_addr, size);
         } else {
             do_fp_st(s, rt2, tcg_addr, size);
         }
     } else {
+        TCGv_i64 tcg_rt = cpu_reg(s, rt);
         TCGv_i64 tcg_rt2 = cpu_reg(s, rt2);
+
         if (is_load) {
+            TCGv_i64 tmp = tcg_temp_new_i64();
+
+            /* Do not modify tcg_rt before recognizing any exception
+             * from the second load.
+             */
+            do_gpr_ld(s, tmp, tcg_addr, size, is_signed, false,
+                      false, 0, false, false);
+            tcg_gen_addi_i64(tcg_addr, tcg_addr, 1 << size);
             do_gpr_ld(s, tcg_rt2, tcg_addr, size, is_signed, false,
                       false, 0, false, false);
+
+            tcg_gen_mov_i64(tcg_rt, tmp);
+            tcg_temp_free_i64(tmp);
         } else {
+            do_gpr_st(s, tcg_rt, tcg_addr, size,
+                      false, 0, false, false);
+            tcg_gen_addi_i64(tcg_addr, tcg_addr, 1 << size);
             do_gpr_st(s, tcg_rt2, tcg_addr, size,
                       false, 0, false, false);
         }
-- 
2.11.0

[Qemu-devel] [PATCH 04/12] virtfs: error out gracefully when mandatory suboptions are missing

[Michael Roth]

From: Greg Kurz <groug@kaod.org>

We internally convert -virtfs to -fsdev/-device. If the user doesn't
provide the path or security_model suboptions, and the fsdev backend
requires them, we hit an assertion when populating the internal -fsdev
option:

util/qemu-option.c:547: opt_set: Assertion `opt->str' failed.
Aborted (core dumped)

Let's test the suboption presence on the command line before trying
to set it in the internal -fsdev option, and let the backend code
error out gracefully (ie, like it already does when the user passes
-fsdev on the command line).

Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 32b6943699948f7adc35ada233fbd25daffad5e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 vl.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/vl.c b/vl.c
index 8e247cc2a2..d63269332f 100644
--- a/vl.c
+++ b/vl.c
@@ -3557,7 +3557,7 @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_virtfs: {
                 QemuOpts *fsdev;
                 QemuOpts *device;
-                const char *writeout, *sock_fd, *socket;
+                const char *writeout, *sock_fd, *socket, *path, *security_model;
 
                 olist = qemu_find_opts("virtfs");
                 if (!olist) {
@@ -3596,11 +3596,15 @@ int main(int argc, char **argv, char **envp)
                 }
                 qemu_opt_set(fsdev, "fsdriver",
                              qemu_opt_get(opts, "fsdriver"), &error_abort);
-                qemu_opt_set(fsdev, "path", qemu_opt_get(opts, "path"),
-                             &error_abort);
-                qemu_opt_set(fsdev, "security_model",
-                             qemu_opt_get(opts, "security_model"),
-                             &error_abort);
+                path = qemu_opt_get(opts, "path");
+                if (path) {
+                    qemu_opt_set(fsdev, "path", path, &error_abort);
+                }
+                security_model = qemu_opt_get(opts, "security_model");
+                if (security_model) {
+                    qemu_opt_set(fsdev, "security_model", security_model,
+                                 &error_abort);
+                }
                 socket = qemu_opt_get(opts, "socket");
                 if (socket) {
                     qemu_opt_set(fsdev, "socket", socket, &error_abort);
-- 
2.11.0

[Qemu-devel] [PATCH 05/12] arm_gicv3_kvm: Fix compile warning

[Michael Roth]

From: Pranith Kumar <bobby.prani@gmail.com>

Fix the following warning:

/home/pranith/qemu/hw/intc/arm_gicv3_kvm.c:296:17: warning: logical not is only applied to the left hand side of this bitwise operator [-Wlogical-not-parentheses]
            if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
                ^             ~
/home/pranith/qemu/hw/intc/arm_gicv3_kvm.c:296:17: note: add parentheses after the '!' to evaluate the bitwise operator first
            if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
                ^
/home/pranith/qemu/hw/intc/arm_gicv3_kvm.c:296:17: note: add parentheses around left hand side expression to silence this warning
            if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
                ^

This logic error meant we were not setting the PTZ
bit when we should -- luckily as the comment suggests
this wouldn't have had any effects beyond making GIC
initialization take a little longer.

Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
Message-id: 20170829173226.7625-1-bobby.prani@gmail.com
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 7229ec5825df6b933f150b54a8a2bedd2de1864c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/intc/arm_gicv3_kvm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index 6051c77705..481fe5405a 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -293,7 +293,7 @@ static void kvm_arm_gicv3_put(GICv3State *s)
             kvm_gicr_access(s, GICR_PROPBASER + 4, ncpu, &regh, true);
 
             reg64 = c->gicr_pendbaser;
-            if (!c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS) {
+            if (!(c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS)) {
                 /* Setting PTZ is advised if LPIs are disabled, to reduce
                  * GIC initialization time.
                  */
-- 
2.11.0

[Qemu-devel] [PATCH 06/12] hw/arm/allwinner-a10: Mark the allwinner-a10 device with user_creatable = false

[Michael Roth]

From: Thomas Huth <thuth@redhat.com>

QEMU currently exits unexpectedly when the user accidentially
tries to do something like this:

$ aarch64-softmmu/qemu-system-aarch64 -S -M integratorcp -nographic
QEMU 2.9.93 monitor - type 'help' for more information
(qemu) device_add allwinner-a10
Unsupported NIC model: smc91c111

Exiting just due to a "device_add" should not happen. Looking closer
at the the realize and instance_init function of this device also
reveals that it is using serial_hds and nd_table directly there, so
this device is clearly not creatable by the user and should be marked
accordingly.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-id: 1503416789-32080-1-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit dc89a180caf143a5d596d3f2f776d13be83a687d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/arm/allwinner-a10.c    | 2 ++
 scripts/device-crash-test | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
index f62a9a3541..43a3f01f45 100644
--- a/hw/arm/allwinner-a10.c
+++ b/hw/arm/allwinner-a10.c
@@ -118,6 +118,8 @@ static void aw_a10_class_init(ObjectClass *oc, void *data)
     DeviceClass *dc = DEVICE_CLASS(oc);
 
     dc->realize = aw_a10_realize;
+    /* Reason: Uses serial_hds in realize and nd_table in instance_init */
+    dc->user_creatable = false;
 }
 
 static const TypeInfo aw_a10_type_info = {
diff --git a/scripts/device-crash-test b/scripts/device-crash-test
index e77b693eb2..81d65b9617 100755
--- a/scripts/device-crash-test
+++ b/scripts/device-crash-test
@@ -187,7 +187,6 @@ ERROR_WHITELIST = [
     {'log':r"Device [\w.,-]+ can not be dynamically instantiated"},
     {'log':r"Platform Bus: Can not fit MMIO region of size "},
     # other more specific errors we will ignore:
-    {'device':'allwinner-a10', 'log':"Unsupported NIC model:"},
     {'device':'.*-spapr-cpu-core', 'log':r"CPU core type should be"},
     {'log':r"MSI(-X)? is not supported by interrupt controller"},
     {'log':r"pxb-pcie? devices cannot reside on a PCIe? bus"},
-- 
2.11.0

[Qemu-devel] [PATCH 07/12] qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing

[Michael Roth]

From: Pavel Butsykin <pbutsykin@virtuozzo.com>

After calling qcow2_inactivate(), all qcow2 caches must be flushed, but this
may not happen, because the last call qcow2_store_persistent_dirty_bitmaps()
can lead to marking l2/refcont cache as dirty.

Let's move qcow2_store_persistent_dirty_bitmaps() before the caсhe flushing
to fix it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 83a8c775a8bf134eb18a719322939b74a818d750)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 40ba26c111..a756bf9541 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2053,6 +2053,14 @@ static int qcow2_inactivate(BlockDriverState *bs)
     int ret, result = 0;
     Error *local_err = NULL;
 
+    qcow2_store_persistent_dirty_bitmaps(bs, &local_err);
+    if (local_err != NULL) {
+        result = -EINVAL;
+        error_report_err(local_err);
+        error_report("Persistent bitmaps are lost for node '%s'",
+                     bdrv_get_device_or_node_name(bs));
+    }
+
     ret = qcow2_cache_flush(bs, s->l2_table_cache);
     if (ret) {
         result = ret;
@@ -2067,14 +2075,6 @@ static int qcow2_inactivate(BlockDriverState *bs)
                      strerror(-ret));
     }
 
-    qcow2_store_persistent_dirty_bitmaps(bs, &local_err);
-    if (local_err != NULL) {
-        result = -EINVAL;
-        error_report_err(local_err);
-        error_report("Persistent bitmaps are lost for node '%s'",
-                     bdrv_get_device_or_node_name(bs));
-    }
-
     if (result == 0) {
         qcow2_mark_clean(bs);
     }
-- 
2.11.0

[Qemu-devel] [PATCH 08/12] vhost: Release memory references on cleanup

[Michael Roth]

From: Alex Williamson <alex.williamson@redhat.com>

vhost registers a MemoryListener where it adds and removes references
to MemoryRegions as the MemoryRegionSections pass through.  The
region_add callback is invoked for each existing section when the
MemoryListener is registered, but unregistering the MemoryListener
performs no reciprocal region_del callback.  It's therefore the
owner of the MemoryListener's responsibility to cleanup any persistent
changes, such as these memory references, after unregistering.

The consequence of this bug is that if we have both a vhost device
and a vfio device, the vhost device will reference any mmap'd MMIO of
the vfio device via this MemoryListener.  If the vhost device is then
removed, those references remain outstanding.  If we then attempt to
remove the vfio device, it never gets finalized and the only way to
release the kernel file descriptors is to terminate the QEMU process.

Fixes: dfde4e6e1a86 ("memory: add ref/unref calls")
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org # v1.6.0+
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ee4c112846a0f2ac4fe5601918b0a2642ac8e2ed)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/vhost.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 6eddb099b0..b737ca915b 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -1356,6 +1356,10 @@ void vhost_dev_cleanup(struct vhost_dev *hdev)
     if (hdev->mem) {
         /* those are only safe after successful init */
         memory_listener_unregister(&hdev->memory_listener);
+        for (i = 0; i < hdev->n_mem_sections; ++i) {
+            MemoryRegionSection *section = &hdev->mem_sections[i];
+            memory_region_unref(section->mr);
+        }
         QLIST_REMOVE(hdev, entry);
     }
     if (hdev->migration_blocker) {
-- 
2.11.0

[Qemu-devel] [PATCH 09/12] mps2-an511: Fix wiring of UART overflow interrupt lines

[Michael Roth]

From: Peter Maydell <peter.maydell@linaro.org>

Fix an error that meant we were wiring every UART's overflow
interrupts into the same inputs 0 and 1 of the OR gate,
rather than giving each its own input.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1505232834-20890-1-git-send-email-peter.maydell@linaro.org
(cherry picked from commit ce3bc112cdb1d462e2d52eaa17a7314e7f3af504)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/arm/mps2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/mps2.c b/hw/arm/mps2.c
index abb0ab6d71..769cff872c 100644
--- a/hw/arm/mps2.c
+++ b/hw/arm/mps2.c
@@ -287,8 +287,8 @@ static void mps2_common_init(MachineState *machine)
             cmsdk_apb_uart_create(uartbase[i],
                                   qdev_get_gpio_in(txrx_orgate_dev, 0),
                                   qdev_get_gpio_in(txrx_orgate_dev, 1),
-                                  qdev_get_gpio_in(orgate_dev, 0),
-                                  qdev_get_gpio_in(orgate_dev, 1),
+                                  qdev_get_gpio_in(orgate_dev, i * 2),
+                                  qdev_get_gpio_in(orgate_dev, i * 2 + 1),
                                   NULL,
                                   uartchr, SYSCLK_FRQ);
         }
-- 
2.11.0

[Qemu-devel] [PATCH 10/12] scsi-bus: correct responses for INQUIRY and REQUEST SENSE

[Michael Roth]

From: Hannes Reinecke <hare@suse.de>

According to SPC-3 INQUIRY and REQUEST SENSE should return GOOD
even on unsupported LUNS.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Message-Id: <1503049022-14749-1-git-send-email-hare@suse.de>
Reported-by: Laszlo Ersek <lersek@redhat.com>
Fixes: ded6ddc5a7b95217557fa360913d1213e12d4a6d
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
(cherry picked from commit b07fbce6349c7b84642e7ed56c7a1ac3c1caca61)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-bus.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index e364410a23..ade31c11f5 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -516,8 +516,10 @@ static size_t scsi_sense_len(SCSIRequest *req)
 static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
 {
     SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
+    int fixed_sense = (req->cmd.buf[1] & 1) == 0;
 
-    if (req->lun != 0) {
+    if (req->lun != 0 &&
+        buf[0] != INQUIRY && buf[0] != REQUEST_SENSE) {
         scsi_req_build_sense(req, SENSE_CODE(LUN_NOT_SUPPORTED));
         scsi_req_complete(req, CHECK_CONDITION);
         return 0;
@@ -535,9 +537,28 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
         break;
     case REQUEST_SENSE:
         scsi_target_alloc_buf(&r->req, scsi_sense_len(req));
-        r->len = scsi_device_get_sense(r->req.dev, r->buf,
-                                       MIN(req->cmd.xfer, r->buf_len),
-                                       (req->cmd.buf[1] & 1) == 0);
+        if (req->lun != 0) {
+            const struct SCSISense sense = SENSE_CODE(LUN_NOT_SUPPORTED);
+
+            if (fixed_sense) {
+                r->buf[0] = 0x70;
+                r->buf[2] = sense.key;
+                r->buf[10] = 10;
+                r->buf[12] = sense.asc;
+                r->buf[13] = sense.ascq;
+                r->len = MIN(req->cmd.xfer, SCSI_SENSE_LEN);
+            } else {
+                r->buf[0] = 0x72;
+                r->buf[1] = sense.key;
+                r->buf[2] = sense.asc;
+                r->buf[3] = sense.ascq;
+                r->len = 8;
+            }
+        } else {
+            r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                           MIN(req->cmd.xfer, r->buf_len),
+                                           fixed_sense);
+        }
         if (r->req.dev->sense_is_ua) {
             scsi_device_unit_attention_reported(req->dev);
             r->req.dev->sense_len = 0;
-- 
2.11.0

[Qemu-devel] [PATCH 11/12] libvhost-user: support resuming vq->last_avail_idx based on used_idx

[Michael Roth]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

This is the same workaround as commit 523b018dde3b765, which was lost
with libvhost-user transition in commit e10e798c85c2331.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 35480cbfcb73143af66c8de4b444d686a46c2e88)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 contrib/libvhost-user/libvhost-user.c | 13 +++++++++++++
 contrib/libvhost-user/libvhost-user.h |  7 +++++++
 2 files changed, 20 insertions(+)

diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c
index 35fa0c5e56..d27d6303db 100644
--- a/contrib/libvhost-user/libvhost-user.c
+++ b/contrib/libvhost-user/libvhost-user.c
@@ -521,6 +521,19 @@ vu_set_vring_addr_exec(VuDev *dev, VhostUserMsg *vmsg)
 
     vq->used_idx = vq->vring.used->idx;
 
+    if (vq->last_avail_idx != vq->used_idx) {
+        bool resume = dev->iface->queue_is_processed_in_order &&
+            dev->iface->queue_is_processed_in_order(dev, index);
+
+        DPRINT("Last avail index != used index: %u != %u%s\n",
+               vq->last_avail_idx, vq->used_idx,
+               resume ? ", resuming" : "");
+
+        if (resume) {
+            vq->shadow_avail_idx = vq->last_avail_idx = vq->used_idx;
+        }
+    }
+
     return false;
 }
 
diff --git a/contrib/libvhost-user/libvhost-user.h b/contrib/libvhost-user/libvhost-user.h
index 53ef222c0b..4021f1124e 100644
--- a/contrib/libvhost-user/libvhost-user.h
+++ b/contrib/libvhost-user/libvhost-user.h
@@ -132,6 +132,7 @@ typedef void (*vu_set_features_cb) (VuDev *dev, uint64_t features);
 typedef int (*vu_process_msg_cb) (VuDev *dev, VhostUserMsg *vmsg,
                                   int *do_reply);
 typedef void (*vu_queue_set_started_cb) (VuDev *dev, int qidx, bool started);
+typedef bool (*vu_queue_is_processed_in_order_cb) (VuDev *dev, int qidx);
 
 typedef struct VuDevIface {
     /* called by VHOST_USER_GET_FEATURES to get the features bitmask */
@@ -148,6 +149,12 @@ typedef struct VuDevIface {
     vu_process_msg_cb process_msg;
     /* tells when queues can be processed */
     vu_queue_set_started_cb queue_set_started;
+    /*
+     * If the queue is processed in order, in which case it will be
+     * resumed to vring.used->idx. This can help to support resuming
+     * on unmanaged exit/crash.
+     */
+    vu_queue_is_processed_in_order_cb queue_is_processed_in_order;
 } VuDevIface;
 
 typedef void (*vu_queue_handler_cb) (VuDev *dev, int qidx);
-- 
2.11.0

[Qemu-devel] [PATCH 12/12] vhost-user-bridge: fix resume regression (since 2.9)

[Michael Roth]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Commit e10e798c85c2331 switched to libvhost-user which lacked support
for resuming the avail_idx based on used_idx.

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1485867

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 672339f7eff5e9226f302037290e84e783d2b5cd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/vhost-user-bridge.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tests/vhost-user-bridge.c b/tests/vhost-user-bridge.c
index 1e5b5ca3da..f922cc75ae 100644
--- a/tests/vhost-user-bridge.c
+++ b/tests/vhost-user-bridge.c
@@ -466,11 +466,18 @@ vubr_panic(VuDev *dev, const char *msg)
     vubr->quit = 1;
 }
 
+static bool
+vubr_queue_is_processed_in_order(VuDev *dev, int qidx)
+{
+    return true;
+}
+
 static const VuDevIface vuiface = {
     .get_features = vubr_get_features,
     .set_features = vubr_set_features,
     .process_msg = vubr_process_msg,
     .queue_set_started = vubr_queue_set_started,
+    .queue_is_processed_in_order = vubr_queue_is_processed_in_order,
 };
 
 static void
-- 
2.11.0

Re: [Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Thomas Huth]

On 20.09.2017 02:45, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.10.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.10-staging
> 
> The release is planned for 2017-10-02:
> 
>   https://wiki.qemu.org/Planning/2.10
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.

Looks like there have been some patches that fix CVEs, I think they
should be included, too:

e65294157d4b69393b3f819c99f4f647452b48e3
"vga: fix display update region calculation (split screen)"

3d90c6254863693a6b13d918d2b8682e08bbc681
"vga: stop passing pointers to vga_draw_line* functions"

ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb
"multiboot: validate multiboot header address values"

?


Apart from that, I'd like to suggest the following commits, since
without these patches, QEMU can crash during runtime when the user
accidentally issues the wrong device_add/del commands:

84ebd3e8c7d4fe955b359b9aac84395907b0412e
"watchdog/wdt_diag288: Mark diag288 watchdog as non-hotpluggable"

0d4fa4996fc5ee56ea7d072e272b8e69948460a5
"s390x/ipl: The s390-ipl device is not hot-pluggable"

f58f25599b72c7479e6a1ff67c7f671823aa14da
"hw/arm/digic: Mark device with user_creatable = false"

469f3da42ef4af347fa7831e1cc0bd35d17f5b83
"hw/arm/aspeed_soc: Mark devices as user_creatable = false"

4c93950659487c7ad4f85571ee78524c1e3a94b3
"hw/ide/microdrive: Mark the dscm1xxxx device with user_creatable = false"

955f5c7ba127746345a3d43b4d7c885ca159ae6b
"ide: ahci: unparent children buses before freeing their memory"


And searching the history for "assert", I think these are also good
candidates:

32b6943699948f7adc35ada233fbd25daffad5e9
"virtfs: error out gracefully when mandatory suboptions are missing"

1540008629bbb6a9c0826582d94ecf7a559f784c
"console: fix dpy_gfx_replace_surface assert"

 Thomas


> 
> ----------------------------------------------------------------
> Alex Williamson (1):
>       vhost: Release memory references on cleanup
> 
> Farhan Ali (1):
>       s390-ccw: Fix alignment for CCW1
> 
> Greg Kurz (1):
>       virtfs: error out gracefully when mandatory suboptions are missing
> 
> Hannes Reinecke (1):
>       scsi-bus: correct responses for INQUIRY and REQUEST SENSE
> 
> Marc-André Lureau (2):
>       libvhost-user: support resuming vq->last_avail_idx based on used_idx
>       vhost-user-bridge: fix resume regression (since 2.9)
> 
> Pavel Butsykin (1):
>       qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing
> 
> Peter Maydell (1):
>       mps2-an511: Fix wiring of UART overflow interrupt lines
> 
> Pranith Kumar (1):
>       arm_gicv3_kvm: Fix compile warning
> 
> Richard Henderson (1):
>       target/arm: Fix aa64 ldp register writeback
> 
> Samuel Thibault (1):
>       slirp: fix clearing ifq_so from pending packets
> 
> Thomas Huth (1):
>       hw/arm/allwinner-a10: Mark the allwinner-a10 device with user_creatable = false
> 
>  block/qcow2.c                         | 16 +++++++-------
>  contrib/libvhost-user/libvhost-user.c | 13 ++++++++++++
>  contrib/libvhost-user/libvhost-user.h |  7 +++++++
>  hw/arm/allwinner-a10.c                |  2 ++
>  hw/arm/mps2.c                         |  4 ++--
>  hw/intc/arm_gicv3_kvm.c               |  2 +-
>  hw/scsi/scsi-bus.c                    | 29 ++++++++++++++++++++++----
>  hw/virtio/vhost.c                     |  4 ++++
>  pc-bios/s390-ccw/cio.h                |  2 +-
>  scripts/device-crash-test             |  1 -
>  slirp/socket.c                        | 39 +++++++++++++++++++++--------------
>  target/arm/translate-a64.c            | 29 +++++++++++++++-----------
>  tests/vhost-user-bridge.c             |  7 +++++++
>  vl.c                                  | 16 ++++++++------
>  14 files changed, 120 insertions(+), 51 deletions(-)
> 
> 
> 

Re: [Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Greg Kurz]

On Tue, 19 Sep 2017 19:45:09 -0500
Michael Roth <mdroth@linux.vnet.ibm.com> wrote:

> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.10.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.10-staging
> 
> The release is planned for 2017-10-02:
> 
>   https://wiki.qemu.org/Planning/2.10
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.
> 

Hi Michael,

I'd like to suggest these patches that fix regressions introduced in 2.10:

6069537f4336a59054afda91a6545d3648c64619
"9pfs: fix readdir() for 9p2000.u"

4d8bc7334b06ef01a21cad3d1eb8dc183037a06b
"9pfs: fix name_to_path assertion in v9fs_complete_rename()"

772a73692ecb52bace0cff6f95df62f59b8cabe0
"9pfs: check the size of transport buffer before marshaling"

Cheers,

--
Greg

> Testing/feedback is greatly appreciated.
> 
> Thanks!
> 
> ----------------------------------------------------------------
> Alex Williamson (1):
>       vhost: Release memory references on cleanup
> 
> Farhan Ali (1):
>       s390-ccw: Fix alignment for CCW1
> 
> Greg Kurz (1):
>       virtfs: error out gracefully when mandatory suboptions are missing
> 
> Hannes Reinecke (1):
>       scsi-bus: correct responses for INQUIRY and REQUEST SENSE
> 
> Marc-André Lureau (2):
>       libvhost-user: support resuming vq->last_avail_idx based on used_idx
>       vhost-user-bridge: fix resume regression (since 2.9)
> 
> Pavel Butsykin (1):
>       qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing
> 
> Peter Maydell (1):
>       mps2-an511: Fix wiring of UART overflow interrupt lines
> 
> Pranith Kumar (1):
>       arm_gicv3_kvm: Fix compile warning
> 
> Richard Henderson (1):
>       target/arm: Fix aa64 ldp register writeback
> 
> Samuel Thibault (1):
>       slirp: fix clearing ifq_so from pending packets
> 
> Thomas Huth (1):
>       hw/arm/allwinner-a10: Mark the allwinner-a10 device with user_creatable = false
> 
>  block/qcow2.c                         | 16 +++++++-------
>  contrib/libvhost-user/libvhost-user.c | 13 ++++++++++++
>  contrib/libvhost-user/libvhost-user.h |  7 +++++++
>  hw/arm/allwinner-a10.c                |  2 ++
>  hw/arm/mps2.c                         |  4 ++--
>  hw/intc/arm_gicv3_kvm.c               |  2 +-
>  hw/scsi/scsi-bus.c                    | 29 ++++++++++++++++++++++----
>  hw/virtio/vhost.c                     |  4 ++++
>  pc-bios/s390-ccw/cio.h                |  2 +-
>  scripts/device-crash-test             |  1 -
>  slirp/socket.c                        | 39 +++++++++++++++++++++--------------
>  target/arm/translate-a64.c            | 29 +++++++++++++++-----------
>  tests/vhost-user-bridge.c             |  7 +++++++
>  vl.c                                  | 16 ++++++++------
>  14 files changed, 120 insertions(+), 51 deletions(-)
> 
> 
> 



-- 
Gregory Kurz                                     kurzgreg@fr.ibm.com
                                                 gkurz@linux.vnet.ibm.com
Software Engineer @ IBM/LTC                      http://www.ibm.com
Tel 33-5-6218-1607

"Anarchy is about taking complete responsibility for yourself."
        Alan Moore.

Re: [Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Michael Roth]

Quoting Michael Roth (2017-09-19 19:45:09)
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.10.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.10-staging
> 
> The release is planned for 2017-10-02:
> 
>   https://wiki.qemu.org/Planning/2.10

Thank you for the suggestions. The following additional patches are now queued:

  s390x/ais: for 2.10 stable: disable ais facility (Christian Borntraeger)
  9pfs: check the size of transport buffer before marshaling (Jan Dakinevich)
  9pfs: fix name_to_path assertion in v9fs_complete_rename() (Jan Dakinevich)
  9pfs: fix readdir() for 9p2000.u (Jan Dakinevich)
  console: fix dpy_gfx_replace_surface assert (Gerd Hoffmann)
  ide: ahci: unparent children buses before freeing their memory (Igor Mammedov)
  hw/ide/microdrive: Mark the dscm1xxxx device with user_creatable = false (Thomas Huth)
  hw/arm/aspeed_soc: Mark devices as user_creatable = false (Thomas Huth)
  hw/arm/digic: Mark device with user_creatable = false (Thomas Huth)
  s390x/ipl: The s390-ipl device is not hot-pluggable (Thomas Huth)
  watchdog/wdt_diag288: Mark diag288 watchdog as non-hotpluggable (Thomas Huth)
  multiboot: validate multiboot header address values (Prasad J Pandit)
  vga: stop passing pointers to vga_draw_line* functions (Gerd Hoffmann)
  vga: fix display update region calculation (split screen) (Gerd Hoffmann)

The following patches are tagged for inclusion, but still awaiting pull
requests:

  block/qcow2-bitmap: fix use of uninitialized pointer
  migration: disable auto-converge during bulk block migration
  accel/tcg/cputlb: avoid recursive BQL (fixes #1706296)
  virtio/vhost: reset dev->log after syncing
  block/throttle-groups.c: allocate RestartData on the heap
  throttle-groups: update tg->any_timer_armed[] on detach

> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.
> 
> Testing/feedback is greatly appreciated.
> 
> Thanks!
> 
> ----------------------------------------------------------------
> Alex Williamson (1):
>       vhost: Release memory references on cleanup
> 
> Farhan Ali (1):
>       s390-ccw: Fix alignment for CCW1
> 
> Greg Kurz (1):
>       virtfs: error out gracefully when mandatory suboptions are missing
> 
> Hannes Reinecke (1):
>       scsi-bus: correct responses for INQUIRY and REQUEST SENSE
> 
> Marc-André Lureau (2):
>       libvhost-user: support resuming vq->last_avail_idx based on used_idx
>       vhost-user-bridge: fix resume regression (since 2.9)
> 
> Pavel Butsykin (1):
>       qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache flushing
> 
> Peter Maydell (1):
>       mps2-an511: Fix wiring of UART overflow interrupt lines
> 
> Pranith Kumar (1):
>       arm_gicv3_kvm: Fix compile warning
> 
> Richard Henderson (1):
>       target/arm: Fix aa64 ldp register writeback
> 
> Samuel Thibault (1):
>       slirp: fix clearing ifq_so from pending packets
> 
> Thomas Huth (1):
>       hw/arm/allwinner-a10: Mark the allwinner-a10 device with user_creatable = false
> 
>  block/qcow2.c                         | 16 +++++++-------
>  contrib/libvhost-user/libvhost-user.c | 13 ++++++++++++
>  contrib/libvhost-user/libvhost-user.h |  7 +++++++
>  hw/arm/allwinner-a10.c                |  2 ++
>  hw/arm/mps2.c                         |  4 ++--
>  hw/intc/arm_gicv3_kvm.c               |  2 +-
>  hw/scsi/scsi-bus.c                    | 29 ++++++++++++++++++++++----
>  hw/virtio/vhost.c                     |  4 ++++
>  pc-bios/s390-ccw/cio.h                |  2 +-
>  scripts/device-crash-test             |  1 -
>  slirp/socket.c                        | 39 +++++++++++++++++++++--------------
>  target/arm/translate-a64.c            | 29 +++++++++++++++-----------
>  tests/vhost-user-bridge.c             |  7 +++++++
>  vl.c                                  | 16 ++++++++------
>  14 files changed, 120 insertions(+), 51 deletions(-)
> 
> 
> 

Re: [Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Anthony PERARD]

On Tue, Sep 19, 2017 at 07:45:09PM -0500, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.10.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.10-staging
> 
> The release is planned for 2017-10-02:
> 
>   https://wiki.qemu.org/Planning/2.10
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.

Hi,

I'd like to add this patch:

a3fd781f653db4dc76635715207c9029208634bd
"xen-disk: use g_new0 to fix build"


And maybe these three patches to fix a regression compared to 2.8:

f5855994fee2f8815dc86b8453e4a63e290aea05
"hw/acpi: Limit hotplug to root bus on legacy mode"

ab938ae43f8a3a71a3525566edf586081b7a7452
"hw/acpi: Move acpi_set_pci_info to pcihp"

2bed1ba77fae50bc8b5e68ede2d80b652b30c3b8
"Revert "ACPI: don't call acpi_pcihp_device_plug_cb on xen""


There is also two more patches that are not commited yet, so I don't
known if they can be candidate for the stable release:

"xen: add a global indicator for grant copy being available"
"xen: dont try setting max grants multiple times"


Thanks,

-- 
Anthony PERARD

Re: [Qemu-devel] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 642 bytes --]

On 09/19/2017 07:45 PM, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.10.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.10-staging
> 
> The release is planned for 2017-10-02:
> 
>   https://wiki.qemu.org/Planning/2.10
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.
> 

I just cc'd qemu-stable for 3c2d5183f9f, nbd-client: avoid read_reply_co
entry if send failed

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 619 bytes --]

Re: [Qemu-devel] [Qemu-stable] [PATCH 00/12] Patch Round-up for stable 2.10.1, freeze on 2017-09-27

[Bruce Rogers]

>>> On 9/25/2017 at 2:55 PM, <mdroth@linux.vnet.ibm.com> wrote:
> Quoting Michael Roth (2017-09-19 19:45:09)
>> Hi everyone,
>> 
>> The following new patches are queued for QEMU stable v2.10.1:
>> 
>>   https://github.com/mdroth/qemu/commits/stable-2.10-staging 
>> 
>> The release is planned for 2017-10-02:
>> 
>>   https://wiki.qemu.org/Planning/2.10 
> 
> Thank you for the suggestions. The following additional patches are now 
> queued:
> 
>   s390x/ais: for 2.10 stable: disable ais facility (Christian Borntraeger)
>   9pfs: check the size of transport buffer before marshaling (Jan 
> Dakinevich)
>   9pfs: fix name_to_path assertion in v9fs_complete_rename() (Jan 
> Dakinevich)
>   9pfs: fix readdir() for 9p2000.u (Jan Dakinevich)
>   console: fix dpy_gfx_replace_surface assert (Gerd Hoffmann)
>   ide: ahci: unparent children buses before freeing their memory (Igor 
> Mammedov)
>   hw/ide/microdrive: Mark the dscm1xxxx device with user_creatable = false 
> (Thomas Huth)
>   hw/arm/aspeed_soc: Mark devices as user_creatable = false (Thomas Huth)
>   hw/arm/digic: Mark device with user_creatable = false (Thomas Huth)
>   s390x/ipl: The s390-ipl device is not hot-pluggable (Thomas Huth)
>   watchdog/wdt_diag288: Mark diag288 watchdog as non-hotpluggable (Thomas 
> Huth)
>   multiboot: validate multiboot header address values (Prasad J Pandit)
>   vga: stop passing pointers to vga_draw_line* functions (Gerd Hoffmann)
>   vga: fix display update region calculation (split screen) (Gerd Hoffmann)
> 
> The following patches are tagged for inclusion, but still awaiting pull
> requests:
> 
>   block/qcow2-bitmap: fix use of uninitialized pointer
>   migration: disable auto-converge during bulk block migration
>   accel/tcg/cputlb: avoid recursive BQL (fixes #1706296)
>   virtio/vhost: reset dev->log after syncing
>   block/throttle-groups.c: allocate RestartData on the heap
>   throttle-groups: update tg->any_timer_armed[] on detach
> 
>> 
>> Please respond here or CC qemu-stable@nongnu.org on any patches you
>> think should be included in the release.
>> 
>> Testing/feedback is greatly appreciated.
>> 
>> Thanks!
>> 
>> ----------------------------------------------------------------
>> Alex Williamson (1):
>>       vhost: Release memory references on cleanup
>> 
>> Farhan Ali (1):
>>       s390-ccw: Fix alignment for CCW1
>> 
>> Greg Kurz (1):
>>       virtfs: error out gracefully when mandatory suboptions are missing
>> 
>> Hannes Reinecke (1):
>>       scsi-bus: correct responses for INQUIRY and REQUEST SENSE
>> 
>> Marc-André Lureau (2):
>>       libvhost-user: support resuming vq->last_avail_idx based on used_idx
>>       vhost-user-bridge: fix resume regression (since 2.9)
>> 
>> Pavel Butsykin (1):
>>       qcow2: move qcow2_store_persistent_dirty_bitmaps() before cache 
> flushing
>> 
>> Peter Maydell (1):
>>       mps2-an511: Fix wiring of UART overflow interrupt lines
>> 
>> Pranith Kumar (1):
>>       arm_gicv3_kvm: Fix compile warning
>> 
>> Richard Henderson (1):
>>       target/arm: Fix aa64 ldp register writeback
>> 
>> Samuel Thibault (1):
>>       slirp: fix clearing ifq_so from pending packets
>> 
>> Thomas Huth (1):
>>       hw/arm/allwinner-a10: Mark the allwinner-a10 device with 
> user_creatable = false
>> 
>>  block/qcow2.c                         | 16 +++++++-------
>>  contrib/libvhost-user/libvhost-user.c | 13 ++++++++++++
>>  contrib/libvhost-user/libvhost-user.h |  7 +++++++
>>  hw/arm/allwinner-a10.c                |  2 ++
>>  hw/arm/mps2.c                         |  4 ++--
>>  hw/intc/arm_gicv3_kvm.c               |  2 +-
>>  hw/scsi/scsi-bus.c                    | 29 ++++++++++++++++++++++----
>>  hw/virtio/vhost.c                     |  4 ++++
>>  pc-bios/s390-ccw/cio.h                |  2 +-
>>  scripts/device-crash-test             |  1 -
>>  slirp/socket.c                        | 39 
> +++++++++++++++++++++--------------
>>  targ
et/arm/translate-a64.c            | 29 +++++++++++++++-----------
>>  tests/vhost-user-bridge.c             |  7 +++++++
>>  vl.c                                  | 16 ++++++++------
>>  14 files changed, 120 insertions(+), 51 deletions(-)
>> 
>> 
>> 

Sounds like this one is also targeted for 2.10.1:
s390x/cpumodel: remove ais from z14 default model-> also for 2.10.1
Bruce