[Qemu-devel] Patch Round-up for stable 2.2.1, freeze on 2015-03-05

[Qemu-devel] Patch Round-up for stable 2.2.1, freeze on 2015-03-05

[Michael Roth]

Hi everyone,

The following new patches are queued for QEMU stable v2.2.1:

  https://github.com/mdroth/qemu/commits/stable-2.2-staging

The release is planned for 2015-03-10:

  http://wiki.qemu.org/Planning/2.2

Please respond here or CC qemu-stable@nongnu.org on any patches you
think should be included in the release.

Testing/feedback is greatly appreciated.

Thanks!

NOTE:

I also plan on including:

  6d4e4cb pc: acpi: fix WindowsXP BSOD when memory hotplug is enabled

However, the follow-up ACPI blob updates:

  e909c16 acpi: update generated hex files
  215d8d1 acpi-test: update expected DSDT

Don't match what's generated by stable-2.2-staging, so I've backed
it out for now while I figure out the best way to resolve this.

----------------------------------------------------------------
Alex Williamson (1):
      vfio-pci: Fix missing unparent of dynamically allocated MemoryRegion

Cornelia Huck (1):
      virtio: fix feature bit checks

Daniel P. Berrange (1):
      libcacard: stop linking against every single 3rd party library

David Gibson (1):
      PPC: Fix crash on spapr_tce_table_finalize()

Dinar Valeev (1):
      hw/input/hid.c Fix capslock hid code

Fam Zheng (1):
      qtest: Fix deadloop by running main loop AIO context's timers

Gary R Hook (1):
      block migration: fix return value

Kevin Wolf (3):
      qcow2: Fix header extension size check
      qcow2.py: Add required padding for header extensions
      block: Don't probe for unknown backing file format

Marcel Apfelbaum (1):
      vl.c: fix regression when reading machine type from config file

Max Filippov (2):
      target-xtensa: fix translation for opcodes crossing page boundary
      target-xtensa: test cross-page opcode

Max Reitz (13):
      block: Make essential BlockDriver objects public
      block: Omit bdrv_find_format for essential drivers
      block/vvfat: qcow driver may not be found
      block/nfs: Add create_opts
      block: Check create_opts before image creation
      qemu-img: Check create_opts before image creation
      qemu-img: Check create_opts before image amendment
      iotests: Only kill NBD server if it runs
      iotests: Add test for unsupported image creation
      qcow2: Prevent numerical overflow
      qcow2: Flushing the caches in qcow2_close may fail
      qcow2: Respect bdrv_truncate() error
      block/raw-posix: Fix ret in raw_open_common()

Paolo Bonzini (11):
      linuxboot: fix loading old kernels
      atomic: fix position of volatile qualifier
      serial: reset thri_pending on IER writes with THRI=0
      serial: refine serial_thr_ipending_needed
      pckbd: set bits 2-3-6-7 of the output port by default
      scsi: fix cancellation when I/O was completed but DMA was not.
      target-i386: fix movntsd on big-endian hosts
      vt82c686: avoid out-of-bounds read
      sb16: fix interrupt acknowledgement
      qemu-thread: fix qemu_event without futexes
      exec: change default exception_index value for migration to -1

Peter Maydell (3):
      audio: Don't free hw resources until after hw backend is stopped
      linux-user: Fix broken m68k signal handling on 64 bit hosts
      target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT

Peter Wu (1):
      block/iscsi: fix uninitialized variable

Vladimir Sementsov-Ogievskiy (1):
      migration/block: fix pending() return value

Zhang Haoyu (1):
      fix mc146818rtc wrong subsection name to avoid vmstate_subsection_load() fail

 audio/audio_template.h        |   2 +-
 block-migration.c             |  14 +++++++++++---
 block.c                       |  36 ++++++++++++++++++++----------------
 block/iscsi.c                 |   2 +-
 block/nfs.c                   |  15 +++++++++++++++
 block/qcow2-cluster.c         |   2 +- block/qcow2.c                 |  33 ++++++++++++++++++++++-----------
 block/raw-posix.c             |   3 ++-
 block/raw-win32.c             |   2 +-
 block/raw_bsd.c               |   2 +-
 block/vvfat.c                 |   6 ++++++
 cpus.c                        |   4 ++++
 exec.c                        |   4 ++--
 hw/audio/sb16.c               |   4 ++--
 hw/char/serial.c              |  31 +++++++++++++++++++++++++++----
 hw/input/hid.c                |   2 +-
 hw/input/pckbd.c              |  10 ++++++++--
 hw/isa/vt82c686.c             |   2 +-
 hw/misc/vfio.c                |   1 +
 hw/ppc/spapr_iommu.c          |   6 +++---
 hw/scsi/scsi-bus.c            |   2 ++
 hw/scsi/virtio-scsi.c         |   2 +-
 hw/timer/mc146818rtc.c        |   2 +-
 hw/virtio/dataplane/vring.c   |   4 ++--
 include/block/block_int.h     |   8 ++++++++
 include/qemu/atomic.h         |   4 ++--
 libcacard/Makefile            |   2 ++
 linux-user/signal.c           |   6 +++---
 pc-bios/linuxboot.bin         | Bin 1024 -> 1024 bytes
 pc-bios/optionrom/linuxboot.S |  37 +++++++++++++++++++++++++++----------
 qemu-img.c                    |  21 +++++++++++++++++++++
 target-arm/translate-a64.c    |   2 +-
 target-i386/translate.c       |   3 ++-
 target-xtensa/translate.c     |  27 +++++++++++++++++++++++----
 tests/qemu-iotests/026.out    | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/071.out    |   8 ++++++++
 tests/qemu-iotests/080        |   2 ++
 tests/qemu-iotests/080.out    |   2 ++
 tests/qemu-iotests/089.out    |   2 ++
 tests/qemu-iotests/113        |  76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/113.out    |  15 +++++++++++++++
 tests/qemu-iotests/114        |  61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/114.out    |  13 +++++++++++++
 tests/qemu-iotests/common.rc  |   4 +++-
 tests/qemu-iotests/group      |   2 ++
 tests/qemu-iotests/qcow2.py   |   4 ++++
 tests/tcg/xtensa/test_mmu.S   |  26 +++++++++++++-------------
 util/qemu-thread-posix.c      |   2 ++
 vl.c                          |  15 ++++++++-------
 49 files changed, 556 insertions(+), 97 deletions(-)
 create mode 100755 tests/qemu-iotests/113
 create mode 100644 tests/qemu-iotests/113.out
 create mode 100755 tests/qemu-iotests/114
 create mode 100644 tests/qemu-iotests/114.out

[Qemu-devel] [PATCH 01/43] block: Make essential BlockDriver objects public

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

There are some block drivers which are essential to QEMU and may not be
removed: These are raw, file and qcow2 (as the default non-raw format).
Make their BlockDriver objects public so they can be directly referenced
throughout the block layer without needing to call bdrv_find_format()
and having to deal with an error at runtime, while the real problem
occurred during linking (where raw, file or qcow2 were not linked into
qemu).

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 5f535a941e52229d81e55603eb69b2bd449b937a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c             | 2 +-
 block/raw-posix.c         | 2 +-
 block/raw-win32.c         | 2 +-
 block/raw_bsd.c           | 2 +-
 include/block/block_int.h | 8 ++++++++
 5 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index d120494..48aca2a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2847,7 +2847,7 @@ static QemuOptsList qcow2_create_opts = {
     }
 };
 
-static BlockDriver bdrv_qcow2 = {
+BlockDriver bdrv_qcow2 = {
     .format_name        = "qcow2",
     .instance_size      = sizeof(BDRVQcowState),
     .bdrv_probe         = qcow2_probe,
diff --git a/block/raw-posix.c b/block/raw-posix.c
index b1af77e..d8bbed0 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1684,7 +1684,7 @@ static QemuOptsList raw_create_opts = {
     }
 };
 
-static BlockDriver bdrv_file = {
+BlockDriver bdrv_file = {
     .format_name = "file",
     .protocol_name = "file",
     .instance_size = sizeof(BDRVRawState),
diff --git a/block/raw-win32.c b/block/raw-win32.c
index 7b58881..06243d7 100644
--- a/block/raw-win32.c
+++ b/block/raw-win32.c
@@ -540,7 +540,7 @@ static QemuOptsList raw_create_opts = {
     }
 };
 
-static BlockDriver bdrv_file = {
+BlockDriver bdrv_file = {
     .format_name	= "file",
     .protocol_name	= "file",
     .instance_size	= sizeof(BDRVRawState),
diff --git a/block/raw_bsd.c b/block/raw_bsd.c
index 401b967..ea2b864 100644
--- a/block/raw_bsd.c
+++ b/block/raw_bsd.c
@@ -173,7 +173,7 @@ static int raw_probe(const uint8_t *buf, int buf_size, const char *filename)
     return 1;
 }
 
-static BlockDriver bdrv_raw = {
+BlockDriver bdrv_raw = {
     .format_name          = "raw",
     .bdrv_probe           = &raw_probe,
     .bdrv_reopen_prepare  = &raw_reopen_prepare,
diff --git a/include/block/block_int.h b/include/block/block_int.h
index a1c17b9..2ae82c5 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -411,6 +411,14 @@ struct BlockDriverState {
     Error *backing_blocker;
 };
 
+
+/* Essential block drivers which must always be statically linked into qemu, and
+ * which therefore can be accessed without using bdrv_find_format() */
+extern BlockDriver bdrv_file;
+extern BlockDriver bdrv_raw;
+extern BlockDriver bdrv_qcow2;
+
+
 int get_tmp_filename(char *filename, int size);
 
 void bdrv_set_io_limits(BlockDriverState *bs,
-- 
1.9.1

[Qemu-devel] [PATCH 02/43] block: Omit bdrv_find_format for essential drivers

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

We can always assume raw, file and qcow2 being available; so do not use
bdrv_find_format() to locate their BlockDriver objects but statically
reference the respective objects.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit ef8104378c4a0497be079e48ee5ac5a89c68f978)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c       | 17 +++++------------
 block/qcow2.c |  7 +++----
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/block.c b/block.c
index a612594..a6197da 100644
--- a/block.c
+++ b/block.c
@@ -629,7 +629,7 @@ BlockDriver *bdrv_find_protocol(const char *filename,
     }
 
     if (!path_has_protocol(filename) || !allow_protocol_prefix) {
-        return bdrv_find_format("file");
+        return &bdrv_file;
     }
 
     p = strchr(filename, ':');
@@ -658,12 +658,7 @@ static int find_image_format(BlockDriverState *bs, const char *filename,
 
     /* Return the raw BlockDriver * to scsi-generic devices or empty drives */
     if (bs->sg || !bdrv_is_inserted(bs) || bdrv_getlength(bs) == 0) {
-        drv = bdrv_find_format("raw");
-        if (!drv) {
-            error_setg(errp, "Could not find raw image format");
-            ret = -ENOENT;
-        }
-        *pdrv = drv;
+        *pdrv = &bdrv_raw;
         return ret;
     }
 
@@ -1294,7 +1289,6 @@ int bdrv_append_temp_snapshot(BlockDriverState *bs, int flags, Error **errp)
     /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
     char *tmp_filename = g_malloc0(PATH_MAX + 1);
     int64_t total_size;
-    BlockDriver *bdrv_qcow2;
     QemuOpts *opts = NULL;
     QDict *snapshot_options;
     BlockDriverState *bs_snapshot;
@@ -1319,11 +1313,10 @@ int bdrv_append_temp_snapshot(BlockDriverState *bs, int flags, Error **errp)
         goto out;
     }
 
-    bdrv_qcow2 = bdrv_find_format("qcow2");
-    opts = qemu_opts_create(bdrv_qcow2->create_opts, NULL, 0,
+    opts = qemu_opts_create(bdrv_qcow2.create_opts, NULL, 0,
                             &error_abort);
     qemu_opt_set_number(opts, BLOCK_OPT_SIZE, total_size);
-    ret = bdrv_create(bdrv_qcow2, tmp_filename, opts, &local_err);
+    ret = bdrv_create(&bdrv_qcow2, tmp_filename, opts, &local_err);
     qemu_opts_del(opts);
     if (ret < 0) {
         error_setg_errno(errp, -ret, "Could not create temporary overlay "
@@ -1343,7 +1336,7 @@ int bdrv_append_temp_snapshot(BlockDriverState *bs, int flags, Error **errp)
     bs_snapshot = bdrv_new();
 
     ret = bdrv_open(&bs_snapshot, NULL, NULL, snapshot_options,
-                    flags, bdrv_qcow2, &local_err);
+                    flags, &bdrv_qcow2, &local_err);
     if (ret < 0) {
         error_propagate(errp, local_err);
         goto out;
diff --git a/block/qcow2.c b/block/qcow2.c
index 48aca2a..1d21a2a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1915,10 +1915,9 @@ static int qcow2_create2(const char *filename, int64_t total_size,
      * refcount of the cluster that is occupied by the header and the refcount
      * table)
      */
-    BlockDriver* drv = bdrv_find_format("qcow2");
-    assert(drv != NULL);
     ret = bdrv_open(&bs, filename, NULL, NULL,
-        BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH, drv, &local_err);
+                    BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH,
+                    &bdrv_qcow2, &local_err);
     if (ret < 0) {
         error_propagate(errp, local_err);
         goto out;
@@ -1970,7 +1969,7 @@ static int qcow2_create2(const char *filename, int64_t total_size,
     /* Reopen the image without BDRV_O_NO_FLUSH to flush it before returning */
     ret = bdrv_open(&bs, filename, NULL, NULL,
                     BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_BACKING,
-                    drv, &local_err);
+                    &bdrv_qcow2, &local_err);
     if (local_err) {
         error_propagate(errp, local_err);
         goto out;
-- 
1.9.1

[Qemu-devel] [PATCH 03/43] block/vvfat: qcow driver may not be found

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

Although virtually impossible right now, bdrv_find_format("qcow") may
fail. The vvfat block driver should heed that case.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 1bcb15cf776a57e8963072c1919a59a90aea8e94)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vvfat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/block/vvfat.c b/block/vvfat.c
index cefe3a4..e34a789 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2917,6 +2917,12 @@ static int enable_write_target(BDRVVVFATState *s, Error **errp)
     }
 
     bdrv_qcow = bdrv_find_format("qcow");
+    if (!bdrv_qcow) {
+        error_setg(errp, "Failed to locate qcow driver");
+        ret = -ENOENT;
+        goto err;
+    }
+
     opts = qemu_opts_create(bdrv_qcow->create_opts, NULL, 0, &error_abort);
     qemu_opt_set_number(opts, BLOCK_OPT_SIZE, s->sector_count * 512);
     qemu_opt_set(opts, BLOCK_OPT_BACKING_FILE, "fat:");
-- 
1.9.1

[Qemu-devel] [PATCH 04/43] block/nfs: Add create_opts

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

The nfs protocol driver is capable of creating images, but did not
specify any creation options. Fix it.

A way to test this issue is the following:

$ qemu-img create -f nfs nfs://127.0.0.1/foo.qcow2 64M

Without this patch, it segfaults. With this patch, it does not. However,
this is not something that should really work; qemu-img should check
whether the parameter for the -f option (and -O for convert) is indeed a
format, and error out if it is not. Therefore, I am not making it an
iotest.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit fd752801ae1cc729359a37f29e32265de6948d37)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/nfs.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/block/nfs.c b/block/nfs.c
index c76e368..ca9e24e 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -409,6 +409,19 @@ out:
     return ret;
 }
 
+static QemuOptsList nfs_create_opts = {
+    .name = "nfs-create-opts",
+    .head = QTAILQ_HEAD_INITIALIZER(nfs_create_opts.head),
+    .desc = {
+        {
+            .name = BLOCK_OPT_SIZE,
+            .type = QEMU_OPT_SIZE,
+            .help = "Virtual disk size"
+        },
+        { /* end of list */ }
+    }
+};
+
 static int nfs_file_create(const char *url, QemuOpts *opts, Error **errp)
 {
     int ret = 0;
@@ -470,6 +483,8 @@ static BlockDriver bdrv_nfs = {
 
     .instance_size                  = sizeof(NFSClient),
     .bdrv_needs_filename            = true,
+    .create_opts                    = &nfs_create_opts,
+
     .bdrv_has_zero_init             = nfs_has_zero_init,
     .bdrv_get_allocated_file_size   = nfs_get_allocated_file_size,
     .bdrv_truncate                  = nfs_file_truncate,
-- 
1.9.1

[Qemu-devel] [PATCH 05/43] block: Check create_opts before image creation

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

If a driver supports image creation, it needs to set the .create_opts
field. We can use that to make sure .create_opts for both drivers
involved is not NULL in bdrv_img_create(), which is important so that
the create_opts pointer in that function is not NULL after the
qemu_opts_append() calls and when going into qemu_opts_create().

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c6149724080af7b3d5d61eac8942655e6d212783)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/block.c b/block.c
index a6197da..07f58fc 100644
--- a/block.c
+++ b/block.c
@@ -5534,6 +5534,18 @@ void bdrv_img_create(const char *filename, const char *fmt,
         return;
     }
 
+    if (!drv->create_opts) {
+        error_setg(errp, "Format driver '%s' does not support image creation",
+                   drv->format_name);
+        return;
+    }
+
+    if (!proto_drv->create_opts) {
+        error_setg(errp, "Protocol driver '%s' does not support image creation",
+                   proto_drv->format_name);
+        return;
+    }
+
     create_opts = qemu_opts_append(create_opts, drv->create_opts);
     create_opts = qemu_opts_append(create_opts, proto_drv->create_opts);
 
-- 
1.9.1

[Qemu-devel] [PATCH 06/43] qemu-img: Check create_opts before image creation

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

If a driver supports image creation, it needs to set the .create_opts
field. We can use that to make sure .create_opts for both drivers
involved is not NULL for the target image in qemu-img convert, which is
important so that the create_opts pointer in img_convert() is not NULL
after the qemu_opts_append() calls and when going into
qemu_opts_create().

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit f75613cf2488a37fb8019bc32a06ddbcd477d0ce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-img.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/qemu-img.c b/qemu-img.c
index a42335c..8c4edf3 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1531,6 +1531,20 @@ static int img_convert(int argc, char **argv)
         goto out;
     }
 
+    if (!drv->create_opts) {
+        error_report("Format driver '%s' does not support image creation",
+                     drv->format_name);
+        ret = -1;
+        goto out;
+    }
+
+    if (!proto_drv->create_opts) {
+        error_report("Protocol driver '%s' does not support image creation",
+                     proto_drv->format_name);
+        ret = -1;
+        goto out;
+    }
+
     create_opts = qemu_opts_append(create_opts, drv->create_opts);
     create_opts = qemu_opts_append(create_opts, proto_drv->create_opts);
 
-- 
1.9.1

[Qemu-devel] [PATCH 07/43] qemu-img: Check create_opts before image amendment

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

The image options which can be amended are described by the .create_opts
field for every driver. This field must therefore be non-NULL so that
anything can be amended in the first place. Check that this holds true
before going into qemu_opts_create() (because if .create_opts is NULL,
the create_opts pointer in img_amend() will be NULL after
qemu_opts_append()).

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b2439d26f078c826e5e06b34d978a6f6d5c7c56f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-img.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/qemu-img.c b/qemu-img.c
index 8c4edf3..7876258 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -2986,6 +2986,13 @@ static int img_amend(int argc, char **argv)
         goto out;
     }
 
+    if (!bs->drv->create_opts) {
+        error_report("Format driver '%s' does not support any options to amend",
+                     fmt);
+        ret = -1;
+        goto out;
+    }
+
     create_opts = qemu_opts_append(create_opts, bs->drv->create_opts);
     opts = qemu_opts_create(create_opts, NULL, 0, &error_abort);
     if (options && qemu_opts_do_parse(opts, options, NULL)) {
-- 
1.9.1

[Qemu-devel] [PATCH 08/43] iotests: Only kill NBD server if it runs

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

There may be NBD tests which do not create a sample image and simply
test whether wrong usage of the protocol is rejected as expected. In
this case, there will be no NBD server and trying to kill it during
clean-up will fail.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit f798068c565918ead63218d083ff814b7635be72)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/common.rc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
index 9c49deb..f2554ec 100644
--- a/tests/qemu-iotests/common.rc
+++ b/tests/qemu-iotests/common.rc
@@ -175,7 +175,9 @@ _cleanup_test_img()
     case "$IMGPROTO" in
 
         nbd)
-            kill $QEMU_NBD_PID
+            if [ -n "$QEMU_NBD_PID" ]; then
+                kill $QEMU_NBD_PID
+            fi
             rm -f "$TEST_IMG_FILE"
             ;;
         file)
-- 
1.9.1

[Qemu-devel] [PATCH 09/43] iotests: Add test for unsupported image creation

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

Add a test for creating and amending images (amendment uses the creation
options) with formats not supporting creation over protocols not
supporting creation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2247798d13e5295a097da0a42f9d0d70d88690a4)

Conflicts:
	tests/qemu-iotests/group

*removed context dependency on iotest group 114

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/113     | 76 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/113.out | 15 +++++++++
 tests/qemu-iotests/group   |  1 +
 3 files changed, 92 insertions(+)
 create mode 100755 tests/qemu-iotests/113
 create mode 100644 tests/qemu-iotests/113.out

diff --git a/tests/qemu-iotests/113 b/tests/qemu-iotests/113
new file mode 100755
index 0000000..a2cd96b
--- /dev/null
+++ b/tests/qemu-iotests/113
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Test case for accessing creation options on image formats and
+# protocols not supporting image creation
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=mreitz@redhat.com
+
+seq="$(basename $0)"
+echo "QA output created by $seq"
+
+here="$PWD"
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+	_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+# We can only test one format here because we need its sample file
+_supported_fmt bochs
+_supported_proto nbd
+_supported_os Linux
+
+echo
+echo '=== Unsupported image creation in qemu-img create ==='
+echo
+
+$QEMU_IMG create -f $IMGFMT nbd://example.com 2>&1 64M | _filter_imgfmt
+
+echo
+echo '=== Unsupported image creation in qemu-img convert ==='
+echo
+
+# We could use any input image format here, but this is a bochs test, so just
+# use the bochs image
+_use_sample_img empty.bochs.bz2
+$QEMU_IMG convert -f $IMGFMT -O $IMGFMT "$TEST_IMG" nbd://example.com 2>&1 \
+    | _filter_imgfmt
+
+echo
+echo '=== Unsupported format in qemu-img amend ==='
+echo
+
+# The protocol does not matter here
+_use_sample_img empty.bochs.bz2
+$QEMU_IMG amend -f $IMGFMT -o foo=bar "$TEST_IMG" 2>&1 | _filter_imgfmt
+
+
+# success, all done
+echo
+echo '*** done'
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/113.out b/tests/qemu-iotests/113.out
new file mode 100644
index 0000000..00bdfd6
--- /dev/null
+++ b/tests/qemu-iotests/113.out
@@ -0,0 +1,15 @@
+QA output created by 113
+
+=== Unsupported image creation in qemu-img create ===
+
+qemu-img: nbd://example.com: Format driver 'IMGFMT' does not support image creation
+
+=== Unsupported image creation in qemu-img convert ===
+
+qemu-img: Format driver 'IMGFMT' does not support image creation
+
+=== Unsupported format in qemu-img amend ===
+
+qemu-img: Format driver 'IMGFMT' does not support any options to amend
+
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 7dfe469..fd2c64a 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -112,3 +112,4 @@
 107 rw auto quick
 108 rw auto quick
 111 rw auto quick
+113 rw auto quick
-- 
1.9.1

[Qemu-devel] [PATCH 10/43] qcow2: Prevent numerical overflow

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

In qcow2_alloc_cluster_offset(), *num is limited to
INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is
of type uint64_t, we might as well cast *num to that type before
performing the shift.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 11c89769dc3e638ef72915d97058411ddf79b64b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-cluster.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index df0b2c9..1fea514 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1263,7 +1263,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
 
 again:
     start = offset;
-    remaining = *num << BDRV_SECTOR_BITS;
+    remaining = (uint64_t)*num << BDRV_SECTOR_BITS;
     cluster_offset = 0;
     *host_offset = 0;
     cur_bytes = 0;
-- 
1.9.1

[Qemu-devel] [PATCH 11/43] qcow2: Flushing the caches in qcow2_close may fail

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

qcow2_cache_flush() may fail; if one of the caches failed to be flushed
successfully to disk in qcow2_close() the image should not be marked
clean, and we should emit a warning.

This breaks the (qcow2-specific) iotests 026, 071 and 089; change their
output accordingly.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 3b5e14c76a6bb142bf250ddf99e24a0ac8c7bc12)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              |  19 +++++--
 tests/qemu-iotests/026.out | 120 +++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/071.out |   8 +++
 tests/qemu-iotests/089.out |   2 +
 4 files changed, 146 insertions(+), 3 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 1d21a2a..a33e863 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1428,10 +1428,23 @@ static void qcow2_close(BlockDriverState *bs)
     s->l1_table = NULL;
 
     if (!(bs->open_flags & BDRV_O_INCOMING)) {
-        qcow2_cache_flush(bs, s->l2_table_cache);
-        qcow2_cache_flush(bs, s->refcount_block_cache);
+        int ret1, ret2;
 
-        qcow2_mark_clean(bs);
+        ret1 = qcow2_cache_flush(bs, s->l2_table_cache);
+        ret2 = qcow2_cache_flush(bs, s->refcount_block_cache);
+
+        if (ret1) {
+            error_report("Failed to flush the L2 table cache: %s",
+                         strerror(-ret1));
+        }
+        if (ret2) {
+            error_report("Failed to flush the refcount block cache: %s",
+                         strerror(-ret2));
+        }
+
+        if (!ret1 && !ret2) {
+            qcow2_mark_clean(bs);
+        }
     }
 
     qcow2_cache_destroy(bs, s->l2_table_cache);
diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
index f7c78e7..ad84ac2 100644
--- a/tests/qemu-iotests/026.out
+++ b/tests/qemu-iotests/026.out
@@ -14,6 +14,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_update; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 
 1 leaked clusters were found on the image.
@@ -21,6 +23,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_update; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 
 1 leaked clusters were found on the image.
@@ -38,6 +42,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_update; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 1 leaked clusters were found on the image.
@@ -45,6 +51,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_update; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 1 leaked clusters were found on the image.
@@ -70,7 +78,11 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: l2_load; errno: 5; imm: off; once: off; write 
 wrote 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 read failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -78,7 +90,11 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: l2_load; errno: 5; imm: off; once: off; write -b
 wrote 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 read failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -102,7 +118,11 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: l2_load; errno: 28; imm: off; once: off; write 
 wrote 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 read failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -110,12 +130,17 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: l2_load; errno: 28; imm: off; once: off; write -b
 wrote 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 read failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 5; imm: off; once: on; write 
+Failed to flush the L2 table cache: Input/output error
 write failed: Input/output error
 
 127 leaked clusters were found on the image.
@@ -123,6 +148,7 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 5; imm: off; once: on; write -b
+Failed to flush the L2 table cache: Input/output error
 write failed: Input/output error
 
 127 leaked clusters were found on the image.
@@ -130,6 +156,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 
 127 leaked clusters were found on the image.
@@ -137,6 +165,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 
 127 leaked clusters were found on the image.
@@ -144,6 +174,7 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 28; imm: off; once: on; write 
+Failed to flush the L2 table cache: No space left on device
 write failed: No space left on device
 
 127 leaked clusters were found on the image.
@@ -151,6 +182,7 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 28; imm: off; once: on; write -b
+Failed to flush the L2 table cache: No space left on device
 write failed: No space left on device
 
 127 leaked clusters were found on the image.
@@ -158,6 +190,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 127 leaked clusters were found on the image.
@@ -165,6 +199,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_update; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 127 leaked clusters were found on the image.
@@ -182,11 +218,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_alloc.write; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_alloc.write; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 
 1 leaked clusters were found on the image.
@@ -204,11 +244,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_alloc.write; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l2_alloc.write; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 1 leaked clusters were found on the image.
@@ -226,11 +270,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: write_aio; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: write_aio; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -246,11 +294,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: write_aio; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: write_aio; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -266,11 +318,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_load; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_load; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -286,51 +342,67 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_load; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_load; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 5; imm: off; once: on; write 
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 5; imm: off; once: on; write -b
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 28; imm: off; once: on; write 
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 28; imm: off; once: on; write -b
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_update_part; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -346,11 +418,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -366,11 +442,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -386,11 +466,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: cluster_alloc; errno: 5; imm: off; once: off; write 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: cluster_alloc; errno: 5; imm: off; once: off; write -b
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -406,11 +490,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: cluster_alloc; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: cluster_alloc; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 
@@ -429,6 +517,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.hookup; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 55 leaked clusters were found on the image.
@@ -436,6 +526,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.hookup; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 251 leaked clusters were found on the image.
@@ -453,11 +545,15 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.write; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.write; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -473,6 +569,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 11 leaked clusters were found on the image.
@@ -480,6 +578,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 23 leaked clusters were found on the image.
@@ -497,6 +597,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 11 leaked clusters were found on the image.
@@ -504,6 +606,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 23 leaked clusters were found on the image.
@@ -521,6 +625,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write 
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 11 leaked clusters were found on the image.
@@ -528,6 +634,8 @@ This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write -b
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 23 leaked clusters were found on the image.
@@ -543,6 +651,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_grow.alloc_table; errno: 5; imm: off; once: off
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -553,6 +663,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_grow.alloc_table; errno: 28; imm: off; once: off
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -563,6 +675,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_grow.write_table; errno: 5; imm: off; once: off
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -573,6 +687,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_grow.write_table; errno: 28; imm: off; once: off
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
@@ -583,6 +699,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_grow.activate_table; errno: 5; imm: off; once: off
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 write failed: Input/output error
 
 96 leaked clusters were found on the image.
@@ -595,6 +713,8 @@ No errors were found on the image.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
 Event: l1_grow.activate_table; errno: 28; imm: off; once: off
+Failed to flush the L2 table cache: No space left on device
+Failed to flush the refcount block cache: No space left on device
 write failed: No space left on device
 
 96 leaked clusters were found on the image.
diff --git a/tests/qemu-iotests/071.out b/tests/qemu-iotests/071.out
index 5f840a9..0624581 100644
--- a/tests/qemu-iotests/071.out
+++ b/tests/qemu-iotests/071.out
@@ -30,10 +30,14 @@ blkverify: read sector_num=0 nb_sectors=4 contents mismatch in sector 0
 
 === Testing blkdebug through filename ===
 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 read failed: Input/output error
 
 === Testing blkdebug through file blockref ===
 
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 read failed: Input/output error
 
 === Testing blkdebug on existing block device ===
@@ -48,6 +52,8 @@ read failed: Input/output error
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN"}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
+qemu-system-x86_64: Failed to flush the L2 table cache: Input/output error
+qemu-system-x86_64: Failed to flush the refcount block cache: Input/output error
 
 
 === Testing blkverify on existing block device ===
@@ -86,5 +92,7 @@ read failed: Input/output error
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN"}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
+qemu-system-x86_64: Failed to flush the L2 table cache: Input/output error
+qemu-system-x86_64: Failed to flush the refcount block cache: Input/output error
 
 *** done
diff --git a/tests/qemu-iotests/089.out b/tests/qemu-iotests/089.out
index b2b0390..bf3b8a0 100644
--- a/tests/qemu-iotests/089.out
+++ b/tests/qemu-iotests/089.out
@@ -24,6 +24,8 @@ read 512/512 bytes at offset 0
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 wrote 512/512 bytes at offset 229376
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Failed to flush the L2 table cache: Input/output error
+Failed to flush the refcount block cache: Input/output error
 read failed: Input/output error
 
 === Testing qemu-img info output ===
-- 
1.9.1

[Qemu-devel] [PATCH 12/43] qcow2: Respect bdrv_truncate() error

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

bdrv_truncate() may fail and qcow2_write_compressed() should return the
error code in that case.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 6a69b9620ac1562a067990d87284a85552bfd61b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index a33e863..c98d3b7 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2162,8 +2162,7 @@ static int qcow2_write_compressed(BlockDriverState *bs, int64_t sector_num,
         /* align end of file to a sector boundary to ease reading with
            sector based I/Os */
         cluster_offset = bdrv_getlength(bs->file);
-        bdrv_truncate(bs->file, cluster_offset);
-        return 0;
+        return bdrv_truncate(bs->file, cluster_offset);
     }
 
     if (nb_sectors != s->cluster_sectors) {
-- 
1.9.1

[Qemu-devel] [PATCH 13/43] block/raw-posix: Fix ret in raw_open_common()

[Michael Roth]

From: Max Reitz <mreitz@redhat.com>

The return value must be negative on error; there is one place in
raw_open_common() where errp is set, but ret remains 0. Fix it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 01212d4ed68fc8daa29062a9a38650cf8febe392)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/raw-posix.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/raw-posix.c b/block/raw-posix.c
index d8bbed0..ef21242 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -446,6 +446,7 @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
     }
 
     if (fstat(s->fd, &st) < 0) {
+        ret = -errno;
         error_setg_errno(errp, errno, "Could not stat file");
         goto fail;
     }
-- 
1.9.1

[Qemu-devel] [PATCH 14/43] block migration: fix return value

[Michael Roth]

From: Gary R Hook <gary.hook@nimboxx.com>

Modify block_save_iterate() to return positive/zero/negative
(success/not done/failure) return status. The computation of
the blocks transferred (an int64_t) exceeds the size of an
int return value.

Signed-off-by: Gary R Hook <gary.hook@nimboxx.com>
Reviewed-by: ChenLiang <chenliang88@huawei.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1416958202-15913-1-git-send-email-gary.hook@nimboxx.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit ebd9fbd7e102c533143c2c8372312b75c2b2678a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block-migration.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/block-migration.c b/block-migration.c
index 08db01a..74d9eb1 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -653,6 +653,7 @@ static int block_save_iterate(QEMUFile *f, void *opaque)
 {
     int ret;
     int64_t last_ftell = qemu_ftell(f);
+    int64_t delta_ftell;
 
     DPRINTF("Enter save live iterate submitted %d transferred %d\n",
             block_mig_state.submitted, block_mig_state.transferred);
@@ -702,7 +703,14 @@ static int block_save_iterate(QEMUFile *f, void *opaque)
     }
 
     qemu_put_be64(f, BLK_MIG_FLAG_EOS);
-    return qemu_ftell(f) - last_ftell;
+    delta_ftell = qemu_ftell(f) - last_ftell;
+    if (delta_ftell > 0) {
+        return 1;
+    } else if (delta_ftell < 0) {
+        return -1;
+    } else {
+        return 0;
+    }
 }
 
 /* Called with iothread lock taken.  */
-- 
1.9.1

[Qemu-devel] [PATCH 15/43] qcow2: Fix header extension size check

[Michael Roth]

From: Kevin Wolf <kwolf@redhat.com>

After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.

This patch adds the missing check and a test case for it.

Cc: qemu-stable@nongnu.org
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1416935562-7760-2-git-send-email-kwolf@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 2 +-
 tests/qemu-iotests/080     | 2 ++
 tests/qemu-iotests/080.out | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index c98d3b7..e4e690a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -117,7 +117,7 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 #ifdef DEBUG_EXT
         printf("ext.magic = 0x%x\n", ext.magic);
 #endif
-        if (ext.len > end_offset - offset) {
+        if (offset > end_offset || ext.len > end_offset - offset) {
             error_setg(errp, "Header extension too large");
             return -EINVAL;
         }
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 9de337c..73795f1 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -78,6 +78,8 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xf
 poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
 poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x$(printf %x $offset_ext_size)"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f7a943c..33d1f71 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,6 +13,8 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
 no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
 
 == Huge refcount table size ==
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
-- 
1.9.1

[Qemu-devel] [PATCH 16/43] qcow2.py: Add required padding for header extensions

[Michael Roth]

From: Kevin Wolf <kwolf@redhat.com>

The qcow2 specification requires that the header extension data be
padded to round up the extension size to the next multiple of 8 bytes.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1416935562-7760-3-git-send-email-kwolf@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 8884dd1bbc5ce42cd657ffcbef3a477443468974)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/qcow2.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/qemu-iotests/qcow2.py b/tests/qemu-iotests/qcow2.py
index 2058596..9cc4cf7 100755
--- a/tests/qemu-iotests/qcow2.py
+++ b/tests/qemu-iotests/qcow2.py
@@ -7,6 +7,10 @@ import string
 class QcowHeaderExtension:
 
     def __init__(self, magic, length, data):
+        if length % 8 != 0:
+            padding = 8 - (length % 8)
+            data += "\0" * padding
+
         self.magic  = magic
         self.length = length
         self.data   = data
-- 
1.9.1

[Qemu-devel] [PATCH 17/43] block: Don't probe for unknown backing file format

[Michael Roth]

From: Kevin Wolf <kwolf@redhat.com>

If a qcow2 image specifies a backing file format that doesn't correspond
to any format driver that qemu knows, we shouldn't fall back to probing,
but simply error out.

Not looking up the backing file driver in bdrv_open_backing_file(), but
just filling in the "driver" option if it isn't there moves us closer to
the goal of having everything in QDict options and gets us the error
handling of bdrv_open(), which correctly refuses unknown drivers.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1416935562-7760-4-git-send-email-kwolf@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c5f6e493bb5339d244eae5d3f21c5b6d73996739)

Conflicts:
	tests/qemu-iotests/group

*resolved context conflict due to group 113 being present locally

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c                    |  7 +++---
 tests/qemu-iotests/114     | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/114.out | 13 ++++++++++
 tests/qemu-iotests/group   |  1 +
 4 files changed, 78 insertions(+), 4 deletions(-)
 create mode 100755 tests/qemu-iotests/114
 create mode 100644 tests/qemu-iotests/114.out

diff --git a/block.c b/block.c
index 07f58fc..8717597 100644
--- a/block.c
+++ b/block.c
@@ -1175,7 +1175,6 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *options, Error **errp)
 {
     char *backing_filename = g_malloc0(PATH_MAX);
     int ret = 0;
-    BlockDriver *back_drv = NULL;
     BlockDriverState *backing_hd;
     Error *local_err = NULL;
 
@@ -1208,14 +1207,14 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *options, Error **errp)
 
     backing_hd = bdrv_new();
 
-    if (bs->backing_format[0] != '\0') {
-        back_drv = bdrv_find_format(bs->backing_format);
+    if (bs->backing_format[0] != '\0' && !qdict_haskey(options, "driver")) {
+        qdict_put(options, "driver", qstring_from_str(bs->backing_format));
     }
 
     assert(bs->backing_hd == NULL);
     ret = bdrv_open(&backing_hd,
                     *backing_filename ? backing_filename : NULL, NULL, options,
-                    bdrv_backing_flags(bs->open_flags), back_drv, &local_err);
+                    bdrv_backing_flags(bs->open_flags), NULL, &local_err);
     if (ret < 0) {
         bdrv_unref(backing_hd);
         backing_hd = NULL;
diff --git a/tests/qemu-iotests/114 b/tests/qemu-iotests/114
new file mode 100755
index 0000000..d02e7ff
--- /dev/null
+++ b/tests/qemu-iotests/114
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# Test invalid backing file format in qcow2 images
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq="$(basename $0)"
+echo "QA output created by $seq"
+
+here="$PWD"
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+	_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow2
+_supported_proto generic
+_supported_os Linux
+
+
+TEST_IMG="$TEST_IMG.base" _make_test_img 64M
+_make_test_img -b "$TEST_IMG.base" 64M
+
+# Set an invalid backing file format
+$PYTHON qcow2.py "$TEST_IMG" add-header-ext 0xE2792ACA "foo"
+_img_info
+
+# Try opening the image. Should fail (and not probe) in the first case, but
+# overriding the backing file format should be possible.
+$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
+$QEMU_IO -c "open -o backing.driver=$IMGFMT $TEST_IMG" -c "read 0 4k" | _filter_qemu_io
+
+# success, all done
+echo '*** done'
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/114.out b/tests/qemu-iotests/114.out
new file mode 100644
index 0000000..6c6b210
--- /dev/null
+++ b/tests/qemu-iotests/114.out
@@ -0,0 +1,13 @@
+QA output created by 114
+Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=67108864 
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file='TEST_DIR/t.IMGFMT.base' 
+image: TEST_DIR/t.IMGFMT
+file format: IMGFMT
+virtual size: 64M (67108864 bytes)
+cluster_size: 65536
+backing file: TEST_DIR/t.IMGFMT.base
+backing file format: foo
+qemu-io: can't open device TEST_DIR/t.qcow2: Could not open backing file: Unknown driver 'foo'
+read 4096/4096 bytes at offset 0
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index fd2c64a..da59f57 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -113,3 +113,4 @@
 108 rw auto quick
 111 rw auto quick
 113 rw auto quick
+114 rw auto quick
-- 
1.9.1

[Qemu-devel] [PATCH 18/43] linuxboot: fix loading old kernels

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

Old kernels that used high memory only allowed the initrd to be in the
first 896MB of memory.  If you load the initrd above, they complain
that "initrd extends beyond end of memory".

In order to fix this, while not breaking machines with small amounts
of memory fixed by cdebec5 (linuxboot: compute initrd loading address,
2014-10-06), we need to distinguish two cases.  If pc.c placed the
initrd at end of memory, use the new algorithm based on the e801
memory map.  If instead pc.c placed the initrd at the maximum address
specified by the bzImage, leave it there.

The only interesting part is that the low-memory info block is now
loaded very early, in real mode, and thus the 32-bit address has
to be converted into a real mode segment.  The initrd address is
also patched in the info block before entering real mode, it is
simpler that way.

This fixes booting the RHEL4.8 32-bit installation image with 1GB
of RAM.

Cc: qemu-stable@nongnu.org
Cc: mst@redhat.com
Cc: jsnow@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 269e2358492b674c50160553d037702e916b9f1b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 pc-bios/linuxboot.bin         | Bin 1024 -> 1024 bytes
 pc-bios/optionrom/linuxboot.S |  37 +++++++++++++++++++++++++++----------
 2 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/pc-bios/linuxboot.bin b/pc-bios/linuxboot.bin
index 130103fb739228a6869aaf1b174b9d20c13378fc..923d1796fbc58f1a836c160be533d1cf697b7511 100644
GIT binary patch
delta 142
zcmZqRXyBNj#iGKj$vjbS<zxpYS+0XGSo#j68UEiPKG~5;c5)+=ut=jF8xu2AF_&7}
zaW);M|NsA+@8AMT$}#QW22wHtj6c-UjDa#~sth0g|1U|HcrA)eEv?f|f@!h=qa+g#
o^JH&Ed5B`!$=!@w1k-jf00F<!fu0k62VPqJWthB%=`*7=0A&s>tpET3

delta 89
zcmV-f0H*(d2!IHXDg?v=$pVossgsWZS(EMo83L>VlL-PJ0%li}!2uqVMgp}0xE7KA
v9R$Z_iNlfnG8kuOkAoNj003sV000004<f*f$d172nf;Rt1M`zm17HDDa`7NG

diff --git a/pc-bios/optionrom/linuxboot.S b/pc-bios/optionrom/linuxboot.S
index 5bc0af0..ba821ab 100644
--- a/pc-bios/optionrom/linuxboot.S
+++ b/pc-bios/optionrom/linuxboot.S
@@ -76,7 +76,31 @@ boot_kernel:
 
 
 copy_kernel:
-	/* Compute initrd address */
+	/* Read info block in low memory (0x10000 or 0x90000) */
+	read_fw		FW_CFG_SETUP_ADDR
+	shr		$4, %eax
+	mov		%eax, %es
+	xor		%edi, %edi
+	read_fw_blob_addr32_edi(FW_CFG_SETUP)
+
+	cmpw            $0x203, %es:0x206      // if protocol >= 0x203
+	jae             1f                     // have initrd_max
+	movl            $0x37ffffff, %es:0x22c // else assume 0x37ffffff
+1:
+
+	/* Check if using kernel-specified initrd address */
+	read_fw		FW_CFG_INITRD_ADDR
+	mov		%eax, %edi             // (load_kernel wants it in %edi)
+	read_fw		FW_CFG_INITRD_SIZE     // find end of initrd
+	add		%edi, %eax
+	xor		%es:0x22c, %eax        // if it matches es:0x22c
+	and		$-4096, %eax           // (apart from padding for page)
+	jz		load_kernel            // then initrd is not at top
+					       // of memory
+
+	/* pc.c placed the initrd at end of memory.  Compute a better
+	 * initrd address based on e801 data.
+	 */
 	mov		$0xe801, %ax
 	xor		%cx, %cx
 	xor		%dx, %dx
@@ -107,7 +131,9 @@ copy_kernel:
 	read_fw         FW_CFG_INITRD_SIZE
 	subl            %eax, %edi
 	andl            $-4096, %edi          /* EDI = start of initrd */
+	movl		%edi, %es:0x218       /* put it in the header */
 
+load_kernel:
 	/* We need to load the kernel into memory we can't access in 16 bit
 	   mode, so let's get into 32 bit mode, write the kernel and jump
 	   back again. */
@@ -139,19 +165,10 @@ copy_kernel:
 	/* We're now running in 16-bit CS, but 32-bit ES! */
 
 	/* Load kernel and initrd */
-	pushl		%edi
 	read_fw_blob_addr32_edi(FW_CFG_INITRD)
 	read_fw_blob_addr32(FW_CFG_KERNEL)
 	read_fw_blob_addr32(FW_CFG_CMDLINE)
 
-	read_fw		FW_CFG_SETUP_ADDR
-	mov		%eax, %edi
-	mov		%eax, %ebx
-	read_fw_blob_addr32_edi(FW_CFG_SETUP)
-
-	/* Update the header with the initrd address we chose above */
-	popl		%es:0x218(%ebx)
-
 	/* And now jump into Linux! */
 	mov		$0, %eax
 	mov		%eax, %cr0
-- 
1.9.1

[Qemu-devel] [PATCH 19/43] audio: Don't free hw resources until after hw backend is stopped

[Michael Roth]

From: Peter Maydell <peter.maydell@linaro.org>

When stopping an audio voice, call the audio backend's fini
method before calling audio_pcm_hw_free_resources_ rather than
afterwards. This allows backends which use helper threads (like
pulseaudio) to terminate those threads before the conv_buf or
mix_buf are freed and avoids race conditions where the helper
may access a NULL pointer or freed memory.

Cc: qemu-stable@nongnu.org
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1418406239-9838-1-git-send-email-peter.maydell@linaro.org
(cherry picked from commit b28fb27b5edf77f6fd0ac550a156fb20f2218db3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 audio/audio_template.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/audio/audio_template.h b/audio/audio_template.h
index 8173188..584e536 100644
--- a/audio/audio_template.h
+++ b/audio/audio_template.h
@@ -191,9 +191,9 @@ static void glue (audio_pcm_hw_gc_, TYPE) (HW **hwp)
         audio_detach_capture (hw);
 #endif
         QLIST_REMOVE (hw, entries);
+        glue (hw->pcm_ops->fini_, TYPE) (hw);
         glue (s->nb_hw_voices_, TYPE) += 1;
         glue (audio_pcm_hw_free_resources_ ,TYPE) (hw);
-        glue (hw->pcm_ops->fini_, TYPE) (hw);
         g_free (hw);
         *hwp = NULL;
     }
-- 
1.9.1

[Qemu-devel] [PATCH 20/43] target-xtensa: fix translation for opcodes crossing page boundary

[Michael Roth]

From: Max Filippov <jcmvbkbc@gmail.com>

If TB ends with an opcode that crosses page boundary and the following
page is not executable then EPC1 for the code fetch exception wrongly
points at the beginning of the TB. Always treat instruction that crosses
page boundary as a separate TB.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit 01673a3401614b4199c9946ad47b97bedfc7a7c2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-xtensa/translate.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/target-xtensa/translate.c b/target-xtensa/translate.c
index badca19..a81573d 100644
--- a/target-xtensa/translate.c
+++ b/target-xtensa/translate.c
@@ -887,6 +887,11 @@ static TCGv_i32 gen_mac16_m(TCGv_i32 v, bool hi, bool is_unsigned)
     return m;
 }
 
+static inline unsigned xtensa_op0_insn_len(unsigned op0)
+{
+    return op0 >= 8 ? 2 : 3;
+}
+
 static void disas_xtensa_insn(CPUXtensaState *env, DisasContext *dc)
 {
 #define HAS_OPTION_BITS(opt) do { \
@@ -989,6 +994,7 @@ static void disas_xtensa_insn(CPUXtensaState *env, DisasContext *dc)
     uint8_t b0 = cpu_ldub_code(env, dc->pc);
     uint8_t b1 = cpu_ldub_code(env, dc->pc + 1);
     uint8_t b2 = 0;
+    unsigned len = xtensa_op0_insn_len(OP0);
 
     static const uint32_t B4CONST[] = {
         0xffffffff, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 16, 32, 64, 128, 256
@@ -998,13 +1004,19 @@ static void disas_xtensa_insn(CPUXtensaState *env, DisasContext *dc)
         32768, 65536, 2, 3, 4, 5, 6, 7, 8, 10, 12, 16, 32, 64, 128, 256
     };
 
-    if (OP0 >= 8) {
-        dc->next_pc = dc->pc + 2;
+    switch (len) {
+    case 2:
         HAS_OPTION(XTENSA_OPTION_CODE_DENSITY);
-    } else {
-        dc->next_pc = dc->pc + 3;
+        break;
+
+    case 3:
         b2 = cpu_ldub_code(env, dc->pc + 2);
+        break;
+
+    default:
+        RESERVED();
     }
+    dc->next_pc = dc->pc + len;
 
     switch (OP0) {
     case 0: /*QRST*/
@@ -2949,6 +2961,12 @@ invalid_opcode:
 #undef HAS_OPTION
 }
 
+static inline unsigned xtensa_insn_len(CPUXtensaState *env, DisasContext *dc)
+{
+    uint8_t b0 = cpu_ldub_code(env, dc->pc);
+    return xtensa_op0_insn_len(OP0);
+}
+
 static void check_breakpoint(CPUXtensaState *env, DisasContext *dc)
 {
     CPUState *cs = CPU(xtensa_env_get_cpu(env));
@@ -3081,6 +3099,7 @@ void gen_intermediate_code_internal(XtensaCPU *cpu,
     } while (dc.is_jmp == DISAS_NEXT &&
             insn_count < max_insns &&
             dc.pc < next_page_start &&
+            dc.pc + xtensa_insn_len(env, &dc) <= next_page_start &&
             tcg_ctx.gen_opc_ptr < gen_opc_end);
 
     reset_litbase(&dc);
-- 
1.9.1

[Qemu-devel] [PATCH 21/43] target-xtensa: test cross-page opcode

[Michael Roth]

From: Max Filippov <jcmvbkbc@gmail.com>

Alter cross-page TB test to also test cross-page opcode.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit 85d36377e4ff8b98119420099d445369bfd6b7bb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/tcg/xtensa/test_mmu.S | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/tests/tcg/xtensa/test_mmu.S b/tests/tcg/xtensa/test_mmu.S
index 58c5bca..a15316f 100644
--- a/tests/tcg/xtensa/test_mmu.S
+++ b/tests/tcg/xtensa/test_mmu.S
@@ -641,7 +641,7 @@ test cross_page_tb
     witlb   a2, a3
     wdtlb   a2, a3
 
-    movi    a2, 0x00007ffd
+    movi    a2, 0x00007ffc
     movi    a3, 20f
     movi    a4, 21f
     sub     a4, a4, a3
@@ -651,7 +651,7 @@ test cross_page_tb
     addi    a2, a2, 1
     addi    a3, a3, 1
 1:
-    movi    a2, 0x00007ffd
+    movi    a2, 0x00007ffc
     movi    a3, 0x00008000
     /* DTLB: OK, ITLB: OK */
     jx      a2
@@ -668,10 +668,10 @@ test cross_page_tb
     movi    a3, 1
     assert  eq, a2, a3
     rsr     a2, epc1
-    movi    a3, 0x8000
+    movi    a3, 0x7fff
     assert  eq, a2, a3
     rsr     a2, excsave1
-    movi    a3, 0x00007ffd
+    movi    a3, 0x00007ffc
     assert  ne, a2, a3
 
     reset_ps
@@ -680,7 +680,7 @@ test cross_page_tb
     movi    a2, 0x0400000c /* PPN */
     movi    a3, 0x00008000 /* VPN */
     wdtlb   a2, a3
-    movi    a2, 0x00007ffd
+    movi    a2, 0x00007ffc
     movi    a3, 0x00008000
     /* DTLB: FAIL, ITLB: OK */
     jx      a2
@@ -689,10 +689,10 @@ test cross_page_tb
     movi    a3, 28
     assert  eq, a2, a3
     rsr     a2, epc1
-    movi    a3, 0x7ffd
+    movi    a3, 0x7ffc
     assert  eq, a2, a3
     rsr     a2, excsave1
-    movi    a3, 0x00007ffd
+    movi    a3, 0x00007ffc
     assert  eq, a2, a3
 
     reset_ps
@@ -703,7 +703,7 @@ test cross_page_tb
     witlb   a2, a3
     movi    a2, 0x04000003 /* PPN */
     wdtlb   a2, a3
-    movi    a2, 0x00007ffd
+    movi    a2, 0x00007ffc
     movi    a3, 0x00008000
     /* DTLB: OK, ITLB: FAIL */
     jx      a2
@@ -712,10 +712,10 @@ test cross_page_tb
     movi    a3, 20
     assert  eq, a2, a3
     rsr     a2, epc1
-    movi    a3, 0x8000
+    movi    a3, 0x7fff
     assert  eq, a2, a3
     rsr     a2, excsave1
-    movi    a3, 0x00007ffd
+    movi    a3, 0x00007ffc
     assert  ne, a2, a3
 
     reset_ps
@@ -724,7 +724,7 @@ test cross_page_tb
     movi    a2, 0x0400000c /* PPN */
     movi    a3, 0x00008000 /* VPN */
     wdtlb   a2, a3
-    movi    a2, 0x00007ffd
+    movi    a2, 0x00007ffc
     movi    a3, 0x00008000
     /* DTLB: FAIL, ITLB: FAIL */
     jx      a2
@@ -733,10 +733,10 @@ test cross_page_tb
     movi    a3, 28
     assert  eq, a2, a3
     rsr     a2, epc1
-    movi    a3, 0x7ffd
+    movi    a3, 0x7ffc
     assert  eq, a2, a3
     rsr     a2, excsave1
-    movi    a3, 0x00007ffd
+    movi    a3, 0x00007ffc
     assert  eq, a2, a3
 test_end
 
-- 
1.9.1

[Qemu-devel] [PATCH 22/43] migration/block: fix pending() return value

[Michael Roth]

From: Vladimir Sementsov-Ogievskiy <vsementsov@parallels.com>

Because of wrong return value of .save_live_pending() in
migration/block.c, migration finishes before the whole disk is
transferred. Such situation occurs when the migration process is fast
enough, for example when source and dest are on the same host.

If in the bulk phase we return something < max_size, we will skip
transferring the tail of the device. Currently we have "set pending to
BLOCK_SIZE if it is zero" for bulk phase, but there no guarantee, that
it will be < max_size.

True approach is to return, for example, max_size+1 when we are in the
bulk phase.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@parallels.com>
Message-id: 1419933856-4018-2-git-send-email-vsementsov@parallels.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 04636dc410b163c2243e66c3813dd4900a50a4ed)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block-migration.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/block-migration.c b/block-migration.c
index 74d9eb1..2e92605 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -765,8 +765,8 @@ static uint64_t block_save_pending(QEMUFile *f, void *opaque, uint64_t max_size)
                        block_mig_state.read_done * BLOCK_SIZE;
 
     /* Report at least one block pending during bulk phase */
-    if (pending == 0 && !block_mig_state.bulk_completed) {
-        pending = BLOCK_SIZE;
+    if (pending <= max_size && !block_mig_state.bulk_completed) {
+        pending = max_size + BLOCK_SIZE;
     }
     blk_mig_unlock();
     qemu_mutex_unlock_iothread();
-- 
1.9.1

[Qemu-devel] [PATCH 23/43] atomic: fix position of volatile qualifier

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

What needs to be volatile is not the pointer, but the pointed-to
value!

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2cbcfb281afa041a41f6e4c4da0f5c9314084604)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/qemu/atomic.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
index 492bce1..93c2ae2 100644
--- a/include/qemu/atomic.h
+++ b/include/qemu/atomic.h
@@ -122,11 +122,11 @@
 #endif
 
 #ifndef atomic_read
-#define atomic_read(ptr)       (*(__typeof__(*ptr) *volatile) (ptr))
+#define atomic_read(ptr)       (*(__typeof__(*ptr) volatile*) (ptr))
 #endif
 
 #ifndef atomic_set
-#define atomic_set(ptr, i)     ((*(__typeof__(*ptr) *volatile) (ptr)) = (i))
+#define atomic_set(ptr, i)     ((*(__typeof__(*ptr) volatile*) (ptr)) = (i))
 #endif
 
 /* These have the same semantics as Java volatile variables.
-- 
1.9.1

[Qemu-devel] [PATCH 24/43] PPC: Fix crash on spapr_tce_table_finalize()

[Michael Roth]

From: David Gibson <david@gibson.dropbear.id.au>

spapr_tce_table_finalize() can SEGV if the object was not previously
realized.  In particular this can be triggered by running
         qemu-system-ppc -device spapr-tce-table,?

