* [Qemu-devel] [PATCH stable-0.15 01/36] ccid: Fix buffer overrun in handling of VSC_ATR message
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 02/36] qdev: Reset hot-plugged devices Andreas Färber
` (35 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Anthony Liguori, Markus Armbruster, kvm, qemu-stable,
Bruce Rogers, Andreas Färber
From: Markus Armbruster <armbru@redhat.com>
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].
The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.
Spotted by Coverity. CVE-2011-4111.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Fixes BNC#731086.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ccid-card-passthru.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 28eb9d1..0505663 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
error_report("ATR size exceeds spec, ignoring");
ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
VSC_GENERAL_ERROR);
+ break;
}
memcpy(card->atr, data, scr_msg_header->length);
card->atr_length = scr_msg_header->length;
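Review bot: The memcpy() after the new break still copies scr_msg_header->length bytes, and nothing in the visible lines ties that length to the size of card->atr; the guard's condition sits above the hunk context. Since the length arrives over the character device, express the limit as sizeof(card->atr) in the guard (or assert it right before the copy) so the check and the buffer cannot drift apart, and add a comment that the break is what keeps an oversized ATR away from the copy.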
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 02/36] qdev: Reset hot-plugged devices
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Jan Kiszka, Anthony Liguori, kvm, qemu-stable,
Andreas Färber
From: Jan Kiszka <jan.kiszka@siemens.com>
Device models rely on the core invoking their reset handlers after init.
We do this in the cold-plug case, but so far we miss this step after
hot-plug.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba)
[AF: Fixes BNC#722958 / LTC#75394.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/qdev.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/hw/qdev.c b/hw/qdev.c
index a0fcd06..b4ea8e1 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -289,6 +289,9 @@ int qdev_init(DeviceState *dev)
dev->alias_required_for_version);
}
dev->state = DEV_STATE_INITIALIZED;
+ if (dev->hotplugged && dev->info->reset) {
+ dev->info->reset(dev);
+ }
return 0;
}
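Review bot: The new call in qdev_init() carries no comment explaining why only dev->hotplugged devices are reset here, so it reads like an omission for the cold-plug case. A one-line comment that cold-plugged devices are reset by the core elsewhere would settle that. Also note that the handler runs after dev->state is already DEV_STATE_INITIALIZED; if the ordering matters to any reset handler, say so next to the call.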
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 03/36] e1000: use MII status register for link up/down
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Bjørn Mork,
Andreas Färber
From: Bjørn Mork <bjorn@mork.no>
Some guests will use the standard MII status register
to verify link state. They will not notice link changes
unless this register is updated.
Verified with Linux 3.0 and Windows XP guests.
Without this patch, ethtool will report speed and duplex as
unknown when the link is down, but still report the link as
up. This is because the Linux e1000 driver checks the
mac_reg[STATUS] register link state before it checks speed
and duplex, but uses the phy_reg[PHY_STATUS] register for
the actual link state check. Fix by updating both registers
on link state changes.
Linux guest before:
(qemu) set_link e1000.0 off
kvm-sid:~# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: umbg
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
(qemu) set_link e1000.0 on
Linux guest after:
(qemu) set_link e1000.0 off
[ 63.384221] e1000: eth0 NIC Link is Down
kvm-sid:~# ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: umbg
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: no
(qemu) set_link e1000.0 on
[ 84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/e1000.c | 7 +++++--
hw/e1000_hw.h | 17 +++++++++++++++++
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index 96d84f9..e4d9ab5 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -624,10 +624,13 @@ e1000_set_link_status(VLANClientState *nc)
E1000State *s = DO_UPCAST(NICState, nc, nc)->opaque;
uint32_t old_status = s->mac_reg[STATUS];
- if (nc->link_down)
+ if (nc->link_down) {
s->mac_reg[STATUS] &= ~E1000_STATUS_LU;
- else
+ s->phy_reg[PHY_STATUS] &= ~MII_SR_LINK_STATUS;
+ } else {
s->mac_reg[STATUS] |= E1000_STATUS_LU;
+ s->phy_reg[PHY_STATUS] |= MII_SR_LINK_STATUS;
+ }
if (s->mac_reg[STATUS] != old_status)
set_ics(s, 0, E1000_ICR_LSC);
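Review bot: The link-status-change interrupt is still decided from mac_reg[STATUS] alone (old_status is compared only against that register), while phy_reg[PHY_STATUS] is now rewritten on every call. That holds only if the two bits start out in agreement, so please confirm that the reset value of phy_reg[PHY_STATUS] has MII_SR_LINK_STATUS set whenever E1000_STATUS_LU is set, and mention the pairing in a comment above the if.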
diff --git a/hw/e1000_hw.h b/hw/e1000_hw.h
index 9bd8a4b..2e341ac 100644
--- a/hw/e1000_hw.h
+++ b/hw/e1000_hw.h
@@ -349,6 +349,23 @@
#define M88E1000_PHY_VCO_REG_BIT8 0x100 /* Bits 8 & 11 are adjusted for */
#define M88E1000_PHY_VCO_REG_BIT11 0x800 /* improved BER performance */
+/* PHY Status Register */
+#define MII_SR_EXTENDED_CAPS 0x0001 /* Extended register capabilities */
+#define MII_SR_JABBER_DETECT 0x0002 /* Jabber Detected */
+#define MII_SR_LINK_STATUS 0x0004 /* Link Status 1 = link */
+#define MII_SR_AUTONEG_CAPS 0x0008 /* Auto Neg Capable */
+#define MII_SR_REMOTE_FAULT 0x0010 /* Remote Fault Detect */
+#define MII_SR_AUTONEG_COMPLETE 0x0020 /* Auto Neg Complete */
+#define MII_SR_PREAMBLE_SUPPRESS 0x0040 /* Preamble may be suppressed */
+#define MII_SR_EXTENDED_STATUS 0x0100 /* Ext. status info in Reg 0x0F */
+#define MII_SR_100T2_HD_CAPS 0x0200 /* 100T2 Half Duplex Capable */
+#define MII_SR_100T2_FD_CAPS 0x0400 /* 100T2 Full Duplex Capable */
+#define MII_SR_10T_HD_CAPS 0x0800 /* 10T Half Duplex Capable */
+#define MII_SR_10T_FD_CAPS 0x1000 /* 10T Full Duplex Capable */
+#define MII_SR_100X_HD_CAPS 0x2000 /* 100X Half Duplex Capable */
+#define MII_SR_100X_FD_CAPS 0x4000 /* 100X Full Duplex Capable */
+#define MII_SR_100T4_CAPS 0x8000 /* 100T4 Capable */
+
/* Interrupt Cause Read */
#define E1000_ICR_TXDW 0x00000001 /* Transmit desc written back */
#define E1000_ICR_TXQE 0x00000002 /* Transmit Queue empty */
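Review bot: The new PHY Status Register block skips bit 0x0080 between MII_SR_PREAMBLE_SUPPRESS (0x0040) and MII_SR_EXTENDED_STATUS (0x0100) without saying so. A short comment that the bit is intentionally left undefined would save the next reader from checking the list for a typo. Only MII_SR_LINK_STATUS is used by this patch, which is fine for a header, but worth stating in the commit message.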
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 04/36] e1000: Don't set the Capabilities List bit
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: dann frazier, Anthony Liguori, kvm, qemu-stable,
Andreas Färber
From: dann frazier <dann.frazier@canonical.com>
[Originally sent to qemu-kvm list, but I was redirected here]
The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of
this bit doesn't appear to change any behavior on Linux/Windows versions we've
tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk.
I happen to have a physical 82540EM controller, and it also sets the
Capabilities Bit, but it actually has items on the capabilities list to go
with it :)
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/e1000.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index e4d9ab5..7971457 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -1167,8 +1167,6 @@ static int pci_e1000_init(PCIDevice *pci_dev)
pci_conf = d->dev.config;
- /* TODO: we have no capabilities, so why is this bit set? */
- pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST);
/* TODO: RST# value should be 0, PCI spec 6.2.4 */
pci_conf[PCI_CACHE_LINE_SIZE] = 0x10;
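Review bot: Removing the pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST) line changes guest-visible PCI config space for every machine type at once, and nothing in the hunk preserves the old value for older machine types. If config space is compared or restored when migrating between versions, this needs a compat property; otherwise the commit message should say why the difference is harmless for a stable update.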
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 05/36] e1000: bounds packet size against buffer size
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Andreas Färber,
Bruce Rogers
From: Anthony Liguori <aliguori@us.ibm.com>
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/e1000.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index 7971457..c91790b 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
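Review bot: In the added clamp, sizeof(tp->data) - tp->size is unsigned arithmetic, so it is only safe while tp->size <= sizeof(tp->data) holds on entry; if that invariant is ever broken the subtraction wraps and MIN() leaves bytes unclamped. An explicit check for tp->size >= sizeof(tp->data) before the cpu_physical_memory_read() would make the bound self-contained. Please also confirm that a clamp to 0 bytes cannot leave the enclosing loop without progress, since the loop condition is outside the visible context.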
@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
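Review bot: The MIN(sizeof(tp->data) - tp->size, ...) expression is open-coded here a second time, and at both sites an oversized descriptor is truncated silently. A small helper returning the space left in tp->data would keep the two sites in step, and a DBGOUT(TXERR, ...) when the clamp actually shortens split_size, like the one in the branch just above, would make a misbehaving guest visible in debug logs.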
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 06/36] compatfd.c: Don't pass NULL pointer to SYS_signalfd
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Peter Maydell, kvm, qemu-stable, Bruce Rogers, Andrzej Zaborowski,
Andreas Färber
From: Peter Maydell <peter.maydell@linaro.org>
Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available():
this isn't valid and Valgrind complains about it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
compatfd.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/compatfd.c b/compatfd.c
index 31654c6..02306a4 100644
--- a/compatfd.c
+++ b/compatfd.c
@@ -119,9 +119,17 @@ int qemu_signalfd(const sigset_t *mask)
bool qemu_signalfd_available(void)
{
#ifdef CONFIG_SIGNALFD
+ sigset_t mask;
+ int fd;
+ bool ok;
+ sigemptyset(&mask);
errno = 0;
- syscall(SYS_signalfd, -1, NULL, _NSIG / 8);
- return errno != ENOSYS;
+ fd = syscall(SYS_signalfd, -1, &mask, _NSIG / 8);
+ ok = (errno != ENOSYS);
+ if (fd >= 0) {
+ close(fd);
+ }
+ return ok;
#else
return false;
#endif
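Review bot: ok is derived from errno even when the syscall succeeds, which works only because errno is zeroed just before; errno is meaningful only after a failure. Writing it as ok = (fd >= 0 || errno != ENOSYS) states the intent directly. Computing ok before close(fd) is the right order, since close() may overwrite errno, and a short comment there would keep anyone from reordering the two.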
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 07/36] kvm: avoid reentring kvm_flush_coalesced_mmio_buffer()
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Bruce Rogers, kvm, qemu-stable, Andreas Färber, Avi Kivity
From: Avi Kivity <avi@redhat.com>
mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may
themselves indirectly call kvm_flush_coalesced_mmio_buffer().
Prevent reentering the function by checking a flag that indicates
we're processing coalesced mmio requests.
Signed-off-by: Avi Kivity <avi@redhat.com>
(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
kvm-all.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/kvm-all.c b/kvm-all.c
index cbc2532..26621d0 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -64,6 +64,7 @@ struct KVMState
int vmfd;
int coalesced_mmio;
struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
+ bool coalesced_flush_in_progress;
int broken_set_mem_region;
int migration_log;
int vcpu_events;
@@ -876,6 +877,13 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
void kvm_flush_coalesced_mmio_buffer(void)
{
KVMState *s = kvm_state;
+
+ if (s->coalesced_flush_in_progress) {
+ return;
+ }
+
+ s->coalesced_flush_in_progress = true;
+
if (s->coalesced_mmio_ring) {
struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring;
while (ring->first != ring->last) {
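Review bot: A nested call now leaves through the new early return without having drained the ring, so a caller reached from an mmio callback can no longer assume the buffer is empty when kvm_flush_coalesced_mmio_buffer() returns. Please document that at the function. The comment should also name the lock that protects coalesced_flush_in_progress, since a plain bool gives no protection if two threads can reach this function concurrently.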
@@ -888,6 +896,8 @@ void kvm_flush_coalesced_mmio_buffer(void)
ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX;
}
}
+
+ s->coalesced_flush_in_progress = false;
}
static void do_kvm_cpu_synchronize_state(void *_env)
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 08/36] vmdk: vmdk_read_cid returns garbage if p_name is NULL
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Stefan Hajnoczi, kvm, qemu-stable, Pavel Borzenkov, Bruce Rogers,
Andreas Färber
From: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Spotted by Clang Analyzer
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 37478d2..b5caa40 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -177,7 +177,7 @@ static void vmdk_free_extents(BlockDriverState *bs)
static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
{
char desc[DESC_SIZE];
- uint32_t cid;
+ uint32_t cid = 0xffffffff;
const char *p_name, *cid_str;
size_t cid_str_size;
BDRVVmdkState *s = bs->opaque;
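Review bot: The initializer 0xffffffff on cid is a bare magic number with no comment on what it means to callers. Say whether it is a sentinel for "CID not found" or a value chosen to compare as a mismatch, preferably through a named constant, so that the p_name == NULL path named in the subject has a defined result rather than merely a deterministic one. The commit message would also benefit from one sentence on which callers consume the value.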
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 09/36] block: Fix bdrv_open use after free
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
tmp_filename was used outside the block it was defined in, i.e. after it went
out of scope. Move its declaration to the top level.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/block.c b/block.c
index 9549b9e..4ebb18b 100644
--- a/block.c
+++ b/block.c
@@ -526,6 +526,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
BlockDriver *drv)
{
int ret;
+ char tmp_filename[PATH_MAX];
if (flags & BDRV_O_SNAPSHOT) {
BlockDriverState *bs1;
@@ -533,7 +534,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
int is_protocol = 0;
BlockDriver *bdrv_qcow2;
QEMUOptionParameter *options;
- char tmp_filename[PATH_MAX];
char backing_filename[PATH_MAX];
/* if snapshot, we create a temporary backing file and open it
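Review bot: backing_filename[PATH_MAX] stays declared in the inner snapshot block while tmp_filename moves to function scope. Please confirm that no pointer to backing_filename is kept past the end of that block, for the same reason tmp_filename had to move. The subject also says "use after free", while the message describes a stack array used after its scope ended; naming it that way would make the fix easier to find later.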
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 10/36] ide: Fix off-by-one error in array index check
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ide/core.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index d145b19..9bc446e 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1933,7 +1933,7 @@ static int ide_drive_pio_post_load(void *opaque, int version_id)
{
IDEState *s = opaque;
- if (s->end_transfer_fn_idx > ARRAY_SIZE(transfer_end_table)) {
+ if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
return -EINVAL;
}
s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
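Review bot: The commit message has no body, so the impact of the off-by-one is left for the reader to work out. The check guards the transfer_end_table[s->end_transfer_fn_idx] lookup two lines below, whose result is stored as a function pointer, and the index is validated in a post_load handler; with the old > comparison, a value equal to ARRAY_SIZE(transfer_end_table) read one element past the table. That belongs in the message so the backport can be prioritised.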
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 11/36] acl: Fix use after free in qemu_acl_reset()
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Stefan Hajnoczi, Markus Armbruster, kvm, qemu-stable,
Bruce Rogers, Andreas Färber
From: Markus Armbruster <armbru@redhat.com>
Reproducer:
$ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...]
QEMU 0.15.50 monitor - type 'help' for more information
(qemu) acl_add vnc.username fred allow
acl: added rule at position 1
(qemu) acl_reset vnc.username
Segmentation fault (core dumped)
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
acl.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/acl.c b/acl.c
index 82c2704..cae059f 100644
--- a/acl.c
+++ b/acl.c
@@ -95,13 +95,13 @@ int qemu_acl_party_is_allowed(qemu_acl *acl,
void qemu_acl_reset(qemu_acl *acl)
{
- qemu_acl_entry *entry;
+ qemu_acl_entry *entry, *next_entry;
/* Put back to deny by default, so there is no window
* of "open access" while the user re-initializes the
* access control list */
acl->defaultDeny = 1;
- QTAILQ_FOREACH(entry, &acl->entries, next) {
+ QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) {
QTAILQ_REMOVE(&acl->entries, entry, next);
free(entry->match);
free(entry);
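Review bot: Other loops in acl.c should be checked for the pattern fixed here, a plain QTAILQ_FOREACH whose body calls QTAILQ_REMOVE and free() on the iterator, since the macro reads the freed entry to advance. The code after this loop is outside the hunk; please confirm it resets any cached entry count so the list and its bookkeeping agree once every entry is gone.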
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 12/36] migration: flush migration data to disk.
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Anthony Liguori, Juan Quintela, kvm, qemu-stable, Bruce Rogers,
Gerd Hoffmann, Jiri Denemark, Andreas Färber
From: Gerd Hoffmann <kraxel@redhat.com>
This patch increases robustness when migrating to a file with
two little changes:
(1) Before closing the migration file handle checks if it happens to be
a regular file and if so it issues a fsync. This way the data is
flushed to disk before qemu sends the migration completed event.
(2) It adds error checking. In case either fsync or close syscall
fails pass up the error (and fail migration).
[ v2: return -errno instead of -1 ]
Cc: Juan Quintela <quintela@redhat.com>
Cc: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
migration-fd.c | 23 ++++++++++++++++++++++-
1 files changed, 22 insertions(+), 1 deletions(-)
diff --git a/migration-fd.c b/migration-fd.c
index 66d51c1..f986bdf 100644
--- a/migration-fd.c
+++ b/migration-fd.c
@@ -42,10 +42,31 @@ static int fd_write(FdMigrationState *s, const void * buf, size_t size)
static int fd_close(FdMigrationState *s)
{
+ struct stat st;
+ int ret;
+
DPRINTF("fd_close\n");
if (s->fd != -1) {
- close(s->fd);
+ ret = fstat(s->fd, &st);
+ if (ret == 0 && S_ISREG(st.st_mode)) {
+ /*
+ * If the file handle is a regular file make sure the
+ * data is flushed to disk before signaling success.
+ */
+ ret = fsync(s->fd);
+ if (ret != 0) {
+ ret = -errno;
+ perror("migration-fd: fsync");
+ return ret;
+ }
+ }
+ ret = close(s->fd);
s->fd = -1;
+ if (ret != 0) {
+ ret = -errno;
+ perror("migration-fd: close");
+ return ret;
+ }
}
return 0;
}
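Review bot: On fsync() failure the function returns before close(), leaving the descriptor open and s->fd still set, so the fd leaks unless the caller invokes fd_close() again. Close the descriptor and set s->fd = -1 on that path as well, then return the -errno saved from fsync(). A failing fstat() is also ignored silently, which skips the fsync altogether; that case deserves at least a comment.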
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 13/36] Fix X86 CPU topology in KVM mode
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Bruce Rogers, Bharata B Rao,
Andreas Färber
From: Bharata B Rao <bharata.rao@gmail.com>
apic id returned to guest kernel in ebx for cpuid(function=1) depends on
CPUX86State->cpuid_apic_id which gets populated after the cpuid information
is cached in the host kernel. This results in broken CPU topology in guest.
Fix this by setting cpuid_apic_id before cpuid information is passed to
the host kernel. This is done by moving the setting of cpuid_apic_id
to cpu_x86_init() where it will work for both KVM as well as TCG modes.
Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Bharata B Rao <bharata.rao@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pc.c | 1 -
target-i386/helper.c | 1 +
2 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/pc.c b/hw/pc.c
index a3e8539..14ce684 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -931,7 +931,6 @@ static CPUState *pc_new_cpu(const char *cpu_model)
exit(1);
}
if ((env->cpuid_features & CPUID_APIC) || smp_cpus > 1) {
- env->cpuid_apic_id = env->cpu_index;
env->apic_state = apic_init(env, env->cpuid_apic_id);
}
qemu_register_reset(pc_cpu_reset, env);
diff --git a/target-i386/helper.c b/target-i386/helper.c
index e9be104..829c1da 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -1258,6 +1258,7 @@ CPUX86State *cpu_x86_init(const char *cpu_model)
cpu_x86_close(env);
return NULL;
}
+ env->cpuid_apic_id = env->cpu_index;
mce_init(env);
qemu_init_vcpu(env);
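Review bot: The new env->cpuid_apic_id assignment in cpu_x86_init() only fixes the problem because it sits before qemu_init_vcpu(env), and nothing in the code says so. Add a comment that cpuid_apic_id must be set before the vcpu is initialised, otherwise a later reordering brings the bug back. apic_init() in hw/pc.c now relies on this assignment having run, which is worth a note there too.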
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 14/36] hw/lan9118.c: Add missing 'break' to fix buffer overrun
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Peter Maydell, Stefan Hajnoczi, kvm, qemu-stable, Bruce Rogers,
Andreas Färber
From: Peter Maydell <peter.maydell@linaro.org>
Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/lan9118.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/hw/lan9118.c b/hw/lan9118.c
index 73a8661..494b11d 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -863,6 +863,7 @@ static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
} else {
DPRINTF("EEPROM Write All (ignored)\n");
}
+ break;
case 5: /* ERASE */
if (s->eeprom_writable) {
s->eeprom[addr] = 0xff;
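Review bot: The remaining cases of this switch should be checked for the same omission: without the added break, the write-all case fell through into case 5 and, when eeprom_writable is set, executed s->eeprom[addr] = 0xff. Mark any fallthrough that is intended with a comment so it can be told apart from a bug, and say in the commit message which value of addr made the fallthrough write out of bounds.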
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 15/36] ac97: don't override the pci subsystem id
From: Andreas Färber @ 2012-03-28 12:52 UTC
To: qemu-devel
Cc: Anthony Liguori, Takashi Iwai, kvm, qemu-stable, Bruce Rogers,
Gerd Hoffmann, Andreas Färber
From: Gerd Hoffmann <kraxel@redhat.com>
This patch removes the code lines which set the subsystem id for the
emulated ac97 card to 8086:0000. Due to the device id being zero the
subsystem id isn't valid anyway. With the patch applied the sound card
gets the default qemu subsystem id (1af4:1100) instead.
[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ac97.c | 16 +++++++++++-----
hw/pc_piix.c | 16 ++++++++++++++++
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/hw/ac97.c b/hw/ac97.c
index 0b59896..a039481 100644
--- a/hw/ac97.c
+++ b/hw/ac97.c
@@ -149,6 +149,7 @@ typedef struct AC97BusMasterRegs {
typedef struct AC97LinkState {
PCIDevice dev;
QEMUSoundCard card;
+ uint32_t use_broken_id;
uint32_t glob_cnt;
uint32_t glob_sta;
uint32_t cas;
@@ -1301,11 +1302,12 @@ static int ac97_initfn (PCIDevice *dev)
c[PCI_BASE_ADDRESS_0 + 6] = 0x00;
c[PCI_BASE_ADDRESS_0 + 7] = 0x00;
- c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86; /* svid subsystem vendor id rwo */
- c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
-
- c[PCI_SUBSYSTEM_ID] = 0x00; /* sid subsystem id rwo */
- c[PCI_SUBSYSTEM_ID + 1] = 0x00;
+ if (s->use_broken_id) {
+ c[PCI_SUBSYSTEM_VENDOR_ID] = 0x86;
+ c[PCI_SUBSYSTEM_VENDOR_ID + 1] = 0x80;
+ c[PCI_SUBSYSTEM_ID] = 0x00;
+ c[PCI_SUBSYSTEM_ID + 1] = 0x00;
+ }
c[PCI_INTERRUPT_LINE] = 0x00; /* intr_ln interrupt line rw */
/* TODO: RST# value should be 0. */
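Review bot: in the `if (s->use_broken_id)` block the per-register comments (`svid subsystem vendor id rwo`, `sid subsystem id rwo`) were dropped along with the unconditional writes, and nothing says what applies when the flag is 0. A one-line comment stating that the legacy 8086:0000 value is kept only for old machine types, and that the default qemu subsystem id is used otherwise, would make the branch self-explanatory.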
@@ -1336,6 +1338,10 @@ static PCIDeviceInfo ac97_info = {
.device_id = PCI_DEVICE_ID_INTEL_82801AA_5,
.revision = 0x01,
.class_id = PCI_CLASS_MULTIMEDIA_AUDIO,
+ .qdev.props = (Property[]) {
+ DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0),
+ DEFINE_PROP_END_OF_LIST(),
+ }
};
static void ac97_register (void)
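Review bot: `use_broken_id` is declared with `DEFINE_PROP_UINT32` but is only tested for truth in `ac97_initfn`, so any non-zero value enables the old id. If this tree offers a bit or boolean property type, it would state the intent better. Either way the property is user-settable and should be documented as a compat-only knob.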
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index c5c16b4..31552fd 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -300,6 +300,10 @@ static QEMUMachine pc_machine_v0_13 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
},
@@ -343,6 +347,10 @@ static QEMUMachine pc_machine_v0_12 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
}
@@ -394,6 +402,10 @@ static QEMUMachine pc_machine_v0_11 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
}
@@ -457,6 +469,10 @@ static QEMUMachine pc_machine_v0_10 = {
.driver = "virtio-net-pci",
.property = "event_idx",
.value = "off",
+ },{
+ .driver = "AC97",
+ .property = "use_broken_id",
+ .value = stringify(1),
},
{ /* end of list */ }
},
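Review bot: the compat entry is added to `pc_machine_v0_13`, `pc_machine_v0_12`, `pc_machine_v0_11` and `pc_machine_v0_10` only. For a stable-0.15 backport, please confirm that every machine type existing guests may be running under 0.15.x is covered; otherwise a point release changes the guest-visible subsystem id from 8086:0000 to 1af4:1100 for those guests. The four identical blocks could also share one macro so that a later compat property is not missed in one of the lists.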
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 16/36] vvfat: Fix potential buffer overflow
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (14 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 15/36] ac97: don't override the pci subsystem id Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 17/36] vns/tls: don't use depricated gnutls functions Andreas Färber
` (20 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
path2[PATH_MAX] can be used for the null termination, so make the array big
enough to allow this.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vvfat.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/block/vvfat.c b/block/vvfat.c
index fe568fe..98b58f0 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -1741,7 +1741,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
long_file_name lfn;
int path_len = strlen(path);
- char path2[PATH_MAX];
+ char path2[PATH_MAX + 1];
assert(path_len < PATH_MAX); /* len was tested before! */
pstrcpy(path2, sizeof(path2), path);
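Review bot: the only length guard here is `assert(path_len < PATH_MAX);`, which disappears in builds with NDEBUG, and the write to `path2[PATH_MAX]` that the commit message refers to is not part of this hunk. Growing the array to `PATH_MAX + 1` is fine, but the code that appends to `path2` should bound itself with `sizeof(path2)`, as the `pstrcpy()` call does, rather than rely on the array being one byte larger than the constant it indexes with.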
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 17/36] vns/tls: don't use depricated gnutls functions
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (15 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 16/36] vvfat: Fix potential buffer overflow Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 18/36] block/curl: Implement a flush function on the fd handlers Andreas Färber
` (19 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Bruce Rogers, Gerd Hoffmann,
Andreas Färber
From: Gerd Hoffmann <kraxel@redhat.com>
Avoid using deprecated gnutls functions with recent gnutls versions.
Fixes build failure on Fedora 16. Keep the old way for compatibility
with old installations such as RHEL-5 (gnutls 1.4.x).
Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
ui/vnc-tls.c | 68 +++++++++++++++++++++++++++++++++++++++++----------------
1 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
index 31f1467..f5ed306 100644
--- a/ui/vnc-tls.c
+++ b/ui/vnc-tls.c
@@ -283,13 +283,57 @@ int vnc_tls_validate_certificate(struct VncState *vs)
return 0;
}
+#if defined(GNUTLS_VERSION_NUMBER) && \
+ GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
+
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+ const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
+ int rc;
+
+ rc = gnutls_priority_set_direct(s, priority, NULL);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+ return 0;
+}
+
+#else
+
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+ static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
+ static const int protocols[] = {
+ GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
+ };
+ static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
+ static const int kx_x509[] = {
+ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
+ };
+ int rc;
+
+ rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+
+ rc = gnutls_certificate_type_set_priority(s, cert_types);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+
+ rc = gnutls_protocol_set_priority(s, protocols);
+ if (rc != GNUTLS_E_SUCCESS) {
+ return -1;
+ }
+ return 0;
+}
+
+#endif
int vnc_tls_client_setup(struct VncState *vs,
int needX509Creds) {
- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
VNC_DEBUG("Do TLS setup\n");
if (vnc_tls_initialize() < 0) {
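Review bot: the two `vnc_set_gnutls_priority()` variants do not configure the same policy. With gnutls >= 2.2.0 the protocol and key-exchange set is whatever `"NORMAL"` or `"NORMAL:+ANON-DH"` means in the installed library, while the fallback pins `GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3` and an explicit kx list, with anonymous DH only when `x509` is 0. Please document that difference in a comment above the `#if`, and consider reporting the gnutls return code (for example via `gnutls_strerror(rc)`) before collapsing it to -1, since the caller only sees a generic failure.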
@@ -310,21 +354,7 @@ int vnc_tls_client_setup(struct VncState *vs,
return -1;
}
- if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
- gnutls_deinit(vs->tls.session);
- vs->tls.session = NULL;
- vnc_client_error(vs);
- return -1;
- }
-
- if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
- gnutls_deinit(vs->tls.session);
- vs->tls.session = NULL;
- vnc_client_error(vs);
- return -1;
- }
-
- if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
+ if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 18/36] block/curl: Implement a flush function on the fd handlers
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (16 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 17/36] vns/tls: don't use depricated gnutls functions Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 19/36] hda: do not mix output and input streams, RHBZ #740493 Andreas Färber
` (18 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Bruce Rogers, Nick Thomas,
Andreas Färber
From: Nick Thomas <nick@bytemark.co.uk>
Signed-off-by: Nick Thomas <nick@bytemark.co.uk>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/curl.c | 26 ++++++++++++++++++++++----
1 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/block/curl.c b/block/curl.c
index 407f095..6cf6a70 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -76,6 +76,7 @@ typedef struct BDRVCURLState {
static void curl_clean_state(CURLState *s);
static void curl_multi_do(void *arg);
+static int curl_aio_flush(void *opaque);
static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
void *s, void *sp)
@@ -83,14 +84,16 @@ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
DPRINTF("CURL (AIO): Sock action %d on fd %d\n", action, fd);
switch (action) {
case CURL_POLL_IN:
- qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, NULL, NULL, s);
+ qemu_aio_set_fd_handler(fd, curl_multi_do, NULL, curl_aio_flush,
+ NULL, s);
break;
case CURL_POLL_OUT:
- qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, NULL, NULL, s);
+ qemu_aio_set_fd_handler(fd, NULL, curl_multi_do, curl_aio_flush,
+ NULL, s);
break;
case CURL_POLL_INOUT:
- qemu_aio_set_fd_handler(fd, curl_multi_do,
- curl_multi_do, NULL, NULL, s);
+ qemu_aio_set_fd_handler(fd, curl_multi_do, curl_multi_do,
+ curl_aio_flush, NULL, s);
break;
case CURL_POLL_REMOVE:
qemu_aio_set_fd_handler(fd, NULL, NULL, NULL, NULL, NULL);
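Review bot: `curl_aio_flush` is registered with the same opaque `s` that `curl_multi_do` receives, and the last hunk of this patch casts it to `BDRVCURLState *`. In `curl_sock_cb` that `s` is an untyped `void *` callback argument, so please state in a comment which object is passed here. If it were a per-request state rather than the driver state, the flush handler would walk the wrong structure.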
@@ -394,6 +397,21 @@ out_noclean:
return -EINVAL;
}
+static int curl_aio_flush(void *opaque)
+{
+ BDRVCURLState *s = opaque;
+ int i, j;
+
+ for (i=0; i < CURL_NUM_STATES; i++) {
+ for(j=0; j < CURL_NUM_ACB; j++) {
+ if (s->states[i].acb[j]) {
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
static void curl_aio_cancel(BlockDriverAIOCB *blockacb)
{
// Do we have to implement canceling? Seems to work without...
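Review bot: `curl_aio_flush()` is added without a comment and the commit message has no body, so its contract (return 1 while any `s->states[i].acb[j]` is still set, 0 otherwise) has to be read out of the loop. Please add a short comment, and fix the spacing to `for (i = 0; ...)` and `for (j = 0; ...)` instead of `for (i=0;` and `for(j=0;`.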
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 19/36] hda: do not mix output and input streams, RHBZ #740493
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (17 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 18/36] block/curl: Implement a flush function on the fd handlers Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 20/36] hda: do not mix output and input stream states, " Andreas Färber
` (17 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: kvm, qemu-stable, Bruce Rogers, Marc-André Lureau,
Marc-André Lureau, Andreas Färber
From: Marc-André Lureau <marcandre.lureau@gmail.com>
Windows 7 may use the same stream number for input and output.
That will result in a lot of garbage on playback.
The hardcoded value of 4 needs to be in sync with GCAP streams
description and IN/OUT registers.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/intel-hda.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 5a2bc3a..7d02558 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -389,14 +389,15 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
{
HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
- IntelHDAStream *st = NULL;
target_phys_addr_t addr;
uint32_t s, copy, left;
+ IntelHDAStream *st;
bool irq = false;
- for (s = 0; s < ARRAY_SIZE(d->st); s++) {
- if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) {
- st = d->st + s;
+ st = output ? d->st + 4 : d->st;
+ for (s = 0; s < 4; s++) {
+ if (stnr == ((st[s].ctl >> 20) & 0x0f)) {
+ st = st + s;
break;
}
}
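Review bot: the not-found case is lost. `st` used to start as NULL and stay NULL when no stream matched; now `st = output ? d->st + 4 : d->st;` makes it non-NULL before the loop, so after four misses it silently points at the first stream of the bank and any later `st == NULL` test can no longer fire. Please check `s == 4` after the loop, or search with a separate cursor variable. The literal 4 also deserves a name, since the commit message says it must stay in sync with GCAP and the IN/OUT registers.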
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 20/36] hda: do not mix output and input stream states, RHBZ #740493
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (18 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 19/36] hda: do not mix output and input streams, RHBZ #740493 Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 21/36] Teach block/vdi about "discarded" (no longer allocated) blocks Andreas Färber
` (16 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: kvm, qemu-stable, Bruce Rogers, Marc-André Lureau,
Marc-André Lureau, Andreas Färber
From: Marc-André Lureau <marcandre.lureau@gmail.com>
Windows 7 may use the same stream number for input and output.
Current code will confuse streams.
Changes since v1:
- keep running_compat[] for migration version 1
- add running_real[] for migration version 2
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/hda-audio.c | 26 +++++++++++++++++++-------
hw/intel-hda.c | 9 +++++----
hw/intel-hda.h | 2 +-
3 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/hw/hda-audio.c b/hw/hda-audio.c
index c699d6f..9b089e6 100644
--- a/hw/hda-audio.c
+++ b/hw/hda-audio.c
@@ -466,7 +466,8 @@ struct HDAAudioState {
QEMUSoundCard card;
const desc_codec *desc;
HDAAudioStream st[4];
- bool running[16];
+ bool running_compat[16];
+ bool running_real[2 * 16];
/* properties */
uint32_t debug;
@@ -663,7 +664,7 @@ static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data)
st->channel = payload & 0x0f;
dprint(a, 2, "%s: stream %d, channel %d\n",
st->node->name, st->stream, st->channel);
- hda_audio_set_running(st, a->running[st->stream]);
+ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
hda_codec_response(hda, true, 0);
break;
case AC_VERB_GET_CONV:
@@ -746,16 +747,20 @@ fail:
hda_codec_response(hda, true, 0);
}
-static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running)
+static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running, bool output)
{
HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
int s;
- a->running[stnr] = running;
+ a->running_compat[stnr] = running;
+ a->running_real[output * 16 + stnr] = running;
for (s = 0; s < ARRAY_SIZE(a->st); s++) {
if (a->st[s].node == NULL) {
continue;
}
+ if (a->st[s].output != output) {
+ continue;
+ }
if (a->st[s].stream != stnr) {
continue;
}
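Review bot: `a->running_compat[stnr]` and `a->running_real[output * 16 + stnr]` index fixed-size arrays (16 and `2 * 16` entries) with a `uint32_t stnr` that is not range-checked in this function. Please assert or mask `stnr` to 0..15 here, or note in a comment where the caller guarantees it. The `output * 16 + ...` expression now appears three times in this file and would be clearer as a small helper.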
@@ -837,6 +842,12 @@ static int hda_audio_post_load(void *opaque, int version)
int i;
dprint(a, 1, "%s\n", __FUNCTION__);
+ if (version == 1) {
+ /* assume running_compat[] is for output streams */
+ for (i = 0; i < ARRAY_SIZE(a->running_compat); i++)
+ a->running_real[16 + i] = a->running_compat[i];
+ }
+
for (i = 0; i < ARRAY_SIZE(a->st); i++) {
st = a->st + i;
if (st->node == NULL)
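Review bot: the new `for` inside `if (version == 1)` has no braces around its single-statement body; please add them. The comment says `running_compat[]` is assumed to describe output streams, which means input streams are restored as not running after a version 1 load. Say so explicitly, so the limitation is not mistaken for a bug later.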
@@ -844,7 +855,7 @@ static int hda_audio_post_load(void *opaque, int version)
hda_codec_parse_fmt(st->format, &st->as);
hda_audio_setup(st);
hda_audio_set_amp(st);
- hda_audio_set_running(st, a->running[st->stream]);
+ hda_audio_set_running(st, a->running_real[st->output * 16 + st->stream]);
}
return 0;
}
@@ -868,13 +879,14 @@ static const VMStateDescription vmstate_hda_audio_stream = {
static const VMStateDescription vmstate_hda_audio = {
.name = "hda-audio",
- .version_id = 1,
+ .version_id = 2,
.post_load = hda_audio_post_load,
.fields = (VMStateField []) {
VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0,
vmstate_hda_audio_stream,
HDAAudioStream),
- VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16),
+ VMSTATE_BOOL_ARRAY(running_compat, HDAAudioState, 16),
+ VMSTATE_BOOL_ARRAY_V(running_real, HDAAudioState, 2 * 16, 2),
VMSTATE_END_OF_LIST()
}
};
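Review bot: bumping `.version_id` to 2 in a stable branch changes the migration format of `hda-audio`. `running_real` is only sent with version 2, so a destination that knows only version 1 will refuse the section. Please state in the commit message that migrating this device from 0.15.2 to an earlier 0.15.x is not expected to work, or confirm that this is acceptable for the stable series.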
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 7d02558..904e4fc 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -485,7 +485,7 @@ static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st)
st->bp = 0;
}
-static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running)
+static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running, bool output)
{
DeviceState *qdev;
HDACodecDevice *cdev;
@@ -493,7 +493,7 @@ static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool runn
QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) {
cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
if (cdev->info->stream) {
- cdev->info->stream(cdev, stream, running);
+ cdev->info->stream(cdev, stream, running, output);
}
}
}
@@ -567,6 +567,7 @@ static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t
static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
{
+ bool output = reg->stream >= 4;
IntelHDAStream *st = d->st + reg->stream;
if (st->ctl & 0x01) {
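Review bot: `bool output = reg->stream >= 4;` repeats the bare 4 that splits `d->st[]` into an input and an output bank. A named constant shared by every user of that split would keep them from drifting apart.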
@@ -582,11 +583,11 @@ static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint3
dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n",
reg->stream, stnr, st->cbl);
intel_hda_parse_bdl(d, st);
- intel_hda_notify_codecs(d, stnr, true);
+ intel_hda_notify_codecs(d, stnr, true, output);
} else {
/* stop */
dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr);
- intel_hda_notify_codecs(d, stnr, false);
+ intel_hda_notify_codecs(d, stnr, false, output);
}
}
intel_hda_update_irq(d);
diff --git a/hw/intel-hda.h b/hw/intel-hda.h
index 4e44e38..65fd2a8 100644
--- a/hw/intel-hda.h
+++ b/hw/intel-hda.h
@@ -34,7 +34,7 @@ struct HDACodecDeviceInfo {
int (*init)(HDACodecDevice *dev);
int (*exit)(HDACodecDevice *dev);
void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data);
- void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running);
+ void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running, bool output);
};
void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus,
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 21/36] Teach block/vdi about "discarded" (no longer allocated) blocks
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (19 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 20/36] hda: do not mix output and input stream states, " Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 22/36] vmdk: Improve error handling Andreas Färber
` (15 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Eric Sunshine, Bruce Rogers,
Andreas Färber
From: Eric Sunshine <sunshine@sunshineco.com>
An entry in the VDI block map will hold an offset to the actual block if
the block is allocated, or one of two specially-interpreted values if
not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE
(0xffffffff) represents a never-allocated block (semantically arbitrary
content). VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded"
block (semantically zero-filled). block/vdi knows only about
VDI_IMAGE_BLOCK_FREE. Teach it about VDI_IMAGE_BLOCK_ZERO.
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vdi.c | 23 ++++++++++++++---------
1 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/block/vdi.c b/block/vdi.c
index 261cf9b..1be0cdc 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -114,8 +114,13 @@ void uuid_unparse(const uuid_t uu, char *out);
*/
#define VDI_TEXT "<<< QEMU VM Virtual Disk Image >>>\n"
-/* Unallocated blocks use this index (no need to convert endianness). */
-#define VDI_UNALLOCATED UINT32_MAX
+/* A never-allocated block; semantically arbitrary content. */
+#define VDI_UNALLOCATED 0xffffffffU
+
+/* A discarded (no longer allocated) block; semantically zero-filled. */
+#define VDI_DISCARDED 0xfffffffeU
+
+#define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED)
#if !defined(CONFIG_UUID)
void uuid_generate(uuid_t out)
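Review bot: `VDI_IS_ALLOCATED(X)` is an ordering test, `((X) < VDI_DISCARDED)`, so it is only correct for an unsigned 32-bit value already in host byte order. The removed comment said no endianness conversion was needed, which held for all-ones but does not hold for 0xfffffffe. Please state that requirement next to the macro.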
@@ -307,10 +312,10 @@ static int vdi_check(BlockDriverState *bs, BdrvCheckResult *res)
/* Check block map and value of blocks_allocated. */
for (block = 0; block < s->header.blocks_in_image; block++) {
uint32_t bmap_entry = le32_to_cpu(s->bmap[block]);
- if (bmap_entry != VDI_UNALLOCATED) {
+ if (VDI_IS_ALLOCATED(bmap_entry)) {
if (bmap_entry < s->header.blocks_in_image) {
blocks_allocated++;
- if (bmap[bmap_entry] == VDI_UNALLOCATED) {
+ if (!VDI_IS_ALLOCATED(bmap[bmap_entry])) {
bmap[bmap_entry] = bmap_entry;
} else {
fprintf(stderr, "ERROR: block index %" PRIu32
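Review bot: `bmap[bmap_entry]` is tested with `VDI_IS_ALLOCATED()` without a visible `le32_to_cpu()`, unlike `s->bmap[block]` a few lines above. If `bmap` is a host-order scratch array that is fine, but a comment should say so, because the macro is an ordering comparison and gives wrong answers on byte-swapped values.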
@@ -472,7 +477,7 @@ static int vdi_is_allocated(BlockDriverState *bs, int64_t sector_num,
n_sectors = nb_sectors;
}
*pnum = n_sectors;
- return bmap_entry != VDI_UNALLOCATED;
+ return VDI_IS_ALLOCATED(bmap_entry);
}
static void vdi_aio_cancel(BlockDriverAIOCB *blockacb)
@@ -603,7 +608,7 @@ static void vdi_aio_read_cb(void *opaque, int ret)
/* prepare next AIO request */
acb->n_sectors = n_sectors;
bmap_entry = le32_to_cpu(s->bmap[block_index]);
- if (bmap_entry == VDI_UNALLOCATED) {
+ if (!VDI_IS_ALLOCATED(bmap_entry)) {
/* Block not allocated, return zeros, no need to wait. */
memset(acb->buf, 0, n_sectors * SECTOR_SIZE);
ret = vdi_schedule_bh(vdi_aio_rw_bh, acb);
@@ -685,7 +690,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
if (acb->header_modified) {
VdiHeader *header = acb->block_buffer;
logout("now writing modified header\n");
- assert(acb->bmap_first != VDI_UNALLOCATED);
+ assert(VDI_IS_ALLOCATED(acb->bmap_first));
*header = s->header;
vdi_header_to_le(header);
acb->header_modified = 0;
@@ -699,7 +704,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
goto done;
}
return;
- } else if (acb->bmap_first != VDI_UNALLOCATED) {
+ } else if (VDI_IS_ALLOCATED(acb->bmap_first)) {
/* One or more new blocks were allocated. */
uint64_t offset;
uint32_t bmap_first;
@@ -749,7 +754,7 @@ static void vdi_aio_write_cb(void *opaque, int ret)
/* prepare next AIO request */
acb->n_sectors = n_sectors;
bmap_entry = le32_to_cpu(s->bmap[block_index]);
- if (bmap_entry == VDI_UNALLOCATED) {
+ if (!VDI_IS_ALLOCATED(bmap_entry)) {
/* Allocate new block and write to it. */
uint64_t offset;
uint8_t *block;
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 22/36] vmdk: Improve error handling
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (20 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 21/36] Teach block/vdi about "discarded" (no longer allocated) blocks Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 23/36] block: set bs->read_only before .bdrv_open() Andreas Färber
` (14 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
Return the right error values in some more places.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 21 +++++++++++++++------
1 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index b5caa40..8284747 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -181,8 +181,10 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
const char *p_name, *cid_str;
size_t cid_str_size;
BDRVVmdkState *s = bs->opaque;
+ int ret;
- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
+ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
+ if (ret < 0) {
return 0;
}
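Review bot: the check changes from `!= DESC_SIZE` to `ret < 0`, so a short read is now treated as success. No zeroing of `desc` is visible in this hunk, unlike the `memset(desc, 0, sizeof(desc));` in `vmdk_write_cid`, so the string parsing that follows could run over stale bytes past what was read. Either keep rejecting short reads or clear `desc` first.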
@@ -208,10 +210,12 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
char desc[DESC_SIZE], tmp_desc[DESC_SIZE];
char *p_name, *tmp_str;
BDRVVmdkState *s = bs->opaque;
+ int ret;
memset(desc, 0, sizeof(desc));
- if (bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE) != DESC_SIZE) {
- return -EIO;
+ ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
+ if (ret < 0) {
+ return ret;
}
tmp_str = strstr(desc, "parentCID");
@@ -223,9 +227,11 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
pstrcat(desc, sizeof(desc), tmp_desc);
}
- if (bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE) < 0) {
- return -EIO;
+ ret = bdrv_pwrite_sync(bs->file, s->desc_offset, desc, DESC_SIZE);
+ if (ret < 0) {
+ return ret;
}
+
return 0;
}
@@ -906,7 +912,10 @@ static int vmdk_write(BlockDriverState *bs, int64_t sector_num,
/* update CID on the first write every time the virtual disk is
* opened */
if (!s->cid_updated) {
- vmdk_write_cid(bs, time(NULL));
+ ret = vmdk_write_cid(bs, time(NULL));
+ if (ret < 0) {
+ return ret;
+ }
s->cid_updated = true;
}
}
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 23/36] block: set bs->read_only before .bdrv_open()
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (21 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 22/36] vmdk: Improve error handling Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 24/36] console: Fix rendering of VGA underline Andreas Färber
` (13 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, Stefan Hajnoczi, kvm, qemu-stable, Bruce Rogers,
Andreas Färber
From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Several block drivers set bs->read_only in .bdrv_open() but
block.c:bdrv_open_common() clobbers its value. Additionally, QED uses
bdrv_is_read_only() in .bdrv_open() to decide whether to perform
consistency checks.
The correct ordering is to initialize bs->read_only from the open flags
before calling .bdrv_open(). This way block drivers can override it if
necessary and can use bdrv_is_read_only() in .bdrv_open().
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/block.c b/block.c
index 4ebb18b..8d77746 100644
--- a/block.c
+++ b/block.c
@@ -455,6 +455,8 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
open_flags |= BDRV_O_RDWR;
}
+ bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
+
/* Open the image, either directly or using a protocol */
if (drv->bdrv_file_open) {
ret = drv->bdrv_file_open(bs, filename, open_flags);
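Review bot: `bs->keep_read_only` is assigned together with `bs->read_only` before `.bdrv_open()`. A driver that overrides `bs->read_only` in its open function, as the commit message allows, leaves `keep_read_only` at the flag-derived value. Please say in a comment whether the two are meant to diverge in that case.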
@@ -469,8 +471,6 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
goto free_and_fail;
}
- bs->keep_read_only = bs->read_only = !(open_flags & BDRV_O_RDWR);
-
ret = refresh_total_sectors(bs, bs->total_sectors);
if (ret < 0) {
goto free_and_fail;
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 24/36] console: Fix rendering of VGA underline
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (22 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 23/36] block: set bs->read_only before .bdrv_open() Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 25/36] block: Fix vpc initialization of the Dynamic Disk Header Andreas Färber
` (12 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony Liguori, Markus Armbruster, kvm, qemu-stable,
Bruce Rogers, Andreas Färber
From: Markus Armbruster <armbru@redhat.com>
vga_putcharxy()'s underline code sets font_data to 0xffff instead of
0xff. vga_putcharxy() then reads dmask16[0xffff >> 4] and
dmask4[0xffff >> 6]. In practice, these out-of-bounds subscripts
"only" put a few crap bits into the display surface.
For 32 bit pixels, there's no array access. font_data's extra bits go
straight into the display surface.
Broken when commit 6d6f7c28 implemented underline.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
console.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/console.c b/console.c
index 242086c..07c82b8 100644
--- a/console.c
+++ b/console.c
@@ -461,7 +461,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
font_data = *font_ptr++;
if (t_attrib->uline
&& ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (dmask16[(font_data >> 4)] & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (dmask16[(font_data >> 0) & 0xf] & xorcol) ^ bgcol;
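Review bot: with `font_data = 0xFF` the first lookup is in range, but `dmask16[(font_data >> 4)]` still has no mask while the next line uses `(font_data >> 0) & 0xf`. Writing it as `(font_data >> 4) & 0xf` would keep the subscript inside the table regardless of how `font_data` is declared or set in future.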
@@ -474,7 +474,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
font_data = *font_ptr++;
if (t_attrib->uline
&& ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (dmask4[(font_data >> 6)] & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (dmask4[(font_data >> 4) & 3] & xorcol) ^ bgcol;
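Review bot: same pattern here: `dmask4[(font_data >> 6)]` is unmasked while the following line uses `& 3`. Masking the first subscript too makes the bound independent of the value written to `font_data`.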
@@ -487,7 +487,7 @@ static void vga_putcharxy(DisplayState *ds, int x, int y, int ch,
for(i = 0; i < FONT_HEIGHT; i++) {
font_data = *font_ptr++;
if (t_attrib->uline && ((i == FONT_HEIGHT - 2) || (i == FONT_HEIGHT - 3))) {
- font_data = 0xFFFF;
+ font_data = 0xFF;
}
((uint32_t *)d)[0] = (-((font_data >> 7)) & xorcol) ^ bgcol;
((uint32_t *)d)[1] = (-((font_data >> 6) & 1) & xorcol) ^ bgcol;
--
1.7.7
^ permalink raw reply related [flat|nested] 39+ messages in thread
* [Qemu-devel] [PATCH stable-0.15 25/36] block: Fix vpc initialization of the Dynamic Disk Header
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (23 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 24/36] console: Fix rendering of VGA underline Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 26/36] qcow: Fix bdrv_write_compressed error handling Andreas Färber
` (11 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Charles Arnold, Kevin Wolf, kvm, qemu-stable, Bruce Rogers,
Andreas Färber
From: Charles Arnold <carnold@suse.com>
The Data Offset field in the Dynamic Disk Header is an 8 byte field.
Although the specification (2006-10-11) gives an example of initializing
only the first 4 bytes, images generated by Microsoft on Windows initialize
all 8 bytes.
Failure to initialize all 8 bytes results in errors from utilities
like Citrix's vhd-util which checks specifically for the proper Data
Offset field initialization.
Signed-off-by: Charles Arnold <carnold@suse.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vpc.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/block/vpc.c b/block/vpc.c
index 56865da..ac33e15 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -587,7 +587,11 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
memcpy(dyndisk_header->magic, "cxsparse", 8);
- dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFF);
+ /*
+ * Note: The spec is actually wrong here for data_offset, it says
+ * 0xFFFFFFFF, but MS tools expect all 64 bits to be set.
+ */
+ dyndisk_header->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL);
dyndisk_header->table_offset = be64_to_cpu(3 * 512);
dyndisk_header->version = be32_to_cpu(0x00010000);
dyndisk_header->block_size = be32_to_cpu(block_size);
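Review bot: the new data_offset assignment keeps using be64_to_cpu() although the value is going from host order into the big-endian on-disk header, which is the cpu_to_be64() direction. Both helpers perform the same byte swap, so the stored bytes are correct, but the neighbouring table_offset, version and block_size lines carry the same reversed naming and would read more clearly with cpu_to_be64()/cpu_to_be32() in a follow-up. The added comment could also name the spec revision that the commit message cites (2006-10-11), so that "the spec is actually wrong" stays checkable.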
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 26/36] qcow: Fix bdrv_write_compressed error handling
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (24 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 25/36] block: Fix vpc initialization of the Dynamic Disk Header Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 27/36] block: reinitialize across bdrv_close()/bdrv_open() Andreas Färber
` (10 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/qcow.c | 30 +++++++++++++++++++-----------
1 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 227b104..115b820 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -926,8 +926,6 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
return -EINVAL;
out_buf = qemu_malloc(s->cluster_size + (s->cluster_size / 1000) + 128);
- if (!out_buf)
- return -1;
/* best compression, small window, no zlib header */
memset(&strm, 0, sizeof(strm));
@@ -935,8 +933,8 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
Z_DEFLATED, -12,
9, Z_DEFAULT_STRATEGY);
if (ret != 0) {
- qemu_free(out_buf);
- return -1;
+ ret = -EINVAL;
+ goto fail;
}
strm.avail_in = s->cluster_size;
@@ -946,9 +944,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
ret = deflate(&strm, Z_FINISH);
if (ret != Z_STREAM_END && ret != Z_OK) {
- qemu_free(out_buf);
deflateEnd(&strm);
- return -1;
+ ret = -EINVAL;
+ goto fail;
}
out_len = strm.next_out - out_buf;
@@ -956,19 +954,29 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
if (ret != Z_STREAM_END || out_len >= s->cluster_size) {
/* could not compress: write normal cluster */
- bdrv_write(bs, sector_num, buf, s->cluster_sectors);
+ ret = bdrv_write(bs, sector_num, buf, s->cluster_sectors);
+ if (ret < 0) {
+ goto fail;
+ }
} else {
cluster_offset = get_cluster_offset(bs, sector_num << 9, 2,
out_len, 0, 0);
+ if (cluster_offset == 0) {
+ ret = -EIO;
+ goto fail;
+ }
+
cluster_offset &= s->cluster_offset_mask;
- if (bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len) != out_len) {
- qemu_free(out_buf);
- return -1;
+ ret = bdrv_pwrite(bs->file, cluster_offset, out_buf, out_len);
+ if (ret < 0) {
+ goto fail;
}
}
+ ret = 0;
+fail:
qemu_free(out_buf);
- return 0;
+ return ret;
}
static int qcow_flush(BlockDriverState *bs)
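Review bot: in the compressed branch the check on bdrv_pwrite() changes from "!= out_len" to "ret < 0", so a short write that returns a positive count smaller than out_len would now fall through to ret = 0 and be reported as success. If bdrv_pwrite() can only return a negative errno or the full length, this is fine, but that contract should be stated in the commit message, which currently has no body; otherwise keep the length comparison and map a short count to -EIO.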
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 27/36] block: reinitialize across bdrv_close()/bdrv_open()
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (25 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 26/36] qcow: Fix bdrv_write_compressed error handling Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 28/36] qxl: stride fixup Andreas Färber
` (9 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, Stefan Hajnoczi, kvm, qemu-stable, Bruce Rogers,
Andreas Färber
From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Several BlockDriverState fields are not being reinitialized across
bdrv_close()/bdrv_open(). Make sure they are reset to their default
values.
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/block.c b/block.c
index 8d77746..1d6d26b 100644
--- a/block.c
+++ b/block.c
@@ -426,11 +426,14 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
bs->total_sectors = 0;
bs->encrypted = 0;
bs->valid_key = 0;
+ bs->sg = 0;
bs->open_flags = flags;
+ bs->growable = 0;
/* buffer_alignment defaulted to 512, drivers can change this value */
bs->buffer_alignment = 512;
pstrcpy(bs->filename, sizeof(bs->filename), filename);
+ bs->backing_file[0] = '\0';
if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv)) {
return -ENOTSUP;
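Review bot: the three added resets (bs->sg, bs->growable, bs->backing_file[0]) extend a hand-maintained list in bdrv_open_common(), and nothing in this hunk ties that list to the structure definition, so the next field added to BlockDriverState can be missed in the same way. A short comment above the block saying that every per-open field must be reset here, plus a commit message that names the fields found stale and the misbehaviour they caused, would make the backport easier to audit.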
@@ -439,8 +442,7 @@ static int bdrv_open_common(BlockDriverState *bs, const char *filename,
bs->drv = drv;
bs->opaque = qemu_mallocz(drv->instance_size);
- if (flags & BDRV_O_CACHE_WB)
- bs->enable_write_cache = 1;
+ bs->enable_write_cache = !!(flags & BDRV_O_CACHE_WB);
/*
* Clear flags that are internal to the block layer before opening the
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 28/36] qxl: stride fixup
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (26 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 27/36] block: reinitialize across bdrv_close()/bdrv_open() Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 29/36] vmdk: Fix possible segfaults Andreas Färber
` (8 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Bruce Rogers, kvm, qemu-stable, Andreas Färber,
Gerd Hoffmann
From: Gerd Hoffmann <kraxel@redhat.com>
spice uses negative stride value to signal the bitmap is upside down.
The qxl renderer (used for scl, vnc and screenshots) wants a positive
value because it is easier to work with. The positive value is then
stored in the very same variable, which has the drawback that the
upside-down test works only once. Fix by using two variables.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9)
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/qxl-render.c | 23 ++++++++++++-----------
hw/qxl.h | 3 ++-
2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/hw/qxl-render.c b/hw/qxl-render.c
index 1316066..104d79b 100644
--- a/hw/qxl-render.c
+++ b/hw/qxl-render.c
@@ -28,16 +28,16 @@ static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect)
int len, i;
src += (qxl->guest_primary.surface.height - rect->top - 1) *
- qxl->guest_primary.stride;
- dst += rect->top * qxl->guest_primary.stride;
+ qxl->guest_primary.abs_stride;
+ dst += rect->top * qxl->guest_primary.abs_stride;
src += rect->left * qxl->guest_primary.bytes_pp;
dst += rect->left * qxl->guest_primary.bytes_pp;
len = (rect->right - rect->left) * qxl->guest_primary.bytes_pp;
for (i = rect->top; i < rect->bottom; i++) {
memcpy(dst, src, len);
- dst += qxl->guest_primary.stride;
- src -= qxl->guest_primary.stride;
+ dst += qxl->guest_primary.abs_stride;
+ src -= qxl->guest_primary.abs_stride;
}
}
@@ -45,7 +45,8 @@ void qxl_render_resize(PCIQXLDevice *qxl)
{
QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
- qxl->guest_primary.stride = sc->stride;
+ qxl->guest_primary.qxl_stride = sc->stride;
+ qxl->guest_primary.abs_stride = abs(sc->stride);
qxl->guest_primary.resized++;
switch (sc->format) {
case SPICE_SURFACE_FMT_16_555:
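Review bot: abs(sc->stride) in qxl_render_resize() is undefined for the most negative int value, and its result is stored in the unsigned abs_stride that then sizes the flip buffer and drives the pointer arithmetic in qxl_flip(). Since the stride is taken from the surface description held in guest_primary, a range check on sc->stride before taking the absolute value would be worth adding at this point.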
@@ -87,11 +88,11 @@ void qxl_render_update(PCIQXLDevice *qxl)
qemu_free_displaysurface(vga->ds);
qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset);
- if (qxl->guest_primary.stride < 0) {
+ if (qxl->guest_primary.qxl_stride < 0) {
/* spice surface is upside down -> need extra buffer to flip */
- qxl->guest_primary.stride = -qxl->guest_primary.stride;
- qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width *
- qxl->guest_primary.stride);
+ qxl->guest_primary.flipped =
+ qemu_malloc(qxl->guest_primary.surface.width *
+ qxl->guest_primary.abs_stride);
ptr = qxl->guest_primary.flipped;
} else {
ptr = qxl->guest_primary.data;
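Review bot: the flip buffer in qxl_render_update() is still sized as surface.width * abs_stride, while qxl_flip() addresses it by row (dst += rect->top * abs_stride, with src starting surface.height - rect->top - 1 rows in), so the size it needs is surface.height * abs_stride. This is carried over unchanged from the old code, but since the qemu_malloc() call is being rewritten anyway it is the right place to correct it; for a surface taller than it is wide the copy loop would run past the allocation. The multiplication is also not checked for overflow.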
@@ -100,7 +101,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
__FUNCTION__,
qxl->guest_primary.surface.width,
qxl->guest_primary.surface.height,
- qxl->guest_primary.stride,
+ qxl->guest_primary.qxl_stride,
qxl->guest_primary.bytes_pp,
qxl->guest_primary.bits_pp,
qxl->guest_primary.flipped ? "yes" : "no");
@@ -108,7 +109,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
qxl->guest_primary.surface.height,
qxl->guest_primary.bits_pp,
- qxl->guest_primary.stride,
+ qxl->guest_primary.abs_stride,
ptr);
dpy_resize(vga->ds);
}
diff --git a/hw/qxl.h b/hw/qxl.h
index f6c450d..c05998a 100644
--- a/hw/qxl.h
+++ b/hw/qxl.h
@@ -42,7 +42,8 @@ typedef struct PCIQXLDevice {
QXLSurfaceCreate surface;
uint32_t commands;
uint32_t resized;
- int32_t stride;
+ int32_t qxl_stride;
+ uint32_t abs_stride;
uint32_t bits_pp;
uint32_t bytes_pp;
uint8_t *data, *flipped;
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 29/36] vmdk: Fix possible segfaults
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (27 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 28/36] qxl: stride fixup Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 30/36] pc: Fix floppy drives with if=none Andreas Färber
` (7 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
Data we read from the disk isn't necessarily null terminated and may not
contain the string we're looking for. The code needs to be a bit more careful
here.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/vmdk.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 8284747..f4fce08 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -196,6 +196,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
cid_str_size = sizeof("CID");
}
+ desc[DESC_SIZE - 1] = '\0';
p_name = strstr(desc, cid_str);
if (p_name != NULL) {
p_name += cid_str_size;
@@ -212,13 +213,17 @@ static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
BDRVVmdkState *s = bs->opaque;
int ret;
- memset(desc, 0, sizeof(desc));
ret = bdrv_pread(bs->file, s->desc_offset, desc, DESC_SIZE);
if (ret < 0) {
return ret;
}
+ desc[DESC_SIZE - 1] = '\0';
tmp_str = strstr(desc, "parentCID");
+ if (tmp_str == NULL) {
+ return -EINVAL;
+ }
+
pstrcpy(tmp_desc, sizeof(tmp_desc), tmp_str);
p_name = strstr(desc, "CID");
if (p_name != NULL) {
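Review bot: dropping memset(desc, 0, sizeof(desc)) in vmdk_write_cid() means that if bdrv_pread() returns fewer than DESC_SIZE bytes without an error, the tail of desc holds uninitialized data that strstr() will then search, bounded only by the new terminator at desc[DESC_SIZE - 1]. Only ret < 0 is checked here; either keep the memset or place the terminator at the number of bytes actually read. The new -EINVAL return when "parentCID" is absent is a behaviour change for callers and deserves a sentence in the commit message.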
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 30/36] pc: Fix floppy drives with if=none
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (28 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 29/36] vmdk: Fix possible segfaults Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 31/36] cpu-common: Have a ram_addr_t of uint64 with Xen Andreas Färber
` (6 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Kevin Wolf, kvm, qemu-stable, Andreas Färber, Bruce Rogers
From: Kevin Wolf <kwolf@redhat.com>
Commit 63ffb564 broke floppy devices specified on the command line like
-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it
relies on drive_get() which works only with -fda/-drive if=floppy.
This patch resembles what we're already doing for IDE, i.e. remember the floppy
device that was created and use that to extract the BlockDriverStates where
needed.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b)
[BR: bnc#733777]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/fdc.c | 12 ++++++++++++
hw/fdc.h | 9 +++++++--
hw/pc.c | 25 ++++++++++++++-----------
hw/pc.h | 3 ++-
hw/pc_piix.c | 5 +++--
5 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/hw/fdc.c b/hw/fdc.c
index 9fdbc75..cf675ce 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -1911,6 +1911,18 @@ static int sun4m_fdc_init1(SysBusDevice *dev)
return fdctrl_init_common(fdctrl);
}
+void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev)
+{
+ FDCtrlISABus *isa = DO_UPCAST(FDCtrlISABus, busdev, dev);
+ FDCtrl *fdctrl = &isa->state;
+ int i;
+
+ for (i = 0; i < MAX_FD; i++) {
+ bs[i] = fdctrl->drives[i].bs;
+ }
+}
+
+
static const VMStateDescription vmstate_isa_fdc ={
.name = "fdc",
.version_id = 2,
diff --git a/hw/fdc.h b/hw/fdc.h
index 09f73c6..506feb6 100644
--- a/hw/fdc.h
+++ b/hw/fdc.h
@@ -7,14 +7,15 @@
/* fdc.c */
#define MAX_FD 2
-static inline void fdctrl_init_isa(DriveInfo **fds)
+static inline ISADevice *fdctrl_init_isa(DriveInfo **fds)
{
ISADevice *dev;
dev = isa_try_create("isa-fdc");
if (!dev) {
- return;
+ return NULL;
}
+
if (fds[0]) {
qdev_prop_set_drive_nofail(&dev->qdev, "driveA", fds[0]->bdrv);
}
@@ -22,10 +23,14 @@ static inline void fdctrl_init_isa(DriveInfo **fds)
qdev_prop_set_drive_nofail(&dev->qdev, "driveB", fds[1]->bdrv);
}
qdev_init_nofail(&dev->qdev);
+
+ return dev;
}
void fdctrl_init_sysbus(qemu_irq irq, int dma_chann,
target_phys_addr_t mmio_base, DriveInfo **fds);
void sun4m_fdctrl_init(qemu_irq irq, target_phys_addr_t io_base,
DriveInfo **fds, qemu_irq *fdc_tc);
+void fdc_get_bs(BlockDriverState *bs[], ISADevice *dev);
+
#endif
diff --git a/hw/pc.c b/hw/pc.c
index 14ce684..1d2b61e 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -333,12 +333,12 @@ static void pc_cmos_init_late(void *opaque)
void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
const char *boot_device,
- BusState *idebus0, BusState *idebus1,
+ ISADevice *floppy, BusState *idebus0, BusState *idebus1,
ISADevice *s)
{
int val, nb, nb_heads, max_track, last_sect, i;
FDriveType fd_type[2];
- DriveInfo *fd[2];
+ BlockDriverState *fd[MAX_FD];
static pc_cmos_init_late_arg arg;
/* various important CMOS locations needed by PC/Bochs bios */
@@ -380,14 +380,16 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
}
/* floppy type */
- for (i = 0; i < 2; i++) {
- fd[i] = drive_get(IF_FLOPPY, 0, i);
- if (fd[i] && bdrv_is_inserted(fd[i]->bdrv)) {
- bdrv_get_floppy_geometry_hint(fd[i]->bdrv, &nb_heads, &max_track,
- &last_sect, FDRIVE_DRV_NONE,
- &fd_type[i]);
- } else {
- fd_type[i] = FDRIVE_DRV_NONE;
+ if (floppy) {
+ fdc_get_bs(fd, floppy);
+ for (i = 0; i < 2; i++) {
+ if (fd[i] && bdrv_is_inserted(fd[i])) {
+ bdrv_get_floppy_geometry_hint(fd[i], &nb_heads, &max_track,
+ &last_sect, FDRIVE_DRV_NONE,
+ &fd_type[i]);
+ } else {
+ fd_type[i] = FDRIVE_DRV_NONE;
+ }
}
}
val = (cmos_get_fd_drive_type(fd_type[0]) << 4) |
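Review bot: with the loop now nested under if (floppy), fd_type[0] and fd_type[1] are never assigned when floppy is NULL, yet they are still read unconditionally by cmos_get_fd_drive_type(fd_type[0]) directly after the block. fdctrl_init_isa() returns NULL when isa_try_create() fails, so that path is reachable; initialize the array to FDRIVE_DRV_NONE at its declaration or add an else branch that does so. The loop bound could also use MAX_FD to match the new fd[MAX_FD] declaration.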
@@ -1091,6 +1093,7 @@ static void cpu_request_exit(void *opaque, int irq, int level)
void pc_basic_device_init(qemu_irq *isa_irq,
ISADevice **rtc_state,
+ ISADevice **floppy,
bool no_vmport)
{
int i;
@@ -1155,7 +1158,7 @@ void pc_basic_device_init(qemu_irq *isa_irq,
for(i = 0; i < MAX_FD; i++) {
fd[i] = drive_get(IF_FLOPPY, 0, i);
}
- fdctrl_init_isa(fd);
+ *floppy = fdctrl_init_isa(fd);
}
void pc_pci_device_init(PCIBus *pci_bus)
diff --git a/hw/pc.h b/hw/pc.h
index 6d5730b..24b7fe2 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -138,11 +138,12 @@ qemu_irq *pc_allocate_cpu_irq(void);
void pc_vga_init(PCIBus *pci_bus);
void pc_basic_device_init(qemu_irq *isa_irq,
ISADevice **rtc_state,
+ ISADevice **floppy,
bool no_vmport);
void pc_init_ne2k_isa(NICInfo *nd);
void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
const char *boot_device,
- BusState *ide0, BusState *ide1,
+ ISADevice *floppy, BusState *ide0, BusState *ide1,
ISADevice *s);
void pc_pci_device_init(PCIBus *pci_bus);
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 31552fd..b8e0841 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -89,6 +89,7 @@ static void pc_init1(ram_addr_t ram_size,
DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
BusState *idebus[MAX_IDE_BUS];
ISADevice *rtc_state;
+ ISADevice *floppy;
pc_cpus_init(cpu_model);
@@ -141,7 +142,7 @@ static void pc_init1(ram_addr_t ram_size,
}
/* init basic PC hardware */
- pc_basic_device_init(isa_irq, &rtc_state, xen_enabled());
+ pc_basic_device_init(isa_irq, &rtc_state, &floppy, xen_enabled());
for(i = 0; i < nb_nics; i++) {
NICInfo *nd = &nd_table[i];
@@ -170,7 +171,7 @@ static void pc_init1(ram_addr_t ram_size,
audio_init(isa_irq, pci_enabled ? pci_bus : NULL);
pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device,
- idebus[0], idebus[1], rtc_state);
+ floppy, idebus[0], idebus[1], rtc_state);
if (pci_enabled && usb_enabled) {
usb_uhci_piix3_init(pci_bus, piix3_devfn + 2);
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 31/36] cpu-common: Have a ram_addr_t of uint64 with Xen.
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (29 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 30/36] pc: Fix floppy drives with if=none Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 32/36] Error check find_ram_offset Andreas Färber
` (5 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony PERARD, kvm, qemu-stable, Andreas Färber,
Alexander Graf
From: Anthony PERARD <anthony.perard@citrix.com>
In the Xen case, memory can be bigger than the host memory. That means a
32-bit host (and QEMU) should be able to handle a RAM address of 64 bits.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
cpu-common.h | 8 ++++++++
exec.c | 9 +++++----
xen-all.c | 2 +-
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/cpu-common.h b/cpu-common.h
index 44b04b3..0700101 100644
--- a/cpu-common.h
+++ b/cpu-common.h
@@ -27,7 +27,15 @@ enum device_endian {
};
/* address in the RAM (different from a physical address) */
+#if defined(CONFIG_XEN_BACKEND) && TARGET_PHYS_ADDR_BITS == 64
+typedef uint64_t ram_addr_t;
+# define RAM_ADDR_MAX UINT64_MAX
+# define RAM_ADDR_FMT "%" PRIx64
+#else
typedef unsigned long ram_addr_t;
+# define RAM_ADDR_MAX ULONG_MAX
+# define RAM_ADDR_FMT "%lx"
+#endif
/* memory API */
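Review bot: the width of ram_addr_t now depends on CONFIG_XEN_BACKEND and TARGET_PHYS_ADDR_BITS, but the comment above the typedef still only says it is an address in RAM. A sentence there explaining why the Xen case needs 64 bits, and that RAM_ADDR_FMT and RAM_ADDR_MAX must be used in place of %lx and ULONG_MAX, would help keep later code from reintroducing truncation on 32-bit hosts.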
diff --git a/exec.c b/exec.c
index 2160ded..6fb589b 100644
--- a/exec.c
+++ b/exec.c
@@ -2863,13 +2863,13 @@ static void *file_ram_alloc(RAMBlock *block,
static ram_addr_t find_ram_offset(ram_addr_t size)
{
RAMBlock *block, *next_block;
- ram_addr_t offset = 0, mingap = ULONG_MAX;
+ ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
if (QLIST_EMPTY(&ram_list.blocks))
return 0;
QLIST_FOREACH(block, &ram_list.blocks, next) {
- ram_addr_t end, next = ULONG_MAX;
+ ram_addr_t end, next = RAM_ADDR_MAX;
end = block->offset + block->length;
@@ -3081,7 +3081,8 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
#endif
}
if (area != vaddr) {
- fprintf(stderr, "Could not remap addr: %lx@%lx\n",
+ fprintf(stderr, "Could not remap addr: "
+ RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n",
length, addr);
exit(1);
}
@@ -4052,7 +4053,7 @@ void *cpu_physical_memory_map(target_phys_addr_t addr,
target_phys_addr_t page;
unsigned long pd;
PhysPageDesc *p;
- ram_addr_t raddr = ULONG_MAX;
+ ram_addr_t raddr = RAM_ADDR_MAX;
ram_addr_t rlen;
void *ret;
diff --git a/xen-all.c b/xen-all.c
index 167bed6..8f2556a 100644
--- a/xen-all.c
+++ b/xen-all.c
@@ -184,7 +184,7 @@ void xen_ram_alloc(ram_addr_t ram_addr, ram_addr_t size)
}
if (xc_domain_populate_physmap_exact(xen_xc, xen_domid, nr_pfn, 0, 0, pfn_list)) {
- hw_error("xen: failed to populate ram at %lx", ram_addr);
+ hw_error("xen: failed to populate ram at " RAM_ADDR_FMT, ram_addr);
}
qemu_free(pfn_list);
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 32/36] Error check find_ram_offset
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (30 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 31/36] cpu-common: Have a ram_addr_t of uint64 with Xen Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 33/36] pc: add pc-0.15 Andreas Färber
` (4 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Bruce Rogers, Alex Williamson,
Andreas Färber
From: Alex Williamson <alex.williamson@redhat.com>
Spotted via code review, we initialize offset to 0 to avoid a
compiler warning, but in the unlikely case that offset is
never set to something else, we should abort instead of returning
a value that will almost certainly cause problems.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
exec.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/exec.c b/exec.c
index 6fb589b..537a49f 100644
--- a/exec.c
+++ b/exec.c
@@ -2863,7 +2863,7 @@ static void *file_ram_alloc(RAMBlock *block,
static ram_addr_t find_ram_offset(ram_addr_t size)
{
RAMBlock *block, *next_block;
- ram_addr_t offset = 0, mingap = RAM_ADDR_MAX;
+ ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX;
if (QLIST_EMPTY(&ram_list.blocks))
return 0;
@@ -2879,10 +2879,17 @@ static ram_addr_t find_ram_offset(ram_addr_t size)
}
}
if (next - end >= size && next - end < mingap) {
- offset = end;
+ offset = end;
mingap = next - end;
}
}
+
+ if (offset == RAM_ADDR_MAX) {
+ fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n",
+ (uint64_t)size);
+ abort();
+ }
+
return offset;
}
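Review bot: the new failure message prints size through PRIu64 and a uint64_t cast, while patch 31/36 of this series introduced RAM_ADDR_FMT for exactly this type; using it here would keep the two in step, or the commit message should say that decimal output is intended. The "offset = end;" removal and re-addition is a whitespace-only change, which is better left out of a stable backport so the hunk shows only the sentinel and the abort().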
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 33/36] pc: add pc-0.15
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (31 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 32/36] Error check find_ram_offset Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 34/36] pc: fix event_idx compatibility for virtio devices Andreas Färber
` (3 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Andreas Färber,
Bruce Rogers
From: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93)
[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pc_piix.c | 26 +++++++++++++++++++++++---
1 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index b8e0841..20bac9d 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -258,8 +258,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size,
}
#endif
-static QEMUMachine pc_machine = {
- .name = "pc-0.14",
+static QEMUMachine pc_machine_v0_15 = {
+ .name = "pc-0.15",
.alias = "pc",
.desc = "Standard PC",
.init = pc_init_pci,
@@ -267,6 +267,25 @@ static QEMUMachine pc_machine = {
.is_default = 1,
};
+static QEMUMachine pc_machine_v0_14 = {
+ .name = "pc-0.14",
+ .desc = "Standard PC",
+ .init = pc_init_pci,
+ .max_cpus = 255,
+ .compat_props = (GlobalProperty[]) {
+ {
+ .driver = "qxl",
+ .property = "revision",
+ .value = stringify(2),
+ },{
+ .driver = "qxl-vga",
+ .property = "revision",
+ .value = stringify(2),
+ },
+ { /* end of list */ }
+ },
+};
+
static QEMUMachine pc_machine_v0_13 = {
.name = "pc-0.13",
.desc = "Standard PC",
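Review bot: the new pc_machine_v0_14 pins the revision property to 2 for "qxl" and "qxl-vga", but neither a comment nor the commit message (which has no body) says what differs in the newer revision or why 0.14 guests need the old one. A one-line comment above compat_props, or a sentence in the commit message, would make the compatibility intent reviewable.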
@@ -498,7 +517,8 @@ static QEMUMachine xenfv_machine = {
static void pc_machine_init(void)
{
- qemu_register_machine(&pc_machine);
+ qemu_register_machine(&pc_machine_v0_15);
+ qemu_register_machine(&pc_machine_v0_14);
qemu_register_machine(&pc_machine_v0_13);
qemu_register_machine(&pc_machine_v0_12);
qemu_register_machine(&pc_machine_v0_11);
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 34/36] pc: fix event_idx compatibility for virtio devices
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (32 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 33/36] pc: add pc-0.15 Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 35/36] Add missing trace call to oslib-posix.c:qemu_vmalloc() Andreas Färber
` (2 subsequent siblings)
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Andreas Färber,
Bruce Rogers
From: Anthony Liguori <aliguori@us.ibm.com>
event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
(including virtio-balloon-pci).
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69)
[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pc_piix.c | 32 ++++++++++++++++++++++++++++++++
1 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 20bac9d..b179465 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -281,6 +281,22 @@ static QEMUMachine pc_machine_v0_14 = {
.driver = "qxl-vga",
.property = "revision",
.value = stringify(2),
+ },{
+ .driver = "virtio-blk-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
+ .driver = "virtio-serial-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
+ .driver = "virtio-net-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
},
{ /* end of list */ }
},
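Review bot: the four event_idx = "off" entries added to pc_machine_v0_14 duplicate the list that each older machine type already carries, and the remaining hunks of this patch exist only because "virtio-balloon-pci" was missing from those copies. Factoring the shared entries into one macro that every pre-0.15 machine type includes would keep the next virtio-pci device from being forgotten in one of them.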
@@ -321,6 +337,10 @@ static QEMUMachine pc_machine_v0_13 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
@@ -368,6 +388,10 @@ static QEMUMachine pc_machine_v0_12 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
@@ -423,6 +447,10 @@ static QEMUMachine pc_machine_v0_11 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
@@ -490,6 +518,10 @@ static QEMUMachine pc_machine_v0_10 = {
.property = "event_idx",
.value = "off",
},{
+ .driver = "virtio-balloon-pci",
+ .property = "event_idx",
+ .value = "off",
+ },{
.driver = "AC97",
.property = "use_broken_id",
.value = stringify(1),
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 35/36] Add missing trace call to oslib-posix.c:qemu_vmalloc()
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (33 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 34/36] pc: fix event_idx compatibility for virtio devices Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 36/36] qemu_vmalloc: align properly for transparent hugepages and KVM Andreas Färber
2012-03-28 17:06 ` [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Stefan Weil
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Jes Sorensen, Anthony Liguori, kvm, qemu-stable,
Andreas Färber
From: Jes Sorensen <Jes.Sorensen@redhat.com>
Acked-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
oslib-posix.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/oslib-posix.c b/oslib-posix.c
index 3a18e86..196099c 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -79,7 +79,10 @@ void *qemu_memalign(size_t alignment, size_t size)
/* alloc shared memory pages */
void *qemu_vmalloc(size_t size)
{
- return qemu_memalign(getpagesize(), size);
+ void *ptr;
+ ptr = qemu_memalign(getpagesize(), size);
+ trace_qemu_vmalloc(size, ptr);
+ return ptr;
}
void qemu_vfree(void *ptr)
--
1.7.7
* [Qemu-devel] [PATCH stable-0.15 36/36] qemu_vmalloc: align properly for transparent hugepages and KVM
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (34 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 35/36] Add missing trace call to oslib-posix.c:qemu_vmalloc() Andreas Färber
@ 2012-03-28 12:52 ` Andreas Färber
2012-03-28 17:06 ` [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Stefan Weil
36 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-03-28 12:52 UTC (permalink / raw)
To: qemu-devel
Cc: Anthony Liguori, kvm, qemu-stable, Bruce Rogers, Avi Kivity,
Andreas Färber
From: Avi Kivity <avi@redhat.com>
To make good use of transparent hugepages, KVM requires that guest-physical
and host-virtual addresses share the low 21 bits (as opposed to just the low
12 bits normally required).
Adjust qemu_vmalloc() to honor that requirement. Ignore it for small regions
to avoid fragmentation.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
oslib-posix.c | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
diff --git a/oslib-posix.c b/oslib-posix.c
index 196099c..a304fb0 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -35,6 +35,13 @@
extern int daemon(int, int);
#endif
+#if defined(__linux__) && defined(__x86_64__)
+ /* Use 2MB alignment so transparent hugepages can be used by KVM */
+# define QEMU_VMALLOC_ALIGN (512 * 4096)
+#else
+# define QEMU_VMALLOC_ALIGN getpagesize()
+#endif
+
#include "config-host.h"
#include "sysemu.h"
#include "trace.h"
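Review bot: QEMU_VMALLOC_ALIGN is a compile-time constant in the Linux/x86_64 branch but expands to a getpagesize() call in the #else branch, so it cannot be used where a constant expression is required and is re-evaluated at every use. Say so in the comment or turn it into a small inline helper. The value `(512 * 4096)` also hard-codes a 4096-byte page; writing it as `(1 << 21)` would match the "low 21 bits" wording in the commit message. The block also sits above the `#include "config-host.h"` group, and moving it below the includes would keep definitions after headers.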
@@ -80,7 +87,12 @@ void *qemu_memalign(size_t alignment, size_t size)
void *qemu_vmalloc(size_t size)
{
void *ptr;
- ptr = qemu_memalign(getpagesize(), size);
+ size_t align = QEMU_VMALLOC_ALIGN;
+
+ if (size < align) {
+ align = getpagesize();
+ }
+ ptr = qemu_memalign(align, size);
trace_qemu_vmalloc(size, ptr);
return ptr;
}
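Review bot: the `if (size < align)` fallback in qemu_vmalloc() carries no comment, so the reason for dropping back to page alignment (avoiding fragmentation for small regions, per the commit message) lives only in the log. Add a one-line comment above the check. On hosts where QEMU_VMALLOC_ALIGN is already getpagesize(), the branch calls getpagesize() a second time with no effect, which is harmless but could be avoided by guarding the check with the same #if.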
--
1.7.7
* Re: [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2
2012-03-28 12:52 [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Andreas Färber
` (35 preceding siblings ...)
2012-03-28 12:52 ` [Qemu-devel] [PATCH stable-0.15 36/36] qemu_vmalloc: align properly for transparent hugepages and KVM Andreas Färber
@ 2012-03-28 17:06 ` Stefan Weil
2012-06-10 22:11 ` Andreas Färber
36 siblings, 1 reply; 39+ messages in thread
From: Stefan Weil @ 2012-03-28 17:06 UTC (permalink / raw)
To: Andreas Färber; +Cc: Justin M. Forbes, kvm, qemu-devel, qemu-stable
On 28.03.2012 14:52, Andreas Färber wrote:
> Hello Anthony and Justin,
>
> As announced last year, SUSE is shipping a patched qemu-kvm 0.15.1 with our
> recently released SLES 11 SP2. We are therefore very interested in cutting
> 0.15.2 releases for QEMU and later on qemu-kvm.
>
> This series contains only bugfix cherry-picks from qemu.git master,
> conflict resolutions or bug numbers are annotated.
[snip]
Here are some more fixes which might be added to stable-0.15.
I noticed that you already added a patch for block/vdi.c - the
fix below is even more important for people using the VDI format.
Other fixes which are still missing exist for MIPS Malta and VNC
(this list is far from being complete).
Regards,
Stefan W.
The following changes since commit 82b2b32a323bbb5824b4fbe63a3bca50f827e28e:
Version 0.15.1 (2011-10-11 09:46:03 -0500)
are available in the git repository at:
git://qemu.weilnetz.de/qemu.git stable-0.15
for you to fetch changes up to a4d13ad89692700c71487d7dcbb6837e663465e0:
block/vdi: Zero unused parts when allocating a new block (fix
#919242) (2012-03-28 18:57:33 +0200)
----------------------------------------------------------------
Peter Maydell (1):
hw/lan9118.c: Add missing 'break' to fix buffer overrun
Stefan Hajnoczi (1):
bt-host: add missing break statement
Stefan Weil (2):
ds1338: Add missing break statement
block/vdi: Zero unused parts when allocating a new block (fix
#919242)
block/vdi.c | 31 +++++++++++++++++++++++++++++--
bt-host.c | 1 +
hw/ds1338.c | 1 +
hw/lan9118.c | 1 +
4 files changed, 32 insertions(+), 2 deletions(-)
* Re: [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2
2012-03-28 17:06 ` [Qemu-devel] [PATCH stable-0.15 00/36] Preparing 0.15.2 Stefan Weil
@ 2012-06-10 22:11 ` Andreas Färber
0 siblings, 0 replies; 39+ messages in thread
From: Andreas Färber @ 2012-06-10 22:11 UTC (permalink / raw)
To: Stefan Weil, qemu-stable; +Cc: qemu-devel, Anthony Liguori, Bruce Rogers
On 28.03.2012 19:06, Stefan Weil wrote:
> On 28.03.2012 14:52, Andreas Färber wrote:
>> As announced last year, SUSE is shipping a patched qemu-kvm 0.15.1 with our
>> recently released SLES 11 SP2. We are therefore very interested in cutting
>> 0.15.2 releases for QEMU and later on qemu-kvm.
>>
>> This series contains only bugfix cherry-picks from qemu.git master,
>> conflict resolutions or bug numbers are annotated.
> [snip]
I've pushed my 0.15 queue now, seeing no objections.
> Here are some more fixes which might be added to stable-0.15.
> I noticed that you already added a patch for block/vdi.c - the
> fix below is even more important for people using the VDI format.
The lan9118 patch seemed to be in my queue already; it no longer
applied. The other three I've cherry-picked with -x from master to track
the original commit. Thanks!
> Other fixes which are still missing exist for MIPS Malta and VNC
> (this list is far from being complete).
MIPS is not among SUSE's supported KVM targets but if you or someone has
suggestions for commits to backport I'll certainly consider.
Regards,
Andreas
> The following changes since commit
> 82b2b32a323bbb5824b4fbe63a3bca50f827e28e:
>
> Version 0.15.1 (2011-10-11 09:46:03 -0500)
>
> are available in the git repository at:
>
> git://qemu.weilnetz.de/qemu.git stable-0.15
>
> for you to fetch changes up to a4d13ad89692700c71487d7dcbb6837e663465e0:
>
> block/vdi: Zero unused parts when allocating a new block (fix #919242)
> (2012-03-28 18:57:33 +0200)
>
> ----------------------------------------------------------------
> Peter Maydell (1):
> hw/lan9118.c: Add missing 'break' to fix buffer overrun
>
> Stefan Hajnoczi (1):
> bt-host: add missing break statement
>
> Stefan Weil (2):
> ds1338: Add missing break statement
> block/vdi: Zero unused parts when allocating a new block (fix
> #919242)
>
> block/vdi.c | 31 +++++++++++++++++++++++++++++--
> bt-host.c | 1 +
> hw/ds1338.c | 1 +
> hw/lan9118.c | 1 +
> 4 files changed, 32 insertions(+), 2 deletions(-)
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg