qemu-devel.nongnu.org archive mirror
* [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06
@ 2013-12-04 14:34 Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 01/32] char: move backends' io watch tag to CharDriverState Michael Roth
                   ` (32 more replies)
  0 siblings, 33 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Hi everyone,

The following new patches are queued for QEMU stable v1.6.2:

https://github.com/mdroth/qemu/commits/stable-1.6-staging

The release is planned for 2013-12-09:

http://wiki.qemu.org/Planning/1.6

Please respond here or CC qemu-stable@nongnu.org on any patches you
think should be included in the release. The cut-off date
has been extended to 2013-12-06 due to the round-up email going
out late.

Testing/feedback is greatly appreciated.

Thanks!

Alex Williamson (1):
      vfio-pci: Fix multifunction=on

Alexey Kardashevskiy (1):
      memory: fix 128 arithmetic in info mtree

Amit Shah (3):
      char: move backends' io watch tag to CharDriverState
      char: use common function to disable callbacks on chardev close
      char: remove watch callback on chardev detach from frontend

Amos Kong (2):
      virtio-net: fix the memory leak in rxfilter_notify()
      rng-egd: offset the point when repeatedly read from the buffer

Bandan Das (1):
      pci: unregister vmstate_pcibus on unplug

Cole Robinson (1):
      Fix pc migration from qemu <= 1.5

Fam Zheng (1):
      vmdk: Fix vmdk_parse_extents

Hans de Goede (1):
      audio: honor QEMU_AUDIO_TIMER_PERIOD instead of waking up every *nano* second

Igor Mammedov (1):
      qdev-monitor: Fix crash when device_add is called with abstract driver

Jason Wang (1):
      virtio-net: only delete bh that existed

Markus Armbruster (2):
      tests: Fix schema parser test for in-tree build
      tests: Update .gitignore for test-int128 and test-bitops

Matthew Daley (1):
      xen_disk: mark ioreq as mapped before unmapping in error case

Max Filippov (1):
      exec: fix breakpoint_invalidate when pc may not be translated

Max Reitz (1):
      qcow2: count_contiguous_clusters and compression

Mike Frysinger (1):
      configure: detect endian via compile test

Paolo Bonzini (1):
      monitor: eliminate monitor_event_state_lock

Peter Lieven (1):
      qcow2: fix possible corruption when reading multiple clusters

Peter Maydell (1):
      configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0

Richard Henderson (1):
      Adjust qapi-visit for python-2.4.3

Stefan Hajnoczi (1):
      qdev-monitor: Unref device when device_add fails

Stefan Weil (5):
      tci: Add implementation of rotl_i64, rotr_i64
      bitops: Add rotate functions (rol8, ror8, ...)
      misc: Use new rotate functions
      qemu-char: Fix potential out of bounds access to local arrays
      linux-user: Fix stat64 syscall for SPARC64

Vlad Yasevich (1):
      qom: Fix memory leak in object_property_set_link()

Wenchao Xia (2):
      qapi: fix memleak by adding implict struct functions in dealloc visitor
      tests: fix memleak in error path test for input visitor

 audio/audio.c                  |    3 +-
 backends/rng-egd.c             |    4 +-
 block/qcow2-cluster.c          |    7 +++-
 block/vmdk.c                   |    7 +++-
 configure                      |   45 +++++++++------------
 exec.c                         |    6 ++-
 hw/block/xen_disk.c            |    1 +
 hw/misc/vfio.c                 |    7 ++++
 hw/net/virtio-net.c            |   10 ++---
 hw/pci-host/piix.c             |    9 ++++-
 hw/pci-host/q35.c              |   10 ++++-
 hw/pci/pci.c                   |    8 ++++
 include/hw/i386/pc.h           |    8 ++++
 include/hw/pci-host/q35.h      |    1 +
 include/qemu/bitops.h          |   80 +++++++++++++++++++++++++++++++++++++
 include/sysemu/char.h          |    1 +
 linux-user/syscall.c           |    6 +--
 linux-user/syscall_defs.h      |   14 +++++++
 memory.c                       |    4 +-
 monitor.c                      |    6 ---
 qapi/qapi-dealloc-visitor.c    |   20 ++++++++++
 qdev-monitor.c                 |    8 ++++
 qemu-char.c                    |   86 +++++++++++++++-------------------------
 qom/object.c                   |    5 ++-
 scripts/qapi-visit.py          |   17 ++++++--
 target-arm/iwmmxt_helper.c     |    2 +-
 tcg/optimize.c                 |   12 ++----
 tcg/tci/tcg-target.c           |    1 -
 tci.c                          |   14 +++++--
 tests/.gitignore               |    3 ++
 tests/Makefile                 |    8 ++--
 tests/test-qmp-input-visitor.c |    1 +
 32 files changed, 287 insertions(+), 127 deletions(-)


* [Qemu-devel] [PATCH 01/32] char: move backends' io watch tag to CharDriverState
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 02/32] char: use common function to disable callbacks on chardev close Michael Roth
                   ` (31 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Amit Shah <amit.shah@redhat.com>

All the backends implement an io watcher tag for callbacks.  Move it to
CharDriverState from each backend's struct to make accessing the tag from
backend-neutral functions easier.

This will be used later to cancel a callback on chardev detach from a
frontend.

CC: <qemu-stable@nongnu.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit 7ba9addc165b37b764baa08c02518b15b2361707)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/sysemu/char.h |    1 +
 qemu-char.c           |   77 +++++++++++++++++++++++++------------------------
 2 files changed, 40 insertions(+), 38 deletions(-)

diff --git a/include/sysemu/char.h b/include/sysemu/char.h
index 8053130..ad101d9 100644
--- a/include/sysemu/char.h
+++ b/include/sysemu/char.h
@@ -78,6 +78,7 @@ struct CharDriverState {
     int explicit_be_open;
     int avail_connections;
     int is_mux;
+    guint fd_in_tag;
     QemuOpts *opts;
     QTAILQ_ENTRY(CharDriverState) next;
 };
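Review bot: the new `fd_in_tag` member of `struct CharDriverState` has no comment, yet every backend touched by this patch now relies on the same convention for it: it holds the tag of the backend's input watch and 0 means no watch is installed. Please document that next to the field, for example `guint fd_in_tag; /* input watch tag, 0 if none */`, so a backend that needs a second watch (as the TCP driver does with `listen_tag`) keeps it in its own struct rather than reusing this one.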
diff --git a/qemu-char.c b/qemu-char.c
index 1621fbd..1dc1646 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -798,7 +798,6 @@ static int io_channel_send(GIOChannel *fd, const void *buf, size_t len)
 typedef struct FDCharDriver {
     CharDriverState *chr;
     GIOChannel *fd_in, *fd_out;
-    guint fd_in_tag;
     int max_size;
     QTAILQ_ENTRY(FDCharDriver) node;
 } FDCharDriver;
@@ -830,9 +829,9 @@ static gboolean fd_chr_read(GIOChannel *chan, GIOCondition cond, void *opaque)
     status = g_io_channel_read_chars(chan, (gchar *)buf,
                                      len, &bytes_read, NULL);
     if (status == G_IO_STATUS_EOF) {
-        if (s->fd_in_tag) {
-            io_remove_watch_poll(s->fd_in_tag);
-            s->fd_in_tag = 0;
+        if (chr->fd_in_tag) {
+            io_remove_watch_poll(chr->fd_in_tag);
+            chr->fd_in_tag = 0;
         }
         qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
         return FALSE;
@@ -863,13 +862,14 @@ static void fd_chr_update_read_handler(CharDriverState *chr)
 {
     FDCharDriver *s = chr->opaque;
 
-    if (s->fd_in_tag) {
-        io_remove_watch_poll(s->fd_in_tag);
-        s->fd_in_tag = 0;
+    if (chr->fd_in_tag) {
+        io_remove_watch_poll(chr->fd_in_tag);
+        chr->fd_in_tag = 0;
     }
 
     if (s->fd_in) {
-        s->fd_in_tag = io_add_watch_poll(s->fd_in, fd_chr_read_poll, fd_chr_read, chr);
+        chr->fd_in_tag = io_add_watch_poll(s->fd_in, fd_chr_read_poll,
+                                           fd_chr_read, chr);
     }
 }
 
@@ -877,9 +877,9 @@ static void fd_chr_close(struct CharDriverState *chr)
 {
     FDCharDriver *s = chr->opaque;
 
-    if (s->fd_in_tag) {
-        io_remove_watch_poll(s->fd_in_tag);
-        s->fd_in_tag = 0;
+    if (chr->fd_in_tag) {
+        io_remove_watch_poll(chr->fd_in_tag);
+        chr->fd_in_tag = 0;
     }
 
     if (s->fd_in) {
@@ -1012,7 +1012,6 @@ static CharDriverState *qemu_chr_open_stdio(ChardevStdio *opts)
 
 typedef struct {
     GIOChannel *fd;
-    guint fd_tag;
     int connected;
     int read_bytes;
     guint timer_tag;
@@ -1123,9 +1122,9 @@ static void pty_chr_state(CharDriverState *chr, int connected)
     PtyCharDriver *s = chr->opaque;
 
     if (!connected) {
-        if (s->fd_tag) {
-            io_remove_watch_poll(s->fd_tag);
-            s->fd_tag = 0;
+        if (chr->fd_in_tag) {
+            io_remove_watch_poll(chr->fd_in_tag);
+            chr->fd_in_tag = 0;
         }
         s->connected = 0;
         /* (re-)connect poll interval for idle guests: once per second.
@@ -1140,7 +1139,8 @@ static void pty_chr_state(CharDriverState *chr, int connected)
         if (!s->connected) {
             s->connected = 1;
             qemu_chr_be_generic_open(chr);
-            s->fd_tag = io_add_watch_poll(s->fd, pty_chr_read_poll, pty_chr_read, chr);
+            chr->fd_in_tag = io_add_watch_poll(s->fd, pty_chr_read_poll,
+                                               pty_chr_read, chr);
         }
     }
 }
@@ -1151,9 +1151,9 @@ static void pty_chr_close(struct CharDriverState *chr)
     PtyCharDriver *s = chr->opaque;
     int fd;
 
-    if (s->fd_tag) {
-        io_remove_watch_poll(s->fd_tag);
-        s->fd_tag = 0;
+    if (chr->fd_in_tag) {
+        io_remove_watch_poll(chr->fd_in_tag);
+        chr->fd_in_tag = 0;
     }
     fd = g_io_channel_unix_get_fd(s->fd);
     g_io_channel_unref(s->fd);
@@ -2161,7 +2161,6 @@ static CharDriverState *qemu_chr_open_stdio(ChardevStdio *opts)
 typedef struct {
     int fd;
     GIOChannel *chan;
-    guint tag;
     uint8_t buf[READ_BUF_LEN];
     int bufcnt;
     int bufptr;
@@ -2217,9 +2216,9 @@ static gboolean udp_chr_read(GIOChannel *chan, GIOCondition cond, void *opaque)
     s->bufcnt = bytes_read;
     s->bufptr = s->bufcnt;
     if (status != G_IO_STATUS_NORMAL) {
-        if (s->tag) {
-            io_remove_watch_poll(s->tag);
-            s->tag = 0;
+        if (chr->fd_in_tag) {
+            io_remove_watch_poll(chr->fd_in_tag);
+            chr->fd_in_tag = 0;
         }
         return FALSE;
     }
@@ -2238,22 +2237,23 @@ static void udp_chr_update_read_handler(CharDriverState *chr)
 {
     NetCharDriver *s = chr->opaque;
 
-    if (s->tag) {
-        io_remove_watch_poll(s->tag);
-        s->tag = 0;
+    if (chr->fd_in_tag) {
+        io_remove_watch_poll(chr->fd_in_tag);
+        chr->fd_in_tag = 0;
     }
 
     if (s->chan) {
-        s->tag = io_add_watch_poll(s->chan, udp_chr_read_poll, udp_chr_read, chr);
+        chr->fd_in_tag = io_add_watch_poll(s->chan, udp_chr_read_poll,
+                                           udp_chr_read, chr);
     }
 }
 
 static void udp_chr_close(CharDriverState *chr)
 {
     NetCharDriver *s = chr->opaque;
-    if (s->tag) {
-        io_remove_watch_poll(s->tag);
-        s->tag = 0;
+    if (chr->fd_in_tag) {
+        io_remove_watch_poll(chr->fd_in_tag);
+        chr->fd_in_tag = 0;
     }
     if (s->chan) {
         g_io_channel_unref(s->chan);
@@ -2304,7 +2304,7 @@ static CharDriverState *qemu_chr_open_udp(QemuOpts *opts)
 typedef struct {
 
     GIOChannel *chan, *listen_chan;
-    guint tag, listen_tag;
+    guint listen_tag;
     int fd, listen_fd;
     int connected;
     int max_size;
@@ -2489,9 +2489,9 @@ static gboolean tcp_chr_read(GIOChannel *chan, GIOCondition cond, void *opaque)
         if (s->listen_chan) {
             s->listen_tag = g_io_add_watch(s->listen_chan, G_IO_IN, tcp_chr_accept, chr);
         }
-        if (s->tag) {
-            io_remove_watch_poll(s->tag);
-            s->tag = 0;
+        if (chr->fd_in_tag) {
+            io_remove_watch_poll(chr->fd_in_tag);
+            chr->fd_in_tag = 0;
         }
         g_io_channel_unref(s->chan);
         s->chan = NULL;
@@ -2522,7 +2522,8 @@ static void tcp_chr_connect(void *opaque)
 
     s->connected = 1;
     if (s->chan) {
-        s->tag = io_add_watch_poll(s->chan, tcp_chr_read_poll, tcp_chr_read, chr);
+        chr->fd_in_tag = io_add_watch_poll(s->chan, tcp_chr_read_poll,
+                                           tcp_chr_read, chr);
     }
     qemu_chr_be_generic_open(chr);
 }
@@ -2605,9 +2606,9 @@ static void tcp_chr_close(CharDriverState *chr)
 {
     TCPCharDriver *s = chr->opaque;
     if (s->fd >= 0) {
-        if (s->tag) {
-            io_remove_watch_poll(s->tag);
-            s->tag = 0;
+        if (chr->fd_in_tag) {
+            io_remove_watch_poll(chr->fd_in_tag);
+            chr->fd_in_tag = 0;
         }
         if (s->chan) {
             g_io_channel_unref(s->chan);
-- 
1.7.9.5


* [Qemu-devel] [PATCH 02/32] char: use common function to disable callbacks on chardev close
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 01/32] char: move backends' io watch tag to CharDriverState Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 03/32] char: remove watch callback on chardev detach from frontend Michael Roth
                   ` (30 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Amit Shah <amit.shah@redhat.com>

This deduplicates code used a lot of times.

CC: <qemu-stable@nongnu.org>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit 26da70c72524eb22c946ab19ec98a217b8252f7e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c |   62 ++++++++++++++++++-----------------------------------------
 1 file changed, 19 insertions(+), 43 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index 1dc1646..fa00517 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -725,6 +725,14 @@ static void io_remove_watch_poll(guint tag)
     g_source_destroy(&iwp->parent);
 }
 
+static void remove_fd_in_watch(CharDriverState *chr)
+{
+    if (chr->fd_in_tag) {
+        io_remove_watch_poll(chr->fd_in_tag);
+        chr->fd_in_tag = 0;
+    }
+}
+
 #ifndef _WIN32
 static GIOChannel *io_channel_from_fd(int fd)
 {
@@ -829,10 +837,7 @@ static gboolean fd_chr_read(GIOChannel *chan, GIOCondition cond, void *opaque)
     status = g_io_channel_read_chars(chan, (gchar *)buf,
                                      len, &bytes_read, NULL);
     if (status == G_IO_STATUS_EOF) {
-        if (chr->fd_in_tag) {
-            io_remove_watch_poll(chr->fd_in_tag);
-            chr->fd_in_tag = 0;
-        }
+        remove_fd_in_watch(chr);
         qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
         return FALSE;
     }
@@ -862,11 +867,7 @@ static void fd_chr_update_read_handler(CharDriverState *chr)
 {
     FDCharDriver *s = chr->opaque;
 
-    if (chr->fd_in_tag) {
-        io_remove_watch_poll(chr->fd_in_tag);
-        chr->fd_in_tag = 0;
-    }
-
+    remove_fd_in_watch(chr);
     if (s->fd_in) {
         chr->fd_in_tag = io_add_watch_poll(s->fd_in, fd_chr_read_poll,
                                            fd_chr_read, chr);
@@ -877,11 +878,7 @@ static void fd_chr_close(struct CharDriverState *chr)
 {
     FDCharDriver *s = chr->opaque;
 
-    if (chr->fd_in_tag) {
-        io_remove_watch_poll(chr->fd_in_tag);
-        chr->fd_in_tag = 0;
-    }
-
+    remove_fd_in_watch(chr);
     if (s->fd_in) {
         g_io_channel_unref(s->fd_in);
     }
@@ -1122,10 +1119,7 @@ static void pty_chr_state(CharDriverState *chr, int connected)
     PtyCharDriver *s = chr->opaque;
 
     if (!connected) {
-        if (chr->fd_in_tag) {
-            io_remove_watch_poll(chr->fd_in_tag);
-            chr->fd_in_tag = 0;
-        }
+        remove_fd_in_watch(chr);
         s->connected = 0;
         /* (re-)connect poll interval for idle guests: once per second.
          * We check more frequently in case the guests sends data to
@@ -1151,10 +1145,7 @@ static void pty_chr_close(struct CharDriverState *chr)
     PtyCharDriver *s = chr->opaque;
     int fd;
 
-    if (chr->fd_in_tag) {
-        io_remove_watch_poll(chr->fd_in_tag);
-        chr->fd_in_tag = 0;
-    }
+    remove_fd_in_watch(chr);
     fd = g_io_channel_unix_get_fd(s->fd);
     g_io_channel_unref(s->fd);
     close(fd);
@@ -2216,10 +2207,7 @@ static gboolean udp_chr_read(GIOChannel *chan, GIOCondition cond, void *opaque)
     s->bufcnt = bytes_read;
     s->bufptr = s->bufcnt;
     if (status != G_IO_STATUS_NORMAL) {
-        if (chr->fd_in_tag) {
-            io_remove_watch_poll(chr->fd_in_tag);
-            chr->fd_in_tag = 0;
-        }
+        remove_fd_in_watch(chr);
         return FALSE;
     }
 
@@ -2237,11 +2225,7 @@ static void udp_chr_update_read_handler(CharDriverState *chr)
 {
     NetCharDriver *s = chr->opaque;
 
-    if (chr->fd_in_tag) {
-        io_remove_watch_poll(chr->fd_in_tag);
-        chr->fd_in_tag = 0;
-    }
-
+    remove_fd_in_watch(chr);
     if (s->chan) {
         chr->fd_in_tag = io_add_watch_poll(s->chan, udp_chr_read_poll,
                                            udp_chr_read, chr);
@@ -2251,10 +2235,8 @@ static void udp_chr_update_read_handler(CharDriverState *chr)
 static void udp_chr_close(CharDriverState *chr)
 {
     NetCharDriver *s = chr->opaque;
-    if (chr->fd_in_tag) {
-        io_remove_watch_poll(chr->fd_in_tag);
-        chr->fd_in_tag = 0;
-    }
+
+    remove_fd_in_watch(chr);
     if (s->chan) {
         g_io_channel_unref(s->chan);
         closesocket(s->fd);
@@ -2489,10 +2471,7 @@ static gboolean tcp_chr_read(GIOChannel *chan, GIOCondition cond, void *opaque)
         if (s->listen_chan) {
             s->listen_tag = g_io_add_watch(s->listen_chan, G_IO_IN, tcp_chr_accept, chr);
         }
-        if (chr->fd_in_tag) {
-            io_remove_watch_poll(chr->fd_in_tag);
-            chr->fd_in_tag = 0;
-        }
+        remove_fd_in_watch(chr);
         g_io_channel_unref(s->chan);
         s->chan = NULL;
         closesocket(s->fd);
@@ -2606,10 +2585,7 @@ static void tcp_chr_close(CharDriverState *chr)
 {
     TCPCharDriver *s = chr->opaque;
     if (s->fd >= 0) {
-        if (chr->fd_in_tag) {
-            io_remove_watch_poll(chr->fd_in_tag);
-            chr->fd_in_tag = 0;
-        }
+        remove_fd_in_watch(chr);
         if (s->chan) {
             g_io_channel_unref(s->chan);
         }
-- 
1.7.9.5


* [Qemu-devel] [PATCH 03/32] char: remove watch callback on chardev detach from frontend
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 01/32] char: move backends' io watch tag to CharDriverState Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 02/32] char: use common function to disable callbacks on chardev close Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 04/32] tests: Fix schema parser test for in-tree build Michael Roth
                   ` (29 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Amit Shah <amit.shah@redhat.com>

If a frontend device releases the chardev (via unplug), the chr handlers
are set to NULL via qdev's exit callbacks invoking
qemu_chr_add_handlers().  If the chardev had a pending operation, a
callback will be invoked, which will try to access data in the
just-released frontend, causing a segfault.

Ensure the callbacks are disabled when frontends release chardevs.

This was seen when a virtio-serial port was unplugged when heavy
guest->host IO was in progress (causing a callback to be registered).
In the window in which the throttling was active, unplugging ports
caused a qemu segfault.

https://bugzilla.redhat.com/show_bug.cgi?id=985205

CC: <qemu-stable@nongnu.org>
Reported-by: Sibiao Luo <sluo@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit 386a5a1e0057e220f79c48fe3689e3dfb17f1b09)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/qemu-char.c b/qemu-char.c
index fa00517..fc1c23d 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -193,6 +193,8 @@ void qemu_chr_fe_printf(CharDriverState *s, const char *fmt, ...)
     va_end(ap);
 }
 
+static void remove_fd_in_watch(CharDriverState *chr);
+
 void qemu_chr_add_handlers(CharDriverState *s,
                            IOCanReadHandler *fd_can_read,
                            IOReadHandler *fd_read,
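Review bot: the prototype `static void remove_fd_in_watch(CharDriverState *chr);` is placed between two function definitions, directly above `qemu_chr_add_handlers()`, with nothing to say where the definition lives. Either move the helper's definition above its first caller so no forward declaration is needed, or add a one-line comment next to the prototype pointing at the definition.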
@@ -203,6 +205,7 @@ void qemu_chr_add_handlers(CharDriverState *s,
 
     if (!opaque && !fd_can_read && !fd_read && !fd_event) {
         fe_open = 0;
+        remove_fd_in_watch(s);
     } else {
         fe_open = 1;
     }
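Review bot: in the `if (!opaque && !fd_can_read && !fd_read && !fd_event)` branch the watch is removed only when `opaque` is NULL as well, so a caller that clears all three handlers but still passes a non-NULL `opaque` takes the `else` path and leaves the watch installed. Consider keying the `remove_fd_in_watch(s)` call on the handlers alone, or state in a comment that a detaching frontend always passes a NULL `opaque`; a short comment on why the watch is dropped at this point would also help the next reader.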
-- 
1.7.9.5


* [Qemu-devel] [PATCH 04/32] tests: Fix schema parser test for in-tree build
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (2 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 03/32] char: remove watch callback on chardev detach from frontend Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 05/32] tests: Update .gitignore for test-int128 and test-bitops Michael Roth
                   ` (28 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Commit 4f193e3 added the test, but screwed up in-tree builds
(SRCDIR=.): the test's output overwrites the expected output, and is
thus compared to itself.

Cc: qemu-stable@nongnu.org
Reported-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit d8039e58b1ecfdc9af171502c83e3949f6dafb95)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/.gitignore |    1 +
 tests/Makefile   |    8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/tests/.gitignore b/tests/.gitignore
index fb05c2a..d9c2ef4 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -19,3 +19,4 @@ test-thread-pool
 test-x86-cpuid
 test-xbzrle
 *-test
+qapi-schema/*.test.*
diff --git a/tests/Makefile b/tests/Makefile
index d044908..ad98439 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -247,10 +247,10 @@ check-tests/test-qapi.py: tests/test-qapi.py
 
 .PHONY: $(patsubst %, check-%, $(check-qapi-schema-y))
 $(patsubst %, check-%, $(check-qapi-schema-y)): check-%.json: $(SRC_PATH)/%.json
-	$(call quiet-command, PYTHONPATH=$(SRC_PATH)/scripts $(PYTHON) $(SRC_PATH)/tests/qapi-schema/test-qapi.py <$^ >$*.out 2>$*.err; echo $$? >$*.exit, "  TEST  $*.out")
-	@diff -q $(SRC_PATH)/$*.out $*.out
-	@diff -q $(SRC_PATH)/$*.err $*.err
-	@diff -q $(SRC_PATH)/$*.exit $*.exit
+	$(call quiet-command, PYTHONPATH=$(SRC_PATH)/scripts $(PYTHON) $(SRC_PATH)/tests/qapi-schema/test-qapi.py <$^ >$*.test.out 2>$*.test.err; echo $$? >$*.test.exit, "  TEST  $*.out")
+	@diff -q $(SRC_PATH)/$*.out $*.test.out
+	@diff -q $(SRC_PATH)/$*.err $*.test.err
+	@diff -q $(SRC_PATH)/$*.exit $*.test.exit
 
 # Consolidated targets
 
-- 
1.7.9.5


* [Qemu-devel] [PATCH 05/32] tests: Update .gitignore for test-int128 and test-bitops
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (3 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 04/32] tests: Fix schema parser test for in-tree build Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 06/32] tci: Add implementation of rotl_i64, rotr_i64 Michael Roth
                   ` (27 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Forgotten in commit 6046c62 and 3464700.

Cc: qemu-stable@nongnu.org
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 9dbb52e862458935c250bac9e71d5a87da4e33e9)

Conflicts:

	tests/.gitignore

*removed post-1.6 additions from diff

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/.gitignore |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/.gitignore b/tests/.gitignore
index d9c2ef4..9ac044d 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -5,8 +5,10 @@ check-qjson
 check-qlist
 check-qstring
 test-aio
+test-bitops
 test-cutils
 test-hbitmap
+test-int128
 test-iov
 test-mul64
 test-qapi-types.[ch]
-- 
1.7.9.5


* [Qemu-devel] [PATCH 06/32] tci: Add implementation of rotl_i64, rotr_i64
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (4 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 05/32] tests: Update .gitignore for test-int128 and test-bitops Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 07/32] bitops: Add rotate functions (rol8, ror8, ...) Michael Roth
                   ` (26 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

It is used by qemu-ppc64 when running Debian's busybox-static.

Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Richard Henderson <rth@twiddle.net>
(cherry picked from commit d285bf784b6234e994ce73c05c82c9fb6429df00)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tcg/tci/tcg-target.c |    1 -
 tci.c                |   10 +++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/tcg/tci/tcg-target.c b/tcg/tci/tcg-target.c
index e118bc7..7f86a7f 100644
--- a/tcg/tci/tcg-target.c
+++ b/tcg/tci/tcg-target.c
@@ -677,7 +677,6 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args,
     case INDEX_op_shl_i64:
     case INDEX_op_shr_i64:
     case INDEX_op_sar_i64:
-        /* TODO: Implementation of rotl_i64, rotr_i64 missing in tci.c. */
     case INDEX_op_rotl_i64:     /* Optional (TCG_TARGET_HAS_rot_i64). */
     case INDEX_op_rotr_i64:     /* Optional (TCG_TARGET_HAS_rot_i64). */
         tcg_out_r(s, args[0]);
diff --git a/tci.c b/tci.c
index af58576..b09ad25 100644
--- a/tci.c
+++ b/tci.c
@@ -952,8 +952,16 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             break;
 #if TCG_TARGET_HAS_rot_i64
         case INDEX_op_rotl_i64:
+            t0 = *tb_ptr++;
+            t1 = tci_read_ri64(&tb_ptr);
+            t2 = tci_read_ri64(&tb_ptr);
+            tci_write_reg64(t0, (t1 << t2) | (t1 >> (64 - t2)));
+            break;
         case INDEX_op_rotr_i64:
-            TODO();
+            t0 = *tb_ptr++;
+            t1 = tci_read_ri64(&tb_ptr);
+            t2 = tci_read_ri64(&tb_ptr);
+            tci_write_reg64(t0, (t1 >> t2) | (t1 << (64 - t2)));
             break;
 #endif
 #if TCG_TARGET_HAS_deposit_i64
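Review bot: both new cases compute the complementary shift as `64 - t2`, so a rotate count of 0 evaluates `t1 >> 64` (or `t1 << 64` in the `rotr` case), which is undefined behaviour in C when `t1` is 64 bits wide, and `t2` is not reduced modulo 64 before it is used. Mask the count before shifting, e.g. `t2 &= 63;` followed by `(t1 << t2) | (t1 >> (-t2 & 63))`, so that a zero count returns `t1` unchanged.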
-- 
1.7.9.5


* [Qemu-devel] [PATCH 07/32] bitops: Add rotate functions (rol8, ror8, ...)
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (5 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 06/32] tci: Add implementation of rotl_i64, rotr_i64 Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 08/32] misc: Use new rotate functions Michael Roth
                   ` (25 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

These functions were copies from include/linux/bitopts.h.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Richard Henderson <rth@twiddle.net>
(cherry picked from commit 6aa25b4a7bb10c48c3054f268d5be98e42ea42c0)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/qemu/bitops.h |   80 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/include/qemu/bitops.h b/include/qemu/bitops.h
index 06e2e6f..304c90c 100644
--- a/include/qemu/bitops.h
+++ b/include/qemu/bitops.h
@@ -184,6 +184,86 @@ static inline unsigned long hweight_long(unsigned long w)
 }
 
 /**
+ * rol8 - rotate an 8-bit value left
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint8_t rol8(uint8_t word, unsigned int shift)
+{
+    return (word << shift) | (word >> (8 - shift));
+}
+
+/**
+ * ror8 - rotate an 8-bit value right
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint8_t ror8(uint8_t word, unsigned int shift)
+{
+    return (word >> shift) | (word << (8 - shift));
+}
+
+/**
+ * rol16 - rotate a 16-bit value left
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint16_t rol16(uint16_t word, unsigned int shift)
+{
+    return (word << shift) | (word >> (16 - shift));
+}
+
+/**
+ * ror16 - rotate a 16-bit value right
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint16_t ror16(uint16_t word, unsigned int shift)
+{
+    return (word >> shift) | (word << (16 - shift));
+}
+
+/**
+ * rol32 - rotate a 32-bit value left
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint32_t rol32(uint32_t word, unsigned int shift)
+{
+    return (word << shift) | (word >> (32 - shift));
+}
+
+/**
+ * ror32 - rotate a 32-bit value right
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint32_t ror32(uint32_t word, unsigned int shift)
+{
+    return (word >> shift) | (word << (32 - shift));
+}
+
+/**
+ * rol64 - rotate a 64-bit value left
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint64_t rol64(uint64_t word, unsigned int shift)
+{
+    return (word << shift) | (word >> (64 - shift));
+}
+
+/**
+ * ror64 - rotate a 64-bit value right
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+static inline uint64_t ror64(uint64_t word, unsigned int shift)
+{
+    return (word >> shift) | (word << (64 - shift));
+}
+
+/**
  * extract32:
  * @value: the value to extract the bit field from
  * @start: the lowest bit in the bit field (numbered from 0)
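Review bot: none of the added kernel-doc comments state the accepted range of `@shift`, and the bodies are not safe for every value. In `rol32`/`ror32` and `rol64`/`ror64` a `shift` of 0 makes the second operand `word >> (32 - 0)` or `word >> (64 - 0)`, a shift by the full width of the type, which is undefined behaviour; for all eight helpers a `shift` larger than the width makes `width - shift` wrap around as `unsigned int`. Either document the accepted range in each comment or mask the counts, e.g. `(word << (shift & 31)) | (word >> (-shift & 31))` for the 32-bit pair.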
-- 
1.7.9.5


* [Qemu-devel] [PATCH 08/32] misc: Use new rotate functions
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (6 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 07/32] bitops: Add rotate functions (rol8, ror8, ...) Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 09/32] qemu-char: Fix potential out of bounds access to local arrays Michael Roth
                   ` (24 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

Signed-off-by: Stefan Weil <sw@weilnetz.de>
(cherry picked from commit 3df2b8fde949be86d8a78923c992fdd698d4ea4c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/iwmmxt_helper.c |    2 +-
 tcg/optimize.c             |   12 ++++--------
 tci.c                      |    8 ++++----
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/target-arm/iwmmxt_helper.c b/target-arm/iwmmxt_helper.c
index 7953b53..e6cfa62 100644
--- a/target-arm/iwmmxt_helper.c
+++ b/target-arm/iwmmxt_helper.c
@@ -577,7 +577,7 @@ uint64_t HELPER(iwmmxt_rorl)(CPUARMState *env, uint64_t x, uint32_t n)
 
 uint64_t HELPER(iwmmxt_rorq)(CPUARMState *env, uint64_t x, uint32_t n)
 {
-    x = (x >> n) | (x << (64 - n));
+    x = ror64(x, n);
     env->iwmmxt.cregs[ARM_IWMMXT_wCASF] = NZBIT64(x);
     return x;
 }
diff --git a/tcg/optimize.c b/tcg/optimize.c
index b35868a..adb5258 100644
--- a/tcg/optimize.c
+++ b/tcg/optimize.c
@@ -236,20 +236,16 @@ static TCGArg do_constant_folding_2(TCGOpcode op, TCGArg x, TCGArg y)
         return (int64_t)x >> (int64_t)y;
 
     case INDEX_op_rotr_i32:
-        x = ((uint32_t)x << (32 - y)) | ((uint32_t)x >> y);
-        return x;
+        return ror32(x, y);
 
     case INDEX_op_rotr_i64:
-        x = ((uint64_t)x << (64 - y)) | ((uint64_t)x >> y);
-        return x;
+        return ror64(x, y);
 
     case INDEX_op_rotl_i32:
-        x = ((uint32_t)x << y) | ((uint32_t)x >> (32 - y));
-        return x;
+        return rol32(x, y);
 
     case INDEX_op_rotl_i64:
-        x = ((uint64_t)x << y) | ((uint64_t)x >> (64 - y));
-        return x;
+        return rol64(x, y);
 
     CASE_OP_32_64(not):
         return ~x;
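Review bot: y reaches ror32/ror64/rol32/rol64 unchecked in all four cases, so folding a rotate whose constant count is 0 evaluates a shift by 32 or 64 inside the helper, which is undefined in C. The removed expressions had the same property, so this is not a regression, but now that the arithmetic lives in one place it is worth either masking the count in the helpers or reducing y here before the call. The explicit (uint32_t) casts on x are gone as well; the narrowing now happens implicitly at the call, and the commit message, which has no body, should say that this is intended.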
diff --git a/tci.c b/tci.c
index b09ad25..53c4b66 100644
--- a/tci.c
+++ b/tci.c
@@ -688,13 +688,13 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             t0 = *tb_ptr++;
             t1 = tci_read_ri32(&tb_ptr);
             t2 = tci_read_ri32(&tb_ptr);
-            tci_write_reg32(t0, (t1 << t2) | (t1 >> (32 - t2)));
+            tci_write_reg32(t0, rol32(t1, t2));
             break;
         case INDEX_op_rotr_i32:
             t0 = *tb_ptr++;
             t1 = tci_read_ri32(&tb_ptr);
             t2 = tci_read_ri32(&tb_ptr);
-            tci_write_reg32(t0, (t1 >> t2) | (t1 << (32 - t2)));
+            tci_write_reg32(t0, ror32(t1, t2));
             break;
 #endif
 #if TCG_TARGET_HAS_deposit_i32
@@ -955,13 +955,13 @@ tcg_target_ulong tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
             t0 = *tb_ptr++;
             t1 = tci_read_ri64(&tb_ptr);
             t2 = tci_read_ri64(&tb_ptr);
-            tci_write_reg64(t0, (t1 << t2) | (t1 >> (64 - t2)));
+            tci_write_reg64(t0, rol64(t1, t2));
             break;
         case INDEX_op_rotr_i64:
             t0 = *tb_ptr++;
             t1 = tci_read_ri64(&tb_ptr);
             t2 = tci_read_ri64(&tb_ptr);
-            tci_write_reg64(t0, (t1 >> t2) | (t1 << (64 - t2)));
+            tci_write_reg64(t0, ror64(t1, t2));
             break;
 #endif
 #if TCG_TARGET_HAS_deposit_i64
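Review bot: in the two 64-bit cases t2 is read with tci_read_ri64() but rol64/ror64 take the count as unsigned int, so the value is narrowed implicitly at the call, where the old expression used t2 as it was. If only the low bits of the count are meaningful, make that explicit with a mask such as `rol64(t1, t2 & 63)`, which also documents the expected range at the call site.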
-- 
1.7.9.5


* [Qemu-devel] [PATCH 09/32] qemu-char: Fix potential out of bounds access to local arrays
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (7 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 08/32] misc: Use new rotate functions Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 10/32] xen_disk: mark ioreq as mapped before unmapping in error case Michael Roth
                   ` (23 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

Latest gcc-4.8 supports a new option -fsanitize=address which activates
an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
very early because two character arrays of size 8 are potentially written
with 9 bytes.

Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.

There is no obvious reason why width or height could need 8 characters,
so reduce it to 7 characters which together with the terminating '\0'
fit into the arrays.

Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Alex Bennée <alex@bennee.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 49aa4058ac6dd0081aaa45776f07c98df397ca5e)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index fc1c23d..649c9f9 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2969,11 +2969,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename)
     if (strstart(filename, "vc", &p)) {
         qemu_opt_set(opts, "backend", "vc");
         if (*p == ':') {
-            if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
+            if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
                 /* pixels */
                 qemu_opt_set(opts, "width", width);
                 qemu_opt_set(opts, "height", height);
-            } else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
+            } else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
                 /* chars */
                 qemu_opt_set(opts, "cols", width);
                 qemu_opt_set(opts, "rows", height);
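Review bot: the field width 7 in both format strings is tied to the size of width[] and height[], which are declared outside this hunk, and nothing keeps the two in step if either changes. Derive the width from the array size or add a comment next to the declarations stating that the format width must be the array size minus 1. Two further points on the same lines: a height longer than 7 digits is accepted with its tail silently dropped, because sscanf still returns 2, and the trailing C in the second format is never verified, since a literal that follows the last conversion does not affect the return value.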
-- 
1.7.9.5
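
The off-by-one described in the commit message above, as an added example that is not part of the original patch or of QEMU: a `%8[0-9]` conversion stores up to 8 digits plus the terminating NUL, so it needs 9 bytes, and `%n` can be used to reject over-long or incomplete input. The function names, `GEOM_BUF`, `GEOM_WIDTH` and the sample inputs are constructed for illustration; the probe buffer is oversized on purpose so the measurement itself stays in bounds.

```c
#include <stdio.h>
#include <string.h>

#define GEOM_BUF   8   /* array size named in the commit message */
#define GEOM_WIDTH 7   /* scanset field width: must be GEOM_BUF - 1 */
#define STR_(x) #x
#define STR(x)  STR_(x)
#define SENTINEL 0x7f  /* never produced by a [0-9] conversion */

/* The build fails if the field width no longer leaves room for the NUL. */
typedef char geom_width_fits[(GEOM_WIDTH == GEOM_BUF - 1) ? 1 : -1];

/* Number of leading bytes of buf that were overwritten (NUL included). */
static size_t bytes_touched(const char *buf, size_t len)
{
    while (len > 0 && buf[len - 1] == SENTINEL) {
        len--;
    }
    return len;
}

/* Bytes stored by the pre-fix width: up to 8 digits plus the NUL. */
size_t stored_with_width8(const char *input)
{
    char probe[32];
    memset(probe, SENTINEL, sizeof(probe));
    if (sscanf(input, "%8[0-9]", probe) != 1) {
        return 0;
    }
    return bytes_touched(probe, sizeof(probe));
}

/* Bytes stored by the post-fix width: up to 7 digits plus the NUL. */
size_t stored_with_width7(const char *input)
{
    char probe[32];
    memset(probe, SENTINEL, sizeof(probe));
    if (sscanf(input, "%7[0-9]", probe) != 1) {
        return 0;
    }
    return bytes_touched(probe, sizeof(probe));
}

/*
 * Parse "<w>x<h>" (pixels) or "<w>Cx<h>C" (chars) into two GEOM_BUF-sized
 * arrays. Returns 0 for pixels, 1 for chars, -1 for anything else.
 * %n is only reached when every literal before it matched, and s[end]
 * must be the end of the string, so truncated numbers and a missing
 * trailing 'C' are rejected instead of being accepted on "== 2" alone.
 */
int parse_geometry(const char *s, char width[GEOM_BUF], char height[GEOM_BUF])
{
    int end = 0;

    if (sscanf(s, "%" STR(GEOM_WIDTH) "[0-9]x%" STR(GEOM_WIDTH) "[0-9]%n",
               width, height, &end) == 2 && end > 0 && s[end] == '\0') {
        return 0;
    }
    end = 0;
    if (sscanf(s, "%" STR(GEOM_WIDTH) "[0-9]Cx%" STR(GEOM_WIDTH) "[0-9]C%n",
               width, height, &end) == 2 && end > 0 && s[end] == '\0') {
        return 1;
    }
    return -1;
}

int main(void)
{
    char w[GEOM_BUF], h[GEOM_BUF];
    /* Constructed sample inputs. */
    const char *samples[] = { "800x600", "80Cx24C", "800x123456789", "80Cx24" };
    size_t i;

    printf("%%8[0-9] stores %zu bytes, %%7[0-9] stores %zu bytes\n",
           stored_with_width8("123456789"), stored_with_width7("123456789"));
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-14s -> %d\n", samples[i], parse_geometry(samples[i], w, h));
    }
    return 0;
}
```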


* [Qemu-devel] [PATCH 10/32] xen_disk: mark ioreq as mapped before unmapping in error case
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (8 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 09/32] qemu-char: Fix potential out of bounds access to local arrays Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 11/32] vmdk: Fix vmdk_parse_extents Michael Roth
                   ` (22 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Matthew Daley <mattjd@gmail.com>

Commit 4472beae modified the semantics of ioreq_{un,}map so that they are
idempotent if called when they're not needed (i.e., twice in a row). However,
it neglected to handle the case where batch mapping is not being used (the
default), and one of the grants fails to map. In this case, ioreq_unmap will
be called to unwind and unmap any mappings already performed, but ioreq_unmap
simply returns due to the aforementioned change (the ioreq has not already
been marked as mapped).

The frontend user can therefore force xen_disk to leak grant mappings, a
per-domain limited resource.

Fix by marking the ioreq as mapped before calling ioreq_unmap in this
situation.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit a76f48e53382e6f039db6278443e3ce437653302)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/block/xen_disk.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 727f433..03e30d7 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -405,6 +405,7 @@ static int ioreq_map(struct ioreq *ioreq)
                 xen_be_printf(&ioreq->blkdev->xendev, 0,
                               "can't map grant ref %d (%s, %d maps)\n",
                               refs[i], strerror(errno), ioreq->blkdev->cnt_map);
+                ioreq->mapped = 1;
                 ioreq_unmap(ioreq);
                 return -1;
             }
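Review bot: setting ioreq->mapped = 1 on a path where mapping has just failed reads like a mistake without a comment; it is there only to get past the early return in ioreq_unmap() that the commit message describes. Add a one-line comment saying so, and confirm that ioreq_unmap() copes with a request in which only the grants before index i were mapped, since the hunk does not show how it decides which pages to unmap.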
-- 
1.7.9.5


* [Qemu-devel] [PATCH 11/32] vmdk: Fix vmdk_parse_extents
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (9 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 10/32] xen_disk: mark ioreq as mapped before unmapping in error case Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 12/32] audio: honor QEMU_AUDIO_TIMER_PERIOD instead of waking up every *nano* second Michael Roth
                   ` (21 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Fam Zheng <famz@redhat.com>

An extra 'p++' after the while loop when *p == '\n' will move p to an unknown
data position, risking parsing junk data or a memory access violation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 899f1ae219d5eaa96a53c996026cb0178d62a86d)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vmdk.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/vmdk.c b/block/vmdk.c
index 258a24f..dcee07a 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -755,10 +755,13 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
         }
 next_line:
         /* move to next line */
-        while (*p && *p != '\n') {
+        while (*p) {
+            if (*p == '\n') {
+                p++;
+                break;
+            }
             p++;
         }
-        p++;
     }
     return 0;
 }
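Review bot: the rewritten loop needs two p++ statements and a break to express "skip to the newline, then step over it if there is one". Keeping the original `while (*p && *p != '\n')` loop and replacing the trailing unconditional increment with `if (*p == '\n') { p++; }` gives the same behaviour in fewer lines and makes the guard obvious. The commit message also names *p == '\n' as the faulty case, while the removed unconditional p++ steps out of the buffer when the loop stops on the terminating NUL; rewording it would help whoever backports this.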
-- 
1.7.9.5


* [Qemu-devel] [PATCH 12/32] audio: honor QEMU_AUDIO_TIMER_PERIOD instead of waking up every *nano* second
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (10 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 11/32] vmdk: Fix vmdk_parse_extents Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 13/32] monitor: eliminate monitor_event_state_lock Michael Roth
                   ` (20 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hans de Goede <hdegoede@redhat.com>

Now that we no longer have MIN_REARM_TIMER_NS a bug in the audio subsys has
clearly shown itself by trying to make a timer fire every nanosecond.

Note we have a similar problem in 1.6, 1.5 and older but there
MIN_REARM_TIMER_NS limits the wakeups caused by audio being active to
4000 times / second. This still causes a host cpu load of 50 % for simply
playing audio, whereas with this patch git master is at 13%, so we should
backport this to 1.5 and 1.6 too.

Note this will not apply to 1.5 and 1.6 as is.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit b4350deed67b95651896ddb60cf9f765093a4848)

Conflicts:

	audio/audio.c

*fixed to reflect 1.6 timer function/clock names

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 audio/audio.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/audio/audio.c b/audio/audio.c
index 02bb886..bcd41a9 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -1124,7 +1124,8 @@ static int audio_is_timer_needed (void)
 static void audio_reset_timer (AudioState *s)
 {
     if (audio_is_timer_needed ()) {
-        qemu_mod_timer (s->ts, qemu_get_clock_ns (vm_clock) + 1);
+        qemu_mod_timer (s->ts,
+            qemu_get_clock_ns(vm_clock) + conf.period.ticks);
     }
     else {
         qemu_del_timer (s->ts);
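Review bot: the new rearm interval is conf.period.ticks with no lower bound in audio_reset_timer(), so a configured period that works out to 0 ticks would arm the timer for the current time and bring back the busy loop this patch removes. Clamp the value to at least 1 here or where the period is computed. Minor: the added call is written `qemu_get_clock_ns(vm_clock)` without the space before the parenthesis that the rest of the function uses.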
-- 
1.7.9.5


* [Qemu-devel] [PATCH 13/32] monitor: eliminate monitor_event_state_lock
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (11 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 12/32] audio: honor QEMU_AUDIO_TIMER_PERIOD instead of waking up every *nano* second Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 14/32] memory: fix 128 arithmetic in info mtree Michael Roth
                   ` (19 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

This lock does not protect anything that the BQL does not already
protect.  Furthermore, with -nodefaults and no monitor, the mutex
is not initialized but monitor_protocol_event_queue is called
anyway, which causes a crash under mingw (and only works by luck
under Linux or other POSIX OSes).

Reported-by: Orx Goshen <orx.goshen@intel.com>
Cc: Daniel Berrange <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit c20b7fa4b2fedd979bcb0cc974bb5d08a10e3448)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 monitor.c |    6 ------
 1 file changed, 6 deletions(-)

diff --git a/monitor.c b/monitor.c
index 5dc0aa9..99bfcd9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -508,7 +508,6 @@ static const char *monitor_event_names[] = {
 QEMU_BUILD_BUG_ON(ARRAY_SIZE(monitor_event_names) != QEVENT_MAX)
 
 MonitorEventState monitor_event_state[QEVENT_MAX];
-QemuMutex monitor_event_state_lock;
 
 /*
  * Emits the event to every monitor instance
@@ -540,7 +539,6 @@ monitor_protocol_event_queue(MonitorEvent event,
     int64_t now = qemu_get_clock_ns(rt_clock);
     assert(event < QEVENT_MAX);
 
-    qemu_mutex_lock(&monitor_event_state_lock);
     evstate = &(monitor_event_state[event]);
     trace_monitor_protocol_event_queue(event,
                                        data,
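Review bot: with qemu_mutex_lock() removed from monitor_protocol_event_queue(), access to monitor_event_state[] is safe only if every caller already holds the BQL, as the commit message asserts. That requirement should be written down in a comment on the function so that a later caller from another thread does not break it silently.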
@@ -573,7 +571,6 @@ monitor_protocol_event_queue(MonitorEvent event,
             evstate->last = now;
         }
     }
-    qemu_mutex_unlock(&monitor_event_state_lock);
 }
 
 
@@ -586,7 +583,6 @@ static void monitor_protocol_event_handler(void *opaque)
     MonitorEventState *evstate = opaque;
     int64_t now = qemu_get_clock_ns(rt_clock);
 
-    qemu_mutex_lock(&monitor_event_state_lock);
 
     trace_monitor_protocol_event_handler(evstate->event,
                                          evstate->data,
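Review bot: removing the lock call between the declarations and trace_monitor_protocol_event_handler() leaves two consecutive blank lines in monitor_protocol_event_handler(). Drop one of them in the same change.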
@@ -598,7 +594,6 @@ static void monitor_protocol_event_handler(void *opaque)
         evstate->data = NULL;
     }
     evstate->last = now;
-    qemu_mutex_unlock(&monitor_event_state_lock);
 }
 
 
@@ -635,7 +630,6 @@ monitor_protocol_event_throttle(MonitorEvent event,
  * and initialize state */
 static void monitor_protocol_event_init(void)
 {
-    qemu_mutex_init(&monitor_event_state_lock);
     /* Limit RTC & BALLOON events to 1 per second */
     monitor_protocol_event_throttle(QEVENT_RTC_CHANGE, 1000);
     monitor_protocol_event_throttle(QEVENT_BALLOON_CHANGE, 1000);
-- 
1.7.9.5


* [Qemu-devel] [PATCH 14/32] memory: fix 128 arithmetic in info mtree
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (12 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 13/32] monitor: eliminate monitor_event_state_lock Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 15/32] Adjust qapi-visit for python-2.4.3 Michael Roth
                   ` (18 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Alexey Kardashevskiy <aik@ozlabs.ru>

mtree_print_mr() calls int128_get64() in 3 places but only 2 places
handle 2^64 correctly.

This fixes the third call of int128_get64().

Cc: qemu-stable@nongnu.org
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a66670c79c5c7d530d818430ffcdaa25cbf2c2ab)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 memory.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/memory.c b/memory.c
index 5a10fd0..7f1f266 100644
--- a/memory.c
+++ b/memory.c
@@ -1809,7 +1809,9 @@ static void mtree_print_mr(fprintf_function mon_printf, void *f,
                    mr->alias->name,
                    mr->alias_offset,
                    mr->alias_offset
-                   + (hwaddr)int128_get64(mr->size) - 1);
+                   + (int128_nz(mr->size) ?
+                      (hwaddr)int128_get64(int128_sub(mr->size,
+                                                      int128_one())) : 0));
     } else {
         mon_printf(f,
                    TARGET_FMT_plx "-" TARGET_FMT_plx " (prio %d, %c%c): %s\n",
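Review bot: when mr->size is zero the new expression adds 0, so the alias line prints an end address equal to alias_offset and an empty region becomes indistinguishable from a one-byte region. If that is intended, say so in a comment. The commit message notes that mtree_print_mr() calls int128_get64() in three places; a small helper that returns the last offset for a given size would keep the three in step instead of repeating the int128_nz()/int128_sub() expression.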
-- 
1.7.9.5


* [Qemu-devel] [PATCH 15/32] Adjust qapi-visit for python-2.4.3
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (13 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 14/32] memory: fix 128 arithmetic in info mtree Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 16/32] configure: detect endian via compile test Michael Roth
                   ` (17 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Richard Henderson <rth@twiddle.net>

We say we support python 2.4, but python 2.4.3 does not
support the "expr if test else expr" syntax used here.

This allows QEMU to compile on RHEL 5.3, the last release for ia64.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit 7b75d9d61bf9b7b43f6df2fb2fbfc38c4eb9d2e9)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/qapi-visit.py |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
index 597cca4..02e16bb 100644
--- a/scripts/qapi-visit.py
+++ b/scripts/qapi-visit.py
@@ -20,7 +20,10 @@ import errno
 def generate_visit_struct_fields(name, field_prefix, fn_prefix, members):
     substructs = []
     ret = ''
-    full_name = name if not fn_prefix else "%s_%s" % (name, fn_prefix)
+    if not fn_prefix:
+        full_name = name
+    else:
+        full_name = "%s_%s" % (name, fn_prefix)
 
     for argname, argentry, optional, structured in parse_args(members):
         if structured:
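Review bot: the expanded if/else in generate_visit_struct_fields(), like the two that follow in this patch, looks like something a later cleanup would fold back into a conditional expression. A short comment at the first of them stating that the script must still run on python 2.4, which lacks conditional expressions, would record why the longer form is required.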
@@ -84,7 +87,10 @@ if (!error_is_set(errp)) {
 ''')
     push_indent()
 
-    full_name = name if not field_prefix else "%s_%s" % (field_prefix, name)
+    if not field_prefix:
+        full_name = name
+    else:
+        full_name = "%s_%s" % (field_prefix, name)
 
     if len(field_prefix):
         ret += mcgen('''
@@ -265,12 +271,17 @@ void visit_type_%(name)s(Visitor *m, %(name)s ** obj, const char *name, Error **
             name=name)
 
     pop_indent()
+
+    if not discriminator:
+        desc_type = "type"
+    else:
+        desc_type = discriminator
     ret += mcgen('''
         visit_type_%(name)sKind(m, &(*obj)->kind, "%(type)s", &err);
         if (!err) {
             switch ((*obj)->kind) {
 ''',
-                 name=name, type="type" if not discriminator else discriminator)
+                 name=name, type=desc_type)
 
     for key in members:
         if not discriminator:
-- 
1.7.9.5


* [Qemu-devel] [PATCH 16/32] configure: detect endian via compile test
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (14 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 15/32] Adjust qapi-visit for python-2.4.3 Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 17/32] qapi: fix memleak by adding implict struct functions in dealloc visitor Michael Roth
                   ` (16 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Mike Frysinger <vapier@gentoo.org>

This avoids needing to execute a program and keeping an (incomplete)
list when cross-compiling.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Tested-by: James Hogan <james.hogan@imgtec.com> [mips]
Message-id: 1372649418-4987-1-git-send-email-vapier@gentoo.org
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
(cherry picked from commit 61cc919f73ea7ca134c0ac41b748981ad63a253b)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 configure |   40 ++++++++++++++--------------------------
 1 file changed, 14 insertions(+), 26 deletions(-)

diff --git a/configure b/configure
index 4cf672d..1399de2 100755
--- a/configure
+++ b/configure
@@ -1394,39 +1394,27 @@ feature_not_found() {
       "configure was not able to find it"
 }
 
-if test -z "$cross_prefix" ; then
-
 # ---
 # big/little endian test
 cat > $TMPC << EOF
-#include <inttypes.h>
-int main(void) {
-        volatile uint32_t i=0x01234567;
-        return (*((uint8_t*)(&i))) == 0x67;
+short big_endian[] = { 0x4269, 0x4765, 0x4e64, 0x4961, 0x4e00, 0, };
+short little_endian[] = { 0x694c, 0x7454, 0x654c, 0x6e45, 0x6944, 0x6e41, 0, };
+extern int foo(short *, short *);
+int main(int argc, char *argv[]) {
+    return foo(big_endian, little_endian);
 }
 EOF
 
-if compile_prog "" "" ; then
-$TMPE && bigendian="yes"
-else
-echo big/little test failed
-fi
-
-else
-
-# if cross compiling, cannot launch a program, so make a static guess
-case "$cpu" in
-  arm)
-    # ARM can be either way; ask the compiler which one we are
-    if check_define __ARMEB__; then
-      bigendian=yes
+if compile_object ; then
+    if grep -q BiGeNdIaN $TMPO ; then
+        bigendian="yes"
+    elif grep -q LiTtLeEnDiAn $TMPO ; then
+        bigendian="no"
+    else
+        echo big/little test failed
     fi
-  ;;
-  hppa|m68k|mips|mips64|ppc|ppc64|s390|s390x|sparc|sparc64)
-    bigendian=yes
-  ;;
-esac
-
+else
+    echo big/little test failed
 fi
 
 ##########################################
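Review bot: both failure branches only print "big/little test failed" and let configure continue, so a failed compile, or an object file in which neither marker is found, leaves bigendian at its previous value and the build proceeds with an unverified byte order. Since the cross-compile fallback table is removed in the same hunk, this should be a hard error with a non-zero exit rather than an echo. $TMPO is also unquoted in both grep calls.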
-- 
1.7.9.5


* [Qemu-devel] [PATCH 17/32] qapi: fix memleak by adding implict struct functions in dealloc visitor
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (15 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 16/32] configure: detect endian via compile test Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 18/32] tests: fix memleak in error path test for input visitor Michael Roth
                   ` (15 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Wenchao Xia <xiawenc@linux.vnet.ibm.com>

Otherwise member "base" is leaked in a qapi_free_STRUCTURE() call.

Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1383676551-18806-2-git-send-email-xiawenc@linux.vnet.ibm.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
(cherry picked from commit 3dce9cad5a6c0b0dbe0830973b270c9466c8ab4b)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qapi/qapi-dealloc-visitor.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/qapi/qapi-dealloc-visitor.c b/qapi/qapi-dealloc-visitor.c
index 1334de3..dc53545 100644
--- a/qapi/qapi-dealloc-visitor.c
+++ b/qapi/qapi-dealloc-visitor.c
@@ -76,6 +76,24 @@ static void qapi_dealloc_end_struct(Visitor *v, Error **errp)
     }
 }
 
+static void qapi_dealloc_start_implicit_struct(Visitor *v,
+                                               void **obj,
+                                               size_t size,
+                                               Error **errp)
+{
+    QapiDeallocVisitor *qov = to_qov(v);
+    qapi_dealloc_push(qov, obj);
+}
+
+static void qapi_dealloc_end_implicit_struct(Visitor *v, Error **errp)
+{
+    QapiDeallocVisitor *qov = to_qov(v);
+    void **obj = qapi_dealloc_pop(qov);
+    if (obj) {
+        g_free(*obj);
+    }
+}
+
 static void qapi_dealloc_start_list(Visitor *v, const char *name, Error **errp)
 {
     QapiDeallocVisitor *qov = to_qov(v);
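Review bot: qapi_dealloc_start_implicit_struct() ignores its size and errp arguments and qapi_dealloc_end_implicit_struct() frees *obj without touching anything it points to, and neither function carries a comment saying why. A comment stating what owns the memory behind *obj and what releases its members would make the push/pop pairing reviewable without reading the generated visitors.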
@@ -162,6 +180,8 @@ QapiDeallocVisitor *qapi_dealloc_visitor_new(void)
 
     v->visitor.start_struct = qapi_dealloc_start_struct;
     v->visitor.end_struct = qapi_dealloc_end_struct;
+    v->visitor.start_implicit_struct = qapi_dealloc_start_implicit_struct;
+    v->visitor.end_implicit_struct = qapi_dealloc_end_implicit_struct;
     v->visitor.start_list = qapi_dealloc_start_list;
     v->visitor.next_list = qapi_dealloc_next_list;
     v->visitor.end_list = qapi_dealloc_end_list;
-- 
1.7.9.5


* [Qemu-devel] [PATCH 18/32] tests: fix memleak in error path test for input visitor
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (16 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 17/32] qapi: fix memleak by adding implict struct functions in dealloc visitor Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 19/32] configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0 Michael Roth
                   ` (14 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Wenchao Xia <xiawenc@linux.vnet.ibm.com>

Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1383676551-18806-3-git-send-email-xiawenc@linux.vnet.ibm.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
(cherry picked from commit 8aa15b6e527f234e491a6d354bed4d10da3a01a7)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/test-qmp-input-visitor.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/test-qmp-input-visitor.c b/tests/test-qmp-input-visitor.c
index 0beb8fb..1e1c6fa 100644
--- a/tests/test-qmp-input-visitor.c
+++ b/tests/test-qmp-input-visitor.c
@@ -604,6 +604,7 @@ static void test_visitor_in_errors(TestInputVisitorData *data,
     g_assert(error_is_set(&errp));
     g_assert(p->string == NULL);
 
+    error_free(errp);
     g_free(p->string);
     g_free(p);
 }
-- 
1.7.9.5


* [Qemu-devel] [PATCH 19/32] configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (17 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 18/32] tests: fix memleak in error path test for input visitor Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 20/32] linux-user: Fix stat64 syscall for SPARC64 Michael Roth
                   ` (13 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

Our rules.mak adds '-rR' to MAKEFLAGS to indicate that we will be
explicitly specifying everything and not relying on any default
variables or rules. However we were accidentally relying on the
default ARFLAGS ("rv"). This went unnoticed because of a bug in
GNU Make 3.82 and earlier which meant that adding -rR to MAKEFLAGS
only affected submakes, not the currently running instance.
Explicitly set ARFLAGS in config-host.mak, in the same way we
handle CFLAGS and LDFLAGS; this will allow us to work with
Make 4.0.

Thanks to Paul Smith for analyzing this bug for us.

Cc: qemu-stable@nongnu.org
Reported-by: Ken Moffat <zarniwhoop@ntlworld.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 45d285abd7028ac72418c1a22f9298bb898fbfb8)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 configure |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configure b/configure
index 1399de2..ff7933b 100755
--- a/configure
+++ b/configure
@@ -298,6 +298,9 @@ query_pkg_config() {
 pkg_config=query_pkg_config
 sdl_config="${SDL_CONFIG-${cross_prefix}sdl-config}"
 
+# If the user hasn't specified ARFLAGS, default to 'rv', just as make does.
+ARFLAGS="${ARFLAGS-rv}"
+
 # default flags for all hosts
 QEMU_CFLAGS="-fno-strict-aliasing $QEMU_CFLAGS"
 QEMU_CFLAGS="-Wall -Wundef -Wwrite-strings -Wmissing-prototypes $QEMU_CFLAGS"
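Review bot: `${ARFLAGS-rv}` substitutes the default only when ARFLAGS is unset, so an environment with ARFLAGS set to the empty string passes through and config-host.mak gets an empty ARFLAGS, leaving ar without an operation. If that case should also fall back, use `${ARFLAGS:-rv}`; if the current behaviour is deliberate, extend the comment to say that an empty value is honoured.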
@@ -3529,6 +3532,7 @@ echo "Source path       $source_path"
 echo "C compiler        $cc"
 echo "Host C compiler   $host_cc"
 echo "Objective-C compiler $objcc"
+echo "ARFLAGS           $ARFLAGS"
 echo "CFLAGS            $CFLAGS"
 echo "QEMU_CFLAGS       $QEMU_CFLAGS"
 echo "LDFLAGS           $LDFLAGS"
@@ -4117,6 +4121,7 @@ echo "CC_I386=$cc_i386" >> $config_host_mak
 echo "HOST_CC=$host_cc" >> $config_host_mak
 echo "OBJCC=$objcc" >> $config_host_mak
 echo "AR=$ar" >> $config_host_mak
+echo "ARFLAGS=$ARFLAGS" >> $config_host_mak
 echo "AS=$as" >> $config_host_mak
 echo "CPP=$cpp" >> $config_host_mak
 echo "OBJCOPY=$objcopy" >> $config_host_mak
-- 
1.7.9.5


* [Qemu-devel] [PATCH 20/32] linux-user: Fix stat64 syscall for SPARC64
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (18 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 19/32] configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0 Michael Roth
@ 2013-12-04 14:34 ` Michael Roth
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 21/32] virtio-net: only delete bh that existed Michael Roth
                   ` (12 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

Some targets use a stat64 structure for the stat64 syscall while others
use a stat structure. SPARC64 used the wrong kind.

Instead of extending the conditional compilation in syscall.c, now a
macro TARGET_HAS_STRUCT_STAT64 is defined whenever a target has a
target_stat64.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Erik de Castro Lopo <erikd@mega-nerd.com>
(cherry picked from commit 20d155bc902f41c5b354937e730ad85b43614ae9)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/syscall.c      |    6 +++---
 linux-user/syscall_defs.h |   14 ++++++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index f986548..c510975 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4764,10 +4764,10 @@ static inline abi_long host_to_target_stat64(void *cpu_env,
     } else
 #endif
     {
-#if TARGET_ABI_BITS == 64 && !defined(TARGET_ALPHA)
-        struct target_stat *target_st;
-#else
+#if defined(TARGET_HAS_STRUCT_STAT64)
         struct target_stat64 *target_st;
+#else
+        struct target_stat *target_st;
 #endif
 
         if (!lock_user_struct(VERIFY_WRITE, target_st, target_addr, 0))
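
Review bot: In host_to_target_stat64() the struct choice now depends entirely on TARGET_HAS_STRUCT_STAT64 being defined next to every target_stat64 in syscall_defs.h, and a target that has the struct but misses the define falls through to `struct target_stat` with no compiler diagnostic, so the wrong layout would be written into guest memory. Consider a comment at this `#if` stating that contract, or a build-time check, so a new target cannot silently repeat the SPARC64 mistake the commit message describes.
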
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 086fbff..dd0d5a9 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -1165,6 +1165,7 @@ struct target_stat {
 /* This matches struct stat64 in glibc2.1, hence the absolutely
  * insane amounts of padding around dev_t's.
  */
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
 	unsigned short	st_dev;
 	unsigned char	__pad0[10];
@@ -1200,6 +1201,7 @@ struct target_stat64 {
 } QEMU_PACKED;
 
 #ifdef TARGET_ARM
+#define TARGET_HAS_STRUCT_STAT64
 struct target_eabi_stat64 {
         unsigned long long st_dev;
         unsigned int    __pad1;
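
Review bot: The `#define TARGET_HAS_STRUCT_STAT64` inside `#ifdef TARGET_ARM` appears to be a second definition for the same target: the hunk header and the `} QEMU_PACKED;` context show it directly follows a `struct target_stat64`, which an earlier hunk already tags. An identical redefinition is legal C, but placed here it reads as if the macro described target_eabi_stat64, which the syscall.c change does not key on; drop it or add a comment saying it is intentional.
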
@@ -1249,6 +1251,7 @@ struct target_stat {
 	abi_ulong	__unused4[2];
 };
 
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
 	unsigned char	__pad0[6];
 	unsigned short	st_dev;
@@ -1304,6 +1307,7 @@ struct target_stat {
 	abi_ulong	__unused4[2];
 };
 
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
 	unsigned char	__pad0[6];
 	unsigned short	st_dev;
@@ -1371,6 +1375,8 @@ struct target_stat {
 #endif
 };
 
+#if !defined(TARGET_PPC64) || defined(TARGET_ABI32)
+#define TARGET_HAS_STRUCT_STAT64
 struct QEMU_PACKED target_stat64 {
 	unsigned long long st_dev;
         unsigned long long st_ino;
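
Review bot: The added `#if !defined(TARGET_PPC64) || defined(TARGET_ABI32)` does more than set the macro: it removes `struct target_stat64` itself for 64-bit PPC builds without TARGET_ABI32, which the commit message does not mention. Say so in the message, and give the matching `#endif` in the next hunk a trailing comment naming the condition, since the two are more than 20 lines apart.
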
@@ -1393,6 +1399,7 @@ struct QEMU_PACKED target_stat64 {
         unsigned int   __unused4;
         unsigned int   __unused5;
 };
+#endif
 
 #elif defined(TARGET_MICROBLAZE)
 
@@ -1418,6 +1425,7 @@ struct target_stat {
 };
 
 /* FIXME: Microblaze no-mmu user-space has a difference stat64 layout...  */
+#define TARGET_HAS_STRUCT_STAT64
 struct QEMU_PACKED target_stat64 {
 	uint64_t st_dev;
 #define TARGET_STAT64_HAS_BROKEN_ST_INO 1
@@ -1473,6 +1481,7 @@ struct target_stat {
 /* This matches struct stat64 in glibc2.1, hence the absolutely
  * insane amounts of padding around dev_t's.
  */
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
 	unsigned long long	st_dev;
 	unsigned char	__pad1[2];
@@ -1581,6 +1590,7 @@ struct target_stat {
  * struct stat of the 64-bit kernel.
  */
 
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
 	unsigned int	st_dev;
 	unsigned int	st_pad0[3];	/* Reserved for st_dev expansion  */
@@ -1652,6 +1662,7 @@ struct target_stat {
  * struct stat of the 64-bit kernel.
  */
 
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
 	abi_ulong	st_dev;
 	abi_ulong	st_pad0[3];	/* Reserved for st_dev expansion  */
@@ -1708,6 +1719,7 @@ struct target_stat {
        unsigned int    st_gen;
 };
 
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
        abi_ulong    st_dev;
        abi_ulong    st_ino;
@@ -1757,6 +1769,7 @@ struct target_stat {
 /* This matches struct stat64 in glibc2.1, hence the absolutely
  * insane amounts of padding around dev_t's.
  */
+#define TARGET_HAS_STRUCT_STAT64
 struct QEMU_PACKED target_stat64 {
 	unsigned long long	st_dev;
 	unsigned char	__pad0[4];
@@ -1862,6 +1875,7 @@ struct target_stat {
     unsigned int __unused5;
 };
 
+#define TARGET_HAS_STRUCT_STAT64
 struct target_stat64 {
     uint64_t st_dev;
     uint64_t st_ino;
-- 
1.7.9.5

* [Qemu-devel] [PATCH 21/32] virtio-net: only delete bh that existed
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jason Wang <jasowang@redhat.com>

We delete it without checking whether it existed during exit. This will lead to a
NULL pointer dereference since it was created conditionally depending on guest driver
status and features. So add a check of existence before trying to delete it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1383728288-28469-1-git-send-email-jasowang@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
(cherry picked from commit fe2dafa02de4f80ab36f6e0f4ddfcd6418c03c49)

Conflicts:

	hw/net/virtio-net.c

*modified to reflect timer function names for 1.6

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index aa1880c..bb757b3 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1600,7 +1600,7 @@ static int virtio_net_device_exit(DeviceState *qdev)
         if (q->tx_timer) {
             qemu_del_timer(q->tx_timer);
             qemu_free_timer(q->tx_timer);
-        } else {
+        } else if (q->tx_bh) {
             qemu_bh_delete(q->tx_bh);
         }
     }
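
Review bot: With `else if (q->tx_bh)` the exit path now silently accepts a queue that has neither a timer nor a bottom half, and a one-line comment saying when that state is expected (the commit message ties it to guest driver status and features) would stop a later reader from treating it as a bug. The handles are also left non-NULL after `qemu_free_timer()` and `qemu_bh_delete()`; clearing them would keep the same existence checks valid if this teardown is ever reached twice.
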
-- 
1.7.9.5

* [Qemu-devel] [PATCH 22/32] exec: fix breakpoint_invalidate when pc may not be translated
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Max Filippov <jcmvbkbc@gmail.com>

This fixes qemu abort with the following message:

    include/qemu/int128.h:22: int128_get64: Assertion `!a.hi' failed.

which happens due to an attempt to invalidate a breakpoint by a virtual address
for which get_phys_page_debug couldn't find a mapping.

For more details see
http://lists.nongnu.org/archive/html/qemu-devel/2013-09/msg04582.html

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e8262a1b5b7cfbcbc80c46e4ce6ff7c517b7b2f6)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/exec.c b/exec.c
index f6674e5..667a718 100644
--- a/exec.c
+++ b/exec.c
@@ -425,8 +425,10 @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
 #else
 static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
 {
-    tb_invalidate_phys_addr(cpu_get_phys_page_debug(cpu, pc) |
-            (pc & ~TARGET_PAGE_MASK));
+    hwaddr phys = cpu_get_phys_page_debug(cpu, pc);
+    if (phys != -1) {
+        tb_invalidate_phys_addr(phys | (pc & ~TARGET_PAGE_MASK));
+    }
 }
 #endif
 #endif /* TARGET_HAS_ICE */
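
Review bot: `if (phys != -1)` compares a `hwaddr` against a signed literal and only works through the implicit conversion; write the sentinel as `(hwaddr)-1` or a named constant so the intent survives a type change. The unmapped case now returns without invalidating anything, so add a comment stating why skipping the invalidation is safe when the pc has no mapping.
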
-- 
1.7.9.5

* [Qemu-devel] [PATCH 23/32] Fix pc migration from qemu <= 1.5
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Cole Robinson <crobinso@redhat.com>

The following commit introduced a migration incompatibility:

commit 568f0690fd9aa4d39d84b04c1a5dbb53a915c3fe
Author: David Gibson <david@gibson.dropbear.id.au>
Date:   Thu Jun 6 18:48:49 2013 +1000

    pci: Replace pci_find_domain() with more general pci_root_bus_path()

The issue is that i440fx savevm idstr went from 0000:00:00.0/I440FX to
0000:00.0/I440FX. Unfortunately we are stuck with the breakage for
1.6 machine types.

Add a compat property to maintain the busted idstr for the 1.6 machine
types, but revert to the old style format for 1.7+, and <= 1.5.

Tested with migration from qemu 1.5, qemu 1.6, and qemu.git.

Cc: qemu-stable@nongnu.org
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 04c7d8b8dea724f1007f0f6e76047ff03b4cb24f)

Conflicts:

	include/hw/i386/pc.h

*removed 1.6 compat properties

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci-host/piix.c        |    9 ++++++++-
 hw/pci-host/q35.c         |   10 ++++++++--
 include/hw/i386/pc.h      |    8 ++++++++
 include/hw/pci-host/q35.h |    1 +
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
index 221d82b..967f949 100644
--- a/hw/pci-host/piix.c
+++ b/hw/pci-host/piix.c
@@ -48,6 +48,7 @@ typedef struct I440FXState {
     PCIHostState parent_obj;
     PcPciInfo pci_info;
     uint64_t pci_hole64_size;
+    uint32_t short_root_bus;
 } I440FXState;
 
 #define PIIX_NUM_PIC_IRQS       16      /* i8259 * 2 */
@@ -706,13 +707,19 @@ static const TypeInfo i440fx_info = {
 static const char *i440fx_pcihost_root_bus_path(PCIHostState *host_bridge,
                                                 PCIBus *rootbus)
 {
+    I440FXState *s = I440FX_PCI_HOST_BRIDGE(host_bridge);
+
     /* For backwards compat with old device paths */
-    return "0000";
+    if (s->short_root_bus) {
+        return "0000";
+    }
+    return "0000:00";
 }
 
 static Property i440fx_props[] = {
     DEFINE_PROP_SIZE(PCI_HOST_PROP_PCI_HOLE64_SIZE, I440FXState,
                      pci_hole64_size, DEFAULT_PCI_HOLE64_SIZE),
+    DEFINE_PROP_UINT32("short_root_bus", I440FXState, short_root_bus, 0),
     DEFINE_PROP_END_OF_LIST(),
 };
 
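
Review bot: `short_root_bus` is stored as `uint32_t` and exposed through `DEFINE_PROP_UINT32`, but `i440fx_pcihost_root_bus_path()` only tests it for truth, so any non-zero value selects `"0000"`; a boolean-style property would document and enforce the two legal states. The retained comment `/* For backwards compat with old device paths */` now sits above both return values; state next to each string which idstr format from the commit message it produces.
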
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 4febd24..f762053 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -61,8 +61,13 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
 static const char *q35_host_root_bus_path(PCIHostState *host_bridge,
                                           PCIBus *rootbus)
 {
-    /* For backwards compat with old device paths */
-    return "0000";
+    Q35PCIHost *s = Q35_HOST_DEVICE(host_bridge);
+
+     /* For backwards compat with old device paths */
+    if (s->mch.short_root_bus) {
+        return "0000";
+    }
+    return "0000:00";
 }
 
 static void q35_host_get_pci_hole_start(Object *obj, Visitor *v,
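
Review bot: The re-added comment line in `q35_host_root_bus_path()` is indented five spaces (`+     /* For backwards compat ... */`) where the rest of the body uses four; fix the indentation, and as in piix.c say which of the two strings is the compatibility value.
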
@@ -108,6 +113,7 @@ static Property mch_props[] = {
                         MCH_HOST_BRIDGE_PCIEXBAR_DEFAULT),
     DEFINE_PROP_SIZE(PCI_HOST_PROP_PCI_HOLE64_SIZE, Q35PCIHost,
                      mch.pci_hole64_size, DEFAULT_PCI_HOLE64_SIZE),
+    DEFINE_PROP_UINT32("short_root_bus", Q35PCIHost, mch.short_root_bus, 0),
     DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 475ba9e..dc7e3f5 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -258,6 +258,14 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t);
             .driver = TYPE_X86_CPU,\
             .property = "pmu",\
             .value = "on",\
+        },{\
+            .driver   = "i440FX-pcihost",\
+            .property = "short_root_bus",\
+            .value    = stringify(0),\
+        },{\
+            .driver   = "q35-pcihost",\
+            .property = "short_root_bus",\
+            .value    = stringify(0),\
         }
 
 #define PC_COMPAT_1_4 \
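
Review bot: Both new compat entries set `short_root_bus` to `stringify(0)`, which is also the property default in the `DEFINE_PROP_UINT32(..., 0)` lines of this patch, so within the visible changes nothing ever selects the `return "0000";` branch. The commit message says the 1.6 machine types should keep the short idstr, while the backport note says the 1.6 compat properties were removed; please confirm that 1.6 machine types are meant to change idstr relative to earlier 1.6 builds, and if so either drop these no-op entries or document why they stay.
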
diff --git a/include/hw/pci-host/q35.h b/include/hw/pci-host/q35.h
index 6eb7ab6..95a3cc2 100644
--- a/include/hw/pci-host/q35.h
+++ b/include/hw/pci-host/q35.h
@@ -61,6 +61,7 @@ typedef struct MCHPCIState {
     ram_addr_t above_4g_mem_size;
     uint64_t pci_hole64_size;
     PcGuestInfo *guest_info;
+    uint32_t short_root_bus;
 } MCHPCIState;
 
 typedef struct Q35PCIHost {
-- 
1.7.9.5

* [Qemu-devel] [PATCH 24/32] qcow2: count_contiguous_clusters and compression
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Max Reitz <mreitz@redhat.com>

The function is not intended to be used on compressed clusters and will
not work correctly, if used anyway, since L2E_OFFSET_MASK is not the
right mask for determining the offset of compressed clusters. Therefore,
assert that the first cluster is not compressed and always include the
compression flag in the mask of significant flags, i.e., stop the search
as soon as a compressed cluster occurs.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 15684a474286cc2c6106c756ddd095a21d058970)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-cluster.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index cca76d4..fd3054b 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -266,12 +266,15 @@ static int count_contiguous_clusters(uint64_t nb_clusters, int cluster_size,
         uint64_t *l2_table, uint64_t start, uint64_t stop_flags)
 {
     int i;
-    uint64_t mask = stop_flags | L2E_OFFSET_MASK;
-    uint64_t offset = be64_to_cpu(l2_table[0]) & mask;
+    uint64_t mask = stop_flags | L2E_OFFSET_MASK | QCOW2_CLUSTER_COMPRESSED;
+    uint64_t first_entry = be64_to_cpu(l2_table[0]);
+    uint64_t offset = first_entry & mask;
 
     if (!offset)
         return 0;
 
+    assert(qcow2_get_cluster_type(first_entry) != QCOW2_CLUSTER_COMPRESSED);
+
     for (i = start; i < start + nb_clusters; i++) {
         uint64_t l2_entry = be64_to_cpu(l2_table[i]) & mask;
         if (offset + (uint64_t) i * cluster_size != l2_entry) {
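
Review bot: `QCOW2_CLUSTER_COMPRESSED` is OR-ed into `mask` as if it were an L2 entry flag bit, yet the `assert()` added in the same hunk compares it with the return value of `qcow2_get_cluster_type()`, so it is a cluster-type value rather than a bit in the entry. The mask needs the on-disk compressed flag instead; as written the loop will not reliably stop at a compressed cluster, which is the behaviour the commit message promises.
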
-- 
1.7.9.5

* [Qemu-devel] [PATCH 25/32] qcow2: fix possible corruption when reading multiple clusters
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Lieven <pl@kamp.de>

If multiple sectors spanning multiple clusters are read, the
function count_contiguous_clusters should ensure that the
cluster type should not change between the clusters.

Especially the for-loop should break when we have one
or more normal clusters followed by a compressed cluster.

Unfortunately the wrong macro was used in the mask to
compare the flags.

This was discovered while debugging a data corruption
issue when converting a compressed qcow2 image to raw.
qemu-img reads 2MB chunks which span multiple clusters.

CC: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 78a52ad5acca7053b774fcc80290e7b7e224c80a)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-cluster.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index fd3054b..b558eb0 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -266,7 +266,7 @@ static int count_contiguous_clusters(uint64_t nb_clusters, int cluster_size,
         uint64_t *l2_table, uint64_t start, uint64_t stop_flags)
 {
     int i;
-    uint64_t mask = stop_flags | L2E_OFFSET_MASK | QCOW2_CLUSTER_COMPRESSED;
+    uint64_t mask = stop_flags | L2E_OFFSET_MASK | QCOW_OFLAG_COMPRESSED;
     uint64_t first_entry = be64_to_cpu(l2_table[0]);
     uint64_t offset = first_entry & mask;
 
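
Review bot: The one-line swap to `QCOW_OFLAG_COMPRESSED` in `mask` corrects a constant of the wrong kind that compiled without any warning, so a regression test belongs with it: the case from the commit message, normal clusters followed by a compressed one read in a single multi-cluster request, for example through a convert of a compressed image to raw.
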
-- 
1.7.9.5

* [Qemu-devel] [PATCH 26/32] vfio-pci: Fix multifunction=on
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Alex Williamson <alex.williamson@redhat.com>

When an assigned device is initialized it copies the device config
space into the emulated config space.  Unfortunately multifunction is
set up prior to the device initfn and gets clobbered.  We need to
restore it just like pci-assign does.

Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 8d07d6c46597a885eb38d99cc6fff399ce69cd21)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/misc/vfio.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 017e693..d9e78e1 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -3142,6 +3142,13 @@ static int vfio_initfn(PCIDevice *pdev)
     vdev->emulated_config_bits[PCI_HEADER_TYPE] =
                                               PCI_HEADER_TYPE_MULTI_FUNCTION;
 
+    /* Restore or clear multifunction, this is always controlled by QEMU */
+    if (vdev->pdev.cap_present & QEMU_PCI_CAP_MULTIFUNCTION) {
+        vdev->pdev.config[PCI_HEADER_TYPE] |= PCI_HEADER_TYPE_MULTI_FUNCTION;
+    } else {
+        vdev->pdev.config[PCI_HEADER_TYPE] &= ~PCI_HEADER_TYPE_MULTI_FUNCTION;
+    }
+
     /*
      * Clear host resource mapping info.  If we choose not to register a
      * BAR, such as might be the case with the option ROM, we can get
-- 
1.7.9.5

* [Qemu-devel] [PATCH 27/32] virtio-net: fix the memory leak in rxfilter_notify()
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Amos Kong <akong@redhat.com>

object_get_canonical_path() returns a gchar*; it should be freed by the
caller.

Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Vlad Yasevich <vyasevic@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 96e35046e4a97df5b4e1e24e217eb1e1701c7c71)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index bb757b3..5320aab 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -200,16 +200,16 @@ static void rxfilter_notify(NetClientState *nc)
     VirtIONet *n = qemu_get_nic_opaque(nc);
 
     if (nc->rxfilter_notify_enabled) {
+        gchar *path = object_get_canonical_path(OBJECT(n->qdev));
         if (n->netclient_name) {
             event_data = qobject_from_jsonf("{ 'name': %s, 'path': %s }",
-                                    n->netclient_name,
-                                    object_get_canonical_path(OBJECT(n->qdev)));
+                                    n->netclient_name, path);
         } else {
-            event_data = qobject_from_jsonf("{ 'path': %s }",
-                                    object_get_canonical_path(OBJECT(n->qdev)));
+            event_data = qobject_from_jsonf("{ 'path': %s }", path);
         }
         monitor_protocol_event(QEVENT_NIC_RX_FILTER_CHANGED, event_data);
         qobject_decref(event_data);
+        g_free(path);
 
         /* disable event notification to avoid events flooding */
         nc->rxfilter_notify_enabled = 0;
-- 
1.7.9.5

* [Qemu-devel] [PATCH 28/32] qom: Fix memory leak in object_property_set_link()
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Vlad Yasevich <vyasevic@redhat.com>

Save the result of the call to object_get_canonical_path()
so we can free it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Reviewed-by: Amos Kong <akong@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 2d3aa28cc2cf382aa04cd577e0be542175eea9bd)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qom/object.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/qom/object.c b/qom/object.c
index b2479d1..333f807 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -823,8 +823,9 @@ char *object_property_get_str(Object *obj, const char *name,
 void object_property_set_link(Object *obj, Object *value,
                               const char *name, Error **errp)
 {
-    object_property_set_str(obj, object_get_canonical_path(value),
-                            name, errp);
+    gchar *path = object_get_canonical_path(value);
+    object_property_set_str(obj, path, name, errp);
+    g_free(path);
 }
 
 Object *object_property_get_link(Object *obj, const char *name,
-- 
1.7.9.5

* [Qemu-devel] [PATCH 29/32] qdev-monitor: Fix crash when device_add is called with abstract driver
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Igor Mammedov <imammedo@redhat.com>

A user is able to crash a running QEMU when the following monitor
command is called:

 device_add intel-hda-generic

The crash is caused by an assertion in object_initialize_with_type()
when the type is abstract.

Checking if the type is abstract before the instance is created in
qdev_device_add() prevents the crash on incorrect user input.

Cc: qemu-stable@nongnu.org
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 2fa4e56d88aa0039062bbc7f9a88e9f90c77ed94)

Conflicts:

	qdev-monitor.c

*updated to reflect different 1.6 variable names

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qdev-monitor.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/qdev-monitor.c b/qdev-monitor.c
index 410cdcb..bb2e1b6 100644
--- a/qdev-monitor.c
+++ b/qdev-monitor.c
@@ -472,6 +472,12 @@ DeviceState *qdev_device_add(QemuOpts *opts)
         return NULL;
     }
 
+    if (object_class_is_abstract(obj)) {
+        qerror_report(QERR_INVALID_PARAMETER_VALUE, "driver",
+                      "non-abstract device type");
+        return NULL;
+    }
+
     k = DEVICE_CLASS(obj);
 
     /* find bus */
-- 
1.7.9.5

* [Qemu-devel] [PATCH 30/32] qdev-monitor: Unref device when device_add fails
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

qdev_device_add() leaks the created device upon failure.  I suspect this
problem crept in because qdev_free() unparents the device but does not
drop a reference - confusing name.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit ee6abeb6ec08473713848ce9028110f1684853b7)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qdev-monitor.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/qdev-monitor.c b/qdev-monitor.c
index bb2e1b6..1b2c606 100644
--- a/qdev-monitor.c
+++ b/qdev-monitor.c
@@ -518,6 +518,7 @@ DeviceState *qdev_device_add(QemuOpts *opts)
     }
     if (qemu_opt_foreach(opts, set_property, qdev, 1) != 0) {
         qdev_free(qdev);
+        object_unref(OBJECT(qdev));
         return NULL;
     }
     if (qdev->id) {
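
Review bot: `object_unref(OBJECT(qdev))` directly after `qdev_free(qdev)` reads like a use-after-free, and is only correct because, as the commit message explains, qdev_free() unparents the device without dropping the creator's reference. Put that in a comment above the two calls so nobody later removes the unref as a double free or reorders them.
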
@@ -531,6 +532,7 @@ DeviceState *qdev_device_add(QemuOpts *opts)
         g_free(name);
     }        
     if (qdev_init(qdev) < 0) {
+        object_unref(OBJECT(qdev));
         qerror_report(QERR_DEVICE_INIT_FAILED, driver);
         return NULL;
     }
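
Review bot: The `qdev_init()` failure path calls only `object_unref()`, while the `set_property` failure path in the previous hunk calls `qdev_free()` first; the asymmetry needs a comment saying who unparents the device when init fails, otherwise the two error paths look inconsistent and one of them looks wrong.
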
-- 
1.7.9.5

* [Qemu-devel] [PATCH 31/32] pci: unregister vmstate_pcibus on unplug
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Bandan Das <bsd@redhat.com>

PCIBus registers a vmstate during init. Unregister it upon
removal/unplug.

Signed-off-by: Bandan Das <bsd@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 5c397242d5d53c1adecce31817bb439383cf8228)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pci.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 4c004f5..dc5b788 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -47,6 +47,7 @@ static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent);
 static char *pcibus_get_dev_path(DeviceState *dev);
 static char *pcibus_get_fw_dev_path(DeviceState *dev);
 static int pcibus_reset(BusState *qbus);
+static void pci_bus_finalize(Object *obj);
 
 static Property pci_props[] = {
     DEFINE_PROP_PCI_DEVFN("addr", PCIDevice, devfn, -1),
@@ -73,6 +74,7 @@ static const TypeInfo pci_bus_info = {
     .name = TYPE_PCI_BUS,
     .parent = TYPE_BUS,
     .instance_size = sizeof(PCIBus),
+    .instance_finalize = pci_bus_finalize,
     .class_init = pci_bus_class_init,
 };
 
@@ -375,6 +377,12 @@ int pci_bus_num(PCIBus *s)
     return s->parent_dev->config[PCI_SECONDARY_BUS];
 }
 
+static void pci_bus_finalize(Object *obj)
+{
+    PCIBus *bus = PCI_BUS(obj);
+    vmstate_unregister(NULL, &vmstate_pcibus, bus);
+}
+
 static int get_pci_config_device(QEMUFile *f, void *pv, size_t size)
 {
     PCIDevice *s = container_of(pv, PCIDevice, config);
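
Review bot: `pci_bus_finalize()` calls `vmstate_unregister(NULL, &vmstate_pcibus, bus)` unconditionally from `.instance_finalize`, which runs for every PCIBus object, while the commit message says registration happens during init; confirm that unregistering a bus whose init path never registered the vmstate is a harmless no-op, or track registration in the bus. Defining the function above `pci_bus_info` would also avoid the forward declaration added in the first hunk.
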
-- 
1.7.9.5

* [Qemu-devel] [PATCH 32/32] rng-egd: offset the point when repeatedly read from the buffer
From: Michael Roth @ 2013-12-04 14:34 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Amos Kong <akong@redhat.com>

The buffer content might be read out more than once; currently
we just repeatedly read the first data block, as the buffer offset is
missing.

Cc: qemu-stable@nongnu.org
Signed-off-by: Amos Kong <akong@redhat.com>
Message-id: 1385023371-8198-3-git-send-email-akong@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
(cherry picked from commit 1eb1bd9eafa890f1f4d16ef5cb8b9239a86874d9)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 backends/rng-egd.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backends/rng-egd.c b/backends/rng-egd.c
index 9e5a536..2962795 100644
--- a/backends/rng-egd.c
+++ b/backends/rng-egd.c
@@ -91,12 +91,14 @@ static int rng_egd_chr_can_read(void *opaque)
 static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
 {
     RngEgd *s = RNG_EGD(opaque);
+    size_t buf_offset = 0;
 
     while (size > 0 && s->requests) {
         RngRequest *req = s->requests->data;
         int len = MIN(size, req->size - req->offset);
 
-        memcpy(req->data + req->offset, buf, len);
+        memcpy(req->data + req->offset, buf + buf_offset, len);
+        buf_offset += len;
         req->offset += len;
         size -= len;
 
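Review bot: `buf_offset` in rng_egd_chr_read() is a `size_t` that is only ever advanced by the `int len` and moves in lockstep with `size -= len`, so it is a second piece of state to keep in sync; advancing the pointer itself (`buf += len;` next to `size -= len;`) gives the same result with no extra local and no int/size_t mixing. Before this change every queued request was filled from the start of `buf`, so one read spanning several requests handed each of them the same leading bytes. That is worth covering with a test that delivers a single buffer across two requests and checks that the second one receives the bytes following the first.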
-- 
1.7.9.5


* Re: [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06
  2013-12-04 14:34 [Qemu-devel] Patch Round-up for stable 1.6.2, freeze on 2013-12-06 Michael Roth
                   ` (31 preceding siblings ...)
  2013-12-04 14:34 ` [Qemu-devel] [PATCH 32/32] rng-egd: offset the point when repeatedly read from the buffer Michael Roth
@ 2013-12-05 15:23 ` Paolo Bonzini
  32 siblings, 0 replies; 34+ messages in thread
From: Paolo Bonzini @ 2013-12-05 15:23 UTC (permalink / raw)
  To: Michael Roth; +Cc: qemu-devel, qemu-stable

On 04/12/2013 15:34, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v1.6.2:
> 
> https://github.com/mdroth/qemu/commits/stable-1.6-staging
> 
> The release is planned for 2013-12-09:
> 
> http://wiki.qemu.org/Planning/1.6
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release. The cut-off date
> has been extended to 2013-12-06 due to the round-up email going
> out late.
> 
> Testing/feedback is greatly appreciated.
> 
> Thanks!
> 
> Alex Williamson (1):
>       vfio-pci: Fix multifunction=on
> 
> Alexey Kardashevskiy (1):
>       memory: fix 128 arithmetic in info mtree
> 
> Amit Shah (3):
>       char: move backends' io watch tag to CharDriverState
>       char: use common function to disable callbacks on chardev close
>       char: remove watch callback on chardev detach from frontend
> 
> Amos Kong (2):
>       virtio-net: fix the memory leak in rxfilter_notify()
>       rng-egd: offset the point when repeatedly read from the buffer
> 
> Bandan Das (1):
>       pci: unregister vmstate_pcibus on unplug
> 
> Cole Robinson (1):
>       Fix pc migration from qemu <= 1.5
> 
> Fam Zheng (1):
>       vmdk: Fix vmdk_parse_extents
> 
> Hans de Goede (1):
>       audio: honor QEMU_AUDIO_TIMER_PERIOD instead of waking up every *nano* second
> 
> Igor Mammedov (1):
>       qdev-monitor: Fix crash when device_add is called with abstract driver
> 
> Jason Wang (1):
>       virtio-net: only delete bh that existed
> 
> Markus Armbruster (2):
>       tests: Fix schema parser test for in-tree build
>       tests: Update .gitignore for test-int128 and test-bitops
> 
> Matthew Daley (1):
>       xen_disk: mark ioreq as mapped before unmapping in error case
> 
> Max Filippov (1):
>       exec: fix breakpoint_invalidate when pc may not be translated
> 
> Max Reitz (1):
>       qcow2: count_contiguous_clusters and compression
> 
> Mike Frysinger (1):
>       configure: detect endian via compile test
> 
> Paolo Bonzini (1):
>       monitor: eliminate monitor_event_state_lock
> 
> Peter Lieven (1):
>       qcow2: fix possible corruption when reading multiple clusters
> 
> Peter Maydell (1):
>       configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0
> 
> Richard Henderson (1):
>       Adjust qapi-visit for python-2.4.3
> 
> Stefan Hajnoczi (1):
>       qdev-monitor: Unref device when device_add fails
> 
> Stefan Weil (5):
>       tci: Add implementation of rotl_i64, rotr_i64
>       bitops: Add rotate functions (rol8, ror8, ...)
>       misc: Use new rotate functions
>       qemu-char: Fix potential out of bounds access to local arrays
>       linux-user: Fix stat64 syscall for SPARC64
> 
> Vlad Yasevich (1):
>       qom: Fix memory leak in object_property_set_link()
> 
> Wenchao Xia (2):
>       qapi: fix memleak by adding implict struct functions in dealloc visitor
>       tests: fix memleak in error path test for input visitor
> 
>  audio/audio.c                  |    3 +-
>  backends/rng-egd.c             |    4 +-
>  block/qcow2-cluster.c          |    7 +++-
>  block/vmdk.c                   |    7 +++-
>  configure                      |   45 +++++++++------------
>  exec.c                         |    6 ++-
>  hw/block/xen_disk.c            |    1 +
>  hw/misc/vfio.c                 |    7 ++++
>  hw/net/virtio-net.c            |   10 ++---
>  hw/pci-host/piix.c             |    9 ++++-
>  hw/pci-host/q35.c              |   10 ++++-
>  hw/pci/pci.c                   |    8 ++++
>  include/hw/i386/pc.h           |    8 ++++
>  include/hw/pci-host/q35.h      |    1 +
>  include/qemu/bitops.h          |   80 +++++++++++++++++++++++++++++++++++++
>  include/sysemu/char.h          |    1 +
>  linux-user/syscall.c           |    6 +--
>  linux-user/syscall_defs.h      |   14 +++++++
>  memory.c                       |    4 +-
>  monitor.c                      |    6 ---
>  qapi/qapi-dealloc-visitor.c    |   20 ++++++++++
>  qdev-monitor.c                 |    8 ++++
>  qemu-char.c                    |   86 +++++++++++++++-------------------------
>  qom/object.c                   |    5 ++-
>  scripts/qapi-visit.py          |   17 ++++++--
>  target-arm/iwmmxt_helper.c     |    2 +-
>  tcg/optimize.c                 |   12 ++----
>  tcg/tci/tcg-target.c           |    1 -
>  tci.c                          |   14 +++++--
>  tests/.gitignore               |    3 ++
>  tests/Makefile                 |    8 ++--
>  tests/test-qmp-input-visitor.c |    1 +
>  32 files changed, 287 insertions(+), 127 deletions(-)
> 
> 
> 

This one is not yet here, but it's close:

http://permalink.gmane.org/gmane.comp.emulators.qemu/244329

It would also be nice to have the first 12 patches of
http://permalink.gmane.org/gmane.comp.emulators.qemu/244052, but perhaps
it's better to wait for 1.7.1.

Paolo