The basic problem is that we have mismatched initialization versus
finalization: spapr_tce_table_finalize() is attempting to undo things that
are done in spapr_tce_table_realize(), not an instance_init function.

Therefore, replace spapr_tce_table_finalize() with
spapr_tce_table_unrealize().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Cc: qemu-stable@nongnu.org
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 5f9490de566c5b092a6cfedc3c7a37a9c9dee917)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ppc/spapr_iommu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr_iommu.c b/hw/ppc/spapr_iommu.c
index 6c91d8e..da47474 100644
--- a/hw/ppc/spapr_iommu.c
+++ b/hw/ppc/spapr_iommu.c
@@ -173,9 +173,9 @@ sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn,
     return tcet;
 }
 
-static void spapr_tce_table_finalize(Object *obj)
+static void spapr_tce_table_unrealize(DeviceState *dev, Error **errp)
 {
-    sPAPRTCETable *tcet = SPAPR_TCE_TABLE(obj);
+    sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev);
 
     QLIST_REMOVE(tcet, list);
 
@@ -420,6 +420,7 @@ static void spapr_tce_table_class_init(ObjectClass *klass, void *data)
     DeviceClass *dc = DEVICE_CLASS(klass);
     dc->init = spapr_tce_table_realize;
     dc->reset = spapr_tce_reset;
+    dc->unrealize = spapr_tce_table_unrealize;
 
     QLIST_INIT(&spapr_tce_tables);
 
@@ -435,7 +436,6 @@ static TypeInfo spapr_tce_table_info = {
     .parent = TYPE_DEVICE,
     .instance_size = sizeof(sPAPRTCETable),
     .class_init = spapr_tce_table_class_init,
-    .instance_finalize = spapr_tce_table_finalize,
 };
 
 static void register_types(void)
-- 
1.9.1

[Qemu-devel] [PATCH 25/43] vl.c: fix regression when reading machine type from config file

[Michael Roth]

From: Marcel Apfelbaum <marcel@redhat.com>

After 'Machine as QOM' series the machine type input triggers
the creation of the machine class.
If the machine type is set in the configuration file, the machine
class is not updated accordingly and remains the default.

Fixed that by querying the machine options after the configuration
file is loaded.

Cc: qemu-stable@nongnu.org
Reported-by: William Dauchy <william@gandi.net>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 364c3e6b8dd7912e01d19122d791b8c8f6df4f6c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 vl.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/vl.c b/vl.c
index eb89d62..91411c1 100644
--- a/vl.c
+++ b/vl.c
@@ -2886,9 +2886,6 @@ int main(int argc, char **argv, char **envp)
                 exit(1);
             }
             switch(popt->index) {
-            case QEMU_OPTION_M:
-                machine_class = machine_parse(optarg);
-                break;
             case QEMU_OPTION_no_kvm_irqchip: {
                 olist = qemu_find_opts("machine");
                 qemu_opts_parse(olist, "kernel_irqchip=off", 0);
@@ -3506,16 +3503,13 @@ int main(int argc, char **argv, char **envp)
                 olist = qemu_find_opts("machine");
                 qemu_opts_parse(olist, "accel=kvm", 0);
                 break;
+            case QEMU_OPTION_M:
             case QEMU_OPTION_machine:
                 olist = qemu_find_opts("machine");
                 opts = qemu_opts_parse(olist, optarg, 1);
                 if (!opts) {
                     exit(1);
                 }
-                optarg = qemu_opt_get(opts, "type");
-                if (optarg) {
-                    machine_class = machine_parse(optarg);
-                }
                 break;
              case QEMU_OPTION_no_kvm:
                 olist = qemu_find_opts("machine");
@@ -3807,6 +3801,13 @@ int main(int argc, char **argv, char **envp)
             }
         }
     }
+
+    opts = qemu_get_machine_opts();
+    optarg = qemu_opt_get(opts, "type");
+    if (optarg) {
+        machine_class = machine_parse(optarg);
+    }
+
     loc_set_none();
 
     os_daemonize();
-- 
1.9.1

[Qemu-devel] [PATCH 26/43] serial: reset thri_pending on IER writes with THRI=0

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

This is responsible for failure of migration from 2.2 to 2.1, because
thr_ipending is always one in practice.

serial.c is setting thr_ipending unconditionally.  However, thr_ipending
is not used at all if THRI=0, and it will be overwritten again the next
time THRE or THRI changes.  For that reason, we can set thr_ipending to
zero every time THRI is reset.

There is disagreement on whether LSR.THRE should be resampled when IER.THRI
goes from 1 to 1.  This patch does not touch the code, leaving that for
QEMU 2.3+.

This has no semantic change and is enough to fix migration in the common
case where the interrupt is not pending or is reported in IIR.  It does not
change the migration format, so 2.2.0 -> 2.1 will remain broken but we
can fix 2.2.1 -> 2.1 without breaking 2.2.1 <-> 2.2.0.

The case that remains broken (the one in which the subsection is strictly
necessary) is when THRE=1, the THRI interrupt has *not* been acknowledged
yet, and a higher-priority interrupt comes.  In this case, you need the
subsection to tell the source that the lower-priority THRI interrupt is
pending.  The subsection's breakage of migration, in this case, prevents
continuing the VM on the destination with an invalid state.

Cc: qemu-stable@nongnu.org
Reported-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4e02b0fcf5c97579d0d3261c80c65abcf92870fe)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/char/serial.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/hw/char/serial.c b/hw/char/serial.c
index ebcacdc..8c42d03 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -350,10 +350,24 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val,
                      s->poll_msl = 0;
                 }
             }
-            if (s->lsr & UART_LSR_THRE) {
+
+            /* Turning on the THRE interrupt on IER can trigger the interrupt
+             * if LSR.THRE=1, even if it had been masked before by reading IIR.
+             * This is not in the datasheet, but Windows relies on it.  It is
+             * unclear if THRE has to be resampled every time THRI becomes
+             * 1, or only on the rising edge.  Bochs does the latter, and Windows
+             * always toggles IER to all zeroes and back to all ones.  But for
+             * now leave it as it has always been in QEMU.
+             *
+             * If IER.THRI is zero, thr_ipending is not used.  Set it to zero
+             * so that the thr_ipending subsection is not migrated.
+             */
+            if ((s->ier & UART_IER_THRI) && (s->lsr & UART_LSR_THRE)) {
                 s->thr_ipending = 1;
-                serial_update_irq(s);
+            } else {
+                s->thr_ipending = 0;
             }
+            serial_update_irq(s);
         }
         break;
     case 2:
-- 
1.9.1

[Qemu-devel] [PATCH 27/43] serial: refine serial_thr_ipending_needed

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

If the THR interrupt is disabled, there is no need to migrate thr_ipending
because LSR.THRE will be sampled again when the interrupt is enabled.
(This is the behavior that is not documented in the datasheet, but
relied on by Windows!)

Note that in this case IIR will never be 0x2 so, if thr_ipending were
to be one, QEMU would produce the subsection.

Reported-by: Igor Mammedov <imammedo@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit bfa7362889d05d6951493d1c298289b39cf9bf86)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/char/serial.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/hw/char/serial.c b/hw/char/serial.c
index 8c42d03..51d939e 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -637,8 +637,17 @@ static int serial_post_load(void *opaque, int version_id)
 static bool serial_thr_ipending_needed(void *opaque)
 {
     SerialState *s = opaque;
-    bool expected_value = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
-    return s->thr_ipending != expected_value;
+
+    if (s->ier & UART_IER_THRI) {
+        bool expected_value = ((s->iir & UART_IIR_ID) == UART_IIR_THRI);
+        return s->thr_ipending != expected_value;
+    } else {
+        /* LSR.THRE will be sampled again when the interrupt is
+         * enabled.  thr_ipending is not used in this case, do
+         * not migrate it.
+         */
+        return false;
+    }
 }
 
 const VMStateDescription vmstate_serial_thr_ipending = {
-- 
1.9.1

[Qemu-devel] [PATCH 28/43] pckbd: set bits 2-3-6-7 of the output port by default

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

OSes typically write 0xdd/0xdf to turn the A20 line off and on.  This
has bits 2-3-6-7 on, so that the output port subsection is migrated.
Change the reset value and migration default to include those four
bits, thus avoiding that the subsection is migrated.

This strictly speaking changes guest ABI, but the long time during which
we have not migrated the value means that the guests really do not care
much; so the change is for all machine types.

Reported-by: Igor Mammedov <imammedo@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d13c0404092eb46e548754a47a808da1bb8d4fd0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/input/pckbd.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/input/pckbd.c b/hw/input/pckbd.c
index 2b0cd3d..9b9a7d7 100644
--- a/hw/input/pckbd.c
+++ b/hw/input/pckbd.c
@@ -101,6 +101,12 @@
 #define KBD_OUT_OBF             0x10    /* Keyboard output buffer full */
 #define KBD_OUT_MOUSE_OBF       0x20    /* Mouse output buffer full */
 
+/* OSes typically write 0xdd/0xdf to turn the A20 line off and on.
+ * We make the default value of the outport include these four bits,
+ * so that the subsection is rarely necessary.
+ */
+#define KBD_OUT_ONES            0xcc
+
 /* Mouse Commands */
 #define AUX_SET_SCALE11		0xE6	/* Set 1:1 scaling */
 #define AUX_SET_SCALE21		0xE7	/* Set 2:1 scaling */
@@ -367,13 +373,13 @@ static void kbd_reset(void *opaque)
 
     s->mode = KBD_MODE_KBD_INT | KBD_MODE_MOUSE_INT;
     s->status = KBD_STAT_CMD | KBD_STAT_UNLOCKED;
-    s->outport = KBD_OUT_RESET | KBD_OUT_A20;
+    s->outport = KBD_OUT_RESET | KBD_OUT_A20 | KBD_OUT_ONES;
     s->outport_present = false;
 }
 
 static uint8_t kbd_outport_default(KBDState *s)
 {
-    return KBD_OUT_RESET | KBD_OUT_A20
+    return KBD_OUT_RESET | KBD_OUT_A20 | KBD_OUT_ONES
            | (s->status & KBD_STAT_OBF ? KBD_OUT_OBF : 0)
            | (s->status & KBD_STAT_MOUSE_OBF ? KBD_OUT_MOUSE_OBF : 0);
 }
-- 
1.9.1

[Qemu-devel] [PATCH 29/43] linux-user: Fix broken m68k signal handling on 64 bit hosts

[Michael Roth]

From: Peter Maydell <peter.maydell@linaro.org>

The m68k signal frame setup code which writes the signal return
trampoline code to the stack was assuming that a 'long' was 32 bits;
on 64 bit systems this meant we would end up writing the 32 bit
(2 insn) trampoline sequence to retaddr+4,retaddr+6 instead of
the intended retaddr+0,retaddr+2, resulting in a guest crash when
it tried to execute the invalid zero-bytes at retaddr+0.
Fix by using uint32_t instead; also use uint16_t rather than short
for consistency. This fixes bug LP:1404690.

Reported-by: Michel Boaventura
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit 1669add752d9f29283f8ebf6a863d7b1e2d0f146)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/signal.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index e11b208..a324fd1 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -5091,7 +5091,7 @@ static void setup_frame(int sig, struct target_sigaction *ka,
     /* moveq #,d0; trap #0 */
 
     __put_user(0x70004e40 + (TARGET_NR_sigreturn << 16),
-                      (long *)(frame->retcode));
+                      (uint32_t *)(frame->retcode));
 
     /* Set up to return from userspace */
 
@@ -5225,8 +5225,8 @@ static void setup_rt_frame(int sig, struct target_sigaction *ka,
     /* moveq #,d0; notb d0; trap #0 */
 
     __put_user(0x70004600 + ((TARGET_NR_rt_sigreturn ^ 0xff) << 16),
-               (long *)(frame->retcode + 0));
-    __put_user(0x4e40, (short *)(frame->retcode + 4));
+               (uint32_t *)(frame->retcode + 0));
+    __put_user(0x4e40, (uint16_t *)(frame->retcode + 4));
 
     if (err)
         goto give_sigsegv;
-- 
1.9.1

[Qemu-devel] [PATCH 30/43] scsi: fix cancellation when I/O was completed but DMA was not.

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

Commit d577646 (scsi: Introduce scsi_req_cancel_complete, 2014-09-25)
was supposed to have no semantic change, but it missed a case.  When
r->aiocb has already been NULLed, but DMA was not complete and the
SCSI layer was waiting for scsi_req_continue, after the patch the
SCSI layer will not call the .cancel callback of SCSIBusInfo.

Fixes: d5776465ee9a55815792efa34d79de240f4ffd99
Cc: qemu-stable@nongnu.org
Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 488eef2f1d16c97cf7f9ebf644ecafa1ea1e9acc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-bus.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index 24f7b74..9b740a3 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1770,6 +1770,8 @@ void scsi_req_cancel(SCSIRequest *req)
     req->io_canceled = true;
     if (req->aiocb) {
         blk_aio_cancel(req->aiocb);
+    } else {
+        scsi_req_cancel_complete(req);
     }
 }
 
-- 
1.9.1

[Qemu-devel] [PATCH 31/43] target-i386: fix movntsd on big-endian hosts

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

This was accessing an XMM register's low half without going through XMM_Q.

Cc: qemu-stable@nongnu.org
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 07958082fdf39284935d38a5b8aec1fe7d020637)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/translate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index 782f7d2..269b885 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -3069,7 +3069,8 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
                 goto illegal_op;
             gen_lea_modrm(env, s, modrm);
             if (b1 & 1) {
-                gen_stq_env_A0(s, offsetof(CPUX86State, xmm_regs[reg]));
+                gen_stq_env_A0(s, offsetof(CPUX86State,
+                                           xmm_regs[reg].XMM_Q(0)));
             } else {
                 tcg_gen_ld32u_tl(cpu_T[0], cpu_env, offsetof(CPUX86State,
                     xmm_regs[reg].XMM_L(0)));
-- 
1.9.1

[Qemu-devel] [PATCH 32/43] vt82c686: avoid out-of-bounds read

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

superio_ioport_readb can read the 256th element of the array.
Coverity reports an out-of-bounds write in superio_ioport_writeb,
but it does not show the corresponding out-of-bounds read
because it cannot prove that it can happen.  Fix the root
cause of the problem (zhanghailang's patch instead fixes
the logic in superio_ioport_writeb).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 9feb8adeaa850d15b930c30f22c1ed2f2f695172)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/isa/vt82c686.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index e0c235c..a43e26d 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -36,7 +36,7 @@
 
 typedef struct SuperIOConfig
 {
-    uint8_t config[0xff];
+    uint8_t config[0x100];
     uint8_t index;
     uint8_t data;
 } SuperIOConfig;
-- 
1.9.1

[Qemu-devel] [PATCH 33/43] virtio: fix feature bit checks

[Michael Roth]

From: Cornelia Huck <cornelia.huck@de.ibm.com>

Several places check against the feature bit number instead of against
the feature bit. Fix them.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 91d5c57a2e98845c02cda026f3f6a88cb5e14225)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/virtio-scsi.c       | 2 +-
 hw/virtio/dataplane/vring.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index ef48550..a44c410 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -144,7 +144,7 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
      *
      * TODO: always disable this workaround for virtio 1.0 devices.
      */
-    if ((vdev->guest_features & VIRTIO_F_ANY_LAYOUT) == 0) {
+    if ((vdev->guest_features & (1 << VIRTIO_F_ANY_LAYOUT)) == 0) {
         req_size = req->elem.out_sg[0].iov_len;
         resp_size = req->elem.in_sg[0].iov_len;
     }
diff --git a/hw/virtio/dataplane/vring.c b/hw/virtio/dataplane/vring.c
index 61f6d83..78c6f45 100644
--- a/hw/virtio/dataplane/vring.c
+++ b/hw/virtio/dataplane/vring.c
@@ -133,12 +133,12 @@ bool vring_should_notify(VirtIODevice *vdev, Vring *vring)
      * interrupts. */
     smp_mb();
 
-    if ((vdev->guest_features & VIRTIO_F_NOTIFY_ON_EMPTY) &&
+    if ((vdev->guest_features & (1 << VIRTIO_F_NOTIFY_ON_EMPTY)) &&
         unlikely(vring->vr.avail->idx == vring->last_avail_idx)) {
         return true;
     }
 
-    if (!(vdev->guest_features & VIRTIO_RING_F_EVENT_IDX)) {
+    if (!(vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX))) {
         return !(vring->vr.avail->flags & VRING_AVAIL_F_NO_INTERRUPT);
     }
     old = vring->signalled_used;
-- 
1.9.1

[Qemu-devel] [PATCH 34/43] sb16: fix interrupt acknowledgement

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

SoundBlaster 16 emulation is very broken and consumes a lot of CPU, but a
small fix was suggested offlist and it is enough to fix some games.  I
got Epic Pinball to work with the "SoundBlaster Clone" option.

The processing of the interrupt register is wrong due to two missing
"not"s.  This causes the interrupt flag to remain set even after the
Acknowledge ports have been read (0x0e and 0x0f).

The line was introduced by commit 85571bc (audio merge (malc), 2004-11-07),
but the code might have been broken before because I did not look closely
at the huge patches from 10 years ago.

Reported-by: Joshua Bair <j_bair@bellsouth.net>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 9939375c282a0f97afa69dc6799d3c77aaf7d544)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/audio/sb16.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
index bda26d0..444eb9e 100644
--- a/hw/audio/sb16.c
+++ b/hw/audio/sb16.c
@@ -999,7 +999,7 @@ static IO_READ_PROTO (dsp_read)
         retval = (!s->out_data_len || s->highspeed) ? 0 : 0x80;
         if (s->mixer_regs[0x82] & 1) {
             ack = 1;
-            s->mixer_regs[0x82] &= 1;
+            s->mixer_regs[0x82] &= ~1;
             qemu_irq_lower (s->pic);
         }
         break;
@@ -1008,7 +1008,7 @@ static IO_READ_PROTO (dsp_read)
         retval = 0xff;
         if (s->mixer_regs[0x82] & 2) {
             ack = 1;
-            s->mixer_regs[0x82] &= 2;
+            s->mixer_regs[0x82] &= ~2;
             qemu_irq_lower (s->pic);
         }
         break;
-- 
1.9.1

[Qemu-devel] [PATCH 35/43] hw/input/hid.c Fix capslock hid code

[Michael Roth]

From: Dinar Valeev <dvaleev@suse.com>

When ever USB keyboard is used, e.g. '-usbdevice keyboard' pressing
caps lock key send 0x32 hid code, which is treated as backslash.
Instead it should be 0x39 code. This affects sending uppercase keys,
as they typed whith caps lock active.

While on x86 this can be workarounded by using ps/2 protocol. On
Power it is crusial as we don't have anything else than USB.

This is fixes guest automation tasts over vnc.

Signed-off-by: Dinar Valeev <dvaleev@suse.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0ee4de5840ccc1072459ec68062bfb63c888a94d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/input/hid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/input/hid.c b/hw/input/hid.c
index 148c003..58212a7 100644
--- a/hw/input/hid.c
+++ b/hw/input/hid.c
@@ -41,7 +41,7 @@ static const uint8_t hid_usage_keys[0x100] = {
     0x07, 0x09, 0x0a, 0x0b, 0x0d, 0x0e, 0x0f, 0x33,
     0x34, 0x35, 0xe1, 0x31, 0x1d, 0x1b, 0x06, 0x19,
     0x05, 0x11, 0x10, 0x36, 0x37, 0x38, 0xe5, 0x55,
-    0xe2, 0x2c, 0x32, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e,
+    0xe2, 0x2c, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e,
     0x3f, 0x40, 0x41, 0x42, 0x43, 0x53, 0x47, 0x5f,
     0x60, 0x61, 0x56, 0x5c, 0x5d, 0x5e, 0x57, 0x59,
     0x5a, 0x5b, 0x62, 0x63, 0x00, 0x00, 0x00, 0x44,
-- 
1.9.1

[Qemu-devel] [PATCH 36/43] target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT

[Michael Roth]

From: Peter Maydell <peter.maydell@linaro.org>

The LDT/STT (load/store unprivileged) instruction decode was using
the wrong MMU index value. This meant that instead of these insns
being "always access as if user-mode regardless of current privilege"
they were "always access as if kernel-mode regardless of current
privilege". This went unnoticed because AArch64 Linux doesn't use
these instructions.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
I'm not counting this as a security issue because I'm assuming
nobody treats TCG guests as a security boundary (certainly I
would not recommend doing so...)

(cherry picked from commit 949013ce111eb64f8bc81cf9a9f1cefd6a1678c3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/translate-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
index 80d2c07..97206aa 100644
--- a/target-arm/translate-a64.c
+++ b/target-arm/translate-a64.c
@@ -2107,7 +2107,7 @@ static void disas_ldst_reg_imm9(DisasContext *s, uint32_t insn)
         }
     } else {
         TCGv_i64 tcg_rt = cpu_reg(s, rt);
-        int memidx = is_unpriv ? 1 : get_mem_index(s);
+        int memidx = is_unpriv ? MMU_USER_IDX : get_mem_index(s);
 
         if (is_store) {
             do_gpr_st_memidx(s, tcg_rt, tcg_addr, size, memidx);
-- 
1.9.1

[Qemu-devel] [PATCH 37/43] vfio-pci: Fix missing unparent of dynamically allocated MemoryRegion

[Michael Roth]

From: Alex Williamson <alex.williamson@redhat.com>

Commit d8d95814609e added explicit object_unparent() calls for
dynamically allocated MemoryRegions.  The VFIOMSIXInfo structure also
contains such a MemoryRegion, covering the mmap'd region of a PCI BAR
above the MSI-X table.  This structure is freed as part of the class
exit function and therefore also needs an explicit object_unparent().
Failing to do this results in random segfaults due to fields within
the structure, often the class pointer, being reclaimed and corrupted
by the time object_finalize_child_property() is called for the object.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org # 2.2
(cherry picked from commit 3a4dbe6aa934370a92372528c1255ee1504965ee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/misc/vfio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index fd318a1..7bff62c 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -4049,6 +4049,7 @@ static void vfio_put_device(VFIODevice *vdev)
     DPRINTF("vfio_put_device: close vdev->fd\n");
     close(vdev->fd);
     if (vdev->msix) {
+        object_unparent(OBJECT(&vdev->msix->mmap_mem));
         g_free(vdev->msix);
         vdev->msix = NULL;
     }
-- 
1.9.1

[Qemu-devel] [PATCH 38/43] qemu-thread: fix qemu_event without futexes

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

This had a possible deadlock that was visible with rcutorture.

    qemu_event_set                    qemu_event_wait
    ----------------------------------------------------------------
                                      cmpxchg reads FREE, writes BUSY
                                      futex_wait: pthread_mutex_lock
                                      futex_wait: value == BUSY
    xchg reads BUSY, writes SET
    futex_wake: pthread_cond_broadcast
                                      futex_wait: pthread_cond_wait
                                      <deadlock>

The fix is simply to avoid condvar tricks and do the obvious locking
around pthread_cond_broadcast:

    qemu_event_set        qemu_event_wait
    ----------------------------------------------------------------
                                      cmpxchg reads FREE, writes BUSY
                                      futex_wait: pthread_mutex_lock
                                      futex_wait: value == BUSY
    xchg reads BUSY, writes SET
    futex_wake: pthread_mutex_lock
    (blocks)
                                      futex_wait: pthread_cond_wait
    (mutex unlocked)
    futex_wake: pthread_cond_broadcast
    futex_wake: pthread_mutex_unlock
                                      futex_wait: pthread_mutex_unlock

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 158ef8cbb7e0fe8bb430310924b8bebe5f186e6e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 util/qemu-thread-posix.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/qemu-thread-posix.c b/util/qemu-thread-posix.c
index d05a649..bb14ad4 100644
--- a/util/qemu-thread-posix.c
+++ b/util/qemu-thread-posix.c
@@ -306,11 +306,13 @@ static inline void futex_wait(QemuEvent *ev, unsigned val)
 #else
 static inline void futex_wake(QemuEvent *ev, int n)
 {
+    pthread_mutex_lock(&ev->lock);
     if (n == 1) {
         pthread_cond_signal(&ev->cond);
     } else {
         pthread_cond_broadcast(&ev->cond);
     }
+    pthread_mutex_unlock(&ev->lock);
 }
 
 static inline void futex_wait(QemuEvent *ev, unsigned val)
-- 
1.9.1

[Qemu-devel] [PATCH 39/43] libcacard: stop linking against every single 3rd party library

[Michael Roth]

From: "Daniel P. Berrange" <berrange@redhat.com>

Building QEMU results in a libcacard.so that links against
practically the entire world

	linux-vdso.so.1 =>  (0x00007fff71e99000)
	libssl3.so => /usr/lib64/libssl3.so (0x00007f49f94b6000)
	libsmime3.so => /usr/lib64/libsmime3.so (0x00007f49f928e000)
	libnss3.so => /usr/lib64/libnss3.so (0x00007f49f8f67000)
	libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f49f8d3b000)
	libplds4.so => /usr/lib64/libplds4.so (0x00007f49f8b36000)
	libplc4.so => /usr/lib64/libplc4.so (0x00007f49f8931000)
	libnspr4.so => /usr/lib64/libnspr4.so (0x00007f49f86f2000)
	libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007f49f84ed000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007f49f81e5000)
	libgthread-2.0.so.0 => /usr/lib64/libgthread-2.0.so.0 (0x00007f49f7fe3000)
	librt.so.1 => /usr/lib64/librt.so.1 (0x00007f49f7dda000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f49f7bc4000)
	libcap-ng.so.0 => /usr/lib64/libcap-ng.so.0 (0x00007f49f79be000)
	libuuid.so.1 => /usr/lib64/libuuid.so.1 (0x00007f49f77b8000)
	libgnutls.so.28 => /usr/lib64/libgnutls.so.28 (0x00007f49f749a000)
	libSDL-1.2.so.0 => /usr/lib64/libSDL-1.2.so.0 (0x00007f49f71fd000)
	libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007f49f6fe0000)
	libvte.so.9 => /usr/lib64/libvte.so.9 (0x00007f49f6d3f000)
	libXext.so.6 => /usr/lib64/libXext.so.6 (0x00007f49f6b2d000)
	libgtk-x11-2.0.so.0 => /usr/lib64/libgtk-x11-2.0.so.0 (0x00007f49f64a0000)
	libgdk-x11-2.0.so.0 => /usr/lib64/libgdk-x11-2.0.so.0 (0x00007f49f61de000)
	libpangocairo-1.0.so.0 => /usr/lib64/libpangocairo-1.0.so.0 (0x00007f49f5fd1000)
	libatk-1.0.so.0 => /usr/lib64/libatk-1.0.so.0 (0x00007f49f5daa000)
	libcairo.so.2 => /usr/lib64/libcairo.so.2 (0x00007f49f5a9d000)
	libgdk_pixbuf-2.0.so.0 => /usr/lib64/libgdk_pixbuf-2.0.so.0 (0x00007f49f5878000)
	libgio-2.0.so.0 => /usr/lib64/libgio-2.0.so.0 (0x00007f49f5500000)
	libpangoft2-1.0.so.0 => /usr/lib64/libpangoft2-1.0.so.0 (0x00007f49f52eb000)
	libpango-1.0.so.0 => /usr/lib64/libpango-1.0.so.0 (0x00007f49f50a0000)
	libgobject-2.0.so.0 => /usr/lib64/libgobject-2.0.so.0 (0x00007f49f4e4e000)
	libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007f49f4b15000)
	libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007f49f48d6000)
	libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007f49f462b000)
	libX11.so.6 => /usr/lib64/libX11.so.6 (0x00007f49f42e8000)
	libxenstore.so.3.0 => /usr/lib64/libxenstore.so.3.0 (0x00007f49f40de000)
	libxenctrl.so.4.4 => /usr/lib64/libxenctrl.so.4.4 (0x00007f49f3eb6000)
	libxenguest.so.4.4 => /usr/lib64/libxenguest.so.4.4 (0x00007f49f3c8b000)
	libseccomp.so.2 => /usr/lib64/libseccomp.so.2 (0x00007f49f3a74000)
	librdmacm.so.1 => /usr/lib64/librdmacm.so.1 (0x00007f49f385d000)
	libibverbs.so.1 => /usr/lib64/libibverbs.so.1 (0x00007f49f364a000)
	libutil.so.1 => /usr/lib64/libutil.so.1 (0x00007f49f3447000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007f49f3089000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f49f9902000)
	libp11-kit.so.0 => /usr/lib64/libp11-kit.so.0 (0x00007f49f2e23000)
	libtspi.so.1 => /usr/lib64/libtspi.so.1 (0x00007f49f2bb2000)
	libtasn1.so.6 => /usr/lib64/libtasn1.so.6 (0x00007f49f299f000)
	libnettle.so.4 => /usr/lib64/libnettle.so.4 (0x00007f49f276d000)
	libhogweed.so.2 => /usr/lib64/libhogweed.so.2 (0x00007f49f2545000)
	libgmp.so.10 => /usr/lib64/libgmp.so.10 (0x00007f49f22cd000)
	libncurses.so.5 => /usr/lib64/libncurses.so.5 (0x00007f49f20a5000)
	libtinfo.so.5 => /usr/lib64/libtinfo.so.5 (0x00007f49f1e7a000)
	libgmodule-2.0.so.0 => /usr/lib64/libgmodule-2.0.so.0 (0x00007f49f1c76000)
	libXfixes.so.3 => /usr/lib64/libXfixes.so.3 (0x00007f49f1a6f000)
	libXrender.so.1 => /usr/lib64/libXrender.so.1 (0x00007f49f1865000)
	libXinerama.so.1 => /usr/lib64/libXinerama.so.1 (0x00007f49f1662000)
	libXi.so.6 => /usr/lib64/libXi.so.6 (0x00007f49f1452000)
	libXrandr.so.2 => /usr/lib64/libXrandr.so.2 (0x00007f49f1247000)
	libXcursor.so.1 => /usr/lib64/libXcursor.so.1 (0x00007f49f103c000)
	libXcomposite.so.1 => /usr/lib64/libXcomposite.so.1 (0x00007f49f0e39000)
	libXdamage.so.1 => /usr/lib64/libXdamage.so.1 (0x00007f49f0c35000)
	libharfbuzz.so.0 => /usr/lib64/libharfbuzz.so.0 (0x00007f49f09dd000)
	libpixman-1.so.0 => /usr/lib64/libpixman-1.so.0 (0x00007f49f072f000)
	libEGL.so.1 => /usr/lib64/libEGL.so.1 (0x00007f49f0505000)
	libpng16.so.16 => /usr/lib64/libpng16.so.16 (0x00007f49f02d2000)
	libxcb-shm.so.0 => /usr/lib64/libxcb-shm.so.0 (0x00007f49f00cd000)
	libxcb-render.so.0 => /usr/lib64/libxcb-render.so.0 (0x00007f49efec3000)
	libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x00007f49efca1000)
	libGL.so.1 => /usr/lib64/libGL.so.1 (0x00007f49efa06000)
	libffi.so.6 => /usr/lib64/libffi.so.6 (0x00007f49ef7fe000)
	libselinux.so.1 => /usr/lib64/libselinux.so.1 (0x00007f49ef5d8000)
	libresolv.so.2 => /usr/lib64/libresolv.so.2 (0x00007f49ef3be000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f49ef193000)
	libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00007f49eef83000)
	libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007f49eed6c000)
	liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007f49eeb46000)
	libnl-route-3.so.200 => /usr/lib64/libnl-route-3.so.200 (0x00007f49ee8e2000)
	libnl-3.so.200 => /usr/lib64/libnl-3.so.200 (0x00007f49ee6c4000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f49ee2d6000)
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f49ee067000)
	libgraphite2.so.3 => /usr/lib64/libgraphite2.so.3 (0x00007f49ede48000)
	libX11-xcb.so.1 => /usr/lib64/libX11-xcb.so.1 (0x00007f49edc46000)
	libxcb-dri2.so.0 => /usr/lib64/libxcb-dri2.so.0 (0x00007f49eda41000)
	libxcb-xfixes.so.0 => /usr/lib64/libxcb-xfixes.so.0 (0x00007f49ed838000)
	libxcb-shape.so.0 => /usr/lib64/libxcb-shape.so.0 (0x00007f49ed634000)
	libgbm.so.1 => /usr/lib64/libgbm.so.1 (0x00007f49ed426000)
	libwayland-client.so.0 => /usr/lib64/libwayland-client.so.0 (0x00007f49ed217000)
	libwayland-server.so.0 => /usr/lib64/libwayland-server.so.0 (0x00007f49ed005000)
	libglapi.so.0 => /usr/lib64/libglapi.so.0 (0x00007f49ecddb000)
	libdrm.so.2 => /usr/lib64/libdrm.so.2 (0x00007f49ecbce000)
	libXau.so.6 => /usr/lib64/libXau.so.6 (0x00007f49ec9ca000)
	libxcb-glx.so.0 => /usr/lib64/libxcb-glx.so.0 (0x00007f49ec7b0000)
	libxcb-dri3.so.0 => /usr/lib64/libxcb-dri3.so.0 (0x00007f49ec5ad000)
	libxcb-present.so.0 => /usr/lib64/libxcb-present.so.0 (0x00007f49ec3aa000)
	libxcb-randr.so.0 => /usr/lib64/libxcb-randr.so.0 (0x00007f49ec19b000)
	libxcb-sync.so.1 => /usr/lib64/libxcb-sync.so.1 (0x00007f49ebf94000)
	libxshmfence.so.1 => /usr/lib64/libxshmfence.so.1 (0x00007f49ebd91000)
	libXxf86vm.so.1 => /usr/lib64/libXxf86vm.so.1 (0x00007f49ebb8a000)
	libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007f49eb91d000)
	libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00007f49eb6cf000)
	libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007f49eb3ec000)
	libcom_err.so.2 => /usr/lib64/libcom_err.so.2 (0x00007f49eb1e8000)
	libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007f49eafb4000)
	libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007f49eada5000)
	libkeyutils.so.1 => /usr/lib64/libkeyutils.so.1 (0x00007f49eaba0000)

All libcacard actually needs are the NSS libs. Linking against the entire
world is a regression caused by

  commit 9d171bd9375e4d08feff9adda15163e0811f5f42
  Author: Michael Tokarev <mjt@tls.msk.ru>
  Date:   Thu May 8 16:48:27 2014 +0400

    libcacard: remove libcacard-specific CFLAGS and LIBS from global vars

Which removed the setting of the LIBS variable in libcacard/Makefile.

Adding it back as an empty assignment brings the linked libs back to a more
reasonable set

	linux-vdso.so.1 =>  (0x00007fff575c1000)
	libssl3.so => /usr/lib64/libssl3.so (0x00007f7f753b1000)
	libsmime3.so => /usr/lib64/libsmime3.so (0x00007f7f75189000)
	libnss3.so => /usr/lib64/libnss3.so (0x00007f7f74e62000)
	libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f7f74c36000)
	libplds4.so => /usr/lib64/libplds4.so (0x00007f7f74a31000)
	libplc4.so => /usr/lib64/libplc4.so (0x00007f7f7482c000)
	libnspr4.so => /usr/lib64/libnspr4.so (0x00007f7f745ed000)
	libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007f7f743d0000)
	libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007f7f741cc000)
	libgthread-2.0.so.0 => /usr/lib64/libgthread-2.0.so.0 (0x00007f7f73fca000)
	libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00007f7f73c90000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007f7f738d3000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f7f736bd000)
	librt.so.1 => /usr/lib64/librt.so.1 (0x00007f7f734b4000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f7f757fd000)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Cc: <qemu-stable@nongnu.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b41112c46b93f781669c0eb89e51d3a87af6bb49)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 libcacard/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libcacard/Makefile b/libcacard/Makefile
index 0e7903f..b5eddff 100644
--- a/libcacard/Makefile
+++ b/libcacard/Makefile
@@ -19,6 +19,8 @@ vscclient$(EXESUF): libcacard/vscclient.o libcacard.la
 
 libcacard.la: LDFLAGS += -rpath $(libdir) -no-undefined \
 	-export-symbols $(SRC_PATH)/libcacard/libcacard.syms
+# Prevent libcacard.so linking against the entire world of 3rd party libs
+libcacard.la: LIBS =
 libcacard.la: $(libcacard-lobj-y)
 	$(call LINK,$^)
 
-- 
1.9.1

[Qemu-devel] [PATCH 40/43] fix mc146818rtc wrong subsection name to avoid vmstate_subsection_load() fail

[Michael Roth]

From: Zhang Haoyu <zhanghy@sangfor.com.cn>

fix mc146818rtc wrong subsection name to avoid vmstate_subsection_load() fail
during incoming migration or loadvm.

Signed-off-by: Zhang Haoyu <zhanghy@sangfor.com.cn>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit bb426311901776b95b021cece831b69dce4ef5ee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/timer/mc146818rtc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/timer/mc146818rtc.c b/hw/timer/mc146818rtc.c
index f18d128..9373e18 100644
--- a/hw/timer/mc146818rtc.c
+++ b/hw/timer/mc146818rtc.c
@@ -734,7 +734,7 @@ static int rtc_post_load(void *opaque, int version_id)
 }
 
 static const VMStateDescription vmstate_rtc_irq_reinject_on_ack_count = {
-    .name = "irq_reinject_on_ack_count",
+    .name = "mc146818rtc/irq_reinject_on_ack_count",
     .version_id = 1,
     .minimum_version_id = 1,
     .fields = (VMStateField[]) {
-- 
1.9.1

[Qemu-devel] [PATCH 41/43] block/iscsi: fix uninitialized variable

[Michael Roth]

From: Peter Wu <peter@lekensteyn.nl>

'ret' was never initialized in the success path.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit debfb917a4f9c0784772c86f110f2bcd22e5a14f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index ed375fc..12ddbfb 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -1286,7 +1286,7 @@ static int iscsi_open(BlockDriverState *bs, QDict *options, int flags,
     QemuOpts *opts;
     Error *local_err = NULL;
     const char *filename;
-    int i, ret;
+    int i, ret = 0;
 
     if ((BDRV_SECTOR_SIZE % 512) != 0) {
         error_setg(errp, "iSCSI: Invalid BDRV_SECTOR_SIZE. "
-- 
1.9.1

[Qemu-devel] [PATCH 42/43] qtest: Fix deadloop by running main loop AIO context's timers

[Michael Roth]

From: Fam Zheng <famz@redhat.com>

qemu_clock_run_timers() only takes care of main_loop_tlg, we shouldn't
forget aio timer list groups.

Currently, the qemu_clock_deadline_ns_all (a few lines above) counts all
the timergroups of this clock type, including aio tlg, but we don't fire
them, so they are never cleared, which makes a dead loop.

For example, this function hangs when trying to drive throttled block
request queue with qtest clock_step.

Signed-off-by: Fam Zheng <famz@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1421661103-29153-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit efef88b3d9ad4325172ed288032807fa88d683cc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 cpus.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cpus.c b/cpus.c
index 0c33458..ff555e2 100644
--- a/cpus.c
+++ b/cpus.c
@@ -372,15 +372,19 @@ static void icount_warp_rt(void *opaque)
 void qtest_clock_warp(int64_t dest)
 {
     int64_t clock = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+    AioContext *aio_context;
     assert(qtest_enabled());
+    aio_context = qemu_get_aio_context();
     while (clock < dest) {
         int64_t deadline = qemu_clock_deadline_ns_all(QEMU_CLOCK_VIRTUAL);
         int64_t warp = qemu_soonest_timeout(dest - clock, deadline);
+
         seqlock_write_lock(&timers_state.vm_clock_seqlock);
         timers_state.qemu_icount_bias += warp;
         seqlock_write_unlock(&timers_state.vm_clock_seqlock);
 
         qemu_clock_run_timers(QEMU_CLOCK_VIRTUAL);
+        timerlist_run_timers(aio_context->tlg.tl[QEMU_CLOCK_VIRTUAL]);
         clock = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
     }
     qemu_clock_notify(QEMU_CLOCK_VIRTUAL);
-- 
1.9.1

[Qemu-devel] [PATCH 43/43] exec: change default exception_index value for migration to -1

[Michael Roth]

From: Paolo Bonzini <pbonzini@redhat.com>

In QEMU 2.2 the exception_index value was added to the migration stream
through a subsection.  The default was set to 0, which is wrong and
should have been -1.

However, 2.2 does not have commit e511b4d (cpu-exec: reset exception_index
correctly, 2014-11-26), hence in 2.2 the exception_index is never used
and is set to -1 on the next call to cpu_exec.  So we can change the
migration stream to make the default -1.  The effects are:

- 2.2.1 -> 2.2.0: cpu->exception_index set incorrectly to 0 if it
were -1 on the source; then reset to -1 in cpu_exec.  This is TCG
only; KVM does not use exception_index.

- 2.2.0 -> 2.2.1: cpu->exception_index set incorrectly to -1 if it
were 0 on the source; but it would be reset to -1 in cpu_exec anyway.
This is TCG only; KVM does not use exception_index.

- 2.2.1 -> 2.1: two bugs fixed: 1) can migrate backwards if
cpu->exception_index is set to -1; 2) should not migrate backwards
(but 2.2.0 allows it) if cpu->exception_index is set to 0

- 2.2.0 -> 2.3.0: 2.2.0 will send the subsection unnecessarily if
exception_index is -1, but that is not a problem.  2.3.0 will set
cpu->exception_index to -1 if it is 0 on the source, but this would
be anyway a problem for 2.2.0 -> 2.2.x migration (due to lack of
commit e511b4d in 2.2.x) so we can ignore it

- 2.2.1 -> 2.3.0: everything works.

In addition, play it safe and never send the subsection unless TCG
is in use.  KVM does not use exception_index (PPC KVM stores values
in it for use in the subsequent call to ppc_cpu_do_interrupt, but
does not need it as soon as kvm_handle_debug returns).  Xen and
qtest do not run any code for the CPU at all.

Reported-by: Igor Mammedov <imammedo@redhat.com>
Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Tested-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1418989994-17244-3-git-send-email-pbonzini@redhat.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit adee64249ee37e822d578e65a765750e7f2081f6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/exec.c b/exec.c
index 71ac104..46fe70e 100644
--- a/exec.c
+++ b/exec.c
@@ -434,7 +434,7 @@ static int cpu_common_pre_load(void *opaque)
 {
     CPUState *cpu = opaque;
 
-    cpu->exception_index = 0;
+    cpu->exception_index = -1;
 
     return 0;
 }
@@ -443,7 +443,7 @@ static bool cpu_common_exception_index_needed(void *opaque)
 {
     CPUState *cpu = opaque;
 
-    return cpu->exception_index != 0;
+    return tcg_enabled() && cpu->exception_index != -1;
 }
 
 static const VMStateDescription vmstate_cpu_common_exception_index = {
-- 
1.9.1

Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 2.2.1, freeze on 2015-03-05

[Gonglei (Arei)]

> Subject: [Qemu-stable] Patch Round-up for stable 2.2.1, freeze on 2015-03-05
> 
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.2.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.2-staging
> 
> The release is planned for 2015-03-10:
> 
>   http://wiki.qemu.org/Planning/2.2
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.
> 
Hi, Michael

I think the update for ipxe rom should be considered to be included in this release.

commit c246cee4eedb17ae3932d699e009a8b63240235f
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Wed Dec 17 13:56:50 2014 +0100

    update ipxe from 69313ed to 35c5379

I had reported a bug about ipxe, and Gerd pulled the new ipxe version:
 [Question] about ipxe version update
 http://lists.nongnu.org/archive/html/qemu-devel/2014-12/msg00475.html

Ccing Gerd Hoffmann.

Regards,
-Gonglei

> Testing/feedback is greatly appreciated.
> 
> Thanks!
> 
> NOTE:
> 
> I also plan on including:
> 
>   6d4e4cb pc: acpi: fix WindowsXP BSOD when memory hotplug is enabled
> 
> However, the follow-up ACPI blob updates:
> 
>   e909c16 acpi: update generated hex files
>   215d8d1 acpi-test: update expected DSDT
> 
> Don't match what's generated by stable-2.2-staging, so I've backed
> it out for now while I figure out the best way to resolve this.
> 
> ----------------------------------------------------------------
> Alex Williamson (1):
>       vfio-pci: Fix missing unparent of dynamically allocated MemoryRegion
> 
> Cornelia Huck (1):
>       virtio: fix feature bit checks
> 
> Daniel P. Berrange (1):
>       libcacard: stop linking against every single 3rd party library
> 
> David Gibson (1):
>       PPC: Fix crash on spapr_tce_table_finalize()
> 
> Dinar Valeev (1):
>       hw/input/hid.c Fix capslock hid code
> 
> Fam Zheng (1):
>       qtest: Fix deadloop by running main loop AIO context's timers
> 
> Gary R Hook (1):
>       block migration: fix return value
> 
> Kevin Wolf (3):
>       qcow2: Fix header extension size check
>       qcow2.py: Add required padding for header extensions
>       block: Don't probe for unknown backing file format
> 
> Marcel Apfelbaum (1):
>       vl.c: fix regression when reading machine type from config file
> 
> Max Filippov (2):
>       target-xtensa: fix translation for opcodes crossing page boundary
>       target-xtensa: test cross-page opcode
> 
> Max Reitz (13):
>       block: Make essential BlockDriver objects public
>       block: Omit bdrv_find_format for essential drivers
>       block/vvfat: qcow driver may not be found
>       block/nfs: Add create_opts
>       block: Check create_opts before image creation
>       qemu-img: Check create_opts before image creation
>       qemu-img: Check create_opts before image amendment
>       iotests: Only kill NBD server if it runs
>       iotests: Add test for unsupported image creation
>       qcow2: Prevent numerical overflow
>       qcow2: Flushing the caches in qcow2_close may fail
>       qcow2: Respect bdrv_truncate() error
>       block/raw-posix: Fix ret in raw_open_common()
> 
> Paolo Bonzini (11):
>       linuxboot: fix loading old kernels
>       atomic: fix position of volatile qualifier
>       serial: reset thri_pending on IER writes with THRI=0
>       serial: refine serial_thr_ipending_needed
>       pckbd: set bits 2-3-6-7 of the output port by default
>       scsi: fix cancellation when I/O was completed but DMA was not.
>       target-i386: fix movntsd on big-endian hosts
>       vt82c686: avoid out-of-bounds read
>       sb16: fix interrupt acknowledgement
>       qemu-thread: fix qemu_event without futexes
>       exec: change default exception_index value for migration to -1
> 
> Peter Maydell (3):
>       audio: Don't free hw resources until after hw backend is stopped
>       linux-user: Fix broken m68k signal handling on 64 bit hosts
>       target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT
> 
> Peter Wu (1):
>       block/iscsi: fix uninitialized variable
> 
> Vladimir Sementsov-Ogievskiy (1):
>       migration/block: fix pending() return value
> 
> Zhang Haoyu (1):
>       fix mc146818rtc wrong subsection name to avoid
> vmstate_subsection_load() fail
> 
>  audio/audio_template.h        |   2 +-
>  block-migration.c             |  14 +++++++++++---
>  block.c                       |  36 ++++++++++++++++++++----------------
>  block/iscsi.c                 |   2 +-
>  block/nfs.c                   |  15 +++++++++++++++
>  block/qcow2-cluster.c         |   2 +- block/qcow2.c
> |  33 ++++++++++++++++++++++-----------
>  block/raw-posix.c             |   3 ++-
>  block/raw-win32.c             |   2 +-
>  block/raw_bsd.c               |   2 +-
>  block/vvfat.c                 |   6 ++++++
>  cpus.c                        |   4 ++++
>  exec.c                        |   4 ++--
>  hw/audio/sb16.c               |   4 ++--
>  hw/char/serial.c              |  31 +++++++++++++++++++++++++++----
>  hw/input/hid.c                |   2 +-
>  hw/input/pckbd.c              |  10 ++++++++--
>  hw/isa/vt82c686.c             |   2 +-
>  hw/misc/vfio.c                |   1 +
>  hw/ppc/spapr_iommu.c          |   6 +++---
>  hw/scsi/scsi-bus.c            |   2 ++
>  hw/scsi/virtio-scsi.c         |   2 +-
>  hw/timer/mc146818rtc.c        |   2 +-
>  hw/virtio/dataplane/vring.c   |   4 ++--
>  include/block/block_int.h     |   8 ++++++++
>  include/qemu/atomic.h         |   4 ++--
>  libcacard/Makefile            |   2 ++
>  linux-user/signal.c           |   6 +++---
>  pc-bios/linuxboot.bin         | Bin 1024 -> 1024 bytes
>  pc-bios/optionrom/linuxboot.S |  37 +++++++++++++++++++++++++++----------
>  qemu-img.c                    |  21 +++++++++++++++++++++
>  target-arm/translate-a64.c    |   2 +-
>  target-i386/translate.c       |   3 ++-
>  target-xtensa/translate.c     |  27 +++++++++++++++++++++++----
>  tests/qemu-iotests/026.out    | 120
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/qemu-iotests/071.out    |   8 ++++++++
>  tests/qemu-iotests/080        |   2 ++
>  tests/qemu-iotests/080.out    |   2 ++
>  tests/qemu-iotests/089.out    |   2 ++
>  tests/qemu-iotests/113        |  76
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++
>  tests/qemu-iotests/113.out    |  15 +++++++++++++++
>  tests/qemu-iotests/114        |  61
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/qemu-iotests/114.out    |  13 +++++++++++++
>  tests/qemu-iotests/common.rc  |   4 +++-
>  tests/qemu-iotests/group      |   2 ++
>  tests/qemu-iotests/qcow2.py   |   4 ++++
>  tests/tcg/xtensa/test_mmu.S   |  26 +++++++++++++-------------
>  util/qemu-thread-posix.c      |   2 ++
>  vl.c                          |  15 ++++++++-------
>  49 files changed, 556 insertions(+), 97 deletions(-)
>  create mode 100755 tests/qemu-iotests/113
>  create mode 100644 tests/qemu-iotests/113.out
>  create mode 100755 tests/qemu-iotests/114
>  create mode 100644 tests/qemu-iotests/114.out
> 

Re: [Qemu-devel] [PATCH 29/43] linux-user: Fix broken m68k signal handling on 64 bit hosts

[Laurent Vivier]

[-- Attachment #1: Type: text/plain, Size: 2307 bytes --]

Hi,
 
I think you should use abi_long instead of  uint32_t.
 
abi_long has an "aligned" attribute, and on m68k long are aligned on a short
boundary.
 

#ifdef TARGET_M68K
#define ABI_INT_ALIGNMENT 2
#define ABI_LONG_ALIGNMENT 2
#define ABI_LLONG_ALIGNMENT 2
#endif

typedef uint32_t abi_ulong __attribute__((aligned(ABI_LONG_ALIGNMENT)));

Regards,
Laurent

> Le 24 février 2015 à 22:48, Michael Roth <mdroth@linux.vnet.ibm.com> a écrit :
>
>
> From: Peter Maydell <peter.maydell@linaro.org>
>
> The m68k signal frame setup code which writes the signal return
> trampoline code to the stack was assuming that a 'long' was 32 bits;
> on 64 bit systems this meant we would end up writing the 32 bit
> (2 insn) trampoline sequence to retaddr+4,retaddr+6 instead of
> the intended retaddr+0,retaddr+2, resulting in a guest crash when
> it tried to execute the invalid zero-bytes at retaddr+0.
> Fix by using uint32_t instead; also use uint16_t rather than short
> for consistency. This fixes bug LP:1404690.
>
> Reported-by: Michel Boaventura
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
> (cherry picked from commit 1669add752d9f29283f8ebf6a863d7b1e2d0f146)
> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> ---
> linux-user/signal.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/linux-user/signal.c b/linux-user/signal.c
> index e11b208..a324fd1 100644
> --- a/linux-user/signal.c
> +++ b/linux-user/signal.c
> @@ -5091,7 +5091,7 @@ static void setup_frame(int sig, struct target_sigaction
> *ka,
> /* moveq #,d0; trap #0 */
>
> __put_user(0x70004e40 + (TARGET_NR_sigreturn << 16),
> - (long *)(frame->retcode));
> + (uint32_t *)(frame->retcode));
>
> /* Set up to return from userspace */
>
> @@ -5225,8 +5225,8 @@ static void setup_rt_frame(int sig, struct
> target_sigaction *ka,
> /* moveq #,d0; notb d0; trap #0 */
>
> __put_user(0x70004600 + ((TARGET_NR_rt_sigreturn ^ 0xff) << 16),
> - (long *)(frame->retcode + 0));
> - __put_user(0x4e40, (short *)(frame->retcode + 4));
> + (uint32_t *)(frame->retcode + 0));
> + __put_user(0x4e40, (uint16_t *)(frame->retcode + 4));
>
> if (err)
> goto give_sigsegv;
> --
> 1.9.1
>
>

[-- Attachment #2: Type: text/html, Size: 3945 bytes --]

Re: [Qemu-devel] Patch Round-up for stable 2.2.1, freeze on 2015-03-05

[Leon Alrae]

Hi Michael,

On 24/02/2015 21:47, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.2.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.2-staging
> 
> The release is planned for 2015-03-10:
> 
>   http://wiki.qemu.org/Planning/2.2
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.

Please include this commit which fixes a regression:

b40a153 target-mips: fix broken snapshotting

Thanks,
Leon

Re: [Qemu-devel] [PATCH 29/43] linux-user: Fix broken m68k signal handling on 64 bit hosts

[Peter Maydell]

On 25 February 2015 at 17:39, Laurent Vivier <laurent@vivier.eu> wrote:
> Hi,
>
> I think you should use abi_long instead of  uint32_t.
>
> abi_long has an "aligned" attribute, and on m68k long are aligned on a short
> boundary.
>
>
> #ifdef TARGET_M68K
> #define ABI_INT_ALIGNMENT 2
> #define ABI_LONG_ALIGNMENT 2
> #define ABI_LLONG_ALIGNMENT 2
> #endif
>
> typedef uint32_t abi_ulong __attribute__((aligned(ABI_LONG_ALIGNMENT)));

In this instance it doesn't matter because get_sigframe() aligns
the pointer we're going to write the sigframe to, and the elements
in the struct before retcode[] won't make it worse than 4-aligned,
I think?

-- PMM

Re: [Qemu-devel] [PATCH 29/43] linux-user: Fix broken m68k signal handling on 64 bit hosts

[Laurent Vivier]

[-- Attachment #1: Type: text/plain, Size: 990 bytes --]


> Le 25 février 2015 à 12:28, Peter Maydell <peter.maydell@linaro.org> a écrit :
>
>
> On 25 February 2015 at 17:39, Laurent Vivier <laurent@vivier.eu> wrote:
> > Hi,
> >
> > I think you should use abi_long instead of uint32_t.
> >
> > abi_long has an "aligned" attribute, and on m68k long are aligned on a short
> > boundary.
> >
> >
> > #ifdef TARGET_M68K
> > #define ABI_INT_ALIGNMENT 2
> > #define ABI_LONG_ALIGNMENT 2
> > #define ABI_LLONG_ALIGNMENT 2
> > #endif
> >
> > typedef uint32_t abi_ulong __attribute__((aligned(ABI_LONG_ALIGNMENT)));
>
> In this instance it doesn't matter because get_sigframe() aligns
> the pointer we're going to write the sigframe to, and the elements
> in the struct before retcode[] won't make it worse than 4-aligned,
> I think?

Yes, I agree. But the aim of the abi_* types is to define the target ABI. Thus,
for consistency it should better to use the abi_long (or abi_ulong) instead of
uint32_t.
 
Regards,
Laurent

[-- Attachment #2: Type: text/html, Size: 2154 bytes --]

Re: [Qemu-devel] [PATCH 29/43] linux-user: Fix broken m68k signal handling on 64 bit hosts

[Peter Maydell]

On 25 February 2015 at 20:58, Laurent Vivier <laurent@vivier.eu> wrote:
>
>> Le 25 février 2015 à 12:28, Peter Maydell <peter.maydell@linaro.org> a
>> écrit :
>>
>>
>> On 25 February 2015 at 17:39, Laurent Vivier <laurent@vivier.eu> wrote:
>> > Hi,
>> >
>> > I think you should use abi_long instead of uint32_t.
>> >
>> > abi_long has an "aligned" attribute, and on m68k long are aligned on a
>> > short
>> > boundary.
>> >
>> >
>> > #ifdef TARGET_M68K
>> > #define ABI_INT_ALIGNMENT 2
>> > #define ABI_LONG_ALIGNMENT 2
>> > #define ABI_LLONG_ALIGNMENT 2
>> > #endif
>> >
>> > typedef uint32_t abi_ulong __attribute__((aligned(ABI_LONG_ALIGNMENT)));
>>
>> In this instance it doesn't matter because get_sigframe() aligns
>> the pointer we're going to write the sigframe to, and the elements
>> in the struct before retcode[] won't make it worse than 4-aligned,
>> I think?
>
> Yes, I agree. But the aim of the abi_* types is to define the target ABI.
> Thus, for consistency it should better to use the abi_long (or abi_ulong)
> instead of uint32_t.

Well, strictly speaking this is writing instructions into a
byte array rather than ABI longs, so it ought to do it
byte-at-a-time to respect the definition of the struct.
Anyway, if you want to submit a patch I don't object.

-- PMM