qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12
@ 2016-08-08 21:03 Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable Michael Roth
                   ` (58 more replies)
  0 siblings, 59 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Hi everyone,

The following new patches are queued for QEMU stable v2.6.1:

  https://github.com/mdroth/qemu/commits/stable-2.6-staging

The release is planned for 2016-08-17:

  http://wiki.qemu.org/Planning/2.6

Please respond here or CC qemu-stable@nongnu.org on any patches you
think should be included in the release.

Testing/feedback is greatly appreciated.

Thanks!

----------------------------------------------------------------
Alberto Garcia (2):
      blockdev: Fix regression with the default naming of throttling groups
      qemu-iotests: Test naming of throttling groups

Alex Williamson (1):
      vfio/pci: Fix VGA quirks

Artyom Tarasenko (1):
      target-sparc: fix register corruption in ldstub if there is no write permission

Aurelien Jarno (1):
      target-mips: fix call to memset in soft reset code

Daniel P. Berrange (2):
      io: remove mistaken call to object_ref on QTask
      ui: fix regression in printing VNC host/port on startup

Dave Hansen (1):
      target-i386: fix typo in xsetbv implementation

David Hildenbrand (1):
      s390x/ipl: fix reboots for migration from different bios

Dominik Dingel (1):
      exec.c: Ensure right alignment also for file backed ram

Eric Blake (7):
      json-streamer: Don't leak tokens on incomplete parse
      nbd: Don't trim unrequested bytes
      qapi: Fix crash on missing alternate member of QAPI struct
      nbd: Allow larger requests
      scsi: Advertise limits by blocksize, not 512
      nbd: More debug typo fixes, use correct formats
      nbd: Limit nbdflags to 16 bits

Fam Zheng (3):
      block: Drop bdrv_ioctl_bh_cb
      scsi-generic: Merge block max xfer len in INQUIRY response
      util: Fix MIN_NON_ZERO

Gavin Shan (1):
      vfio: Fix broken EEH

Gerd Hoffmann (6):
      spice/gl: add & use qemu_spice_gl_monitor_config
      vga: add sr_vbe register set
      vmsvga: move fifo sanity checks to vmsvga_fifo_length
      vmsvga: add more fifo checks
      vmsvga: shadow fifo registers
      vmsvga: don't process more than 1024 fifo commands at once

Greg Kurz (2):
      migration: regain control of images when migration fails to complete
      savevm: fail if migration blockers are present

Hemant Kumar (1):
      tools: kvm_stat: Powerpc related fixes

John Snow (1):
      ide: fix halted IO segfault at reset

Kevin Wolf (1):
      backup: Don't leak BackupBlockJob in error path

Li Zhijian (1):
      vl: change runstate only if new state is different from current state

Lin Ma (1):
      pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c

Max Reitz (1):
      qcow2: Avoid making the L1 table too big

Michael S. Tsirkin (3):
      virtio: set low features early on load
      Revert "virtio-net: unbreak self announcement and guest offloads after migration"
      pcie: fix link active status bit migration

Paolo Bonzini (2):
      target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
      json-streamer: fix double-free on exiting during a parse

Peter Lieven (4):
      block/nfs: refuse readahead if cache.direct is on
      block/iscsi: avoid potential overflow of acb->task->cdb
      net: fix qemu_announce_self not emitting packets
      block/iscsi: fix rounding in iscsi_allocationmap_set

Peter Maydell (1):
      nbd: Don't use *_to_cpup() functions

Prasad J Pandit (5):
      i386: kvmvapic: initialise imm32 variable
      esp: check command buffer length before write(CVE-2016-4439)
      esp: check dma length before reading scsi command(CVE-2016-4441)
      scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
      scsi: mptsas: infinite loop while fetching requests

Roman Kagan (1):
      usb:xhci: no DMA on HC reset

Stefan Hajnoczi (1):
      virtio: error out if guest exceeds virtqueue size

Stefan Weil (2):
      configure: Allow builds with extra warnings
      Fix some typos found by codespell

Steven Luo (1):
      Fix configure test for PBKDF2 in nettle

Thomas Huth (1):
      usb/ohci: Fix crash with when specifying too many num-ports

 audio/mixeng.c                          |  2 +-
 audio/ossaudio.c                        |  2 +-
 block/backup.c                          |  7 ++-
 block/io.c                              | 20 +------
 block/iscsi.c                           | 15 ++++-
 block/nbd-client.c                      |  4 --
 block/nbd-client.h                      |  2 +-
 block/nfs.c                             | 20 +++++--
 block/qcow2-cluster.c                   |  3 +-
 blockdev.c                              |  9 ++-
 configure                               |  3 +-
 contrib/ivshmem-server/ivshmem-server.h |  2 +-
 docs/specs/rocker.txt                   |  2 +-
 docs/throttle.txt                       |  2 +-
 exec.c                                  |  5 +-
 hw/display/vga.c                        | 50 +++++++++--------
 hw/display/vga_int.h                    |  1 +
 hw/display/vmware_vga.c                 | 78 +++++++++++++-------------
 hw/i2c/imx_i2c.c                        |  2 +-
 hw/i386/kvm/pci-assign.c                |  4 --
 hw/i386/kvmvapic.c                      |  2 +-
 hw/i386/pci-assign-load-rom.c           |  3 +
 hw/ide/core.c                           |  1 +
 hw/net/virtio-net.c                     | 40 ++++++--------
 hw/net/vmxnet3.c                        |  4 +-
 hw/pci/msi.c                            |  2 +-
 hw/pci/pci.c                            |  2 +
 hw/pci/pci_bridge.c                     |  2 +-
 hw/pci/pcie.c                           | 15 ++++-
 hw/s390x/ipl.c                          | 11 +++-
 hw/s390x/ipl.h                          |  2 +
 hw/scsi/esp.c                           | 17 ++++--
 hw/scsi/mptsas.c                        |  9 ++-
 hw/scsi/scsi-generic.c                  | 13 +++++
 hw/scsi/spapr_vscsi.c                   |  2 +-
 hw/scsi/vmw_pvscsi.c                    | 26 +++++++--
 hw/timer/a9gtimer.c                     |  2 +-
 hw/timer/aspeed_timer.c                 |  4 +-
 hw/usb/hcd-ohci.c                       |  6 ++
 hw/usb/hcd-xhci.c                       |  5 +-
 hw/vfio/common.c                        |  2 +-
 hw/vfio/pci-quirks.c                    |  8 +--
 hw/vfio/pci.h                           |  1 -
 hw/virtio/virtio.c                      | 15 +++++
 include/block/nbd.h                     |  7 ++-
 include/crypto/random.h                 |  2 +-
 include/hw/compat.h                     |  4 ++
 include/hw/pci/pci.h                    |  3 +
 include/hw/xen/xen_common.h             |  2 +-
 include/io/task.h                       |  2 +-
 include/migration/migration.h           |  1 +
 include/qemu/osdep.h                    | 18 +++++-
 include/ui/spice-display.h              |  1 +
 io/channel-websock.c                    |  3 +-
 kvm-all.c                               |  2 +-
 migration/migration.c                   | 40 +++++++++++---
 migration/ram.c                         |  2 +-
 migration/savevm.c                      |  2 +-
 nbd/client.c                            | 73 ++++++++++++------------
 nbd/server.c                            | 88 ++++++++++++++++-------------
 net/net.c                               |  2 +-
 qemu-nbd.c                              |  8 +--
 qga/channel-win32.c                     |  2 +-
 qga/commands.c                          |  4 +-
 qobject/json-streamer.c                 | 14 ++++-
 scripts/checkpatch.pl                   |  2 +-
 scripts/kvm/kvm_stat                    |  2 +
 scripts/qapi-visit.py                   |  6 ++
 slirp/socket.c                          |  2 +-
 target-cris/translate.c                 |  4 +-
 target-cris/translate_v10.c             |  2 +-
 target-i386/cpu.c                       |  2 +-
 target-i386/cpu.h                       |  2 +-
 target-i386/translate.c                 |  7 ++-
 target-mips/helper.c                    |  2 +-
 target-mips/op_helper.c                 |  2 +-
 target-sparc/translate.c                |  5 +-
 target-tricore/translate.c              |  2 +-
 tcg/README                              |  2 +-
 tests/qemu-iotests/093                  | 98 +++++++++++++++++++++++++++++++++
 tests/qemu-iotests/093.out              |  4 +-
 tests/tcg/cris/check_addo.c             | 14 ++---
 tests/test-qmp-input-visitor.c          | 14 +++++
 trace/simple.c                          |  4 +-
 ui/cocoa.m                              |  2 +-
 ui/spice-display.c                      | 30 ++++++++++
 ui/vnc.c                                |  2 +-
 util/oslib-posix.c                      | 13 -----
 util/timed-average.c                    |  4 +-
 vl.c                                    |  4 ++
 90 files changed, 628 insertions(+), 310 deletions(-)


* [Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 02/56] spice/gl: add & use qemu_spice_gl_monitor_config Michael Roth
                   ` (57 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Prasad J Pandit, Paolo Bonzini

From: Prasad J Pandit <pjp@fedoraproject.org>

When processing Task Priority Register (TPR) access, it could leak
the automatic stack variable 'imm32' in patch_instruction().
Initialise the variable to avoid it.

Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvmvapic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index c69f374..ff1e31a 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
     CPUX86State *env = &cpu->env;
     VAPICHandlers *handlers;
     uint8_t opcode[2];
-    uint32_t imm32;
+    uint32_t imm32 = 0;
     target_ulong current_pc = 0;
     target_ulong current_cs_base = 0;
     int current_flags = 0;
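Review bot: Zero-initialising imm32 silences the uninitialised read, but the hunk does not show which path in patch_instruction() leaves it unassigned, so a reader cannot tell whether 0 is a correct immediate for that path or merely a deterministic one; a one-line comment on the declaration (or an explicit bail-out on the opcode that skips the assignment) would make the fix self-documenting.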
-- 
1.9.1


* [Qemu-devel] [PATCH 02/56] spice/gl: add & use qemu_spice_gl_monitor_config
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 03/56] vl: change runstate only if new state is different from current state Michael Roth
                   ` (56 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann

From: Gerd Hoffmann <kraxel@redhat.com>

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/ui/spice-display.h |  1 +
 ui/spice-display.c         | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
index 30ccfe3..568b64a 100644
--- a/include/ui/spice-display.h
+++ b/include/ui/spice-display.h
@@ -71,6 +71,7 @@ typedef struct QXLCookie {
             QXLRect area;
             int redraw;
         } render;
+        void *data;
     } u;
 } QXLCookie;
 
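Review bot: `void *data` is an untyped union member with no comment on what it points to or who frees it; the only producer in this series stores a QXLMonitorsConfig for QXL_IO_MONITORS_CONFIG_ASYNC, so either type it as `QXLMonitorsConfig *` or add a comment naming the owner, otherwise the next cookie type that reuses `data` has nothing telling it the payload is g_free()d on completion.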
diff --git a/ui/spice-display.c b/ui/spice-display.c
index 242ab5f..2a77a54 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
         qemu_bh_schedule(ssd->gl_unblock_bh);
         break;
     }
+    case QXL_COOKIE_TYPE_IO:
+        if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) {
+            g_free(cookie->u.data);
+        }
+        break;
 #endif
     default:
         /* should never be called, used in qxl native mode only */
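Review bot: The new `case QXL_COOKIE_TYPE_IO` frees only `cookie->u.data`, and only for QXL_IO_MONITORS_CONFIG_ASYNC; any other io value reaching this case silently does nothing, and the QXLCookie allocated by qxl_cookie_new() is not released in the visible lines. If the code after the switch frees the cookie, a comment saying so would stop this reading as a leak; if it does not, the cookie leaks on every monitors-config completion.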
@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops = {
 
 #ifdef HAVE_SPICE_GL
 
+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd,
+                                         int x, int y, int w, int h)
+{
+    QXLMonitorsConfig *config;
+    QXLCookie *cookie;
+
+    config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead));
+    config->count = 1;
+    config->max_allowed = 1;
+    config->heads[0].x = x;
+    config->heads[0].y = y;
+    config->heads[0].width = w;
+    config->heads[0].height = h;
+    cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+                            QXL_IO_MONITORS_CONFIG_ASYNC);
+    cookie->u.data = config;
+
+    spice_qxl_monitors_config_async(&ssd->qxl,
+                                    (uintptr_t)config,
+                                    MEMSLOT_GROUP_HOST,
+                                    (uintptr_t)cookie);
+}
+
 static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block)
 {
     uint64_t timeout;
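Review bot: `g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead))` relies on `heads` being a flexible array member at the end of QXLMonitorsConfig; that is the spice-protocol layout, but a comment would spare the next reader the lookup. The buffer is handed to spice_qxl_monitors_config_async() as a host pointer under MEMSLOT_GROUP_HOST and is only freed from the completion callback, so it must never be freed or reused here, and if a completion never arrives the allocation is simply lost.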
@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener *dcl,
                          surface_width(ssd->ds),
                          surface_height(ssd->ds),
                          stride, fourcc, y_0_top);
+
+    qemu_spice_gl_monitor_config(ssd, x, y, w, h);
 }
 
 static void qemu_spice_gl_update(DisplayChangeListener *dcl,
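Review bot: qemu_spice_gl_monitor_config() is called unconditionally on every scanout, which allocates a new config and issues a monitors-config update even when x, y, w and h are unchanged from the previous call; caching the last geometry and skipping identical updates would avoid an allocation and an async round-trip per scanout.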
-- 
1.9.1


* [Qemu-devel] [PATCH 03/56] vl: change runstate only if new state is different from current state
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 02/56] spice/gl: add & use qemu_spice_gl_monitor_config Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 04/56] tools: kvm_stat: Powerpc related fixes Michael Roth
                   ` (55 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Li Zhijian, Paolo Bonzini

From: Li Zhijian <lizhijian@cn.fujitsu.com>

Previously, qemu would abort in the following scenario:
(qemu) stop
(qemu) system_reset
(qemu) system_reset
(qemu) 2016-04-13T20:54:38.979158Z qemu-system-x86_64: invalid runstate transition: 'prelaunch' -> 'prelaunch'

Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1460604352-18630-1-git-send-email-lizhijian@cn.fujitsu.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e92a2d9cb3d8f589c9fe5d2eacc83d8dddea0e16)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 vl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/vl.c b/vl.c
index 5fd22cb..5db5dc2 100644
--- a/vl.c
+++ b/vl.c
@@ -692,6 +692,10 @@ void runstate_set(RunState new_state)
 {
     assert(new_state < RUN_STATE__MAX);
 
+    if (current_run_state == new_state) {
+        return;
+    }
+
     if (!runstate_valid_transitions[current_run_state][new_state]) {
         error_report("invalid runstate transition: '%s' -> '%s'",
                      RunState_lookup[current_run_state],
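Review bot: The early return makes same-state transitions succeed silently for every state, not just 'prelaunch', so the diagonal of runstate_valid_transitions is never consulted any more; that is reasonable, and the assert correctly stays above the new check so an out-of-range new_state is still caught, but a short comment explaining that a repeated system_reset on a stopped guest legitimately requests the current state twice would help future readers.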
-- 
1.9.1

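A table-driven run-state machine in the style of vl.c's runstate_set(), added here as an example (it is not QEMU's code): it reproduces the "stop; system_reset; system_reset" sequence from the commit message and shows why the same-state short-circuit is needed. The states, the transition table and the assumption that system_reset moves a stopped guest to prelaunch are constructed for the example; the function returns -1 where vl.c aborts.

```c
/* Added example, not QEMU's code: a minimal runstate_set() with a
 * validity table whose diagonal is false, plus the same-state fix. */
#include <stdbool.h>
#include <stdio.h>

enum run_state { RS_PRELAUNCH, RS_RUNNING, RS_PAUSED, RS_MAX };

static const char *const run_state_name[RS_MAX] = {
    "prelaunch", "running", "paused",
};

/* valid_transition[from][to]: constructed table. No state lists itself
 * as reachable from itself, which is what makes 'prelaunch' -> 'prelaunch'
 * invalid without the shortcut. */
static const bool valid_transition[RS_MAX][RS_MAX] = {
    [RS_PRELAUNCH] = { [RS_RUNNING] = true },
    [RS_RUNNING]   = { [RS_PAUSED] = true, [RS_PRELAUNCH] = true },
    [RS_PAUSED]    = { [RS_RUNNING] = true, [RS_PRELAUNCH] = true },
};

struct machine {
    enum run_state state;
    bool allow_same_state;   /* the fix: accept next == current without lookup */
};

/* Returns 0 on success, -1 where vl.c would report and abort. */
static int runstate_set(struct machine *m, enum run_state next)
{
    if (next >= RS_MAX) {
        return -1;                       /* vl.c asserts here */
    }
    if (m->allow_same_state && m->state == next) {
        return 0;                        /* nothing to do, nothing to validate */
    }
    if (!valid_transition[m->state][next]) {
        fprintf(stderr, "invalid runstate transition: '%s' -> '%s'\n",
                run_state_name[m->state], run_state_name[next]);
        return -1;
    }
    m->state = next;
    return 0;
}

/* Single transition from a chosen starting state; returns runstate_set()'s result. */
static int try_transition(enum run_state from, enum run_state to, bool with_fix)
{
    struct machine m = { from, with_fix };
    return runstate_set(&m, to);
}

/* Replay the monitor sequence: guest running, "stop", then two
 * "system_reset"s (assumed to move a stopped guest to prelaunch).
 * Returns the result of the second reset. */
static int replay_double_reset(bool with_fix)
{
    struct machine m = { RS_RUNNING, with_fix };
    if (runstate_set(&m, RS_PAUSED) != 0) {       /* stop */
        return -1;
    }
    if (runstate_set(&m, RS_PRELAUNCH) != 0) {    /* system_reset */
        return -1;
    }
    return runstate_set(&m, RS_PRELAUNCH);        /* system_reset again */
}

int main(void)
{
    printf("without fix: %d\n", replay_double_reset(false));
    printf("with fix:    %d\n", replay_double_reset(true));
    return 0;
}
```

The point of the shortcut is that it runs before the table lookup, so the table never needs to enumerate self-transitions; the range assert still guards against a bogus state index before either check.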

* [Qemu-devel] [PATCH 04/56] tools: kvm_stat: Powerpc related fixes
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (2 preceding siblings ...)
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 03/56] vl: change runstate only if new state is different from current state Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 05/56] exec.c: Ensure right alignment also for file backed ram Michael Roth
                   ` (54 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Hemant Kumar, Paolo Bonzini

From: Hemant Kumar <hemant@linux.vnet.ibm.com>

The kvm_stat script fails to execute on powerpc:
 # ./kvm_stat
Traceback (most recent call last):
  File "./kvm_stat", line 825, in <module>
    main()
  File "./kvm_stat", line 813, in main
    providers = get_providers(options)
  File "./kvm_stat", line 778, in get_providers
    providers.append(TracepointProvider())
  File "./kvm_stat", line 416, in __init__
    self.filters = get_filters()
  File "./kvm_stat", line 315, in get_filters
    if ARCH.exit_reasons:
AttributeError: 'ArchPPC' object has no attribute 'exit_reasons'

This is because it is trying to access an undefined attribute.

Also, the IOCTL number of RESET is incorrect for powerpc. The correct
number has been added.

Signed-off-by: Hemant Kumar <hemant@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* cherry-picked from linux commit c7d4fb5a
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/kvm/kvm_stat | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/kvm/kvm_stat b/scripts/kvm/kvm_stat
index 769d884..27d217a 100755
--- a/scripts/kvm/kvm_stat
+++ b/scripts/kvm/kvm_stat
@@ -256,11 +256,13 @@ class ArchPPC(Arch):
         self.ioctl_numbers = IOCTL_NUMBERS
         self.ioctl_numbers['ENABLE'] = 0x20002400
         self.ioctl_numbers['DISABLE'] = 0x20002401
+        self.ioctl_numbers['RESET'] = 0x20002403
 
         # PPC comes in 32 and 64 bit and some generated ioctl
         # numbers depend on the wordsize.
         char_ptr_size = ctypes.sizeof(ctypes.c_char_p)
         self.ioctl_numbers['SET_FILTER'] = 0x80002406 | char_ptr_size << 16
+        self.exit_reasons = {}
 
 class ArchA64(Arch):
     def __init__(self):
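Review bot: 0x20002403 is a magic number like the ENABLE/DISABLE values above it; a comment pointing at PERF_EVENT_IOC_RESET = _IO('$', 3) and PowerPC's _IOC_NONE = 1 << 29 would let a reviewer verify it without recomputing. `self.exit_reasons = {}` fixes the AttributeError by giving get_filters() a falsy dict, which is correct, but it sits after the SET_FILTER computation it has nothing to do with; defining the default once in the base Arch class would cover every architecture instead of patching ArchPPC alone.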
-- 
1.9.1

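The PPC ioctl numbers in this patch are hard-coded, so here is an added example (not kvm_stat's or the kernel's code) that rebuilds them from the Linux _IOC() bit layout: the generic asm-generic/ioctl.h packing versus PowerPC's, which uses a 13-bit size field and encodes "no direction" as 1. It shows why the same PERF_EVENT_IOC_* requests differ between x86 and PPC and why SET_FILTER depends on the pointer size. The layout constants are the kernel's; the struct and function names are this example's own.

```c
/* Added example, not QEMU's or the kernel's code: derive the perf_event
 * ioctl request numbers that scripts/kvm/kvm_stat hard-codes for PPC. */
#include <stdint.h>
#include <stdio.h>

/* One ioctl number layout: nr | type | size | dir, packed low to high.
 * nr and type are always 8 bits; size and dir widths/encodings vary. */
struct ioc_layout {
    unsigned size_bits;   /* width of the size field */
    unsigned dir_none;    /* encoding of "no data transfer" */
    unsigned dir_write;   /* encoding of "userspace writes to kernel" */
    unsigned dir_read;    /* encoding of "kernel writes to userspace" */
};

static const struct ioc_layout ioc_generic = { 14, 0, 1, 2 }; /* x86, arm, ... */
static const struct ioc_layout ioc_ppc     = { 13, 1, 4, 2 }; /* arch/powerpc */

static uint32_t ioc(const struct ioc_layout *l, unsigned dir,
                    unsigned type, unsigned nr, unsigned size)
{
    const unsigned nr_bits = 8, type_bits = 8;
    unsigned type_shift = nr_bits;
    unsigned size_shift = type_shift + type_bits;          /* 16 */
    unsigned dir_shift = size_shift + l->size_bits;        /* 30 generic, 29 ppc */
    return ((uint32_t)dir << dir_shift) | ((uint32_t)size << size_shift) |
           ((uint32_t)type << type_shift) | nr;
}

/* PERF_EVENT_IOC_ENABLE/DISABLE/RESET are _IO('$', 0/1/3) and
 * PERF_EVENT_IOC_SET_FILTER is _IOW('$', 6, char *); '$' is 0x24. */
#define PERF_IOC_TYPE '$'

static uint32_t perf_ioc_enable(const struct ioc_layout *l)
{
    return ioc(l, l->dir_none, PERF_IOC_TYPE, 0, 0);
}

static uint32_t perf_ioc_disable(const struct ioc_layout *l)
{
    return ioc(l, l->dir_none, PERF_IOC_TYPE, 1, 0);
}

static uint32_t perf_ioc_reset(const struct ioc_layout *l)
{
    return ioc(l, l->dir_none, PERF_IOC_TYPE, 3, 0);
}

/* SET_FILTER carries a char * by value, so the size field is the pointer
 * width of the calling process: 4 on ppc32, 8 on ppc64 (kvm_stat's
 * ctypes.sizeof(ctypes.c_char_p)). */
static uint32_t perf_ioc_set_filter(const struct ioc_layout *l, unsigned ptr_size)
{
    return ioc(l, l->dir_write, PERF_IOC_TYPE, 6, ptr_size);
}

int main(void)
{
    printf("ppc   ENABLE      0x%08x\n", perf_ioc_enable(&ioc_ppc));
    printf("ppc   RESET       0x%08x\n", perf_ioc_reset(&ioc_ppc));
    printf("ppc64 SET_FILTER  0x%08x\n", perf_ioc_set_filter(&ioc_ppc, 8));
    printf("x86   ENABLE      0x%08x\n", perf_ioc_enable(&ioc_generic));
    printf("x86   SET_FILTER  0x%08x\n", perf_ioc_set_filter(&ioc_generic, 8));
    return 0;
}
```

Recomputing the numbers this way is how a reviewer can check a hard-coded ioctl constant: a wrong direction or size field is accepted by the kernel as a different request or rejected with ENOTTY, neither of which Python will flag.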

* [Qemu-devel] [PATCH 05/56] exec.c: Ensure right alignment also for file backed ram
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (3 preceding siblings ...)
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 04/56] tools: kvm_stat: Powerpc related fixes Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 06/56] usb:xhci: no DMA on HC reset Michael Roth
                   ` (53 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Dominik Dingel, Paolo Bonzini

From: Dominik Dingel <dingel@linux.vnet.ibm.com>

While in the anonymous RAM case we already take care of the right alignment,
such an alignment guarantee does not exist for file-backed RAM allocation.

Instead, pagesize is used for alignment. On s390 this is not enough for gmap,
as we need to satisfy an alignment up to segments.

Reported-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>

Message-Id: <1461585338-45863-1-git-send-email-dingel@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d2f39add725e2be849f5fb014a72368f711056fc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 exec.c               |  5 +++--
 include/qemu/osdep.h | 13 +++++++++++++
 util/oslib-posix.c   | 13 -------------
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/exec.c b/exec.c
index c4f9036..fc75266 100644
--- a/exec.c
+++ b/exec.c
@@ -1296,7 +1296,7 @@ static void *file_ram_alloc(RAMBlock *block,
     }
 
     page_size = qemu_fd_getpagesize(fd);
-    block->mr->align = page_size;
+    block->mr->align = MAX(page_size, QEMU_VMALLOC_ALIGN);
 
     if (memory < page_size) {
         error_setg(errp, "memory size 0x" RAM_ADDR_FMT " must be equal to "
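Review bot: On the non-Linux fallback QEMU_VMALLOC_ALIGN expands to getpagesize(), so `MAX(page_size, QEMU_VMALLOC_ALIGN)` evaluates a function call twice through the macro; harmless, but worth a comment. The `memory < page_size` check two lines below still compares against page_size rather than the new align, which is correct since only the mapping address, not the size, has to honour the larger alignment.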
@@ -1317,7 +1317,8 @@ static void *file_ram_alloc(RAMBlock *block,
         perror("ftruncate");
     }
 
-    area = qemu_ram_mmap(fd, memory, page_size, block->flags & RAM_SHARED);
+    area = qemu_ram_mmap(fd, memory, block->mr->align,
+                         block->flags & RAM_SHARED);
     if (area == MAP_FAILED) {
         error_setg_errno(errp, errno,
                          "unable to map backing store for guest RAM");
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 408783f..783270f 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -247,6 +247,19 @@ void qemu_anon_ram_free(void *ptr, size_t size);
 
 #endif
 
+#if defined(__linux__) && \
+    (defined(__x86_64__) || defined(__arm__) || defined(__aarch64__))
+   /* Use 2 MiB alignment so transparent hugepages can be used by KVM.
+      Valgrind does not support alignments larger than 1 MiB,
+      therefore we need special code which handles running on Valgrind. */
+#  define QEMU_VMALLOC_ALIGN (512 * 4096)
+#elif defined(__linux__) && defined(__s390x__)
+   /* Use 1 MiB (segment size) alignment so gmap can be used by KVM. */
+#  define QEMU_VMALLOC_ALIGN (256 * 4096)
+#else
+#  define QEMU_VMALLOC_ALIGN getpagesize()
+#endif
+
 int qemu_madvise(void *addr, size_t len, int advice);
 
 int qemu_open(const char *name, int flags, ...);
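Review bot: The macro is now visible to every file including qemu/osdep.h, and on the fallback branch it is a getpagesize() call rather than a constant, so any new user that treats QEMU_VMALLOC_ALIGN as compile-time constant (array sizes, static initialisers) will break on those platforms; a comment saying it may be a runtime value would prevent that. The sentence about Valgrind needing "special code" moves along with the macro, but that code is not in this header; either point the comment at where the handling lives or drop the sentence.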
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index 6cc4b8f..4adde93 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -26,19 +26,6 @@
  * THE SOFTWARE.
  */
 
-#if defined(__linux__) && \
-    (defined(__x86_64__) || defined(__arm__) || defined(__aarch64__))
-   /* Use 2 MiB alignment so transparent hugepages can be used by KVM.
-      Valgrind does not support alignments larger than 1 MiB,
-      therefore we need special code which handles running on Valgrind. */
-#  define QEMU_VMALLOC_ALIGN (512 * 4096)
-#elif defined(__linux__) && defined(__s390x__)
-   /* Use 1 MiB (segment size) alignment so gmap can be used by KVM. */
-#  define QEMU_VMALLOC_ALIGN (256 * 4096)
-#else
-#  define QEMU_VMALLOC_ALIGN getpagesize()
-#endif
-
 #include "qemu/osdep.h"
 #include <termios.h>
 #include <termios.h>
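Review bot: The context lines show `#include <termios.h>` twice in a row in util/oslib-posix.c; it is pre-existing, but since this hunk already edits the top of the file it would be a cheap cleanup to drop the duplicate here.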
-- 
1.9.1


* [Qemu-devel] [PATCH 06/56] usb:xhci: no DMA on HC reset
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (4 preceding siblings ...)
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 05/56] exec.c: Ensure right alignment also for file backed ram Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 07/56] target-mips: fix call to memset in soft reset code Michael Roth
                   ` (52 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Roman Kagan, Gerd Hoffmann

From: Roman Kagan <rkagan@virtuozzo.com>

This patch is a rough fix for a memory corruption we are observing when
running VMs with xhci USB controller and OVMF firmware.

Specifically, on the following call chain

xhci_reset
  xhci_disable_slot
    xhci_disable_ep
      xhci_set_ep_state

QEMU overwrites guest memory using stale guest addresses.

This doesn't happen when the guest (firmware) driver sets up xhci for
the first time as there are no slots configured yet.  However when the
firmware hands over the control to the OS some slots and endpoints are
already set up with their context in the guest RAM.  Now the OS' driver
resets the controller again and xhci_set_ep_state then reads and writes
that memory which is now owned by the OS.

As a quick fix, skip calling xhci_set_ep_state in xhci_disable_ep if the
device context base address array pointer is zero (indicating we're in
the HC reset and no DMA is possible).

Cc: qemu-stable@nongnu.org
Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
Message-id: 1462384435-1034-1-git-send-email-rkagan@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 491d68d9382dbb588f2ff5132ee3d87ce2f1b230)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-xhci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index bcde8a2..43ba615 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1531,7 +1531,10 @@ static TRBCCode xhci_disable_ep(XHCIState *xhci, unsigned int slotid,
         usb_packet_cleanup(&epctx->transfers[i].packet);
     }
 
-    xhci_set_ep_state(xhci, epctx, NULL, EP_DISABLED);
+    /* only touch guest RAM if we're not resetting the HC */
+    if (xhci->dcbaap_low || xhci->dcbaap_high) {
+        xhci_set_ep_state(xhci, epctx, NULL, EP_DISABLED);
+    }
 
     timer_free(epctx->kick_timer);
     g_free(epctx);
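Review bot: Using `dcbaap_low || dcbaap_high` as the "we are in HC reset" signal conflates a reset with a guest that simply programmed DCBAAP to zero, and it is only correct because xhci_reset() happens to clear those registers before walking the slots; the commit message itself calls this a rough fix, so an explicit in-reset flag set by xhci_reset() and tested here would state the intent directly and survive future reordering of the reset path. Freeing the context unconditionally below is right either way.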
-- 
1.9.1


* [Qemu-devel] [PATCH 07/56] target-mips: fix call to memset in soft reset code
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (5 preceding siblings ...)
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 06/56] usb:xhci: no DMA on HC reset Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 08/56] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2 Michael Roth
                   ` (51 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Aurelien Jarno, Stefan Weil, Leon Alrae

From: Aurelien Jarno <aurelien@aurel32.net>

Recent versions of GCC report the following error when compiling
target-mips/helper.c:

  qemu/target-mips/helper.c:542:9: warning: ‘memset’ used with length
  equal to number of elements without multiplication by element size
  [-Wmemset-elt-size]

This is indeed correct and due to a wrong usage of sizeof(). Fix that.

Cc: Stefan Weil <sw@weilnetz.de>
Cc: Leon Alrae <leon.alrae@imgtec.com>
Cc: qemu-stable@nongnu.org
LP: https://bugs.launchpad.net/qemu/+bug/1577841
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
(cherry picked from commit 9d989c732b153fe1576adbddb9879313a24d3cd2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-mips/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-mips/helper.c b/target-mips/helper.c
index 1004ede..cfea177 100644
--- a/target-mips/helper.c
+++ b/target-mips/helper.c
@@ -539,7 +539,7 @@ void mips_cpu_do_interrupt(CPUState *cs)
         break;
     case EXCP_SRESET:
         env->CP0_Status |= (1 << CP0St_SR);
-        memset(env->CP0_WatchLo, 0, sizeof(*env->CP0_WatchLo));
+        memset(env->CP0_WatchLo, 0, sizeof(env->CP0_WatchLo));
         goto set_error_EPC;
     case EXCP_NMI:
         env->CP0_Status |= (1 << CP0St_NMI);
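Review bot: `sizeof(env->CP0_WatchLo)` is the whole array only because CP0_WatchLo is an array member of the CPU state rather than a pointer; the -Wmemset-elt-size warning quoted in the commit message confirms that, so the fix is right. The sibling CP0_WatchHi registers are not touched in this hunk; if they are also expected to be cleared on soft reset, the same sizeof() pattern should be checked for them.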
-- 
1.9.1

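The bug fixed above is a general one: `memset(arr, 0, sizeof(*arr))` on an array member clears only its first element, so a "soft reset" leaves the rest of the register file holding pre-reset values. The following added example (not QEMU's code; the struct and register names are constructed stand-ins for the CP0 watch registers) shows the buggy and fixed forms side by side, plus the pointer case where sizeof() cannot recover the array length at all.

```c
/* Added example, not QEMU's code: sizeof(*array) vs sizeof(array) in a
 * reset path, and why a reset through a pointer needs an explicit count. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_WATCH 8

/* Constructed stand-in for the CP0 watch registers in a CPU state. */
struct cpu_state {
    int32_t watch_lo[NUM_WATCH];
    int32_t watch_hi[NUM_WATCH];
};

/* Buggy form: sizeof(*env->watch_lo) is sizeof(int32_t), 4 bytes, so only
 * watch_lo[0] is cleared and the other seven keep their old values. */
static void soft_reset_buggy(struct cpu_state *env)
{
    memset(env->watch_lo, 0, sizeof(*env->watch_lo));
}

/* Fixed form: the operand is the array member itself, so sizeof() yields
 * NUM_WATCH * sizeof(int32_t). */
static void soft_reset_fixed(struct cpu_state *env)
{
    memset(env->watch_lo, 0, sizeof(env->watch_lo));
}

/* Through a pointer parameter sizeof(regs) would be sizeof(int32_t *), so
 * the element count has to be passed in explicitly. */
static void clear_watch_regs(int32_t *regs, size_t count)
{
    memset(regs, 0, count * sizeof(*regs));
}

/* Fill every watch register with a recognisable non-zero pattern. */
static void poison_watch_regs(struct cpu_state *env)
{
    for (size_t i = 0; i < NUM_WATCH; i++) {
        env->watch_lo[i] = (int32_t)(0x1000 + i);
        env->watch_hi[i] = (int32_t)(0x2000 + i);
    }
}

/* Number of watch_lo entries still holding a non-zero (stale) value. */
static size_t stale_watch_lo_count(const struct cpu_state *env)
{
    size_t stale = 0;
    for (size_t i = 0; i < NUM_WATCH; i++) {
        stale += env->watch_lo[i] != 0;
    }
    return stale;
}

/* Run one reset variant on a poisoned state; returns stale entries left. */
static size_t stale_after_reset(void (*reset)(struct cpu_state *))
{
    struct cpu_state env;
    poison_watch_regs(&env);
    reset(&env);
    return stale_watch_lo_count(&env);
}

/* Same check for the pointer-based helper with an explicit count. */
static size_t stale_after_pointer_clear(void)
{
    struct cpu_state env;
    poison_watch_regs(&env);
    clear_watch_regs(env.watch_lo, NUM_WATCH);
    return stale_watch_lo_count(&env);
}
```

Compilers only catch the array-member form (GCC's -Wmemset-elt-size, as in the commit message); the pointer form is invisible to them, which is why reset helpers that take a pointer should take a count as well.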

* [Qemu-devel] [PATCH 08/56] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (6 preceding siblings ...)
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 07/56] target-mips: fix call to memset in soft reset code Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 09/56] configure: Allow builds with extra warnings Michael Roth
                   ` (50 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

sfence was introduced before lfence and mfence.  This fixes Linux
2.4's measurement of checksumming speeds for the pIII_sse
algorithm:

md: linear personality registered as nr 1
md: raid0 personality registered as nr 2
md: raid1 personality registered as nr 3
md: raid5 personality registered as nr 4
raid5: measuring checksumming speed
   8regs     :   384.400 MB/sec
   32regs    :   259.200 MB/sec
invalid operand: 0000
CPU:    0
EIP:    0010:[<c0240b2a>]    Not tainted
EFLAGS: 00000246
eax: c15d8000   ebx: 00000000   ecx: 00000000   edx: c15d5000
esi: 8005003b   edi: 00000004   ebp: 00000000   esp: c15bdf50
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 1, stackpage=c15bd000)
Stack: 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000
       00000000 00000206 c0241c6c 00001000 c15d4000 c15d7000 c15d4000
c15d4000
Call Trace:    [<c0241c6c>] [<c0105000>] [<c0241db4>] [<c010503b>]
[<c0105000>]
  [<c0107416>] [<c0105030>]

Code: 0f ae f8 0f 10 04 24 0f 10 4c 24 10 0f 10 54 24 20 0f 10 5c
 <0>Kernel panic: Attempted to kill init!

Reported-by: Stefan Weil <sw@weilnetz.de>
Fixes: 121f3157887f92268a3d6169e2d4601f9292020b
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 14cb949a3e2efd64ea3271b919b33b452ce7b180)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/translate.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index 1a1214d..69760b4 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -8002,6 +8002,11 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s,
             }
             /* fallthru */
         case 0xf9 ... 0xff: /* sfence */
+            if (!(s->cpuid_features & CPUID_SSE)
+                || (prefixes & PREFIX_LOCK)) {
+                goto illegal_op;
+            }
+            break;
         case 0xe8 ... 0xef: /* lfence */
         case 0xf0 ... 0xf7: /* mfence */
             if (!(s->cpuid_features & CPUID_SSE2)
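Review bot: The `/* fallthru */` from the preceding case now lands on the new CPUID_SSE check instead of the CPUID_SSE2 one, which is the intended behaviour for sfence (0F AE /7 with mod == 3) but is easy to miss when reading the switch; extending the fallthru comment to say it targets the sfence check would help. The `(prefixes & PREFIX_LOCK)` test is now duplicated between the sfence arm and the lfence/mfence arm; if the surrounding code allows it, checking LOCK once before dispatching on the opcode would remove the repetition.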
-- 
1.9.1


* [Qemu-devel] [PATCH 09/56] configure: Allow builds with extra warnings
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (7 preceding siblings ...)
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 08/56] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2 Michael Roth
@ 2016-08-08 21:03 ` Michael Roth
  2016-08-08 21:03 ` [Qemu-devel] [PATCH 10/56] migration: regain control of images when migration fails to complete Michael Roth
                   ` (49 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Weil, Paolo Bonzini

From: Stefan Weil <sw@weilnetz.de>

The clang compiler supports a useful compiler option -Weverything,
and GCC also has other warnings not enabled by -Wall.

If glib header files trigger a warning, however, testing glib with
-Werror will always fail. A size mismatch is also detected without
-Werror, so simply remove it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-Id: <1461879221-13338-1-git-send-email-sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5919e0328b7d6a08a661c3c747bae3e841d4e6f4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index c37fc5f..49bdb4b 100755
--- a/configure
+++ b/configure
@@ -2967,7 +2967,7 @@ int main(void) {
 }
 EOF
 
-if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then
+if ! compile_prog "$CFLAGS" "$LIBS" ; then
     error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\
                "You probably need to set PKG_CONFIG_LIBDIR"\
 	       "to point to the right pkg-config files for your"\
-- 
1.9.1

* [Qemu-devel] [PATCH 10/56] migration: regain control of images when migration fails to complete
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Greg Kurz, Amit Shah

From: Greg Kurz <gkurz@linux.vnet.ibm.com>

We currently have an error path during migration that can cause
the source QEMU to abort:

migration_thread()
  migration_completion()
    runstate_is_running() ----------------> true if guest is running
    bdrv_inactivate_all() ----------------> inactivate images
    qemu_savevm_state_complete_precopy()
     ... qemu_fflush()
           socket_writev_buffer() --------> error because destination fails
         qemu_fflush() -------------------> set error on migration stream
  migration_completion() -----------------> set migrate state to FAILED
migration_thread() -----------------------> break migration loop
  vm_start() -----------------------------> restart guest with inactive
                                            images

and you get:

qemu-system-ppc64: socket_writev_buffer: Got err=104 for (32768/18446744073709551615)
qemu-system-ppc64: /home/greg/Work/qemu/qemu-master/block/io.c:1342:bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed.
Aborted (core dumped)

If we try postcopy with a similar scenario, we also get the writev error
message but QEMU leaves the guest paused because entered_postcopy is true.

We could possibly do the same with precopy and leave the guest paused.
But since the historical default for migration errors is to restart the
source, this patch adds a call to bdrv_invalidate_cache_all() instead.

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-Id: <146357896785.6003.11983081732454362715.stgit@bahia.huguette.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit fe904ea8242cbae2d7e69c052c754b8f5f1ba1d6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 migration/migration.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index 991313a..0563b4c 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -1597,19 +1597,32 @@ static void migration_completion(MigrationState *s, int current_active_state,
         rp_error = await_return_path_close_on_source(s);
         trace_migration_completion_postcopy_end_after_rp(rp_error);
         if (rp_error) {
-            goto fail;
+            goto fail_invalidate;
         }
     }
 
     if (qemu_file_get_error(s->to_dst_file)) {
         trace_migration_completion_file_err();
-        goto fail;
+        goto fail_invalidate;
     }
 
     migrate_set_state(&s->state, current_active_state,
                       MIGRATION_STATUS_COMPLETED);
     return;
 
+fail_invalidate:
+    /* If not doing postcopy, vm_start() will be called: let's regain
+     * control on images.
+     */
+    if (s->state == MIGRATION_STATUS_ACTIVE) {
+        Error *local_err = NULL;
+
+        bdrv_invalidate_cache_all(&local_err);
+        if (local_err) {
+            error_report_err(local_err);
+        }
+    }
+
 fail:
     migrate_set_state(&s->state, current_active_state,
                       MIGRATION_STATUS_FAILED);
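
Review bot: two things on the new fail_invalidate path. First, the `s->state == MIGRATION_STATUS_ACTIVE` guard means the first redirected `goto` (the return-path error inside the postcopy branch) will normally skip re-activation, which matches the commit message's intent of leaving a postcopy guest paused; but any other `goto fail` earlier in migration_completion() that can occur after bdrv_inactivate_all() still bypasses re-activation, so those sites need checking. Second, a failure from bdrv_invalidate_cache_all() is only reported, so the caller will still call vm_start() on images that may remain inactive and hit the same assertion; consider propagating the error and leaving the guest paused in that case.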
-- 
1.9.1

* [Qemu-devel] [PATCH 11/56] json-streamer: Don't leak tokens on incomplete parse
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Markus Armbruster

From: Eric Blake <eblake@redhat.com>

Valgrind complained about a number of leaks in
tests/check-qobject-json:

==12657==    definitely lost: 17,247 bytes in 1,234 blocks

All of which had the same root cause: on an incomplete parse,
we were abandoning the token queue without cleaning up the
allocated data within each queue element.  Introduced in
commit 95385fe, when we switched from QList (which recursively
frees contents) to g_queue (which does not).

We don't yet require glib 2.32 with its g_queue_free_full(),
so open-code it instead.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463608012-12760-1-git-send-email-eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit ba4dba54347d5062436a8553f527dbbed6dcf069)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qobject/json-streamer.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 0251685..7164390 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -20,9 +20,15 @@
 #define MAX_TOKEN_COUNT (2ULL << 20)
 #define MAX_NESTING (1ULL << 10)
 
+static void json_message_free_token(void *token, void *opaque)
+{
+    g_free(token);
+}
+
 static void json_message_free_tokens(JSONMessageParser *parser)
 {
     if (parser->tokens) {
+        g_queue_foreach(parser->tokens, json_message_free_token, NULL);
         g_queue_free(parser->tokens);
         parser->tokens = NULL;
     }
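
Review bot: json_message_free_token() assumes every queued token is a single g_malloc'd block that owns no further allocations; if JSONToken later grows a pointer member this becomes a leak again with no compiler help, so a one-line comment stating that assumption (and pointing at g_queue_free_full() as the replacement once glib 2.32 is the minimum, as the commit message notes) would be worthwhile. The unused `opaque` parameter is fine since the GFunc signature requires it.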
-- 
1.9.1

* [Qemu-devel] [PATCH 12/56] json-streamer: fix double-free on exiting during a parse
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call.  To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.

Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qobject/json-streamer.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 7164390..c51c202 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input,
 {
     JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
     JSONToken *token;
+    GQueue *tokens;
 
     switch (type) {
     case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit:
     /* send current list of tokens to parser and reset tokenizer */
     parser->brace_count = 0;
     parser->bracket_count = 0;
-    /* parser->emit takes ownership of parser->tokens.  */
-    parser->emit(parser, parser->tokens);
+    /* parser->emit takes ownership of parser->tokens.  Remove our own
+     * reference to parser->tokens before handing it out to parser->emit.
+     */
+    tokens = parser->tokens;
     parser->tokens = g_queue_new();
+    parser->emit(parser, tokens);
     parser->token_size = 0;
 }
 
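Review bot: the reordering fixes the double free, but `parser->token_size = 0;` still runs after `parser->emit(parser, tokens)`. If emit can destroy the parser and then return, that line is a use-after-free; if destruction only happens on a path that never returns (process exit, as the subject suggests), a comment saying so would help. Either way, moving `parser->token_size = 0;` up next to `parser->tokens = g_queue_new();`, before the emit call, removes the question entirely and costs nothing.
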
-- 
1.9.1

* [Qemu-devel] [PATCH 13/56] esp: check command buffer length before write (CVE-2016-4439)
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Prasad J Pandit, Paolo Bonzini

From: Prasad J Pandit <pjp@fedoraproject.org>

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add a check to avoid OOB write
access.

Fixes CVE-2016-4439.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/esp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8961be2..01497e6 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
         break;
     case ESP_FIFO:
         if (s->do_cmd) {
-            s->cmdbuf[s->cmdlen++] = val & 0xff;
+            if (s->cmdlen < TI_BUFSZ) {
+                s->cmdbuf[s->cmdlen++] = val & 0xff;
+            } else {
+                trace_esp_error_fifo_overrun();
+            }
         } else if (s->ti_size == TI_BUFSZ - 1) {
             trace_esp_error_fifo_overrun();
         } else {
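
Review bot: `s->cmdlen < TI_BUFSZ` is the right comparison (rather than the `== TI_BUFSZ - 1` style of the neighbouring ti_size branch), because cmdlen is also assigned elsewhere from a DMA length (see `s->cmdlen = get_cmd(...)` in the following patch) and may already be at or past the end of the buffer when a FIFO write arrives. Two follow-ups: the overrun is only traced and the byte silently dropped, so a misbehaving guest driver gets no status indication; and since the bound is really the size of cmdbuf, `sizeof(s->cmdbuf)` here would keep the check from drifting if the array is ever resized independently of TI_BUFSZ.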
-- 
1.9.1

* [Qemu-devel] [PATCH 14/56] esp: check dma length before reading scsi command (CVE-2016-4441)
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Prasad J Pandit, Paolo Bonzini

From: Prasad J Pandit <pjp@fedoraproject.org>

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read SCSI commands into this buffer.
Add a check to validate the DMA length against the buffer size to
avoid any overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/esp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
     }
 }
 
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
 {
     uint32_t dmalen;
     int target;
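
Review bot: `uint8_t buflen` works for the 16-byte buffers in use, but every caller passes `sizeof(...)` (a size_t) and the narrowing is silent; if a larger buffer is ever handed in, the bound truncates to a small value and the check below either lets an out-of-range `dmalen` through or rejects valid commands. `size_t buflen` (or at least `uint32_t`, matching dmalen) avoids that with no other change.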
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
         dmalen = s->rregs[ESP_TCLO];
         dmalen |= s->rregs[ESP_TCMID] << 8;
         dmalen |= s->rregs[ESP_TCHI] << 16;
+        if (dmalen > buflen) {
+            return 0;
+        }
         s->dma_memory_read(s->dma_opaque, buf, dmalen);
     } else {
         dmalen = s->ti_size;
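
Review bot: the new bound covers only the DMA branch; the `else` branch sets `dmalen = s->ti_size` and is not compared against buflen in this hunk, so it is correct only if ti_size is independently kept within the same 16-byte limit (the `ti_size == TI_BUFSZ - 1` check in esp_reg_write, visible in the previous patch, suggests it is, but it is worth confirming on the DMA-less path). Also, returning 0 on an oversized DMA length silently drops the command with no trace and no error status; a trace point like the one used for the FIFO overrun would make this reachable-but-rejected path visible in logs.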
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
         s->dma_cb = handle_satn;
         return;
     }
-    len = get_cmd(s, buf);
+    len = get_cmd(s, buf, sizeof(buf));
     if (len)
         do_cmd(s, buf);
 }
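
Review bot: `sizeof(buf)` is only the buffer size if `buf` is declared as an array in handle_satn() (its declaration is above the hunk and not visible); if it is a pointer this silently becomes sizeof(uint8_t *) and the check in get_cmd() rejects every command longer than a pointer. The same applies to handle_s_without_atn() in the next hunk. If both are arrays, fine; otherwise pass the array length explicitly.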
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
         s->dma_cb = handle_s_without_atn;
         return;
     }
-    len = get_cmd(s, buf);
+    len = get_cmd(s, buf, sizeof(buf));
     if (len) {
         do_busid_cmd(s, buf, 0);
     }
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
         s->dma_cb = handle_satn_stop;
         return;
     }
-    s->cmdlen = get_cmd(s, s->cmdbuf);
+    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
     if (s->cmdlen) {
         trace_esp_handle_satn_stop(s->cmdlen);
         s->do_cmd = 1;
-- 
1.9.1

* [Qemu-devel] [PATCH 15/56] block/nfs: refuse readahead if cache.direct is on
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Peter Lieven, Jeff Cody

From: Peter Lieven <pl@kamp.de>

If we open an NFS export with the cache disabled we should refuse
the readahead feature as it will cache data inside libnfs.

If an export was opened with readahead enabled it should
further not be allowed to disable the cache while running.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id: 1463662083-20814-2-git-send-email-pl@kamp.de
Signed-off-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit 38f8d5e0251ae7d8257cf099cb3e5a375ef60378)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/nfs.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/block/nfs.c b/block/nfs.c
index 9f51cc3..60be45e 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -1,7 +1,7 @@
 /*
  * QEMU Block driver for native access to files on NFS shares
  *
- * Copyright (c) 2014 Peter Lieven <pl@kamp.de>
+ * Copyright (c) 2014-2016 Peter Lieven <pl@kamp.de>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -47,6 +47,7 @@ typedef struct NFSClient {
     bool has_zero_init;
     AioContext *aio_context;
     blkcnt_t st_blocks;
+    bool cache_used;
 } NFSClient;
 
 typedef struct NFSRPC {
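
Review bot: `cache_used` reads as "the cache is in use", but what it records is "libnfs readahead is enabled"; naming it `readahead_enabled` (or similar) would make the reopen check later in this patch self-explanatory. Also make sure the NFSClient allocation zero-initialises it (not visible here), since only the true branch is ever assigned.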
@@ -278,7 +279,7 @@ static void nfs_file_close(BlockDriverState *bs)
 }
 
 static int64_t nfs_client_open(NFSClient *client, const char *filename,
-                               int flags, Error **errp)
+                               int flags, Error **errp, int open_flags)
 {
     int ret = -EINVAL, i;
     struct stat st;
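
Review bot: QEMU convention is for `Error **errp` to be the last parameter; adding `int open_flags` after it is mildly surprising and worth reordering while the signature is being changed anyway.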
@@ -330,12 +331,18 @@ static int64_t nfs_client_open(NFSClient *client, const char *filename,
             nfs_set_tcp_syncnt(client->context, val);
 #ifdef LIBNFS_FEATURE_READAHEAD
         } else if (!strcmp(qp->p[i].name, "readahead")) {
+            if (open_flags & BDRV_O_NOCACHE) {
+                error_setg(errp, "Cannot enable NFS readahead "
+                                 "if cache.direct = on");
+                goto fail;
+            }
             if (val > QEMU_NFS_MAX_READAHEAD_SIZE) {
                 error_report("NFS Warning: Truncating NFS readahead"
                              " size to %d", QEMU_NFS_MAX_READAHEAD_SIZE);
                 val = QEMU_NFS_MAX_READAHEAD_SIZE;
             }
             nfs_set_readahead(client->context, val);
+            client->cache_used = true;
 #endif
 #ifdef LIBNFS_FEATURE_DEBUG
         } else if (!strcmp(qp->p[i].name, "debug")) {
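
Review bot: `client->cache_used = true` is set whenever a `readahead` option is present, including `readahead=0`, which presumably disables readahead in libnfs but will still make a later reopen with cache.direct=on fail with "Cannot disable cache if libnfs readahead is enabled". Guarding the assignment with `val > 0` (and applying the same test before the BDRV_O_NOCACHE error above) keeps the restriction to the case that actually caches.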
@@ -418,7 +425,7 @@ static int nfs_file_open(BlockDriverState *bs, QDict *options, int flags,
     }
     ret = nfs_client_open(client, qemu_opt_get(opts, "filename"),
                           (flags & BDRV_O_RDWR) ? O_RDWR : O_RDONLY,
-                          errp);
+                          errp, bs->open_flags);
     if (ret < 0) {
         goto out;
     }
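
Review bot: nfs_file_open() receives `flags` as a parameter (see the hunk header) but passes `bs->open_flags` to nfs_client_open(); the two are normally the same at open time, but if they ever differ the BDRV_O_NOCACHE check is made against the wrong set. Using `flags` here is the conventional choice and avoids reaching back into bs.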
@@ -454,7 +461,7 @@ static int nfs_file_create(const char *url, QemuOpts *opts, Error **errp)
     total_size = ROUND_UP(qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0),
                           BDRV_SECTOR_SIZE);
 
-    ret = nfs_client_open(client, url, O_CREAT, errp);
+    ret = nfs_client_open(client, url, O_CREAT, errp, 0);
     if (ret < 0) {
         goto out;
     }
@@ -516,6 +523,11 @@ static int nfs_reopen_prepare(BDRVReopenState *state,
         return -EACCES;
     }
 
+    if ((state->flags & BDRV_O_NOCACHE) && client->cache_used) {
+        error_setg(errp, "Cannot disable cache if libnfs readahead is enabled");
+        return -EINVAL;
+    }
+
     /* Update cache for read-only reopens */
     if (!(state->flags & BDRV_O_RDWR)) {
         ret = nfs_fstat(client->context, client->fh, &st);
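
Review bot: the two error messages for the same restriction are phrased differently ("Cannot enable NFS readahead if cache.direct = on" at open, "Cannot disable cache if libnfs readahead is enabled" here); naming the cache.direct option in both tells the user which knob to change. This check also only looks at the reopen flags; if a reopen could carry a new `readahead` option as well, that combination would not be caught here, so it is worth confirming that reopen does not re-parse the URL options.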
-- 
1.9.1

* [Qemu-devel] [PATCH 16/56] usb/ohci: Fix crash when specifying too many num-ports
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Thomas Huth, Gerd Hoffmann

From: Thomas Huth <thuth@redhat.com>

QEMU currently crashes when an OHCI controller is instantiated with
too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1".
Thus add a proper check in usb_ohci_init() to make sure that we
do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1463995387-11710-1-git-send-email-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d400fc018b326104d26d730e5cc8c36c1f662c34)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/hcd-ohci.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index ffab561..16d9ff7 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -1848,6 +1848,12 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
 
     ohci->as = as;
 
+    if (num_ports > OHCI_MAX_PORTS) {
+        error_setg(errp, "OHCI num-ports=%d is too big (limit is %d ports)",
+                   num_ports, OHCI_MAX_PORTS);
+        return;
+    }
+
     if (usb_frame_time == 0) {
 #ifdef OHCI_TIME_WARP
         usb_frame_time = NANOSECONDS_PER_SECOND;
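
Review bot: the check rejects values above OHCI_MAX_PORTS but not negative ones; the `%d` format suggests num_ports is a signed int, in which case `num-ports=-1` still passes, and if it is actually unsigned then `%d` is the wrong conversion. Either way the type and the format should agree, and for a signed type the condition should also cover `num_ports < 1` (a zero-port controller is questionable too). The early return after `ohci->as = as` is fine as long as every caller checks errp before using the half-initialised state.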
-- 
1.9.1

* [Qemu-devel] [PATCH 17/56] vga: add sr_vbe register set
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann

From: Gerd Hoffmann <kraxel@redhat.com>

Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests to update sr[] registers as they want,
without allowing them to disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/vga.c     | 50 ++++++++++++++++++++++++++++----------------------
 hw/display/vga_int.h |  1 +
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 4a55ec6..9ebc54f 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
 }
 
+static inline uint8_t sr(VGACommonState *s, int idx)
+{
+    return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
+}
+
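Review bot: sr() covers the read sites in vga.c converted below, but any other code that reads s->sr[] directly on the shared VGACommonState (other display adapters built on it are not touched by this patch) will still see the guest-written values while VBE is active and can compute memory layout or retrace timing inconsistently with the core. Worth a grep for `->sr[` across hw/display before merging, and a comment on sr() saying that all reads of sequencer state must go through it.
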
 static void vga_update_memory_access(VGACommonState *s)
 {
     hwaddr base, offset, size;
@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
         s->has_chain4_alias = false;
         s->plane_updated = 0xf;
     }
-    if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
-        VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+    if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
+        VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
         offset = 0;
         switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
         case 0:
@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
           ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
     vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
 
-    clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
+    clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
     clock_sel = (s->msr >> 2) & 3;
     dots = (s->msr & 1) ? 8 : 9;
 
@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
 #endif
         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-        vbe_update_vgaregs(s);
         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
             s->update_retrace_info(s);
         }
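
Review bot: removing vbe_update_vgaregs() from the SR write path is what actually lifts the regression (guest writes to sr[] no longer get clobbered), and with vbe_update_vgaregs() now writing sr_vbe[] the two paths are fully decoupled. One consequence worth a comment: a guest write to VGA_SEQ_CLOCK_MODE still triggers update_retrace_info() below, which after this patch reads via sr() (see the vga_precise_update_retrace_info hunk) and so sees the VBE value while VBE is active, meaning the guest's write has no effect on retrace timing until VBE is disabled. Intended, but not obvious from the code.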
@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
 
     if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
         shift_control = 0;
-        s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+        s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
     } else {
         shift_control = 2;
         /* set chain 4 mode */
-        s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+        s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
         /* activate all planes */
-        s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+        s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
     }
     s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
         (shift_control << 5);
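
Review bot: the `&=`/`|=` updates now operate on sr_vbe[], which starts zeroed at reset and is never seeded from sr[], so while VBE is active every sr() read returns the VBE-derived bits and zero for everything else, regardless of what the guest put in sr[]. That is presumably the point (the guest can no longer disturb the VBE mode), but `&= ~8` on a register that is always zero is a no-op; plain assignments would state the intent more clearly than read-modify-write on a private array.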
@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
         break;
     }
 
-    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
         /* chain 4 mode : simplest access */
         assert(addr < s->vram_size);
         ret = s->vram_ptr[addr];
@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
         break;
     }
 
-    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+    if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
         /* chain 4 mode : simplest access */
         plane = addr & 3;
         mask = (1 << plane);
-        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
             assert(addr < s->vram_size);
             s->vram_ptr[addr] = val;
 #ifdef DEBUG_VGA_MEM
@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
         /* odd/even mode (aka text mode mapping) */
         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
         mask = (1 << plane);
-        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+        if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
             addr = ((addr & ~1) << 1) | plane;
             if (addr >= s->vram_size) {
                 return;
@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
 
     do_write:
         /* mask data according to sr[2] */
-        mask = s->sr[VGA_SEQ_PLANE_WRITE];
+        mask = sr(s, VGA_SEQ_PLANE_WRITE);
         s->plane_updated |= mask; /* only used to detect font change */
         write_mask = mask16[mask];
         if (addr * sizeof(uint32_t) >= s->vram_size) {
@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
     /* total width & height */
     cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
     cwidth = 8;
-    if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
+    if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
         cwidth = 9;
     }
-    if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
+    if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
         cwidth = 16; /* NOTE: no 18 pixel wide */
     }
     width = (s->cr[VGA_CRTC_H_DISP] + 1);
@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
     int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
 
     /* compute font data address (in plane 2) */
-    v = s->sr[VGA_SEQ_CHARACTER_MAP];
+    v = sr(s, VGA_SEQ_CHARACTER_MAP);
     offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
     if (offset != s->font_offsets[0]) {
         s->font_offsets[0] = offset;
@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
     }
 
     if (shift_control == 0) {
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
             disp_width <<= 1;
         }
     } else if (shift_control == 1) {
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
             disp_width <<= 1;
         }
     }
@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
 
     if (shift_control == 0) {
         full_update |= update_palette16(s);
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
             v = VGA_DRAW_LINE4D2;
         } else {
             v = VGA_DRAW_LINE4;
@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
         bits = 4;
     } else if (shift_control == 1) {
         full_update |= update_palette16(s);
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
             v = VGA_DRAW_LINE2D2;
         } else {
             v = VGA_DRAW_LINE2;
@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
 #if 0
     printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
            width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
-           s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
+           s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
 #endif
     addr1 = (s->start_addr * 4);
     bwidth = (width * bits + 7) / 8;
@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
 {
     s->sr_index = 0;
     memset(s->sr, '\0', sizeof(s->sr));
+    memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
     s->gr_index = 0;
     memset(s->gr, '\0', sizeof(s->gr));
     s->ar_index = 0;
@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
         /* total width & height */
         cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
         cw = 8;
-        if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
+        if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
             cw = 9;
         }
-        if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
+        if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
             cw = 16; /* NOTE: no 18 pixel wide */
         }
         width = (s->cr[VGA_CRTC_H_DISP] + 1);
@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
 
     /* force refresh */
     s->graphic_mode = -1;
+    vbe_update_vgaregs(s);
     return 0;
 }
 
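Review bot: calling vbe_update_vgaregs() unconditionally in post_load regenerates sr_vbe[] (which is not migrated, see the vga_int.h hunk), but the function also writes gr[VGA_GFX_MODE] (visible in the earlier hunk); this is only safe if vbe_update_vgaregs() returns early when VBE is disabled, which is not visible in this patch. Worth confirming, otherwise migrating a guest in plain VGA mode would alter its graphics-mode register on the destination.
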
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
index bdb43a5..3ce5544 100644
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@@ -98,6 +98,7 @@ typedef struct VGACommonState {
     MemoryRegion chain4_alias;
     uint8_t sr_index;
     uint8_t sr[256];
+    uint8_t sr_vbe[256];
     uint8_t gr_index;
     uint8_t gr[256];
     uint8_t ar_index;
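
Review bot: a short comment on sr_vbe noting that it is derived state, rebuilt by vbe_update_vgaregs() and therefore deliberately left out of the vmstate, would save the next reader the trip through vga.c to work that out.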
-- 
1.9.1

* [Qemu-devel] [PATCH 18/56] vfio: Fix broken EEH
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gavin Shan, David Gibson

From: Gavin Shan <gwshan@linux.vnet.ibm.com>

vfio_eeh_container_op() is the backend that communicates with
host kernel to support EEH functionality in QEMU. However, the
function should return the value from host kernel instead of 0
unconditionally.

dwg: Specifically the problem occurs for the handful of EEH
sub-operations which can return a non-zero, non-error result.

Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
[dwg: clarification to commit message]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

(cherry picked from commit d917e88d85a147a99f38a62a4f95cac21e366d51)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/vfio/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index f27db36..e1927a5 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -1147,7 +1147,7 @@ static int vfio_eeh_container_op(VFIOContainer *container, uint32_t op)
         return -errno;
     }
 
-    return 0;
+    return ret;
 }
 
 static VFIOContainer *vfio_eeh_as_container(AddressSpace *as)
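Review bot: returning ret instead of 0 changes the contract for every caller of vfio_eeh_container_op(): per the commit message some EEH sub-operations legitimately return a non-zero, non-error value, so any call site that treats `ret != 0` as failure would now misreport success. Worth checking each caller rather than only this function, and documenting in the function comment that positive values are operation results, not errors.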
-- 
1.9.1


* [Qemu-devel] [PATCH 19/56] block/iscsi: avoid potential overflow of acb->task->cdb
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Peter Lieven, Paolo Bonzini

From: Peter Lieven <pl@kamp.de>

At least in the path via virtio-blk the maximum size is not
restricted.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/block/iscsi.c b/block/iscsi.c
index 302baf8..172e6cf 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
         return &acb->common;
     }
 
+    if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
+        error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
+                     acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
+        qemu_aio_unref(acb);
+        return NULL;
+    }
+
     acb->task = malloc(sizeof(struct scsi_task));
     if (acb->task == NULL) {
         error_report("iSCSI: Failed to allocate task for scsi command. %s",
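Review bot: the new check frees acb and returns NULL, and the block layer maps a NULL acb from bdrv_aio_ioctl to -ENOTSUP (see the `if (!acb)` path in bdrv_co_do_ioctl in the "block: Drop bdrv_ioctl_bh_cb" patch later in this series), so an oversized CDB is reported to the guest as an unsupported ioctl rather than an invalid argument. If distinguishing the two matters, completing the request through the AIOCB callback with -EINVAL instead of returning NULL would preserve it; the bound itself is the right place to stop the copy.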
-- 
1.9.1


* [Qemu-devel] [PATCH 20/56] nbd: Don't trim unrequested bytes
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Paolo Bonzini

From: Eric Blake <eblake@redhat.com>

Similar to commit df7b97ff, we are mishandling clients that
give an unaligned NBD_CMD_TRIM request, and potentially
trimming bytes that occur before their request; which in turn
can cause potential unintended data loss (unlikely in
practice, since most clients are sane and issue aligned trim
requests).  However, while we fixed read and write by switching
to the byte interfaces of blk_, we don't yet have a byte
interface for discard.  On the other hand, trim is advisory, so
rounding the user's request to simply ignore the first and last
unaligned sectors (or the entire request, if it is sub-sector
in length) is just fine.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1464173965-9694-1-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 353ab969730742b7392414d62f4ba9632e8cf22c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 nbd/server.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 2184c64..cc4bda3 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1153,12 +1153,20 @@ static void nbd_trip(void *opaque)
         break;
     case NBD_CMD_TRIM:
         TRACE("Request type is TRIM");
-        ret = blk_co_discard(exp->blk, (request.from + exp->dev_offset)
-                                       / BDRV_SECTOR_SIZE,
-                             request.len / BDRV_SECTOR_SIZE);
-        if (ret < 0) {
-            LOG("discard failed");
-            reply.error = -ret;
+        /* Ignore unaligned head or tail, until block layer adds byte
+         * interface */
+        if (request.len >= BDRV_SECTOR_SIZE) {
+            request.len -= (request.from + request.len) % BDRV_SECTOR_SIZE;
+            ret = blk_co_discard(exp->blk,
+                                 DIV_ROUND_UP(request.from + exp->dev_offset,
+                                              BDRV_SECTOR_SIZE),
+                                 request.len / BDRV_SECTOR_SIZE);
+            if (ret < 0) {
+                LOG("discard failed");
+                reply.error = -ret;
+            }
+        } else {
+            TRACE("trim request too small, ignoring");
         }
         if (nbd_co_send_reply(req, &reply, 0) < 0) {
             goto out;
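Review bot: the tail is trimmed using request.from alone (`request.len -= (request.from + request.len) % BDRV_SECTOR_SIZE`) while the head is rounded on `request.from + exp->dev_offset`; the two describe the same byte range only when exp->dev_offset is a multiple of BDRV_SECTOR_SIZE, otherwise the discard can extend past the client's request by the misalignment. Either assert that dev_offset is sector-aligned or compute both ends from the same offset. The `request.len >= BDRV_SECTOR_SIZE` guard does correctly prevent the subtraction from underflowing, since the modulus is always smaller than len there.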
-- 
1.9.1

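The alignment arithmetic in the patch above, as an added stand-alone C model rather than code from nbd/server.c: plan_trim() repeats the hunk's head and tail rounding on a constructed (from, len, dev_offset) triple, and plan_within_request() checks the property the fix exists for (no byte outside the client's window is discarded), which also shows where an unaligned exp->dev_offset would break it. BDRV_SECTOR_SIZE and DIV_ROUND_UP are defined locally with the same meaning as QEMU's.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for QEMU's constants (same values and meaning). */
#define BDRV_SECTOR_SIZE 512ULL
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* What the patched NBD_CMD_TRIM path hands to blk_co_discard(). */
typedef struct {
    bool     issued;      /* false: shorter than a sector, ignored outright */
    uint64_t sector_num;  /* first sector passed to the block layer */
    uint64_t nb_sectors;  /* sectors passed to the block layer (may be 0) */
} TrimPlan;

/* Same arithmetic as the hunk, applied to a single request. */
TrimPlan plan_trim(uint64_t from, uint32_t len, uint64_t dev_offset)
{
    TrimPlan p = { false, 0, 0 };

    if (len < BDRV_SECTOR_SIZE) {
        return p;                       /* "trim request too small, ignoring" */
    }
    /* Drop the unaligned tail so the end lands on a sector boundary.
     * Cannot underflow: len >= 512 here and the modulus is < 512. */
    len -= (uint32_t)((from + len) % BDRV_SECTOR_SIZE);
    p.issued     = true;
    /* Round the head up: a partial first sector is skipped entirely. */
    p.sector_num = DIV_ROUND_UP(from + dev_offset, BDRV_SECTOR_SIZE);
    p.nb_sectors = len / BDRV_SECTOR_SIZE;
    return p;
}

/* The property the fix exists for: every discarded byte lies inside the
 * client's [from, from + len) window (export offsets, dev_offset removed). */
bool plan_within_request(uint64_t from, uint32_t len, uint64_t dev_offset)
{
    TrimPlan p = plan_trim(from, len, dev_offset);
    uint64_t first, end;

    if (!p.issued || p.nb_sectors == 0) {
        return true;                    /* nothing discarded at all */
    }
    first = p.sector_num * BDRV_SECTOR_SIZE - dev_offset;
    end   = first + p.nb_sectors * BDRV_SECTOR_SIZE;
    return first >= from && end <= from + len;
}

int main(void)
{
    /* Constructed requests: from, len, dev_offset. */
    static const uint64_t cases[][3] = {
        { 100, 1024, 0 }, { 100, 512, 0 },  { 0, 511, 0 },
        { 512, 600, 0 },  { 0, 1024, 512 }, { 0, 1024, 256 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t from = cases[i][0], off = cases[i][2];
        uint32_t len = (uint32_t)cases[i][1];
        TrimPlan p = plan_trim(from, len, off);
        printf("from=%" PRIu64 " len=%" PRIu32 " dev_offset=%" PRIu64
               " -> issued=%d sector=%" PRIu64 " n=%" PRIu64 " safe=%d\n",
               from, len, off, p.issued, p.sector_num, p.nb_sectors,
               plan_within_request(from, len, off));
    }
    return 0;
}
```

The last constructed case (dev_offset 256) is the one the patch does not cover: the request is sector-aligned in export offsets but the head rounding on the device offset pushes the discard 256 bytes past the client's window.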

* [Qemu-devel] [PATCH 21/56] savevm: fail if migration blockers are present
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Greg Kurz, Amit Shah

From: Greg Kurz <gkurz@linux.vnet.ibm.com>

QEMU currently has two ways to prevent migration from occurring:
- migration blocker when it depends on runtime state
- VMStateDescription.unmigratable when migration is not supported at all

This patch gathers all the logic into a single function to be called from
both the savevm and the migrate paths.

This fixes a bug with 9p, at least, where savevm would succeed and the
following would happen in the guest after loadvm:

$ ls /host
ls: cannot access /host: Protocol error

With this patch:

(qemu) savevm foo
Migration is disabled when VirtFS export path '/' is mounted in the guest
using mount_tag 'host'

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <146239057139.11271.9011797645454781543.stgit@bahia.huguette.org>

[Update subject according to Paolo's suggestion - Amit]

Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit 24f3902b088cd4f2dbebfd90527b5d81d6a050e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/migration/migration.h |  1 +
 migration/migration.c         | 21 +++++++++++++++------
 migration/savevm.c            |  2 +-
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/include/migration/migration.h b/include/migration/migration.h
index ac2c12c..9e36a97 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -210,6 +210,7 @@ int migrate_fd_close(MigrationState *s);
 void add_migration_state_change_notifier(Notifier *notify);
 void remove_migration_state_change_notifier(Notifier *notify);
 MigrationState *migrate_init(const MigrationParams *params);
+bool migration_is_blocked(Error **errp);
 bool migration_in_setup(MigrationState *);
 bool migration_has_finished(MigrationState *);
 bool migration_has_failed(MigrationState *);
diff --git a/migration/migration.c b/migration/migration.c
index 0563b4c..6cecc35 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -992,6 +992,20 @@ void qmp_migrate_incoming(const char *uri, Error **errp)
     once = false;
 }
 
+bool migration_is_blocked(Error **errp)
+{
+    if (qemu_savevm_state_blocked(errp)) {
+        return true;
+    }
+
+    if (migration_blockers) {
+        *errp = error_copy(migration_blockers->data);
+        return true;
+    }
+
+    return false;
+}
+
 void qmp_migrate(const char *uri, bool has_blk, bool blk,
                  bool has_inc, bool inc, bool has_detach, bool detach,
                  Error **errp)
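Review bot: migration_is_blocked() writes through errp unconditionally (`*errp = error_copy(migration_blockers->data);`); now that it is exported in migration.h, a caller passing NULL would crash. Using error_propagate(errp, error_copy(migration_blockers->data)) or documenting that errp must be non-NULL would make the function safe for new callers; both callers in this patch pass their own errp straight through, so current behaviour is unchanged.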
@@ -1014,12 +1028,7 @@ void qmp_migrate(const char *uri, bool has_blk, bool blk,
         return;
     }
 
-    if (qemu_savevm_state_blocked(errp)) {
-        return;
-    }
-
-    if (migration_blockers) {
-        *errp = error_copy(migration_blockers->data);
+    if (migration_is_blocked(errp)) {
         return;
     }
 
diff --git a/migration/savevm.c b/migration/savevm.c
index 16ba443..8346649 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1169,7 +1169,7 @@ static int qemu_savevm_state(QEMUFile *f, Error **errp)
     MigrationState *ms = migrate_init(&params);
     ms->to_dst_file = f;
 
-    if (qemu_savevm_state_blocked(errp)) {
+    if (migration_is_blocked(errp)) {
         return -EINVAL;
     }
 
-- 
1.9.1


* [Qemu-devel] [PATCH 22/56] Fix configure test for PBKDF2 in nettle
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Steven Luo, qemu-trivial, Michael Tokarev

From: Steven Luo <steven+qemu@steven676.net>

On my Debian jessie system, including nettle/pbkdf2.h does not cause
NULL to be defined, which causes the test to fail to compile.  Include
stddef.h to bring in a definition of NULL.

Cc: qemu-trivial@nongnu.org
Cc: qemu-stable@nongnu.org
Signed-off-by: Steven Luo <steven+qemu@steven676.net>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 9e87a691bd46846e2232f8c30605c491c85ac987)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure b/configure
index 49bdb4b..60e3c0d 100755
--- a/configure
+++ b/configure
@@ -2342,6 +2342,7 @@ if test "$nettle" != "no"; then
         nettle="yes"
 
         cat > $TMPC << EOF
+#include <stddef.h>
 #include <nettle/pbkdf2.h>
 int main(void) {
      pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
-- 
1.9.1


* [Qemu-devel] [PATCH 23/56] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Prasad J Pandit, Paolo Bonzini

From: Prasad J Pandit <pjp@fedoraproject.org>

Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value, leading to an OOB access issue. Add a check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index e690b4e..e1d6d06 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
     return log;
 }
 
-static void
+static int
 pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
 {
     int i;
@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
     uint32_t req_ring_size, cmp_ring_size;
     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
 
+    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+        return -1;
+    }
     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
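Review bot: `m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;` is assigned before the new page-count check, so a rejected PVSCSI_CMD_SETUP_RINGS still overwrites the ring-state address while the rest of m and s->rings_info_valid keep their previous values; moving the check above that assignment leaves the ring state untouched on failure. The check also only bounds the upper end: reqRingNumPages == 0 (and likewise numPages == 0 in pvscsi_ring_init_msg) gives a ring size of 0 and `pvscsi_log2(req_ring_size - 1)` is then called with 0xffffffff, so a `== 0` test alongside the maximum would be worth adding.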
@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
 
     /* Flush ring state page changes */
     smp_wmb();
+
+    return 0;
 }
 
-static void
+static int
 pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
 {
     int i;
     uint32_t len_log2;
     uint32_t ring_size;
 
+    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+        return -1;
+    }
     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
     len_log2 = pvscsi_log2(ring_size - 1);
 
@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
 
     /* Flush ring state page changes */
     smp_wmb();
+
+    return 0;
 }
 
 static void
@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
 
     pvscsi_dbg_dump_tx_rings_config(rc);
-    pvscsi_ring_init_data(&s->rings, rc);
+    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+        return PVSCSI_COMMAND_PROCESSING_FAILED;
+    }
+
     s->rings_info_valid = TRUE;
     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
 }
@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
     }
 
     if (s->rings_info_valid) {
-        pvscsi_ring_init_msg(&s->rings, rc);
+        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
+            return PVSCSI_COMMAND_PROCESSING_FAILED;
+        }
         s->msg_ring_info_valid = TRUE;
     }
     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
-- 
1.9.1


* [Qemu-devel] [PATCH 24/56] scsi: mptsas: infinite loop while fetching requests
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Prasad J Pandit, Paolo Bonzini

From: Prasad J Pandit <pjp@fedoraproject.org>

The LSI SAS1068 Host Bus Adapter emulator in Qemu periodically
looks for requests and fetches them. A loop doing that in
mptsas_fetch_requests() could run infinitely if 's->state' was
not operational. Move the check to avoid such a loop.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/mptsas.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 499c146..be88e16 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
     hwaddr addr;
     int size;
 
-    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-        return;
-    }
-
     /* Read the message header from the guest first. */
     addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
     pci_dma_read(pci, addr, req, sizeof(hdr));
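Review bot: with the state check removed here, mptsas_fetch_request() reads the guest message header unconditionally, so it is only safe when reached through the guarded loop in mptsas_fetch_requests(); if it has any other caller that caller loses the guard. A comment on the function, or a grep for callers in the commit message, would confirm this is the only entry point.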
@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
 {
     MPTSASState *s = opaque;
 
+    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
+        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
+        return;
+    }
     while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
         mptsas_fetch_request(s);
     }
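Review bot: this placement is what ends the loop from the subject: the old check inside mptsas_fetch_request() returned before `MPTSAS_FIFO_GET(s, request_post)` consumed the entry, so `MPTSAS_FIFO_EMPTY(s, request_post)` never became true and the while loop spun. Moving the check ahead of the loop means the fault is raised once per invocation and the FIFO is left as-is, which matches the intent; a one-line comment above the check explaining that the entries are deliberately not drained would save the next reader from re-deriving it.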
-- 
1.9.1


* [Qemu-devel] [PATCH 25/56] block: Drop bdrv_ioctl_bh_cb
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Fam Zheng, Stefan Hajnoczi

From: Fam Zheng <famz@redhat.com>

Similar to the "!drv || !drv->bdrv_aio_ioctl" case above, here it is
okay to set co.ret and return. As pointed out by Paolo, a BH will be
created as necessary by the caller (bdrv_co_maybe_schedule_bh).
Besides, as pointed out by Kevin, "data" was leaked before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20160601015223.19277-1-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c8a9fd80719e63615dac12e3625223fb54aa8430)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/io.c | 20 ++------------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/block/io.c b/block/io.c
index a7dbf85..d02e0d5 100644
--- a/block/io.c
+++ b/block/io.c
@@ -2595,19 +2595,6 @@ int bdrv_discard(BlockDriverState *bs, int64_t sector_num, int nb_sectors)
     return rwco.ret;
 }
 
-typedef struct {
-    CoroutineIOCompletion *co;
-    QEMUBH *bh;
-} BdrvIoctlCompletionData;
-
-static void bdrv_ioctl_bh_cb(void *opaque)
-{
-    BdrvIoctlCompletionData *data = opaque;
-
-    bdrv_co_io_em_complete(data->co, -ENOTSUP);
-    qemu_bh_delete(data->bh);
-}
-
 static int bdrv_co_do_ioctl(BlockDriverState *bs, int req, void *buf)
 {
     BlockDriver *drv = bs->drv;
@@ -2625,11 +2612,8 @@ static int bdrv_co_do_ioctl(BlockDriverState *bs, int req, void *buf)
 
     acb = drv->bdrv_aio_ioctl(bs, req, buf, bdrv_co_io_em_complete, &co);
     if (!acb) {
-        BdrvIoctlCompletionData *data = g_new(BdrvIoctlCompletionData, 1);
-        data->bh = aio_bh_new(bdrv_get_aio_context(bs),
-                                bdrv_ioctl_bh_cb, data);
-        data->co = &co;
-        qemu_bh_schedule(data->bh);
+        co.ret = -ENOTSUP;
+        goto out;
     }
     qemu_coroutine_yield();
 out:
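Review bot: `co.ret = -ENOTSUP; goto out;` on a NULL acb correctly skips qemu_coroutine_yield(), since no completion will ever fire and the BH that used to wake the coroutine was the only thing the deleted code did (besides leaking data). One visible consequence: any driver returning NULL from bdrv_aio_ioctl for a reason other than "unsupported" is now reported as -ENOTSUP at this point; the block/iscsi patch earlier in this series does exactly that for an oversized CDB, which is the pre-existing contract made more explicit rather than a regression.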
-- 
1.9.1


* [Qemu-devel] [PATCH 26/56] vmsvga: move fifo sanity checks to vmsvga_fifo_length
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann, P J P

From: Gerd Hoffmann <kraxel@redhat.com>

Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write), which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/vmware_vga.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 0c63fa8..63a7c05 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
     if (!s->config || !s->enable) {
         return 0;
     }
+
+    /* Check range and alignment.  */
+    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+        return 0;
+    }
+    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+        return 0;
+    }
+    if (CMD(max) > SVGA_FIFO_SIZE) {
+        return 0;
+    }
+    if (CMD(max) < CMD(min) + 10 * 1024) {
+        return 0;
+    }
+
     num = CMD(next_cmd) - CMD(stop);
     if (num < 0) {
         num += CMD(max) - CMD(min);
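Review bot: the checks now run on every vmsvga_fifo_length() call, but CMD() still reads min/max/next_cmd/stop straight from guest-shared memory, so the guest can change them between this validation and their use in vmsvga_fifo_read_raw(); this hunk narrows the window, and the shadowing in "vmsvga: shadow fifo registers" later in the series is what closes it. Also, min is not bounded above here, so `CMD(min) + 10 * 1024` can wrap and let a huge min pass the `CMD(max) < ...` test; the following patch adds the `CMD(min) >= SVGA_FIFO_SIZE` bound that prevents that.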
@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
     case SVGA_REG_CONFIG_DONE:
         if (value) {
             s->fifo = (uint32_t *) s->fifo_ptr;
-            /* Check range and alignment.  */
-            if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-                break;
-            }
-            if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-                break;
-            }
-            if (CMD(max) > SVGA_FIFO_SIZE) {
-                break;
-            }
-            if (CMD(max) < CMD(min) + 10 * 1024) {
-                break;
-            }
             vga_dirty_log_stop(&s->vga);
         }
         s->config = !!value;
-- 
1.9.1


* [Qemu-devel] [PATCH 27/56] vmsvga: add more fifo checks
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann, P J P

From: Gerd Hoffmann <kraxel@redhat.com>

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/vmware_vga.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 63a7c05..a26e62e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
     if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
         return 0;
     }
-    if (CMD(max) > SVGA_FIFO_SIZE) {
+    if (CMD(max) > SVGA_FIFO_SIZE ||
+        CMD(min) >= SVGA_FIFO_SIZE ||
+        CMD(stop) >= SVGA_FIFO_SIZE ||
+        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
         return 0;
     }
     if (CMD(max) < CMD(min) + 10 * 1024) {
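Review bot: bounding min, stop and next_cmd by SVGA_FIFO_SIZE keeps every index inside the buffer, but stop and next_cmd are not required to lie within [min, max); vmsvga_fifo_read_raw() only wraps stop back to min once it reaches max, so a stop below min reads from the register area of the fifo rather than the ring. That is memory-safe after this change, so if leaving it to the guest is intended, a comment saying so would help.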
-- 
1.9.1


* [Qemu-devel] [PATCH 28/56] vmsvga: shadow fifo registers
From: Michael Roth @ 2016-08-08 21:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann, P J P

From: Gerd Hoffmann <kraxel@redhat.com>

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization, which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
 1 file changed, 28 insertions(+), 29 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index a26e62e..de2567b 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -66,17 +66,11 @@ struct vmsvga_state_s {
     uint8_t *fifo_ptr;
     unsigned int fifo_size;
 
-    union {
-        uint32_t *fifo;
-        struct QEMU_PACKED {
-            uint32_t min;
-            uint32_t max;
-            uint32_t next_cmd;
-            uint32_t stop;
-            /* Add registers here when adding capabilities.  */
-            uint32_t fifo[0];
-        } *cmd;
-    };
+    uint32_t *fifo;
+    uint32_t fifo_min;
+    uint32_t fifo_max;
+    uint32_t fifo_next;
+    uint32_t fifo_stop;
 
 #define REDRAW_FIFO_LEN  512
     struct vmsvga_rect_s {
@@ -198,7 +192,7 @@ enum {
      */
     SVGA_FIFO_MIN = 0,
     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
-    SVGA_FIFO_NEXT_CMD,
+    SVGA_FIFO_NEXT,
     SVGA_FIFO_STOP,
 
     /*
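Review bot: renaming SVGA_FIFO_NEXT_CMD to SVGA_FIFO_NEXT is unrelated to the shadowing fix; for a stable backport keeping the existing enumerator name would shrink the diff and avoid breaking any out-of-tree code that references it.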
@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
 }
 #endif
 
-#define CMD(f)  le32_to_cpu(s->cmd->f)
-
 static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
 {
     int num;
@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
         return 0;
     }
 
+    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
+    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
+    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
+    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
+
     /* Check range and alignment.  */
-    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
         return 0;
     }
-    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+    if (s->fifo_min < sizeof(uint32_t) * 4) {
         return 0;
     }
-    if (CMD(max) > SVGA_FIFO_SIZE ||
-        CMD(min) >= SVGA_FIFO_SIZE ||
-        CMD(stop) >= SVGA_FIFO_SIZE ||
-        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+    if (s->fifo_max > SVGA_FIFO_SIZE ||
+        s->fifo_min >= SVGA_FIFO_SIZE ||
+        s->fifo_stop >= SVGA_FIFO_SIZE ||
+        s->fifo_next >= SVGA_FIFO_SIZE) {
         return 0;
     }
-    if (CMD(max) < CMD(min) + 10 * 1024) {
+    if (s->fifo_max < s->fifo_min + 10 * 1024) {
         return 0;
     }
 
-    num = CMD(next_cmd) - CMD(stop);
+    num = s->fifo_next - s->fifo_stop;
     if (num < 0) {
-        num += CMD(max) - CMD(min);
+        num += s->fifo_max - s->fifo_min;
     }
     return num >> 2;
 }
 
 static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
 {
-    uint32_t cmd = s->fifo[CMD(stop) >> 2];
+    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
 
-    s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-    if (CMD(stop) >= CMD(max)) {
-        s->cmd->stop = s->cmd->min;
+    s->fifo_stop += 4;
+    if (s->fifo_stop >= s->fifo_max) {
+        s->fifo_stop = s->fifo_min;
     }
+    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
     return cmd;
 }
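Review bot: `num = s->fifo_next - s->fifo_stop;` subtracts two uint32_t values and stores the result in an int, relying on implementation-defined conversion to obtain a negative value for the wrapped case; an explicit `(int32_t)` cast (or computing in int64_t) documents the intent. Otherwise the shadow discipline reads as complete: every bound is checked on the snapshot, vmsvga_fifo_read_raw() indexes with s->fifo_stop, and the guest-visible copy in s->fifo[SVGA_FIFO_STOP] is only written back after each read, never re-read.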
 
@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
     len = vmsvga_fifo_length(s);
     while (len > 0) {
         /* May need to go back to the start of the command if incomplete */
-        cmd_start = s->cmd->stop;
+        cmd_start = s->fifo_stop;
 
         switch (cmd = vmsvga_fifo_read(s)) {
         case SVGA_CMD_UPDATE:
@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             break;
 
         rewind:
-            s->cmd->stop = cmd_start;
+            s->fifo_stop = cmd_start;
+            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
             break;
         }
     }
-- 
1.9.1

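An added C model of the shadowed-register scheme, not code from hw/display/vmware_vga.c: fifo_length() and fifo_read_raw() follow the hunk above, the 64 KiB SVGA_FIFO_SIZE and a little-endian host (so le32_to_cpu is omitted) are assumptions, and shadow_survives_tamper() shows that a guest write to SVGA_FIFO_STOP after the snapshot no longer influences which word the host reads.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this model: a 64 KiB fifo and the register indices from the hunk. */
#define SVGA_FIFO_SIZE 0x10000u
enum { SVGA_FIFO_MIN = 0, SVGA_FIFO_MAX, SVGA_FIFO_NEXT, SVGA_FIFO_STOP };

typedef struct {
    uint32_t *fifo;                                    /* guest-writable ram */
    uint32_t fifo_min, fifo_max, fifo_next, fifo_stop; /* host-private shadows */
} FifoState;

/* Snapshot the four pointers, then validate the snapshot, never the live
 * copy. Returns the number of 32-bit words queued, or 0 if unusable. */
int fifo_length(FifoState *s)
{
    int32_t num;

    s->fifo_min  = s->fifo[SVGA_FIFO_MIN];
    s->fifo_max  = s->fifo[SVGA_FIFO_MAX];
    s->fifo_next = s->fifo[SVGA_FIFO_NEXT];
    s->fifo_stop = s->fifo[SVGA_FIFO_STOP];

    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
        return 0;                           /* not 4-byte aligned */
    }
    if (s->fifo_min < sizeof(uint32_t) * 4) {
        return 0;                           /* ring would overlap the registers */
    }
    if (s->fifo_max > SVGA_FIFO_SIZE || s->fifo_min >= SVGA_FIFO_SIZE ||
        s->fifo_stop >= SVGA_FIFO_SIZE || s->fifo_next >= SVGA_FIFO_SIZE) {
        return 0;                           /* some index past the buffer */
    }
    if (s->fifo_max < s->fifo_min + 10 * 1024) {
        return 0;                           /* ring smaller than the 10K minimum */
    }
    num = (int32_t)(s->fifo_next - s->fifo_stop);
    if (num < 0) {
        num += (int32_t)(s->fifo_max - s->fifo_min);   /* producer wrapped */
    }
    return num >> 2;
}

/* Consume one word using only the shadow stop pointer, then publish it. */
uint32_t fifo_read_raw(FifoState *s)
{
    uint32_t cmd = s->fifo[s->fifo_stop >> 2];

    s->fifo_stop += 4;
    if (s->fifo_stop >= s->fifo_max) {
        s->fifo_stop = s->fifo_min;
    }
    s->fifo[SVGA_FIFO_STOP] = s->fifo_stop;
    return cmd;
}

static uint32_t guest_ram[SVGA_FIFO_SIZE / 4];   /* constructed fifo backing */

/* Write the four registers as a guest would and report the validated length. */
int length_for(uint32_t min, uint32_t max, uint32_t next, uint32_t stop)
{
    FifoState s = { .fifo = guest_ram };

    guest_ram[SVGA_FIFO_MIN]  = min;
    guest_ram[SVGA_FIFO_MAX]  = max;
    guest_ram[SVGA_FIFO_NEXT] = next;
    guest_ram[SVGA_FIFO_STOP] = stop;
    return fifo_length(&s);
}

/* Queue two words, snapshot, then let the "guest" clobber STOP in shared
 * memory. True when every read stayed in bounds and the host's stop won. */
bool shadow_survives_tamper(void)
{
    FifoState s = { .fifo = guest_ram };
    uint32_t sum = 0;
    int len, i;

    memset(guest_ram, 0, sizeof(guest_ram));
    guest_ram[SVGA_FIFO_MIN]  = 16;
    guest_ram[SVGA_FIFO_MAX]  = 0x4000;
    guest_ram[SVGA_FIFO_NEXT] = 24;
    guest_ram[SVGA_FIFO_STOP] = 16;
    guest_ram[4] = 0x11;                     /* two queued words at bytes 16..23 */
    guest_ram[5] = 0x22;
    len = fifo_length(&s);                   /* snapshot taken here */
    guest_ram[SVGA_FIFO_STOP] = 0xfffffff0;  /* concurrent guest write */

    for (i = 0; i < len; i++) {
        if ((s.fifo_stop >> 2) >= SVGA_FIFO_SIZE / 4) {
            return false;                    /* would index outside the buffer */
        }
        sum += fifo_read_raw(&s);
    }
    return len == 2 && sum == 0x33 && s.fifo_stop == 24 &&
           guest_ram[SVGA_FIFO_STOP] == 24;
}

int main(void)
{
    printf("queued=%d tamper_contained=%d\n",
           length_for(16, 0x4000, 24, 16), shadow_survives_tamper());
    return 0;
}
```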

* [Qemu-devel] [PATCH 29/56] vmsvga: don't process more than 1024 fifo commands at once
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Gerd Hoffmann, P J P

From: Gerd Hoffmann <kraxel@redhat.com>

vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/vmware_vga.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index de2567b..e51a05e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
 static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 {
     uint32_t cmd, colour;
-    int args, len;
+    int args, len, maxloop = 1024;
     int x, y, dx, dy, width, height;
     struct vmsvga_cursor_definition_s cursor;
     uint32_t cmd_start;
 
     len = vmsvga_fifo_length(s);
-    while (len > 0) {
+    while (len > 0 && --maxloop > 0) {
         /* May need to go back to the start of the command if incomplete */
         cmd_start = s->fifo_stop;
 
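Review bot: `--maxloop > 0` with `maxloop = 1024` allows 1023 commands per call, not the 1024 the subject promises; use `maxloop-- > 0` or note in a comment that the bound is approximate. The cap is per vmsvga_fifo_run invocation, so a guest that keeps the FIFO full still gets its commands drained at display-update rate rather than in one unbounded burst, which is the intended mitigation for CVE-2016-4453; a comment next to the constant saying why 1024 was chosen would help whoever tunes it later.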
-- 
1.9.1


* [Qemu-devel] [PATCH 30/56] io: remove mistaken call to object_ref on QTask
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrange

From: "Daniel P. Berrange" <berrange@redhat.com>

The QTask struct is just a standalone struct, not a QOM Object,
so calling object_ref() on it is not appropriate. This results
in mangling the 'destroy' field in the QTask struct, causing
the later call to qtask_free() to try to call the function
at address 0x1, with predictably segfault happy results.

There is in fact no need for ref counting with QTask, as the
call to qtask_abort() or qtask_complete() will automatically
free associated memory.

This fixes the crash shown in

  https://bugs.launchpad.net/qemu/+bug/1589923

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit bc35d51077b33e68a0ab10a057f352747214223f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 io/channel-websock.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/io/channel-websock.c b/io/channel-websock.c
index 7081787..d5a4ed3 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -316,14 +316,13 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
         return TRUE;
     }
 
-    object_ref(OBJECT(task));
     trace_qio_channel_websock_handshake_reply(ioc);
     qio_channel_add_watch(
         wioc->master,
         G_IO_OUT,
         qio_channel_websock_handshake_send,
         task,
-        (GDestroyNotify)object_unref);
+        NULL);
     return FALSE;
 }
 
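Review bot: passing NULL as the GDestroyNotify makes the task's lifetime rest entirely on qio_channel_websock_handshake_send calling qtask_abort() or qtask_complete(); please confirm every return path of that callback, including its error branch, reaches one of the two, otherwise the task now leaks where it previously was (wrongly) unref'd. A one-line comment at the qio_channel_add_watch() call stating that the send handler owns `task` would document the contract.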
-- 
1.9.1


* [Qemu-devel] [PATCH 31/56] ui: fix regression in printing VNC host/port on startup
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrange, Gerd Hoffmann

From: "Daniel P. Berrange" <berrange@redhat.com>

If VNC is chosen as the compile time default display backend,
QEMU will print the host/port it listens on at startup.
Previously this would look like

  VNC server running on '::1:5900'

but in 04d2529da27db512dcbd5e99d0e26d333f16efcc the ':' was
accidentally replaced with a ';'. This puts the ':' back.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1465382576-25552-1-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 83cf07b0b577bde1afe1329d25bbcc762966e637)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 ui/vnc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index d2ebf1f..3e89dad 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3193,7 +3193,7 @@ char *vnc_display_local_addr(const char *id)
         qapi_free_SocketAddress(addr);
         return NULL;
     }
-    ret = g_strdup_printf("%s;%s", addr->u.inet.data->host,
+    ret = g_strdup_printf("%s:%s", addr->u.inet.data->host,
                           addr->u.inet.data->port);
     qapi_free_SocketAddress(addr);
 
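Review bot: a one-character regression like this survived 04d2529da27db512dcbd5e99d0e26d333f16efcc because nothing checks the string vnc_display_local_addr() returns; a test asserting the "host:port" shape, including the unbracketed IPv6 form '::1:5900' the commit message shows, would catch the next slip.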
-- 
1.9.1


* [Qemu-devel] [PATCH 32/56] net: fix qemu_announce_self not emitting packets
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Peter Lieven, hongyang.yang, Jason Wang

From: Peter Lieven <pl@kamp.de>

commit fefe2a78 accidentally dropped the code path for injecting
raw packets. This feature is needed for sending gratuitous ARPs
after an incoming migration has completed. The result is increased
network downtime for vservers where the network card is not virtio-net
with the VIRTIO_NET_F_GUEST_ANNOUNCE feature.

Fixes: fefe2a78abde932e0f340b21bded2c86def1d242
Cc: qemu-stable@nongnu.org
Cc: hongyang.yang@easystack.cn
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit ca1ee3d6b546e841a1b9db413eb8fa09f13a061b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 net/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/net.c b/net/net.c
index 0ad6217..6b0b375 100644
--- a/net/net.c
+++ b/net/net.c
@@ -724,7 +724,7 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender,
         return 0;
     }
 
-    if (nc->info->receive_iov) {
+    if (nc->info->receive_iov && !(flags & QEMU_NET_PACKET_FLAG_RAW)) {
         ret = nc->info->receive_iov(nc, iov, iovcnt);
     } else {
         ret = nc_sendv_compat(nc, iov, iovcnt, flags);
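Review bot: the new condition routes raw-flagged packets through nc_sendv_compat() even when the client implements receive_iov, so correctness depends on nc_sendv_compat() honouring QEMU_NET_PACKET_FLAG_RAW rather than merely linearising the iov; a comment on the `else` branch stating that raw packets must take the compat path would stop a future cleanup from reintroducing the regression fefe2a78 caused.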
-- 
1.9.1


* [Qemu-devel] [PATCH 33/56] backup: Don't leak BackupBlockJob in error path
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Kevin Wolf

From: Kevin Wolf <kwolf@redhat.com>

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
(cherry picked from commit 91ab68837933232bcef99da7c968e6d41900419b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/backup.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/block/backup.c b/block/backup.c
index 491fd14..370c285 100644
--- a/block/backup.c
+++ b/block/backup.c
@@ -504,6 +504,7 @@ void backup_start(BlockDriverState *bs, BlockDriverState *target,
 {
     int64_t len;
     BlockDriverInfo bdi;
+    BackupBlockJob *job = NULL;
     int ret;
 
     assert(bs);
@@ -568,8 +569,7 @@ void backup_start(BlockDriverState *bs, BlockDriverState *target,
         goto error;
     }
 
-    BackupBlockJob *job = block_job_create(&backup_job_driver, bs, speed,
-                                           cb, opaque, errp);
+    job = block_job_create(&backup_job_driver, bs, speed, cb, opaque, errp);
     if (!job) {
         goto error;
     }
@@ -610,4 +610,7 @@ void backup_start(BlockDriverState *bs, BlockDriverState *target,
     if (sync_bitmap) {
         bdrv_reclaim_dirty_bitmap(bs, sync_bitmap, NULL);
     }
+    if (job) {
+        block_job_unref(&job->common);
+    }
 }
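Review bot: the `block_job_unref(&job->common)` at the error label assumes backup_start still owns the reference block_job_create() returned on every `goto error` taken after it; if any later failure path has already started the job or handed that reference to a coroutine, this drops it twice. A comment on the label stating the invariant, or placing the unref next to the failure that needs it, would make the ownership explicit.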
-- 
1.9.1


* [Qemu-devel] [PATCH 34/56] qcow2: Avoid making the L1 table too big
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Max Reitz

From: Max Reitz <mreitz@redhat.com>

We refuse to open images whose L1 table we deem "too big". Consequently,
we should not produce such images ourselves.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20160615153630.2116-3-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
[mreitz: Added QEMU_BUILD_BUG_ON()]
Signed-off-by: Max Reitz <mreitz@redhat.com>

(cherry picked from commit 84c26520d3c1c9ff4a10455748139463278816d5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-cluster.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 31ecc10..22bdb47 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -64,7 +64,8 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size,
         }
     }
 
-    if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
+    QEMU_BUILD_BUG_ON(QCOW_MAX_L1_SIZE > INT_MAX);
+    if (new_l1_size > QCOW_MAX_L1_SIZE / sizeof(uint64_t)) {
         return -EFBIG;
     }
 
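Review bot: returning -EFBIG without an error_setg() leaves the caller to print a generic "File too large" that is hard to connect with the L1-table limit; consider naming QCOW_MAX_L1_SIZE in a message. The QEMU_BUILD_BUG_ON keeps the `new_l1_size > QCOW_MAX_L1_SIZE / sizeof(uint64_t)` comparison safe from int truncation, and since the commit message says open already refuses oversized tables, the open-time check should use this same constant so the two stay in step.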
-- 
1.9.1


* [Qemu-devel] [PATCH 35/56] qapi: Fix crash on missing alternate member of QAPI struct
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Markus Armbruster

From: Eric Blake <eblake@redhat.com>

If a QAPI struct has a mandatory alternate member which is not
present on input, the input visitor reports an error for the
missing alternate without setting the discriminator, but the
cleanup code for the struct still tries to use the dealloc
visitor to clean up the alternate.

Commit dbf11922 changed visit_start_alternate to set *obj to NULL
when an error occurs, where it was previously left untouched.
Thus, before the patch, the dealloc visitor is blindly trying to
cleanup whatever branch corresponds to (*obj)->type == 0 (that is,
QTYPE_NONE, because *obj still pointed to zeroed memory), which
selects the default branch of the switch and sets an error, but
this second error is ignored by the way the dealloc visitor is
used; but after the patch, the attempt to switch dereferences NULL.

When cleaning up after a partial object parse, we specifically
check for !*obj after visit_start_struct() (see gen_visit_object());
doing the same for alternates fixes the crash. Enhance the testsuite
to give coverage for both missing struct and missing alternate
members.

Also add an abort - we expect visit_start_alternate() to either set an
error or to set (*obj)->type to a valid QType that corresponds to
actual user input, and QTYPE_NONE should never be reachable from valid
input.  Had the abort() been in place earlier, we might have noticed
the dealloc visitor dereferencing bogus zeroed memory prior to when
commit dbf11922 forced our hand by setting *obj to NULL and causing a
fault.

Test case:

{'execute':'blockdev-add', 'arguments':{'options':{'driver':'raw'}}}

The choice of 'driver':'raw' selects a BlockdevOptionsGenericFormat
struct, which has a mandatory 'file':'BlockdevRef' in QAPI.  Since
'file' is missing as a sibling of 'driver', this should report a
graceful error rather than fault.  After this patch, we are back to:

{"error": {"class": "GenericError", "desc": "Parameter 'file' is missing"}}

Generated code in qapi-visit.c changes as:

|@@ -2444,6 +2444,9 @@ void visit_type_BlockdevRef(Visitor *v,
|     if (err) {
|         goto out;
|     }
|+    if (!*obj) {
|+        goto out_obj;
|+    }
|     switch ((*obj)->type) {
|     case QTYPE_QDICT:
|         visit_start_struct(v, name, NULL, 0, &err);
|@@ -2459,10 +2462,13 @@ void visit_type_BlockdevRef(Visitor *v,
|     case QTYPE_QSTRING:
|         visit_type_str(v, name, &(*obj)->u.reference, &err);
|         break;
|+    case QTYPE_NONE:
|+        abort();
|     default:
|         error_setg(&err, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
|                    "BlockdevRef");
|     }
|+out_obj:
|     visit_end_alternate(v);

Reported by Kashyap Chamarthy <kchamart@redhat.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1466012271-5204-1-git-send-email-eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Kashyap Chamarthy <kchamart@redhat.com>
[Commit message tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>

(cherry picked from commit 9b4e38fe6a35890bb1d995316d7be08de0b30ee5)
Conflicts:
	tests/test-qmp-input-visitor.c

* removed contextual/functional dependencies on 68ab47e

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/qapi-visit.py          |  6 ++++++
 tests/test-qmp-input-visitor.c | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
index 31d2330..6c1c1fb 100644
--- a/scripts/qapi-visit.py
+++ b/scripts/qapi-visit.py
@@ -170,6 +170,9 @@ void visit_type_%(c_name)s(Visitor *v, const char *name, %(c_name)s **obj, Error
     if (err) {
         goto out;
     }
+    if (!*obj) {
+        goto out_obj;
+    }
     switch ((*obj)->type) {
 ''',
                  c_name=c_name(name), promote_int=promote_int)
@@ -203,10 +206,13 @@ void visit_type_%(c_name)s(Visitor *v, const char *name, %(c_name)s **obj, Error
 ''')
 
     ret += mcgen('''
+    case QTYPE_NONE:
+        abort();
     default:
         error_setg(&err, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
                    "%(name)s");
     }
+out_obj:
     visit_end_alternate(v);
 out:
     error_propagate(errp, err);
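Review bot: `case QTYPE_NONE: abort();` turns that branch into a process crash for every visitor, not only the input visitor, and the `!*obj` guard added earlier only covers the NULL case, so a dealloc visit of a zeroed but non-NULL alternate (the pre-dbf11922 situation the commit message describes) now aborts instead of setting an ignored error. That matches the stated intent that QTYPE_NONE is unreachable from valid input, but the generated code should carry a comment saying why the abort is safe, and g_assert_not_reached() would read as intent rather than a bare abort().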
diff --git a/tests/test-qmp-input-visitor.c b/tests/test-qmp-input-visitor.c
index 80527eb..8523283 100644
--- a/tests/test-qmp-input-visitor.c
+++ b/tests/test-qmp-input-visitor.c
@@ -739,6 +739,8 @@ static void test_visitor_in_errors(TestInputVisitorData *data,
     Error *err = NULL;
     Visitor *v;
     strList *q = NULL;
+    UserDefTwo *r = NULL;
+    WrapAlternate *s = NULL;
 
     v = visitor_input_test_init(data, "{ 'integer': false, 'boolean': 'foo', "
                                 "'string': -42 }");
@@ -757,6 +759,18 @@ static void test_visitor_in_errors(TestInputVisitorData *data,
     error_free_or_abort(&err);
     assert(q);
     qapi_free_strList(q);
+
+    v = visitor_input_test_init(data, "{ 'str':'hi' }");
+    visit_type_UserDefTwo(v, NULL, &r, &err);
+    error_free_or_abort(&err);
+    assert(r);
+    qapi_free_UserDefTwo(r);
+
+    v = visitor_input_test_init(data, "{ }");
+    visit_type_WrapAlternate(v, NULL, &s, &err);
+    error_free_or_abort(&err);
+    assert(s);
+    qapi_free_WrapAlternate(s);
 }
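Review bot: the two new cases assert only that `r` and `s` are non-NULL and that some error was set; asserting on the error text (the "Parameter 'file' is missing" shape the commit message quotes) would distinguish the intended graceful failure from an unrelated one. The qapi_free_UserDefTwo() and qapi_free_WrapAlternate() calls are the actual regression test here, since they drive the dealloc visitor over the partially built object, and a comment saying so would help a later reader.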
 
 static void test_visitor_in_wrong_type(TestInputVisitorData *data,
-- 
1.9.1


* [Qemu-devel] [PATCH 36/56] pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Lin Ma, Paolo Bonzini

From: Lin Ma <lma@suse.com>

In function pci_assign_dev_load_option_rom, for those pci devices that don't
have a 'rom' file under sysfs, or if loading the ROM from an external file, the
function returns NULL and won't set the passed 'size' variable.

In these 2 cases, qemu still reports the "Invalid ROM" error message, and users
may be confused by it.

Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvm/pci-assign.c      | 4 ----
 hw/i386/pci-assign-load-rom.c | 3 +++
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index bf425a2..8abce52 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev)
     pci_assign_dev_load_option_rom(&dev->dev, OBJECT(dev), &size,
                                    dev->host.domain, dev->host.bus,
                                    dev->host.slot, dev->host.function);
-
-    if (!size) {
-        error_report("pci-assign: Invalid ROM.");
-    }
 }
diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c
index 4bbb08c..0d8e4b2 100644
--- a/hw/i386/pci-assign-load-rom.c
+++ b/hw/i386/pci-assign-load-rom.c
@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner,
              domain, bus, slot, function);
 
     if (stat(rom_file, &st)) {
+        if (errno != ENOENT) {
+            error_report("pci-assign: Invalid ROM.");
+        }
         return NULL;
     }
 
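Review bot: the message now fires only for stat() failures other than ENOENT, so a ROM file that exists but fails later in pci_assign_dev_load_option_rom (open or read error, zero size) no longer triggers the caller's "Invalid ROM" report that the first hunk removes; please confirm those paths emit their own diagnostics. Also, "Invalid ROM" is misleading for EACCES or EIO; including rom_file and strerror(errno) in the message would tell the user what actually went wrong.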
-- 
1.9.1


* [Qemu-devel] [PATCH 37/56] vfio/pci: Fix VGA quirks
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Alex Williamson

From: Alex Williamson <alex.williamson@redhat.com>

Commit 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic
alloc and consistent functions") converted VFIOPCIDevice.vga to be
dynamically allocated, negating the need for VFIOPCIDevice.has_vga.
Unfortunately not all of the has_vga users were converted, nor was
the field removed from the structure.  Correct these oversights.

Reported-by: Peter Maloney <peter.maloney@brockmann-consult.de>
Tested-by: Peter Maloney <peter.maloney@brockmann-consult.de>
Fixes: 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic alloc and consistent functions")
Fixes: https://bugs.launchpad.net/qemu/+bug/1591628
Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
(cherry picked from commit 4d3fc4fdc6857e33346ed58ae55870f59391ee71)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/vfio/pci-quirks.c | 8 ++++----
 hw/vfio/pci.h        | 1 -
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
index 49ecf11..6624905 100644
--- a/hw/vfio/pci-quirks.c
+++ b/hw/vfio/pci-quirks.c
@@ -315,7 +315,7 @@ static void vfio_probe_ati_bar4_quirk(VFIOPCIDevice *vdev, int nr)
 
     /* This windows doesn't seem to be used except by legacy VGA code */
     if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
-        !vdev->has_vga || nr != 4) {
+        !vdev->vga || nr != 4) {
         return;
     }
 
@@ -363,7 +363,7 @@ static void vfio_probe_ati_bar2_quirk(VFIOPCIDevice *vdev, int nr)
 
     /* Only enable on newer devices where BAR2 is 64bit */
     if (!vfio_pci_is(vdev, PCI_VENDOR_ID_ATI, PCI_ANY_ID) ||
-        !vdev->has_vga || nr != 2 || !vdev->bars[2].mem64) {
+        !vdev->vga || nr != 2 || !vdev->bars[2].mem64) {
         return;
     }
 
@@ -657,7 +657,7 @@ static void vfio_probe_nvidia_bar5_quirk(VFIOPCIDevice *vdev, int nr)
     VFIOConfigWindowQuirk *window;
 
     if (!vfio_pci_is(vdev, PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID) ||
-        !vdev->has_vga || nr != 5) {
+        !vdev->vga || nr != 5) {
         return;
     }
 
@@ -773,7 +773,7 @@ static void vfio_probe_nvidia_bar0_quirk(VFIOPCIDevice *vdev, int nr)
     QLIST_INSERT_HEAD(&vdev->bars[nr].quirks, quirk, next);
 
     /* The 0x1800 offset mirror only seems to get used by legacy VGA */
-    if (vdev->has_vga) {
+    if (vdev->vga) {
         quirk = g_malloc0(sizeof(*quirk));
         mirror = quirk->data = g_malloc0(sizeof(*mirror));
         mirror->mem = quirk->mem = g_new0(MemoryRegion, 1);
diff --git a/hw/vfio/pci.h b/hw/vfio/pci.h
index 3976f68..72174b3 100644
--- a/hw/vfio/pci.h
+++ b/hw/vfio/pci.h
@@ -130,7 +130,6 @@ typedef struct VFIOPCIDevice {
 #define VFIO_FEATURE_ENABLE_REQ (1 << VFIO_FEATURE_ENABLE_REQ_BIT)
     int32_t bootindex;
     uint8_t pm_cap;
-    bool has_vga;
     bool pci_aer;
     bool req_enabled;
     bool has_flr;
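Review bot: removing `has_vga` from VFIOPCIDevice is what turns any leftover reader into a compile error, so this is the right way to close the regression from 2d82f8a3cdb2; the diffstat touches only pci-quirks.c and pci.h, so a build of the whole hw/vfio directory is the check that no other file still references the field. While touching the ATI BAR4 hunk, the context comment "This windows doesn't seem to be used" could become "This window".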
-- 
1.9.1


* [Qemu-devel] [PATCH 38/56] nbd: Allow larger requests
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Kevin Wolf

From: Eric Blake <eblake@redhat.com>

The NBD layer was breaking up request at a limit of 2040 sectors
(just under 1M) to cater to old qemu-nbd. But the server limit
was raised to 32M in commit 2d8214885 to match the kernel, more
than three years ago; and the upstream NBD Protocol is proposing
documentation that without any explicit communication to state
otherwise, a client should be able to safely assume that a 32M
transaction will work.  It is time to rely on the larger sizing,
and any downstream distro that cares about maximum
interoperability to older qemu-nbd servers can just tweak the
value of #define NBD_MAX_SECTORS.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

(cherry picked from commit 476b923c32ece0e268580776aaf1fab4ab4459a8)
Conflicts:
	include/block/nbd.h

* removed context dependency on 943cec86

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/nbd-client.c  | 4 ----
 include/block/nbd.h | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 878e879..6f6df46 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -269,10 +269,6 @@ static int nbd_co_writev_1(BlockDriverState *bs, int64_t sector_num,
     return -reply.error;
 }
 
-/* qemu-nbd has a limit of slightly less than 1M per request.  Try to
- * remain aligned to 4K. */
-#define NBD_MAX_SECTORS 2040
-
 int nbd_client_co_readv(BlockDriverState *bs, int64_t sector_num,
                         int nb_sectors, QEMUIOVector *qiov)
 {
diff --git a/include/block/nbd.h b/include/block/nbd.h
index b86a976..36dde24 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -76,6 +76,7 @@ enum {
 
 /* Maximum size of a single READ/WRITE data buffer */
 #define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
+#define NBD_MAX_SECTORS (NBD_MAX_BUFFER_SIZE / BDRV_SECTOR_SIZE)
 
 ssize_t nbd_wr_syncv(QIOChannel *ioc,
                      struct iovec *iov,
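Review bot: the new NBD_MAX_SECTORS definition references BDRV_SECTOR_SIZE, which include/block/nbd.h does not define itself; since this backport had conflicts in that header, verify it includes the block header providing the macro (or that every user of NBD_MAX_SECTORS already does), otherwise the define works only by accident of include order. With 32M / 512 = 65536 sectors the client no longer splits requests, so a server older than commit 2d8214885 will reject them; the commit message accepts that trade-off, but a comment next to the define pointing at the downstream tweak it mentions would help distros find it.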
-- 
1.9.1


* [Qemu-devel] [PATCH 39/56] scsi-generic: Merge block max xfer len in INQUIRY response
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Fam Zheng, Paolo Bonzini

From: Fam Zheng <famz@redhat.com>

The rationale is similar to the above mode sense response interception:
this is practically the only channel to communicate restraints from
elsewhere such as host and block driver.

The scsi bus we attach onto can have a larger max xfer len than what is
accepted by the host file system (guarding between the host scsi LUN and
QEMU), in which case the SG_IO we generate would get -EINVAL.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1464243305-10661-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 063143d5b1fde0fdcbae30bc7d6d14e76fa607d2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-generic.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 7459465..71372a8 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -222,6 +222,18 @@ static void scsi_read_complete(void * opaque, int ret)
             r->buf[3] |= 0x80;
         }
     }
+    if (s->type == TYPE_DISK &&
+        r->req.cmd.buf[0] == INQUIRY &&
+        r->req.cmd.buf[2] == 0xb0) {
+        uint32_t max_xfer_len = blk_get_max_transfer_length(s->conf.blk);
+        if (max_xfer_len) {
+            stl_be_p(&r->buf[8], max_xfer_len);
+            /* Also take care of the opt xfer len. */
+            if (ldl_be_p(&r->buf[12]) > max_xfer_len) {
+                stl_be_p(&r->buf[12], max_xfer_len);
+            }
+        }
+    }
     scsi_req_data(&r->req, len);
     scsi_req_unref(&r->req);
 }
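Review bot: two logic points on the VPD page 0xb0 rewrite. First, `stl_be_p(&r->buf[8], max_xfer_len)` overwrites whatever maximum the device itself advertised, even when that is smaller than the host limit; writing the minimum of the two preserves a stricter device constraint, as the opt xfer len branch already does. Second, bytes 8 to 15 are written without checking that `len` (the bytes actually returned) covers them, so a truncated page gets values written past the returned data. Note also that blk_get_max_transfer_length() counts 512-byte sectors while page 0xb0 counts logical blocks, so the value needs scaling by s->blocksize (which the following patch in this series addresses).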
-- 
1.9.1


* [Qemu-devel] [PATCH 40/56] scsi: Advertise limits by blocksize, not 512
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Kevin Wolf

From: Eric Blake <eblake@redhat.com>

s->blocksize may be larger than 512, in which case our
tweaks to max_xfer_len and opt_xfer_len must be scaled
appropriately.

CC: qemu-stable@nongnu.org
Reported-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit efaf4781a995aacd22b1dd521b14e4644bafae14)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-generic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 71372a8..c4ba9a4 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -225,7 +225,8 @@ static void scsi_read_complete(void * opaque, int ret)
     if (s->type == TYPE_DISK &&
         r->req.cmd.buf[0] == INQUIRY &&
         r->req.cmd.buf[2] == 0xb0) {
-        uint32_t max_xfer_len = blk_get_max_transfer_length(s->conf.blk);
+        uint32_t max_xfer_len = blk_get_max_transfer_length(s->conf.blk) /
+            (s->blocksize / BDRV_SECTOR_SIZE);
         if (max_xfer_len) {
             stl_be_p(&r->buf[8], max_xfer_len);
             /* Also take care of the opt xfer len. */
-- 
1.9.1


* [Qemu-devel] [PATCH 41/56] target-sparc: fix register corruption in ldstub if there is no write permission
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Artyom Tarasenko, Mark Cave-Ayland

From: Artyom Tarasenko <atar4qemu@gmail.com>

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
(cherry picked from commit b64d2e57e704edbb56ae969de864292dd38379bf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-sparc/translate.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target-sparc/translate.c b/target-sparc/translate.c
index 7998ff5..502510c 100644
--- a/target-sparc/translate.c
+++ b/target-sparc/translate.c
@@ -4668,12 +4668,15 @@ static void disas_sparc_insn(DisasContext * dc, unsigned int insn)
                 case 0xd:       /* ldstub -- XXX: should be atomically */
                     {
                         TCGv r_const;
+                        TCGv tmp = tcg_temp_new();
 
                         gen_address_mask(dc, cpu_addr);
-                        tcg_gen_qemu_ld8u(cpu_val, cpu_addr, dc->mem_idx);
+                        tcg_gen_qemu_ld8u(tmp, cpu_addr, dc->mem_idx);
                         r_const = tcg_const_tl(0xff);
                         tcg_gen_qemu_st8(r_const, cpu_addr, dc->mem_idx);
+                        tcg_gen_mov_tl(cpu_val, tmp);
                         tcg_temp_free(r_const);
+                        tcg_temp_free(tmp);
                     }
                     break;
                 case 0x0f:
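Review bot: the reordering is correct but undocumented: loading into `tmp` first means `cpu_val` (the destination register) is only written by `tcg_gen_mov_tl` after `tcg_gen_qemu_st8` has completed, so a store that faults for lack of write permission no longer leaves a half-updated register behind. A one-line comment above `TCGv tmp = tcg_temp_new();` saying exactly that would keep the next reader from "simplifying" it back to a direct load. The `XXX: should be atomically` remark still applies: load and store remain two separate memory operations.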
-- 
1.9.1


* [Qemu-devel] [PATCH 42/56] virtio: set low features early on load
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Michael S. Tsirkin

From: "Michael S. Tsirkin" <mst@redhat.com>

virtio migrates the low 32 feature bits twice; the first copy is there
for compatibility, but ever since
019a3edbb25f1571e876f8af1ce4c55412939e5d ("virtio: make features 64bit
wide") it's ignored on load. This is wrong since virtio_net_load tests
self announcement and guest offloads before the second copy, including
the high feature bits, is loaded.  This means that self announcement, control
vq and guest offloads are all broken after migration.

Fix it up by loading low feature bits: somewhat ugly since high and low
bits become out of sync temporarily, but seems unavoidable for
compatibility.  The right thing to do for new features is probably to
test the host features, anyway.

Fixes: 019a3edbb25f1571e876f8af1ce4c55412939e5d
    ("virtio: make features 64bit wide")
Cc: qemu-stable@nongnu.org
Reported-by: Robin Geuze <robing@transip.nl>
Tested-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

(cherry picked from commit 62cee1a28aada2cce4b0e1fb835d8fc830aed7ac)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 30ede3d..90f86cf 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1506,6 +1506,16 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int version_id)
     }
     qemu_get_be32s(f, &features);
 
+    /*
+     * Temporarily set guest_features low bits - needed by
+     * virtio net load code testing for VIRTIO_NET_F_CTRL_GUEST_OFFLOADS
+     * VIRTIO_NET_F_GUEST_ANNOUNCE and VIRTIO_NET_F_CTRL_VQ.
+     *
+     * Note: devices should always test host features in future - don't create
+     * new dependencies like this.
+     */
+    vdev->guest_features = features;
+
     config_len = qemu_get_be32(f);
 
     /*
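Review bot: the comment should spell out the side effect of `vdev->guest_features = features;`: `features` is a 32-bit value, so the assignment also clears the high 32 bits of `guest_features` until the full 64-bit copy is loaded later, which is precisely the temporary inconsistency the commit message acknowledges. Any device load callback that runs in that window and tests a high-bit feature will see it as unset, so "devices should always test host features" is a correctness requirement for that window, not merely style advice.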
-- 
1.9.1


* [Qemu-devel] [PATCH 43/56] Revert "virtio-net: unbreak self announcement and guest offloads after migration"
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Michael S. Tsirkin

From: "Michael S. Tsirkin" <mst@redhat.com>

This reverts commit 1f8828ef573c83365b4a87a776daf8bcef1caa21.

Cc: qemu-stable@nongnu.org
Reported-by: Robin Geuze <robing@transip.nl>
Tested-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6c6668232e71b7cf7ff39fa1a7abf660c40f9cea)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 40 +++++++++++++++++-----------------------
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 5798f87..8aaa103 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1542,33 +1542,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
 {
     VirtIONet *n = opaque;
     VirtIODevice *vdev = VIRTIO_DEVICE(n);
-    int ret;
 
     if (version_id < 2 || version_id > VIRTIO_NET_VM_VERSION)
         return -EINVAL;
 
-    ret = virtio_load(vdev, f, version_id);
-    if (ret) {
-        return ret;
-    }
-
-    if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_GUEST_OFFLOADS)) {
-        n->curr_guest_offloads = qemu_get_be64(f);
-    } else {
-        n->curr_guest_offloads = virtio_net_supported_guest_offloads(n);
-    }
-
-    if (peer_has_vnet_hdr(n)) {
-        virtio_net_apply_guest_offloads(n);
-    }
-
-    if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_GUEST_ANNOUNCE) &&
-        virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_VQ)) {
-        n->announce_counter = SELF_ANNOUNCE_ROUNDS;
-        timer_mod(n->announce_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL));
-    }
-
-    return 0;
+    return virtio_load(vdev, f, version_id);
 }
 
 static int virtio_net_load_device(VirtIODevice *vdev, QEMUFile *f,
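Review bot: the commit message gives no rationale beyond "This reverts commit ..."; it should state why moving the offloads and announce handling back into `virtio_net_load_device` is now safe, namely that the feature bits these checks depend on are populated by `virtio_load` before the device callback runs (the purpose of the preceding "virtio: set low features early on load" patch in this series), so the two patches must be applied together and in that order.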
@@ -1665,6 +1643,16 @@ static int virtio_net_load_device(VirtIODevice *vdev, QEMUFile *f,
         }
     }
 
+    if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_GUEST_OFFLOADS)) {
+        n->curr_guest_offloads = qemu_get_be64(f);
+    } else {
+        n->curr_guest_offloads = virtio_net_supported_guest_offloads(n);
+    }
+
+    if (peer_has_vnet_hdr(n)) {
+        virtio_net_apply_guest_offloads(n);
+    }
+
     virtio_net_set_queues(n);
 
     /* Find the first multicast entry in the saved MAC filter */
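Review bot: the `qemu_get_be64(f)` on the `+` lines is conditional on `VIRTIO_NET_F_CTRL_GUEST_OFFLOADS`, so the amount of data consumed from the stream depends on `vdev->guest_features` being correct at this point; if the bit is missing (as it was before the low feature bits were restored early in `virtio_load`), the 8 bytes stay unread and every later field in this function is parsed from the wrong offset. A short comment that this check is a stream-format decision, not only a behaviour switch, would help.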
@@ -1682,6 +1670,12 @@ static int virtio_net_load_device(VirtIODevice *vdev, QEMUFile *f,
         qemu_get_subqueue(n->nic, i)->link_down = link_down;
     }
 
+    if (virtio_vdev_has_feature(vdev, VIRTIO_NET_F_GUEST_ANNOUNCE) &&
+        virtio_vdev_has_feature(vdev, VIRTIO_NET_F_CTRL_VQ)) {
+        n->announce_counter = SELF_ANNOUNCE_ROUNDS;
+        timer_mod(n->announce_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL));
+    }
+
     return 0;
 }
 
-- 
1.9.1


* [Qemu-devel] [PATCH 44/56] s390x/ipl: fix reboots for migration from different bios
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, David Hildenbrand, Cornelia Huck

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

When migrating from a different QEMU version, the start_address and
bios_start_address may differ. During migration these values are migrated
and overwrite the values that were detected by QEMU itself.

On a reboot, QEMU will reload its own BIOS, but use the migrated start
addresses, which does not work if the values differ.

Fix this by not relying on the migrated values anymore, but still
provide them during migration, so existing QEMUs continue to work.

Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit bb0995468a39f14077ceaa8ed5afdca849f00c7c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/s390x/ipl.c | 11 +++++++++--
 hw/s390x/ipl.h |  2 ++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index f104200..3173dcf 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -47,8 +47,8 @@ static const VMStateDescription vmstate_ipl = {
     .version_id = 0,
     .minimum_version_id = 0,
     .fields = (VMStateField[]) {
-        VMSTATE_UINT64(start_addr, S390IPLState),
-        VMSTATE_UINT64(bios_start_addr, S390IPLState),
+        VMSTATE_UINT64(compat_start_addr, S390IPLState),
+        VMSTATE_UINT64(compat_bios_start_addr, S390IPLState),
         VMSTATE_STRUCT(iplb, S390IPLState, 0, vmstate_iplb, IplParameterBlock),
         VMSTATE_BOOL(iplb_valid, S390IPLState),
         VMSTATE_UINT8(cssid, S390IPLState),
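Review bot: renaming the two `VMSTATE_UINT64` fields without bumping `.version_id` is correct only because the wire format (two `uint64_t` in the same order) is unchanged, and that is the whole point of the compat fields; a comment on these two lines saying they exist solely to keep the stream layout stable, and that nothing reads them on the destination, would stop a later cleanup from dropping them and breaking migration to older QEMUs.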
@@ -170,6 +170,13 @@ static void s390_ipl_realize(DeviceState *dev, Error **errp)
             stq_p(rom_ptr(INITRD_PARM_SIZE), initrd_size);
         }
     }
+    /*
+     * Don't ever use the migrated values, they could come from a different
+     * BIOS and therefore don't work. But still migrate the values, so
+     * QEMUs relying on it don't break.
+     */
+    ipl->compat_start_addr = ipl->start_addr;
+    ipl->compat_bios_start_addr = ipl->bios_start_addr;
     qemu_register_reset(qdev_reset_all_fn, dev);
 error:
     error_propagate(errp, err);
diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
index 6b48ed7..0bfb72b 100644
--- a/hw/s390x/ipl.h
+++ b/hw/s390x/ipl.h
@@ -33,7 +33,9 @@ struct S390IPLState {
     /*< private >*/
     DeviceState parent_obj;
     uint64_t start_addr;
+    uint64_t compat_start_addr;
     uint64_t bios_start_addr;
+    uint64_t compat_bios_start_addr;
     bool enforce_bios;
     IplParameterBlock iplb;
     bool iplb_valid;
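Review bot: `compat_start_addr` and `compat_bios_start_addr` are interleaved with the live fields but play a very different role (write-only, kept for migration stream compatibility); grouping the two together under a `/* migration compatibility only, never read */` comment would make that visible at the declaration rather than only in the ipl.c comment.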
-- 
1.9.1


* [Qemu-devel] [PATCH 45/56] blockdev: Fix regression with the default naming of throttling groups
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Alberto Garcia, Max Reitz

From: Alberto Garcia <berto@igalia.com>

When I/O limits are set for a block device, the name of the throttling
group is taken from the BlockBackend if the user doesn't specify one.

Commit efaa7c4eeb7490c6f37f3 moved the naming of the BlockBackend in
blockdev_init() to the end of the function, after I/O limits are set.
The consequence is that the throttling group gets an empty name.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Max Reitz <mreitz@redhat.com>
Cc: qemu-stable@nongnu.org
* backport of ff356ee
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/blockdev.c b/blockdev.c
index f1f520a..260a6f5 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -481,6 +481,7 @@ static BlockBackend *blockdev_init(const char *file, QDict *bs_opts,
     const char *id;
     BlockdevDetectZeroesOptions detect_zeroes =
         BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF;
+    const char *blk_id;
     const char *throttling_group = NULL;
 
     /* Check common options by copying from bs_opts to opts, all other options
@@ -510,6 +511,8 @@ static BlockBackend *blockdev_init(const char *file, QDict *bs_opts,
 
     writethrough = !qemu_opt_get_bool(opts, BDRV_OPT_CACHE_WB, true);
 
+    blk_id = qemu_opts_id(opts);
+
     qdict_extract_subqdict(bs_opts, &interval_dict, "stats-intervals.");
     qdict_array_split(interval_dict, &interval_list);
 
@@ -579,7 +582,7 @@ static BlockBackend *blockdev_init(const char *file, QDict *bs_opts,
 
         if (throttle_enabled(&cfg)) {
             if (!throttling_group) {
-                throttling_group = blk_name(blk);
+                throttling_group = blk_id;
             }
             blk_rs->throttle_group = g_strdup(throttling_group);
             blk_rs->throttle_state = throttle_group_incref(throttling_group);
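Review bot: `throttling_group = blk_id;` assumes `qemu_opts_id(opts)` returned a non-NULL string; unlike `blk_name(blk)`, which produced an empty name, a NULL here is passed straight on to `g_strdup(throttling_group)` and `throttle_group_incref(throttling_group)` on the following lines. If every caller of `blockdev_init` guarantees an id (the later `monitor_add_blk(blk, blk_id, errp)` suggests one is expected), an `assert(blk_id)` next to `blk_id = qemu_opts_id(opts);` would document that; otherwise the fallback needs to be explicit.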
@@ -614,7 +617,7 @@ static BlockBackend *blockdev_init(const char *file, QDict *bs_opts,
         /* disk I/O throttling */
         if (throttle_enabled(&cfg)) {
             if (!throttling_group) {
-                throttling_group = blk_name(blk);
+                throttling_group = blk_id;
             }
             bdrv_io_limits_enable(bs, throttling_group);
             bdrv_set_io_limits(bs, &cfg);
@@ -636,7 +639,7 @@ static BlockBackend *blockdev_init(const char *file, QDict *bs_opts,
     blk_set_enable_write_cache(blk, !writethrough);
     blk_set_on_error(blk, on_read_error, on_write_error);
 
-    if (!monitor_add_blk(blk, qemu_opts_id(opts), errp)) {
+    if (!monitor_add_blk(blk, blk_id, errp)) {
         blk_unref(blk);
         blk = NULL;
         goto err_no_bs_opts;
-- 
1.9.1


* [Qemu-devel] [PATCH 46/56] qemu-iotests: Test naming of throttling groups
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Alberto Garcia

From: Alberto Garcia <berto@igalia.com>

Throttling groups are named using the 'group' parameter of the
block_set_io_throttle command and the throttling.group command-line
option. If that parameter is unspecified the groups get the name of
the block device.

This patch adds a new test to check the naming of throttling groups.

Signed-off-by: Alberto Garcia <berto@igalia.com>
* backport of 435d5ee
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/093     | 98 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/093.out |  4 +-
 2 files changed, 100 insertions(+), 2 deletions(-)

diff --git a/tests/qemu-iotests/093 b/tests/qemu-iotests/093
index ce8e13c..ffcb271 100755
--- a/tests/qemu-iotests/093
+++ b/tests/qemu-iotests/093
@@ -184,5 +184,103 @@ class ThrottleTestCase(iotests.QMPTestCase):
 class ThrottleTestCoroutine(ThrottleTestCase):
     test_img = "null-co://"
 
+class ThrottleTestGroupNames(iotests.QMPTestCase):
+    test_img = "null-aio://"
+    max_drives = 3
+
+    def setUp(self):
+        self.vm = iotests.VM()
+        for i in range(0, self.max_drives):
+            self.vm.add_drive(self.test_img, "throttling.iops-total=100")
+        self.vm.launch()
+
+    def tearDown(self):
+        self.vm.shutdown()
+
+    def set_io_throttle(self, device, params):
+        params["device"] = device
+        result = self.vm.qmp("block_set_io_throttle", conv_keys=False, **params)
+        self.assert_qmp(result, 'return', {})
+
+    def verify_name(self, device, name):
+        result = self.vm.qmp("query-block")
+        for r in result["return"]:
+            if r["device"] == device:
+                info = r["inserted"]
+                if name:
+                    self.assertEqual(info["group"], name)
+                else:
+                    self.assertFalse(info.has_key('group'))
+                return
+
+        raise Exception("No group information found for '%s'" % device)
+
+    def test_group_naming(self):
+        params = {"bps": 0,
+                  "bps_rd": 0,
+                  "bps_wr": 0,
+                  "iops": 0,
+                  "iops_rd": 0,
+                  "iops_wr": 0}
+
+        # Check the drives added using the command line.
+        # The default throttling group name is the device name.
+        for i in range(self.max_drives):
+            devname = "drive%d" % i
+            self.verify_name(devname, devname)
+
+        # Clear throttling settings => the group name is gone.
+        for i in range(self.max_drives):
+            devname = "drive%d" % i
+            self.set_io_throttle(devname, params)
+            self.verify_name(devname, None)
+
+        # Set throttling settings using block_set_io_throttle and
+        # check the default group names.
+        params["iops"] = 10
+        for i in range(self.max_drives):
+            devname = "drive%d" % i
+            self.set_io_throttle(devname, params)
+            self.verify_name(devname, devname)
+
+        # Set a custom group name for each device
+        for i in range(3):
+            devname = "drive%d" % i
+            groupname = "group%d" % i
+            params['group'] = groupname
+            self.set_io_throttle(devname, params)
+            self.verify_name(devname, groupname)
+
+        # Put drive0 in group1 and check that all other devices remain
+        # unchanged
+        params['group'] = 'group1'
+        self.set_io_throttle('drive0', params)
+        self.verify_name('drive0', 'group1')
+        for i in range(1, self.max_drives):
+            devname = "drive%d" % i
+            groupname = "group%d" % i
+            self.verify_name(devname, groupname)
+
+        # Put drive0 in group2 and check that all other devices remain
+        # unchanged
+        params['group'] = 'group2'
+        self.set_io_throttle('drive0', params)
+        self.verify_name('drive0', 'group2')
+        for i in range(1, self.max_drives):
+            devname = "drive%d" % i
+            groupname = "group%d" % i
+            self.verify_name(devname, groupname)
+
+        # Clear throttling settings from drive0 check that all other
+        # devices remain unchanged
+        params["iops"] = 0
+        self.set_io_throttle('drive0', params)
+        self.verify_name('drive0', None)
+        for i in range(1, self.max_drives):
+            devname = "drive%d" % i
+            groupname = "group%d" % i
+            self.verify_name(devname, groupname)
+
+
 if __name__ == '__main__':
     iotests.main(supported_fmts=["raw"])
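Review bot: `self.assertFalse(info.has_key('group'))` in `verify_name` uses `dict.has_key`, which does not exist in Python 3; `self.assertNotIn('group', info)` works on both and gives a more useful failure message. Also, the "Set a custom group name for each device" loop iterates `range(3)` while every other loop uses `self.max_drives`; the hard-coded 3 will silently diverge if `max_drives` is changed.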
diff --git a/tests/qemu-iotests/093.out b/tests/qemu-iotests/093.out
index 89968f3..914e373 100644
--- a/tests/qemu-iotests/093.out
+++ b/tests/qemu-iotests/093.out
@@ -1,5 +1,5 @@
-....
+.....
 ----------------------------------------------------------------------
-Ran 4 tests
+Ran 5 tests
 
 OK
-- 
1.9.1


* [Qemu-devel] [PATCH 47/56] util: Fix MIN_NON_ZERO
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Fam Zheng, Paolo Bonzini

From: Fam Zheng <famz@redhat.com>

MIN_NON_ZERO(1, 0) is evaluated to 0. Rewrite the macro to fix it.

Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1468306113-847-1-git-send-email-famz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d27ba624aa1dfe5c07cc01200d95967ffce905d9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/qemu/osdep.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 783270f..94a1603 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -149,7 +149,8 @@ extern int daemon(int, int);
 /* Minimum function that returns zero only iff both values are zero.
  * Intended for use with unsigned values only. */
 #ifndef MIN_NON_ZERO
-#define MIN_NON_ZERO(a, b) (((a) != 0 && (a) < (b)) ? (a) : (b))
+#define MIN_NON_ZERO(a, b) ((a) == 0 ? (b) : \
+                                ((b) == 0 ? (a) : (MIN(a, b))))
 #endif
 
 /* Round number down to multiple */
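Review bot: the rewritten macro evaluates `a` and `b` more than once (`a` up to three times via the nested `MIN`), so arguments with side effects or expensive calls are evaluated repeatedly; the previous definition had the same property, but the comment above ("Intended for use with unsigned values only") should also say the arguments must be side-effect free. The fix itself is right: `MIN_NON_ZERO(1, 0)` now yields 1, because `(b) == 0` selects `(a)`.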
-- 
1.9.1


* [Qemu-devel] [PATCH 48/56] block/iscsi: fix rounding in iscsi_allocationmap_set
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Peter Lieven, Paolo Bonzini

From: Peter Lieven <pl@kamp.de>

When setting clusters as allocated, the boundaries have
to be expanded. As Paolo pointed out, the calculation of
the number of clusters is wrong:

Suppose cluster_sectors is 2, sector_num = 1, nb_sectors = 6:

In the "mark allocated" case, you want to set 0..8, i.e.
cluster_num=0, nb_clusters=4.

   0--.--2--.--4--.--6--.--8
   <--|_________________|-->  (<--> = expanded)

Instead you are setting nb_clusters=3, so that 6..8 is not marked.

   0--.--2--.--4--.--6--.--8
   <--|______________|!!!     (! = wrong)

Cc: qemu-stable@nongnu.org
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1468831940-15556-2-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit eb36b953e0ebf4129b188a241fbc367062ac2e06)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 172e6cf..0466c30 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -425,12 +425,14 @@ static unsigned long *iscsi_allocationmap_init(IscsiLun *iscsilun)
 static void iscsi_allocationmap_set(IscsiLun *iscsilun, int64_t sector_num,
                                     int nb_sectors)
 {
+    int64_t cluster_num, nb_clusters;
     if (iscsilun->allocationmap == NULL) {
         return;
     }
-    bitmap_set(iscsilun->allocationmap,
-               sector_num / iscsilun->cluster_sectors,
-               DIV_ROUND_UP(nb_sectors, iscsilun->cluster_sectors));
+    cluster_num = sector_num / iscsilun->cluster_sectors;
+    nb_clusters = DIV_ROUND_UP(sector_num + nb_sectors,
+                               iscsilun->cluster_sectors) - cluster_num;
+    bitmap_set(iscsilun->allocationmap, cluster_num, nb_clusters);
 }
 
 static void iscsi_allocationmap_clear(IscsiLun *iscsilun, int64_t sector_num,
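Review bot: the new `nb_clusters` computation rounds the end sector up before subtracting the rounded-down start, which is the outward expansion the commit message describes (cluster_sectors 2, sector_num 1, nb_sectors 6 gives cluster_num 0 and DIV_ROUND_UP(7, 2) - 0 = 4). Two follow-ups: a one-line comment with that example would save the next reader the derivation, and the sibling `iscsi_allocationmap_clear` visible in the trailing context must round the opposite way (inward), since clearing a partially covered cluster would report allocated data as unallocated; worth confirming in the same series.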
-- 
1.9.1


* [Qemu-devel] [PATCH 49/56] Fix some typos found by codespell
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Weil, Michael Tokarev

From: Stefan Weil <sw@weilnetz.de>

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit cb8d4c8f54b8271f642f02382eec29d468bb1c77)
* context prereq for 2cb34749
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 audio/mixeng.c                          |  2 +-
 audio/ossaudio.c                        |  2 +-
 contrib/ivshmem-server/ivshmem-server.h |  2 +-
 docs/specs/rocker.txt                   |  2 +-
 docs/throttle.txt                       |  2 +-
 hw/i2c/imx_i2c.c                        |  2 +-
 hw/net/vmxnet3.c                        |  4 ++--
 hw/pci/msi.c                            |  2 +-
 hw/pci/pci_bridge.c                     |  2 +-
 hw/scsi/spapr_vscsi.c                   |  2 +-
 hw/scsi/vmw_pvscsi.c                    |  2 +-
 hw/timer/a9gtimer.c                     |  2 +-
 hw/timer/aspeed_timer.c                 |  4 ++--
 include/crypto/random.h                 |  2 +-
 include/hw/xen/xen_common.h             |  2 +-
 include/io/task.h                       |  2 +-
 include/qemu/osdep.h                    |  2 +-
 kvm-all.c                               |  2 +-
 migration/migration.c                   |  2 +-
 migration/ram.c                         |  2 +-
 nbd/client.c                            |  2 +-
 qga/channel-win32.c                     |  2 +-
 qga/commands.c                          |  4 ++--
 scripts/checkpatch.pl                   |  2 +-
 slirp/socket.c                          |  2 +-
 target-cris/translate.c                 |  4 ++--
 target-cris/translate_v10.c             |  2 +-
 target-i386/cpu.c                       |  2 +-
 target-i386/cpu.h                       |  2 +-
 target-mips/op_helper.c                 |  2 +-
 target-tricore/translate.c              |  2 +-
 tcg/README                              |  2 +-
 tests/tcg/cris/check_addo.c             | 14 +++++++-------
 trace/simple.c                          |  4 ++--
 ui/cocoa.m                              |  2 +-
 util/timed-average.c                    |  4 ++--
 36 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/audio/mixeng.c b/audio/mixeng.c
index 981b97a..61ef869 100644
--- a/audio/mixeng.c
+++ b/audio/mixeng.c
@@ -270,7 +270,7 @@ f_sample *mixeng_clip[2][2][2][3] = {
  * August 21, 1998
  * Copyright 1998 Fabrice Bellard.
  *
- * [Rewrote completly the code of Lance Norskog And Sundry
+ * [Rewrote completely the code of Lance Norskog And Sundry
  * Contributors with a more efficient algorithm.]
  *
  * This source code is freely redistributable and may be used for
diff --git a/audio/ossaudio.c b/audio/ossaudio.c
index 349e9dd..a0d9cda 100644
--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -898,7 +898,7 @@ static struct audio_option oss_options[] = {
         .name  = "EXCLUSIVE",
         .tag   = AUD_OPT_BOOL,
         .valp  = &glob_conf.exclusive,
-        .descr = "Open device in exclusive mode (vmix wont work)"
+        .descr = "Open device in exclusive mode (vmix won't work)"
     },
 #ifdef USE_DSP_POLICY
     {
diff --git a/contrib/ivshmem-server/ivshmem-server.h b/contrib/ivshmem-server/ivshmem-server.h
index 3851639..d37ca85 100644
--- a/contrib/ivshmem-server/ivshmem-server.h
+++ b/contrib/ivshmem-server/ivshmem-server.h
@@ -15,7 +15,7 @@
  * unix socket. For each client, the server will create some eventfd
  * (see EVENTFD(2)), one per vector. These fd are transmitted to all
  * clients using the SCM_RIGHTS cmsg message. Therefore, each client is
- * able to send a notification to another client without beeing
+ * able to send a notification to another client without being
  * "profixied" by the server.
  *
  * We use this mechanism to send interruptions between guests.
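Review bot: this hunk fixes "beeing" but leaves `"profixied"` on the very next context line, which is also misspelled (presumably "proxified"); since that line is already part of this hunk's context, it could be corrected in the same change.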
diff --git a/docs/specs/rocker.txt b/docs/specs/rocker.txt
index d2a8262..1857b31 100644
--- a/docs/specs/rocker.txt
+++ b/docs/specs/rocker.txt
@@ -303,7 +303,7 @@ Endianness
 ----------
 
 Device registers are hard-coded to little-endian (LE).  The driver should
-convert to/from host endianess to LE for device register accesses.
+convert to/from host endianness to LE for device register accesses.
 
 Descriptors are LE.  Descriptor buffer TLVs will have LE type and length
 fields, but the value field can either be LE or network-byte-order, depending
diff --git a/docs/throttle.txt b/docs/throttle.txt
index 28204e4..06ed9b3 100644
--- a/docs/throttle.txt
+++ b/docs/throttle.txt
@@ -10,7 +10,7 @@ Introduction
 ------------
 QEMU includes a throttling module that can be used to set limits to
 I/O operations. The code itself is generic and independent of the I/O
-units, but it is currenly used to limit the number of bytes per second
+units, but it is currently used to limit the number of bytes per second
 and operations per second (IOPS) when performing disk I/O.
 
 This document explains how to use the throttling code in QEMU, and how
diff --git a/hw/i2c/imx_i2c.c b/hw/i2c/imx_i2c.c
index a01e43e..e19d4fa 100644
--- a/hw/i2c/imx_i2c.c
+++ b/hw/i2c/imx_i2c.c
@@ -247,7 +247,7 @@ static void imx_i2c_write(void *opaque, hwaddr offset,
             if (s->address == ADDR_RESET) {
                 if (i2c_start_transfer(s->bus, extract32(s->i2dr_write, 1, 7),
                                        extract32(s->i2dr_write, 0, 1))) {
-                    /* if non zero is returned, the adress is not valid */
+                    /* if non zero is returned, the address is not valid */
                     s->i2sr |= I2SR_RXAK;
                 } else {
                     s->address = s->i2dr_write;
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 093a71e..20f26b7 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -37,7 +37,7 @@
 #define VMXNET3_MSIX_BAR_SIZE 0x2000
 #define MIN_BUF_SIZE 60
 
-/* Compatability flags for migration */
+/* Compatibility flags for migration */
 #define VMXNET3_COMPAT_FLAG_OLD_MSI_OFFSETS_BIT 0
 #define VMXNET3_COMPAT_FLAG_OLD_MSI_OFFSETS \
     (1 << VMXNET3_COMPAT_FLAG_OLD_MSI_OFFSETS_BIT)
@@ -341,7 +341,7 @@ typedef struct {
         uint32_t mcast_list_len;
         uint32_t mcast_list_buff_size; /* needed for live migration. */
 
-        /* Compatability flags for migration */
+        /* Compatibility flags for migration */
         uint32_t compat_flags;
 } VMXNET3State;
 
diff --git a/hw/pci/msi.c b/hw/pci/msi.c
index e0e64c2..a87ef4d 100644
--- a/hw/pci/msi.c
+++ b/hw/pci/msi.c
@@ -40,7 +40,7 @@
  *
  * Setting this flag to false will remove MSI/MSI-X capability from all devices.
  *
- * It is preferrable for controllers to set this to true (non-broken) even if
+ * It is preferable for controllers to set this to true (non-broken) even if
  * they do not actually support MSI/MSI-X: guests normally probe the controller
  * type and do not attempt to enable MSI/MSI-X with interrupt controllers not
  * supporting such, so removing the capability is not required, and
diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index 3cf30bd..5118ef4 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -116,7 +116,7 @@ pcibus_t pci_bridge_get_base(const PCIDevice *bridge, uint8_t type)
     return base;
 }
 
-/* accessor funciton to get bridge filtering limit */
+/* accessor function to get bridge filtering limit */
 pcibus_t pci_bridge_get_limit(const PCIDevice *bridge, uint8_t type)
 {
     pcibus_t limit;
diff --git a/hw/scsi/spapr_vscsi.c b/hw/scsi/spapr_vscsi.c
index b00edf7..8fbd50f 100644
--- a/hw/scsi/spapr_vscsi.c
+++ b/hw/scsi/spapr_vscsi.c
@@ -698,7 +698,7 @@ static void vscsi_inquiry_no_target(VSCSIState *s, vscsi_req *req)
     uint8_t resp_data[36];
     int rc, len, alen;
 
-    /* We dont do EVPD. Also check that page_code is 0 */
+    /* We don't do EVPD. Also check that page_code is 0 */
     if ((cdb[1] & 0x01) || cdb[2] != 0) {
         /* Send INVALID FIELD IN CDB */
         vscsi_makeup_sense(s, req, ILLEGAL_REQUEST, 0x24, 0);
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index e1d6d06..2d7528d 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -63,7 +63,7 @@ typedef struct PVSCSIClass {
 #define PVSCSI_DEVICE_GET_CLASS(obj) \
     OBJECT_GET_CLASS(PVSCSIClass, (obj), TYPE_PVSCSI)
 
-/* Compatability flags for migration */
+/* Compatibility flags for migration */
 #define PVSCSI_COMPAT_OLD_PCI_CONFIGURATION_BIT 0
 #define PVSCSI_COMPAT_OLD_PCI_CONFIGURATION \
     (1 << PVSCSI_COMPAT_OLD_PCI_CONFIGURATION_BIT)
diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
index afe577c..772f85f 100644
--- a/hw/timer/a9gtimer.c
+++ b/hw/timer/a9gtimer.c
@@ -184,7 +184,7 @@ static void a9_gtimer_write(void *opaque, hwaddr addr, uint64_t value,
     case R_COUNTER_LO:
         /*
          * Keep it simple - ARM docco explicitly says to disable timer before
-         * modding it, so dont bother trying to do all the difficult on the fly
+         * modding it, so don't bother trying to do all the difficult on the fly
          * timer modifications - (if they even work in real hardware??).
          */
         if (s->control & R_CONTROL_TIMER_ENABLE) {
diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index 51e8303..ebec359 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -187,7 +187,7 @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
 }
 
 /* Control register operations are broken out into helpers that can be
- * explictly called on aspeed_timer_reset(), but also from
+ * explicitly called on aspeed_timer_reset(), but also from
  * aspeed_timer_ctrl_op().
  */
 
@@ -380,7 +380,7 @@ static void aspeed_timer_reset(DeviceState *dev)
 
     for (i = 0; i < ASPEED_TIMER_NR_TIMERS; i++) {
         AspeedTimer *t = &s->timers[i];
-        /* Explictly call helpers to avoid any conditional behaviour through
+        /* Explicitly call helpers to avoid any conditional behaviour through
          * aspeed_timer_set_ctrl().
          */
         aspeed_timer_ctrl_enable(t, false);
diff --git a/include/crypto/random.h b/include/crypto/random.h
index b3021c4..f9308f4 100644
--- a/include/crypto/random.h
+++ b/include/crypto/random.h
@@ -34,7 +34,7 @@
  * Fill @buf with @buflen bytes of cryptographically strong
  * random data
  *
- * Returns 0 on sucess, -1 on error
+ * Returns 0 on success, -1 on error
  */
 int qcrypto_random_bytes(uint8_t *buf,
                          size_t buflen,
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index bd65e67..7b52e8f 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -26,7 +26,7 @@
  * We don't support Xen prior to 4.2.0.
  */
 
-/* Xen 4.2 thru 4.6 */
+/* Xen 4.2 through 4.6 */
 #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 471
 
 typedef xc_interface xenforeignmemory_handle;
diff --git a/include/io/task.h b/include/io/task.h
index 2e69d8a..a993212 100644
--- a/include/io/task.h
+++ b/include/io/task.h
@@ -219,7 +219,7 @@ void qio_task_run_in_thread(QIOTask *task,
  * qio_task_complete:
  * @task: the task struct
  *
- * Mark the operation as succesfully completed
+ * Mark the operation as successfully completed
  * and free the memory for @task.
  */
 void qio_task_complete(QIOTask *task);
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 94a1603..af83b1a 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -313,7 +313,7 @@ static inline void qemu_timersub(const struct timeval *val1,
 void qemu_set_cloexec(int fd);
 
 /* QEMU "hardware version" setting. Used to replace code that exposed
- * QEMU_VERSION to guests in the past and need to keep compatibilty.
+ * QEMU_VERSION to guests in the past and need to keep compatibility.
  * Do not use qemu_hw_version() in new code.
  */
 void qemu_set_hw_version(const char *);
diff --git a/kvm-all.c b/kvm-all.c
index e7b66df..f9ae8f9 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -413,7 +413,7 @@ static int kvm_physical_sync_dirty_bitmap(KVMMemoryListener *kml,
          * userspace memory corruption (which is not detectable by valgrind
          * too, in most cases).
          * So for now, let's align to 64 instead of HOST_LONG_BITS here, in
-         * a hope that sizeof(long) wont become >8 any time soon.
+         * a hope that sizeof(long) won't become >8 any time soon.
          */
         size = ALIGN(((mem->memory_size) >> TARGET_PAGE_BITS),
                      /*HOST_LONG_BITS*/ 64) / 8;
diff --git a/migration/migration.c b/migration/migration.c
index 6cecc35..4369e27 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -278,7 +278,7 @@ static void deferred_incoming_migration(Error **errp)
 void migrate_send_rp_req_pages(MigrationIncomingState *mis, const char *rbname,
                                ram_addr_t start, size_t len)
 {
-    uint8_t bufc[12 + 1 + 255]; /* start (8), len (4), rbname upto 256 */
+    uint8_t bufc[12 + 1 + 255]; /* start (8), len (4), rbname up to 256 */
     size_t msglen = 12; /* start + len */
 
     *(uint64_t *)bufc = cpu_to_be64((uint64_t)start);
diff --git a/migration/ram.c b/migration/ram.c
index 3f05738..88fbffc 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1272,7 +1272,7 @@ static int ram_save_target_page(MigrationState *ms, QEMUFile *f,
 }
 
 /**
- * ram_save_host_page: Starting at *offset send pages upto the end
+ * ram_save_host_page: Starting at *offset send pages up to the end
  *                     of the current host page.  It's valid for the initial
  *                     offset to point into the middle of a host page
  *                     in which case the remainder of the hostpage is sent.
diff --git a/nbd/client.c b/nbd/client.c
index 48f2a21..31b88f3 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -373,7 +373,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     length = be32_to_cpu(length);
     if (length != 0) {
-        error_setg(errp, "Start TLS reponse was not zero %x",
+        error_setg(errp, "Start TLS response was not zero %x",
                    length);
         return NULL;
     }
diff --git a/qga/channel-win32.c b/qga/channel-win32.c
index bb59661..68168d1 100644
--- a/qga/channel-win32.c
+++ b/qga/channel-win32.c
@@ -77,7 +77,7 @@ static gboolean ga_channel_prepare(GSource *source, gint *timeout_ms)
     }
 
 out:
-    /* dont block forever, iterate the main loop every once and a while */
+    /* don't block forever, iterate the main loop every once in a while */
     *timeout_ms = 500;
     /* if there's data in the read buffer, or another event is pending,
      * skip polling and issue user cb.
diff --git a/qga/commands.c b/qga/commands.c
index b653a46..3144464 100644
--- a/qga/commands.c
+++ b/qga/commands.c
@@ -182,8 +182,8 @@ GuestExecStatus *qmp_guest_exec_status(int64_t pid, Error **err)
          */
 #ifdef G_OS_WIN32
         /* Additionally WIN32 does not provide any additional information
-         * on whetherthe child exited or terminated via signal.
-         * We use this simple range check to distingish application exit code
+         * on whether the child exited or terminated via signal.
+         * We use this simple range check to distinguish application exit code
          * (usually value less then 256) and unhandled exception code with
          * ntstatus (always value greater then 0xC0000005). */
         if ((uint32_t)gei->status < 0xC0000000U) {
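Review bot: the two context lines right after the changed ones still carry the same class of typo this codespell sweep is fixing, "value less then 256" and "value greater then 0xC0000005"; change both "then" to "than" while this comment is being touched. The comment's threshold also disagrees with the code it describes: it says 0xC0000005 while the check below compares against 0xC0000000U, so pick one value so the comment matches the condition.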
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c9554ba..c939a32 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -363,7 +363,7 @@ sub sanitise_line {
 	for ($off = 1; $off < length($line); $off++) {
 		$c = substr($line, $off, 1);
 
-		# Comments we are wacking completly including the begin
+		# Comments we are wacking completely including the begin
 		# and end, all to $;.
 		if ($sanitise_quote eq '' && substr($line, $off, 2) eq '/*') {
 			$sanitise_quote = '*/';
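Review bot: "wacking" on the changed line is itself a misspelling ("whacking") that codespell did not flag; since the line is already being rewritten, fix it in the same pass rather than leaving a half-corrected comment.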
diff --git a/slirp/socket.c b/slirp/socket.c
index a10eff1..b336586 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -206,7 +206,7 @@ soread(struct socket *so)
 	 * We don't test for <= 0 this time, because there legitimately
 	 * might not be any more data (since the socket is non-blocking),
 	 * a close will be detected on next iteration.
-	 * A return of -1 wont (shouldn't) happen, since it didn't happen above
+	 * A return of -1 won't (shouldn't) happen, since it didn't happen above
 	 */
 	if (n == 2 && nn == iov[0].iov_len) {
             int ret;
diff --git a/target-cris/translate.c b/target-cris/translate.c
index a73176c..5227f65 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -3049,7 +3049,7 @@ static unsigned int crisv32_decoder(CPUCRISState *env, DisasContext *dc)
  *
  * When the software returns from an exception, the branch will re-execute.
  * On QEMU care needs to be taken when a branch+delayslot sequence is broken
- * and the branch and delayslot dont share pages.
+ * and the branch and delayslot don't share pages.
  *
  * The TB contaning the branch insn will set up env->btarget and evaluate 
  * env->btaken. When the translation loop exits we will note that the branch 
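Review bot: "The TB contaning the branch insn" on the context line following the change is another typo ("containing") in the same comment block, and both of those context lines end in trailing whitespace; worth cleaning up while this comment is being edited.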
@@ -3238,7 +3238,7 @@ void gen_intermediate_code(CPUCRISState *env, struct TranslationBlock *tb)
         }
 
         /* If we are rexecuting a branch due to exceptions on
-           delay slots dont break.  */
+           delay slots don't break.  */
         if (!(tb->pc & 1) && cs->singlestep_enabled) {
             break;
         }
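Review bot: "rexecuting" on the context line above the change is also misspelled ("re-executing"); since this hunk already rewrites the second line of that two-line comment, fix the first line too.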
diff --git a/target-cris/translate_v10.c b/target-cris/translate_v10.c
index 7607ead..06ba1ef 100644
--- a/target-cris/translate_v10.c
+++ b/target-cris/translate_v10.c
@@ -130,7 +130,7 @@ static void cris_set_prefix(DisasContext *dc)
     dc->tb_flags |= PFIX_FLAG;
     tcg_gen_ori_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], PFIX_FLAG);
 
-    /* prefix insns dont clear the x flag.  */
+    /* prefix insns don't clear the x flag.  */
     dc->clear_x = 0;
     cris_lock_irq(dc);
 }
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index d0b5b69..da5d081 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -2523,7 +2523,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
 
         /* The Linux kernel checks for the CMPLegacy bit and
          * discards multiple thread information if it is set.
-         * So dont set it here for Intel to make Linux guests happy.
+         * So don't set it here for Intel to make Linux guests happy.
          */
         if (cs->nr_cores * cs->nr_threads > 1) {
             if (env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1 ||
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 732eb6d..ea86758 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -1366,7 +1366,7 @@ void cpu_report_tpr_access(CPUX86State *env, TPRAccess access);
  * If value is NULL, no default will be set and the original
  * value from the CPU model table will be kept.
  *
- * It is valid to call this funciton only for properties that
+ * It is valid to call this function only for properties that
  * are already present in the kvm_default_props table.
  */
 void x86_cpu_change_kvm_default(const char *prop, const char *value);
diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index 4417e6b..ba847ab 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -581,7 +581,7 @@ static bool mips_vp_is_wfi(MIPSCPU *c)
 
 static inline void mips_vpe_wake(MIPSCPU *c)
 {
-    /* Dont set ->halted = 0 directly, let it be done via cpu_has_work
+    /* Don't set ->halted = 0 directly, let it be done via cpu_has_work
        because there might be other conditions that state that c should
        be sleeping.  */
     cpu_interrupt(CPU(c), CPU_INTERRUPT_WAKE);
diff --git a/target-tricore/translate.c b/target-tricore/translate.c
index 912bf22..26e86d6 100644
--- a/target-tricore/translate.c
+++ b/target-tricore/translate.c
@@ -2858,7 +2858,7 @@ static void gen_shaci(TCGv ret, TCGv r1, int32_t shift_count)
     } else if (shift_count == -32) {
         /* set PSW.C */
         tcg_gen_mov_tl(cpu_PSW_C, r1);
-        /* fill ret completly with sign bit */
+        /* fill ret completely with sign bit */
         tcg_gen_sari_tl(ret, r1, 31);
         /* clear PSW.V */
         tcg_gen_movi_tl(cpu_PSW_V, 0);
diff --git a/tcg/README b/tcg/README
index f4a8ac1..ce8beba 100644
--- a/tcg/README
+++ b/tcg/README
@@ -473,7 +473,7 @@ On a 32 bit target, all 64 bit operations are converted to 32 bits. A
 few specific operations must be implemented to allow it (see add2_i32,
 sub2_i32, brcond2_i32).
 
-On a 64 bit target, the values are transfered between 32 and 64-bit
+On a 64 bit target, the values are transferred between 32 and 64-bit
 registers using the following ops:
 - trunc_shr_i64_i32
 - ext_i32_i64
diff --git a/tests/tcg/cris/check_addo.c b/tests/tcg/cris/check_addo.c
index 3d8e789..4235e5f 100644
--- a/tests/tcg/cris/check_addo.c
+++ b/tests/tcg/cris/check_addo.c
@@ -51,7 +51,7 @@ int main(void)
 	t = (unsigned char *)x;
 	t -= 32768;
 	p = (unsigned char *) &y.v1;
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_pi_d(p, t);
@@ -62,7 +62,7 @@ int main(void)
 
 
 	t += 32770;
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_pi_w(p, t);
@@ -71,7 +71,7 @@ int main(void)
 	if (*r != 0x4455aa77)
 		err();
 
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_d(p, r);
@@ -81,7 +81,7 @@ int main(void)
 	if (*r != 0xee19ccff)
 		err();
 
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_pi_b(p, t);
@@ -90,7 +90,7 @@ int main(void)
 	if (*(uint16_t*)r != 0xff22)
 		err();
 
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_b(p, r);
@@ -100,7 +100,7 @@ int main(void)
 	if (*r != 0x4455aa77)
 		err();
 
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_w(p, r);
@@ -110,7 +110,7 @@ int main(void)
 	if (*r != 0xff224455)
 		err();
 
-	mb(); /* dont reorder anything beyond here.  */
+	mb(); /* don't reorder anything beyond here.  */
 	cris_tst_cc_init();
 	asm volatile ("setf\tzvnc\n");
 	cris_addo_pi_d(p, t);
diff --git a/trace/simple.c b/trace/simple.c
index 3fdcc82..2f09daf 100644
--- a/trace/simple.c
+++ b/trace/simple.c
@@ -108,7 +108,7 @@ static bool get_trace_record(unsigned int idx, TraceRecord **recordptr)
     smp_rmb(); /* read memory barrier before accessing record */
     /* read the record header to know record length */
     read_from_buffer(idx, &record, sizeof(TraceRecord));
-    *recordptr = malloc(record.length); /* dont use g_malloc, can deadlock when traced */
+    *recordptr = malloc(record.length); /* don't use g_malloc, can deadlock when traced */
     /* make a copy of record to avoid being overwritten */
     read_from_buffer(idx, *recordptr, record.length);
     smp_rmb(); /* memory barrier before clearing valid flag */
@@ -180,7 +180,7 @@ static gpointer writeout_thread(gpointer opaque)
         while (get_trace_record(idx, &recordptr)) {
             unused = fwrite(recordptr, recordptr->length, 1, trace_fp);
             writeout_idx += recordptr->length;
-            free(recordptr); /* dont use g_free, can deadlock when traced */
+            free(recordptr); /* don't use g_free, can deadlock when traced */
             idx = writeout_idx % TRACE_BUF_LEN;
         }
 
diff --git a/ui/cocoa.m b/ui/cocoa.m
index 60a7c07..36c6bf0 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -1394,7 +1394,7 @@ static void addRemovableDevicesMenuItems(void)
     [menuItem setEnabled: NO];
     [menu addItem: menuItem];
 
-    /* Loop thru all the block devices in the emulator */
+    /* Loop through all the block devices in the emulator */
     while (currentDevice) {
         deviceName = [[NSString stringWithFormat: @"%s", currentDevice->value->device] retain];
 
diff --git a/util/timed-average.c b/util/timed-average.c
index 2eef9cb..2b49d53 100644
--- a/util/timed-average.c
+++ b/util/timed-average.c
@@ -8,9 +8,9 @@
  *   Benoît Canet <benoit.canet@nodalink.com>
  *   Alberto Garcia <berto@igalia.com>
  *
- * This program is free sofware: you can redistribute it and/or modify
+ * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Sofware Foundation, either version 2 of the License, or
+ * the Free Software Foundation, either version 2 of the License, or
  * (at your option) version 3 or any later version.
  *
  * This program is distributed in the hope that it will be useful,
-- 
1.9.1


* [Qemu-devel] [PATCH 50/56] nbd: More debug typo fixes, use correct formats
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Paolo Bonzini

From: Eric Blake <eblake@redhat.com>

Clean up some debug message oddities missed earlier; this includes
some typos, and recognizing that %d is not necessarily compatible
with uint32_t. Also add a couple messages that I found useful
while debugging things.

Signed-off-by: Eric Blake <eblake@redhat.com>

Message-Id: <1463006384-7734-3-git-send-email-eblake@redhat.com>
[Do not use PRIx16, clang complains. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

(cherry picked from commit 2cb347493c5a0c3634dc13942ba65fdcefbcd34b)
* context prereq for 7423f41
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 nbd/client.c | 41 ++++++++++++++++++++++-------------------
 nbd/server.c | 48 +++++++++++++++++++++++++++---------------------
 2 files changed, 49 insertions(+), 40 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 31b88f3..42e4e52 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -109,25 +109,27 @@ static int nbd_handle_reply_err(QIOChannel *ioc, uint32_t opt, uint32_t type,
 
     switch (type) {
     case NBD_REP_ERR_UNSUP:
-        TRACE("server doesn't understand request %d, attempting fallback",
-              opt);
+        TRACE("server doesn't understand request %" PRIx32
+              ", attempting fallback", opt);
         result = 0;
         goto cleanup;
 
     case NBD_REP_ERR_POLICY:
-        error_setg(errp, "Denied by server for option %x", opt);
+        error_setg(errp, "Denied by server for option %" PRIx32, opt);
         break;
 
     case NBD_REP_ERR_INVALID:
-        error_setg(errp, "Invalid data length for option %x", opt);
+        error_setg(errp, "Invalid data length for option %" PRIx32, opt);
         break;
 
     case NBD_REP_ERR_TLS_REQD:
-        error_setg(errp, "TLS negotiation required before option %x", opt);
+        error_setg(errp, "TLS negotiation required before option %" PRIx32,
+                   opt);
         break;
 
     default:
-        error_setg(errp, "Unknown error code when asking for option %x", opt);
+        error_setg(errp, "Unknown error code when asking for option %" PRIx32,
+                   opt);
         break;
     }
 
@@ -165,7 +167,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
     }
     opt = be32_to_cpu(opt);
     if (opt != NBD_OPT_LIST) {
-        error_setg(errp, "Unexpected option type %x expected %x",
+        error_setg(errp, "Unexpected option type %" PRIx32 " expected %x",
                    opt, NBD_OPT_LIST);
         return -1;
     }
@@ -207,7 +209,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
             return -1;
         }
         if (namelen > 255) {
-            error_setg(errp, "export name length too long %d", namelen);
+            error_setg(errp, "export name length too long %" PRIu32, namelen);
             return -1;
         }
 
@@ -234,7 +236,7 @@ static int nbd_receive_list(QIOChannel *ioc, char **name, Error **errp)
             g_free(buf);
         }
     } else {
-        error_setg(errp, "Unexpected reply type %x expected %x",
+        error_setg(errp, "Unexpected reply type %" PRIx32 " expected %x",
                    type, NBD_REP_SERVER);
         return -1;
     }
@@ -349,7 +351,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     opt = be32_to_cpu(opt);
     if (opt != NBD_OPT_STARTTLS) {
-        error_setg(errp, "Unexpected option type %x expected %x",
+        error_setg(errp, "Unexpected option type %" PRIx32 " expected %x",
                    opt, NBD_OPT_STARTTLS);
         return NULL;
     }
@@ -361,7 +363,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     type = be32_to_cpu(type);
     if (type != NBD_REP_ACK) {
-        error_setg(errp, "Server rejected request to start TLS %x",
+        error_setg(errp, "Server rejected request to start TLS %" PRIx32,
                    type);
         return NULL;
     }
@@ -373,7 +375,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
     }
     length = be32_to_cpu(length);
     if (length != 0) {
-        error_setg(errp, "Start TLS response was not zero %x",
+        error_setg(errp, "Start TLS response was not zero %" PRIu32,
                    length);
         return NULL;
     }
@@ -384,7 +386,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
         return NULL;
     }
     data.loop = g_main_loop_new(g_main_context_default(), FALSE);
-    TRACE("Starting TLS hanshake");
+    TRACE("Starting TLS handshake");
     qio_channel_tls_handshake(tioc,
                               nbd_tls_handshake,
                               &data,
@@ -474,7 +476,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
         }
         globalflags = be16_to_cpu(globalflags);
         *flags = globalflags << 16;
-        TRACE("Global flags are %x", globalflags);
+        TRACE("Global flags are %" PRIx32, globalflags);
         if (globalflags & NBD_FLAG_FIXED_NEWSTYLE) {
             fixedNewStyle = true;
             TRACE("Server supports fixed new style");
@@ -550,7 +552,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
         }
         exportflags = be16_to_cpu(exportflags);
         *flags |= exportflags;
-        TRACE("Export flags are %x", exportflags);
+        TRACE("Export flags are %" PRIx16, exportflags);
     } else if (magic == NBD_CLIENT_MAGIC) {
         if (name) {
             error_setg(errp, "Server does not support export names");
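Review bot: the two flag traces in this patch are inconsistent with each other and with the commit message. Both globalflags and exportflags are uint16_t (each comes from be16_to_cpu), yet the earlier hunk prints globalflags with PRIx32 while this one prints exportflags with PRIx16, and the stable note says "Do not use PRIx16, clang complains". Either drop PRIx16 here as well and print both with PRIx32 (the default promotion to int makes that safe), or keep PRIx16 for both and amend the note.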
@@ -683,7 +685,8 @@ ssize_t nbd_send_request(QIOChannel *ioc, struct nbd_request *request)
     ssize_t ret;
 
     TRACE("Sending request to server: "
-          "{ .from = %" PRIu64", .len = %u, .handle = %" PRIu64", .type=%i}",
+          "{ .from = %" PRIu64", .len = %" PRIu32 ", .handle = %" PRIu64
+          ", .type=%" PRIu16 " }",
           request->from, request->len, request->handle, request->type);
 
     cpu_to_be32w((uint32_t*)buf, NBD_REQUEST_MAGIC);
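Review bot: `.type=%" PRIu16` does not match how request->type is treated elsewhere in this same patch: the server-side nbd_receive_request hunk fills the request from 32-bit fields and prints .type with PRIx32. Use PRIu32 here (or PRIx32, so client and server traces show the type in the same radix) rather than a 16-bit specifier for a 32-bit field.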
@@ -732,12 +735,12 @@ ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply *reply)
 
     reply->error = nbd_errno_to_system_errno(reply->error);
 
-    TRACE("Got reply: "
-          "{ magic = 0x%x, .error = %d, handle = %" PRIu64" }",
+    TRACE("Got reply: { magic = 0x%" PRIx32 ", .error = % " PRId32
+          ", handle = %" PRIu64" }",
           magic, reply->error, reply->handle);
 
     if (magic != NBD_REPLY_MAGIC) {
-        LOG("invalid magic (got 0x%x)", magic);
+        LOG("invalid magic (got 0x%" PRIx32 ")", magic);
         return -EINVAL;
     }
     return 0;
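Review bot: the new format string contains a stray space inside the conversion, `".error = % " PRId32`, which expands to `% d`. That is the printf space flag (pad positive values with a blank), not a compile error, so it will silently produce ".error =  0" for successful replies; it should read `".error = %" PRId32`.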
diff --git a/nbd/server.c b/nbd/server.c
index cc4bda3..6d3773f 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -196,7 +196,7 @@ static int nbd_negotiate_send_rep(QIOChannel *ioc, uint32_t type, uint32_t opt)
     uint64_t magic;
     uint32_t len;
 
-    TRACE("Reply opt=%x type=%x", type, opt);
+    TRACE("Reply opt=%" PRIx32 " type=%" PRIx32, type, opt);
 
     magic = cpu_to_be64(NBD_REP_MAGIC);
     if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) {
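Review bot: the argument order still does not match the labels. The message reads `opt=... type=...` but the arguments are `type, opt`, so the trace prints the reply type under the "opt" label and vice versa. The original line had the same mismatch; since the line is being rewritten for format correctness anyway, swap the labels (or the arguments) so the trace is trustworthy when debugging option negotiation.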
@@ -226,7 +226,7 @@ static int nbd_negotiate_send_rep_list(QIOChannel *ioc, NBDExport *exp)
     uint64_t magic, name_len;
     uint32_t opt, type, len;
 
-    TRACE("Advertizing export name '%s'", exp->name ? exp->name : "");
+    TRACE("Advertising export name '%s'", exp->name ? exp->name : "");
     name_len = strlen(exp->name);
     magic = cpu_to_be64(NBD_REP_MAGIC);
     if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) {
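Review bot: the TRACE on the changed line guards against a NULL export name (`exp->name ? exp->name : ""`), but the very next context line calls `strlen(exp->name)` unguarded. Either exp->name cannot be NULL here, in which case the ternary is dead and can go, or it can, in which case the strlen needs the same protection; the two adjacent lines should agree.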
@@ -392,12 +392,12 @@ static int nbd_negotiate_options(NBDClient *client)
     TRACE("Checking client flags");
     be32_to_cpus(&flags);
     if (flags & NBD_FLAG_C_FIXED_NEWSTYLE) {
-        TRACE("Support supports fixed newstyle handshake");
+        TRACE("Client supports fixed newstyle handshake");
         fixedNewstyle = true;
         flags &= ~NBD_FLAG_C_FIXED_NEWSTYLE;
     }
     if (flags != 0) {
-        TRACE("Unknown client flags 0x%x received", flags);
+        TRACE("Unknown client flags 0x%" PRIx32 " received", flags);
         return -EIO;
     }
 
@@ -431,12 +431,12 @@ static int nbd_negotiate_options(NBDClient *client)
         }
         length = be32_to_cpu(length);
 
-        TRACE("Checking option 0x%x", clientflags);
+        TRACE("Checking option 0x%" PRIx32, clientflags);
         if (client->tlscreds &&
             client->ioc == (QIOChannel *)client->sioc) {
             QIOChannel *tioc;
             if (!fixedNewstyle) {
-                TRACE("Unsupported option 0x%x", clientflags);
+                TRACE("Unsupported option 0x%" PRIx32, clientflags);
                 return -EINVAL;
             }
             switch (clientflags) {
@@ -455,7 +455,8 @@ static int nbd_negotiate_options(NBDClient *client)
                 return -EINVAL;
 
             default:
-                TRACE("Option 0x%x not permitted before TLS", clientflags);
+                TRACE("Option 0x%" PRIx32 " not permitted before TLS",
+                      clientflags);
                 if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
                     return -EIO;
                 }
@@ -493,7 +494,7 @@ static int nbd_negotiate_options(NBDClient *client)
                 }
                 break;
             default:
-                TRACE("Unsupported option 0x%x", clientflags);
+                TRACE("Unsupported option 0x%" PRIx32, clientflags);
                 if (nbd_negotiate_drop_sync(client->ioc, length) != length) {
                     return -EIO;
                 }
@@ -511,7 +512,7 @@ static int nbd_negotiate_options(NBDClient *client)
                 return nbd_negotiate_handle_export_name(client, length);
 
             default:
-                TRACE("Unsupported option 0x%x", clientflags);
+                TRACE("Unsupported option 0x%" PRIx32, clientflags);
                 return -EINVAL;
             }
         }
@@ -560,6 +561,8 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
     oldStyle = client->exp != NULL && !client->tlscreds;
     if (oldStyle) {
         assert ((client->exp->nbdflags & ~65535) == 0);
+        TRACE("advertising size %" PRIu64 " and flags %x",
+              client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 8, NBD_CLIENT_MAGIC);
         stq_be_p(buf + 16, client->exp->size);
         stw_be_p(buf + 26, client->exp->nbdflags | myflags);
@@ -589,6 +592,8 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
         }
 
         assert ((client->exp->nbdflags & ~65535) == 0);
+        TRACE("advertising size %" PRIu64 " and flags %x",
+              client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 18, client->exp->size);
         stw_be_p(buf + 26, client->exp->nbdflags | myflags);
         if (nbd_negotiate_write(client->ioc, buf + 18, sizeof(buf) - 18) !=
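Review bot: this TRACE is identical to the one added in the oldStyle branch in the previous hunk, so a reader of the trace output cannot tell which handshake path advertised the export. Tag the two messages ("oldstyle" / "newstyle") or hoist the assert-plus-TRACE pair into a small helper instead of duplicating it.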
@@ -652,12 +657,12 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, struct nbd_request *request)
     request->from  = be64_to_cpup((uint64_t*)(buf + 16));
     request->len   = be32_to_cpup((uint32_t*)(buf + 24));
 
-    TRACE("Got request: "
-          "{ magic = 0x%x, .type = %d, from = %" PRIu64" , len = %u }",
+    TRACE("Got request: { magic = 0x%" PRIx32 ", .type = %" PRIx32
+          ", from = %" PRIu64 " , len = %" PRIu32 " }",
           magic, request->type, request->from, request->len);
 
     if (magic != NBD_REQUEST_MAGIC) {
-        LOG("invalid magic (got 0x%x)", magic);
+        LOG("invalid magic (got 0x%" PRIx32 ")", magic);
         return -EINVAL;
     }
     return 0;
@@ -670,7 +675,8 @@ static ssize_t nbd_send_reply(QIOChannel *ioc, struct nbd_reply *reply)
 
     reply->error = system_errno_to_nbd_errno(reply->error);
 
-    TRACE("Sending response to client: { .error = %d, handle = %" PRIu64 " }",
+    TRACE("Sending response to client: { .error = %" PRId32
+          ", handle = %" PRIu64 " }",
           reply->error, reply->handle);
 
     /* Reply
@@ -999,7 +1005,7 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
     command = request->type & NBD_CMD_MASK_COMMAND;
     if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) {
         if (request->len > NBD_MAX_BUFFER_SIZE) {
-            LOG("len (%u) is larger than max len (%u)",
+            LOG("len (%" PRIu32" ) is larger than max len (%u)",
                 request->len, NBD_MAX_BUFFER_SIZE);
             rc = -EINVAL;
             goto out;
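
Review bot: `"len (%" PRIu32" ) is larger ..."` places the space inside the parenthesis, so the message renders as `len (123 )`; it should be `"len (%" PRIu32 ") is larger than max len (%u)"`.
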
@@ -1012,7 +1018,7 @@ static ssize_t nbd_co_receive_request(NBDRequest *req, struct nbd_request *reque
         }
     }
     if (command == NBD_CMD_WRITE) {
-        TRACE("Reading %u byte(s)", request->len);
+        TRACE("Reading %" PRIu32 " byte(s)", request->len);
 
         if (read_sync(client->ioc, req->data, request->len) != request->len) {
             LOG("reading from socket failed");
@@ -1062,10 +1068,10 @@ static void nbd_trip(void *opaque)
     }
     command = request.type & NBD_CMD_MASK_COMMAND;
     if (command != NBD_CMD_DISC && (request.from + request.len) > exp->size) {
-            LOG("From: %" PRIu64 ", Len: %u, Size: %" PRIu64
-            ", Offset: %" PRIu64 "\n",
-                    request.from, request.len,
-                    (uint64_t)exp->size, (uint64_t)exp->dev_offset);
+            LOG("From: %" PRIu64 ", Len: %" PRIu32", Size: %" PRIu64
+                ", Offset: %" PRIu64 "\n",
+                request.from, request.len,
+                (uint64_t)exp->size, (uint64_t)exp->dev_offset);
         LOG("requested operation past EOF--bad client?");
         goto invalid_request;
     }
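
Review bot: the hunk only re-indents the LOG, but the condition it sits under, `(request.from + request.len) > exp->size`, can wrap: `request.from` is a uint64_t taken straight from the wire, so a value near UINT64_MAX plus a small `len` sums to a small number, passes the check, and reaches the I/O path with an offset beyond the export. The non-wrapping form is `request.from > exp->size || request.len > exp->size - request.from`; since this is the bounds check for every READ/WRITE/TRIM, it deserves its own fix rather than being left in a formatting patch.
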
@@ -1099,7 +1105,7 @@ static void nbd_trip(void *opaque)
             goto error_reply;
         }
 
-        TRACE("Read %u byte(s)", request.len);
+        TRACE("Read %" PRIu32" byte(s)", request.len);
         if (nbd_co_send_reply(req, &reply, request.len) < 0)
             goto out;
         break;
@@ -1173,7 +1179,7 @@ static void nbd_trip(void *opaque)
         }
         break;
     default:
-        LOG("invalid request type (%u) received", request.type);
+        LOG("invalid request type (%" PRIu32 ") received", request.type);
     invalid_request:
         reply.error = EINVAL;
     error_reply:
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 62+ messages in thread

* [Qemu-devel] [PATCH 51/56] nbd: Don't use *_to_cpup() functions
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (49 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 50/56] nbd: More debug typo fixes, use correct formats Michael Roth
@ 2016-08-08 21:04 ` Michael Roth
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 52/56] nbd: Limit nbdflags to 16 bits Michael Roth
                   ` (7 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Peter Maydell, Paolo Bonzini

From: Peter Maydell <peter.maydell@linaro.org>

The *_to_cpup() functions are not very useful, as they simply do
a pointer dereference and then a *_to_cpu(). Instead use either:
 * ld*_*_p(), if the data is at an address that might not be
   correctly aligned for the load
 * a local dereference and *_to_cpu(), if the pointer is
   the correct type and known to be correctly aligned

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <1465570836-22211-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 773dce3c7286a66c37f7b07994177faf7046bfa8)
* context prereq for 7423f417
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 nbd/client.c |  8 ++++----
 nbd/server.c | 10 +++++-----
 qemu-nbd.c   |  4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 42e4e52..e72befd 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -574,7 +574,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
             error_setg(errp, "Failed to read export flags");
             goto fail;
         }
-        *flags = be32_to_cpup(flags);
+        *flags = be32_to_cpu(*flags);
     } else {
         error_setg(errp, "Bad magic received");
         goto fail;
@@ -729,9 +729,9 @@ ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply *reply)
        [ 7 .. 15]    handle
      */
 
-    magic = be32_to_cpup((uint32_t*)buf);
-    reply->error  = be32_to_cpup((uint32_t*)(buf + 4));
-    reply->handle = be64_to_cpup((uint64_t*)(buf + 8));
+    magic = ldl_be_p(buf);
+    reply->error  = ldl_be_p(buf + 4);
+    reply->handle = ldq_be_p(buf + 8);
 
     reply->error = nbd_errno_to_system_errno(reply->error);
 
diff --git a/nbd/server.c b/nbd/server.c
index 6d3773f..2fc6d74 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -651,11 +651,11 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, struct nbd_request *request)
        [24 .. 27]   len
      */
 
-    magic = be32_to_cpup((uint32_t*)buf);
-    request->type  = be32_to_cpup((uint32_t*)(buf + 4));
-    request->handle = be64_to_cpup((uint64_t*)(buf + 8));
-    request->from  = be64_to_cpup((uint64_t*)(buf + 16));
-    request->len   = be32_to_cpup((uint32_t*)(buf + 24));
+    magic = ldl_be_p(buf);
+    request->type   = ldl_be_p(buf + 4);
+    request->handle = ldq_be_p(buf + 8);
+    request->from   = ldq_be_p(buf + 16);
+    request->len    = ldl_be_p(buf + 24);
 
     TRACE("Got request: { magic = 0x%" PRIx32 ", .type = %" PRIx32
           ", from = %" PRIu64 " , len = %" PRIu32 " }",
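
Review bot: alignment nit: the four `request->` assignments were re-padded but `magic = ldl_be_p(buf);` directly above keeps the old spacing; either align all five or leave the padding untouched to keep the diff minimal. The same applies to the nbd_receive_reply hunk in nbd/client.c. Functionally the change is right: `buf` is a byte array and the comment above documents a byte layout, so the old `(uint32_t*)`/`(uint64_t*)` casts were unaligned dereferences that only worked by accident.
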
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c55b40f..114d82f 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -151,8 +151,8 @@ static void read_partition(uint8_t *p, struct partition_record *r)
     r->end_cylinder = p[7] | ((p[6] << 2) & 0x300);
     r->end_sector = p[6] & 0x3f;
 
-    r->start_sector_abs = le32_to_cpup((uint32_t *)(p +  8));
-    r->nb_sectors_abs   = le32_to_cpup((uint32_t *)(p + 12));
+    r->start_sector_abs = ldl_le_p(p + 8);
+    r->nb_sectors_abs   = ldl_le_p(p + 12);
 }
 
 static int find_partition(BlockBackend *blk, int partition,
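
Review bot: `ldl_le_p(p + 8)` is the right helper here: `p` points into a raw 16-byte MBR partition entry, so `p + 8` and `p + 12` are not guaranteed to be 4-byte aligned, and the old `(uint32_t *)` casts were both an aliasing violation and a trap on architectures that fault on unaligned loads. No behavioural change on x86.
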
-- 
1.9.1
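The two nbd patches above (50/56 and 51/56) touch the same 28-byte request header: one fixes the log formats around the parse and the range check, the other replaces the pointer-cast loads with `ld*_be_p()`. The following is an added, self-contained C example, not QEMU's code, that shows the same parse done with byte-wise big-endian loads (hypothetical helpers `ld32_be`/`ld64_be` standing in for `ldl_be_p`/`ldq_be_p`) and a range check written so that `from + len` cannot wrap. `struct nbd_req`, `check_constructed_request` and the sample headers are constructed for the example; the request magic value is the NBD protocol's constant, which the page names but does not spell out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Request magic as defined by the NBD protocol (the value is not on the page). */
#define NBD_REQUEST_MAGIC 0x25609513u

/* Hypothetical mirror of the fields QEMU keeps in struct nbd_request. */
struct nbd_req {
    uint32_t type;
    uint64_t handle;
    uint64_t from;
    uint32_t len;
};

/* Byte-wise big-endian loads and stores: portable stand-ins for QEMU's
 * ldl_be_p/ldq_be_p and stl_be_p/stq_be_p. They never cast the byte
 * buffer to a wider pointer, so alignment of buf is irrelevant. */
static uint32_t ld32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t ld64_be(const uint8_t *p)
{
    return ((uint64_t)ld32_be(p) << 32) | ld32_be(p + 4);
}

static void st32_be(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

static void st64_be(uint8_t *p, uint64_t v)
{
    st32_be(p, (uint32_t)(v >> 32));
    st32_be(p + 4, (uint32_t)v);
}

/* Parse the header with the layout used by nbd_receive_request():
 *   [ 0 ..  3] magic   [ 4 ..  7] type   [ 8 .. 15] handle
 *   [16 .. 23] from    [24 .. 27] len
 * Returns 0 on success, -EINVAL on a bad magic. */
int parse_nbd_request(const uint8_t buf[28], struct nbd_req *req)
{
    if (ld32_be(buf) != NBD_REQUEST_MAGIC) {
        return -EINVAL;
    }
    req->type   = ld32_be(buf + 4);
    req->handle = ld64_be(buf + 8);
    req->from   = ld64_be(buf + 16);
    req->len    = ld32_be(buf + 24);
    return 0;
}

/* Range check that cannot wrap: "from + len > size" is unsafe because
 * from is a wire-supplied uint64_t and the addition may overflow. */
int nbd_request_in_bounds(const struct nbd_req *req, uint64_t export_size)
{
    return req->from <= export_size && req->len <= export_size - req->from;
}

/* Build a constructed header, parse it and check it against an export size.
 * Returns 0, -EINVAL (bad magic) or -ERANGE (request extends past the end). */
int check_constructed_request(uint32_t magic, uint64_t from, uint32_t len,
                              uint64_t export_size)
{
    uint8_t buf[28];
    struct nbd_req req;
    int rc;

    st32_be(buf, magic);
    st32_be(buf + 4, 0);                       /* type 0: a read */
    st64_be(buf + 8, 0x1122334455667788ull);   /* handle: arbitrary cookie */
    st64_be(buf + 16, from);
    st32_be(buf + 24, len);

    rc = parse_nbd_request(buf, &req);
    if (rc < 0) {
        return rc;
    }
    return nbd_request_in_bounds(&req, export_size) ? 0 : -ERANGE;
}

int main(void)
{
    uint64_t size = 1u << 20;   /* a 1 MiB export */

    printf("in range:    %d\n", check_constructed_request(NBD_REQUEST_MAGIC, 4096, 512, size));
    printf("past EOF:    %d\n", check_constructed_request(NBD_REQUEST_MAGIC, size - 100, 512, size));
    printf("wrap-around: %d\n", check_constructed_request(NBD_REQUEST_MAGIC, UINT64_MAX - 10, 512, size));
    printf("bad magic:   %d\n", check_constructed_request(0xdeadbeefu, 0, 0, size));
    return 0;
}
```

The third call is the case the additive check in nbd_trip() would miss: `UINT64_MAX - 10 + 512` wraps to a small value, whereas the two-part comparison rejects it because `from` alone already exceeds the export size.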


* [Qemu-devel] [PATCH 52/56] nbd: Limit nbdflags to 16 bits
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (50 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 51/56] nbd: Don't use *_to_cpup() functions Michael Roth
@ 2016-08-08 21:04 ` Michael Roth
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 53/56] pcie: fix link active status bit migration Michael Roth
                   ` (6 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Eric Blake, Paolo Bonzini

From: Eric Blake <eblake@redhat.com>

Rather than asserting that nbdflags is within range, just give
it the correct type to begin with :)  nbdflags corresponds to
the per-export portion of NBD Protocol "transmission flags", which
is 16 bits in response to NBD_OPT_EXPORT_NAME and NBD_OPT_GO.

Furthermore, upstream NBD has never passed the global flags to
the kernel via ioctl(NBD_SET_FLAGS) (the ioctl was first
introduced in NBD 2.9.22; then a latent bug in NBD 3.1 actually
tried to OR the global flags with the transmission flags, with
the disaster that the addition of NBD_FLAG_NO_ZEROES in 3.9
caused all earlier NBD 3.x clients to treat every export as
read-only; NBD 3.10 and later intentionally clip things to 16
bits to pass only transmission flags).  Qemu should follow suit,
since the current two global flags (NBD_FLAG_FIXED_NEWSTYLE
and NBD_FLAG_NO_ZEROES) have no impact on the kernel's behavior
during transmission.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>

Message-Id: <1469129688-22848-3-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7423f417827146f956df820f172d0bf80a489495)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/nbd-client.h  |  2 +-
 include/block/nbd.h |  6 +++---
 nbd/client.c        | 28 +++++++++++++++-------------
 nbd/server.c        | 10 ++++------
 qemu-nbd.c          |  4 ++--
 5 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/block/nbd-client.h b/block/nbd-client.h
index bc7aec0..1243612 100644
--- a/block/nbd-client.h
+++ b/block/nbd-client.h
@@ -20,7 +20,7 @@
 typedef struct NbdClientSession {
     QIOChannelSocket *sioc; /* The master data channel */
     QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
-    uint32_t nbdflags;
+    uint16_t nbdflags;
     off_t size;
 
     CoMutex send_mutex;
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 36dde24..fde4421 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -84,11 +84,11 @@ ssize_t nbd_wr_syncv(QIOChannel *ioc,
                      size_t offset,
                      size_t length,
                      bool do_read);
-int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
+int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags,
                           QCryptoTLSCreds *tlscreds, const char *hostname,
                           QIOChannel **outioc,
                           off_t *size, Error **errp);
-int nbd_init(int fd, QIOChannelSocket *sioc, uint32_t flags, off_t size);
+int nbd_init(int fd, QIOChannelSocket *sioc, uint16_t flags, off_t size);
 ssize_t nbd_send_request(QIOChannel *ioc, struct nbd_request *request);
 ssize_t nbd_receive_reply(QIOChannel *ioc, struct nbd_reply *reply);
 int nbd_client(int fd);
@@ -98,7 +98,7 @@ typedef struct NBDExport NBDExport;
 typedef struct NBDClient NBDClient;
 
 NBDExport *nbd_export_new(BlockBackend *blk, off_t dev_offset, off_t size,
-                          uint32_t nbdflags, void (*close)(NBDExport *),
+                          uint16_t nbdflags, void (*close)(NBDExport *),
                           Error **errp);
 void nbd_export_close(NBDExport *exp);
 void nbd_export_get(NBDExport *exp);
diff --git a/nbd/client.c b/nbd/client.c
index e72befd..1a01b6c 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -406,7 +406,7 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
 }
 
 
-int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
+int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags,
                           QCryptoTLSCreds *tlscreds, const char *hostname,
                           QIOChannel **outioc,
                           off_t *size, Error **errp)
@@ -466,7 +466,6 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
         uint32_t opt;
         uint32_t namesize;
         uint16_t globalflags;
-        uint16_t exportflags;
         bool fixedNewStyle = false;
 
         if (read_sync(ioc, &globalflags, sizeof(globalflags)) !=
@@ -475,7 +474,6 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
             goto fail;
         }
         globalflags = be16_to_cpu(globalflags);
-        *flags = globalflags << 16;
         TRACE("Global flags are %" PRIx32, globalflags);
         if (globalflags & NBD_FLAG_FIXED_NEWSTYLE) {
             fixedNewStyle = true;
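
Review bot: with `*flags = globalflags << 16` removed, the TRACE directly below still formats `globalflags`, a uint16_t, with PRIx32. Integer promotion makes it work, but PRIx16 states the width and matches the `PRIx16` this patch uses for `*flags` in its later TRACE.
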
@@ -543,17 +541,15 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
             goto fail;
         }
         *size = be64_to_cpu(s);
-        TRACE("Size is %" PRIu64, *size);
 
-        if (read_sync(ioc, &exportflags, sizeof(exportflags)) !=
-            sizeof(exportflags)) {
+        if (read_sync(ioc, flags, sizeof(*flags)) != sizeof(*flags)) {
             error_setg(errp, "Failed to read export flags");
             goto fail;
         }
-        exportflags = be16_to_cpu(exportflags);
-        *flags |= exportflags;
-        TRACE("Export flags are %" PRIx16, exportflags);
+        be16_to_cpus(flags);
     } else if (magic == NBD_CLIENT_MAGIC) {
+        uint32_t oldflags;
+
         if (name) {
             error_setg(errp, "Server does not support export names");
             goto fail;
@@ -570,16 +566,22 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint32_t *flags,
         *size = be64_to_cpu(s);
         TRACE("Size is %" PRIu64, *size);
 
-        if (read_sync(ioc, flags, sizeof(*flags)) != sizeof(*flags)) {
+        if (read_sync(ioc, &oldflags, sizeof(oldflags)) != sizeof(oldflags)) {
             error_setg(errp, "Failed to read export flags");
             goto fail;
         }
-        *flags = be32_to_cpu(*flags);
+        be32_to_cpus(&oldflags);
+        if (oldflags & ~0xffff) {
+            error_setg(errp, "Unexpected export flags %0x" PRIx32, oldflags);
+            goto fail;
+        }
+        *flags = oldflags;
     } else {
         error_setg(errp, "Bad magic received");
         goto fail;
     }
 
+    TRACE("Size is %" PRIu64 ", export flags %" PRIx16, *size, *flags);
     if (read_sync(ioc, &buf, 124) != 124) {
         error_setg(errp, "Failed to read reserved block");
         goto fail;
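
Review bot: the format string on the new `error_setg` line is `"%0x" PRIx32`, which expands to `"%0xx"`: a `%0x` conversion followed by a literal `x`, so the message reads e.g. `Unexpected export flags 10000x`. It should be `"0x%" PRIx32`. The check itself is the right move: rejecting old-style flags with bits above 16 set avoids silently truncating them on the `*flags = oldflags` assignment now that `flags` is a uint16_t.
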
@@ -591,7 +593,7 @@ fail:
 }
 
 #ifdef __linux__
-int nbd_init(int fd, QIOChannelSocket *sioc, uint32_t flags, off_t size)
+int nbd_init(int fd, QIOChannelSocket *sioc, uint16_t flags, off_t size)
 {
     TRACE("Setting NBD socket");
 
@@ -668,7 +670,7 @@ int nbd_client(int fd)
     return ret;
 }
 #else
-int nbd_init(int fd, QIOChannelSocket *ioc, uint32_t flags, off_t size)
+int nbd_init(int fd, QIOChannelSocket *ioc, uint16_t flags, off_t size)
 {
     return -ENOTSUP;
 }
diff --git a/nbd/server.c b/nbd/server.c
index 2fc6d74..6f83beb 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -62,7 +62,7 @@ struct NBDExport {
     char *name;
     off_t dev_offset;
     off_t size;
-    uint32_t nbdflags;
+    uint16_t nbdflags;
     QTAILQ_HEAD(, NBDClient) clients;
     QTAILQ_ENTRY(NBDExport) next;
 
@@ -529,8 +529,8 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
     NBDClient *client = data->client;
     char buf[8 + 8 + 8 + 128];
     int rc;
-    const int myflags = (NBD_FLAG_HAS_FLAGS | NBD_FLAG_SEND_TRIM |
-                         NBD_FLAG_SEND_FLUSH | NBD_FLAG_SEND_FUA);
+    const uint16_t myflags = (NBD_FLAG_HAS_FLAGS | NBD_FLAG_SEND_TRIM |
+                              NBD_FLAG_SEND_FLUSH | NBD_FLAG_SEND_FUA);
     bool oldStyle;
 
     /* Old style negotiation header without options
@@ -560,7 +560,6 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
 
     oldStyle = client->exp != NULL && !client->tlscreds;
     if (oldStyle) {
-        assert ((client->exp->nbdflags & ~65535) == 0);
         TRACE("advertising size %" PRIu64 " and flags %x",
               client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 8, NBD_CLIENT_MAGIC);
@@ -591,7 +590,6 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
             goto fail;
         }
 
-        assert ((client->exp->nbdflags & ~65535) == 0);
         TRACE("advertising size %" PRIu64 " and flags %x",
               client->exp->size, client->exp->nbdflags | myflags);
         stq_be_p(buf + 18, client->exp->size);
@@ -813,7 +811,7 @@ static void nbd_eject_notifier(Notifier *n, void *data)
 }
 
 NBDExport *nbd_export_new(BlockBackend *blk, off_t dev_offset, off_t size,
-                          uint32_t nbdflags, void (*close)(NBDExport *),
+                          uint16_t nbdflags, void (*close)(NBDExport *),
                           Error **errp)
 {
     NBDExport *exp = g_malloc0(sizeof(NBDExport));
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 114d82f..6dea6d6 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -241,7 +241,7 @@ static void *nbd_client_thread(void *arg)
 {
     char *device = arg;
     off_t size;
-    uint32_t nbdflags;
+    uint16_t nbdflags;
     QIOChannelSocket *sioc;
     int fd;
     int ret;
@@ -455,7 +455,7 @@ int main(int argc, char **argv)
     BlockBackend *blk;
     BlockDriverState *bs;
     off_t dev_offset = 0;
-    uint32_t nbdflags = 0;
+    uint16_t nbdflags = 0;
     bool disconnect = false;
     const char *bindto = "0.0.0.0";
     const char *port = NULL;
-- 
1.9.1


* [Qemu-devel] [PATCH 53/56] pcie: fix link active status bit migration
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (51 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 52/56] nbd: Limit nbdflags to 16 bits Michael Roth
@ 2016-08-08 21:04 ` Michael Roth
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 54/56] target-i386: fix typo in xsetbv implementation Michael Roth
                   ` (5 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Michael S. Tsirkin, Benjamin Herrenschmidt

From: "Michael S. Tsirkin" <mst@redhat.com>

We changed the link status register in the pci express endpoint capability
over time. Specifically,

commit b2101eae63ea57b571cee4a9075a4287d24ba4a4 ("pcie: Set the "link
active" in the link status register") set data link layer link active
bit in this register without adding compatibility to old machine types.

When migrating from qemu 2.3 and older this affects xhci devices which
under machine type 2.0 and older have a pci express endpoint capability
even if they are on a pci bus.

Add compatibility flags to make this bit value match what it was under
2.3.

Additionally, to avoid breaking migration from qemu 2.3 and up,
suppress checking link status during migration: this seems sane
since hardware can change link status at any time.

https://bugzilla.redhat.com/show_bug.cgi?id=1352860

Reported-by: Gerd Hoffmann <kraxel@redhat.com>
Fixes: b2101eae63ea57b571cee4a9075a4287d24ba4a4
    ("pcie: Set the "link active" in the link status register")
Cc: qemu-stable@nongnu.org
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

(cherry picked from commit 6b4495401bdf442457b713b7e3994b465c55af35)
Conflicts:
	hw/pci/pcie.c

* removed functional dependency on 6383292

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pci.c         |  2 ++
 hw/pci/pcie.c        | 15 ++++++++++++++-
 include/hw/compat.h  |  4 ++++
 include/hw/pci/pci.h |  3 +++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index bb605ef..616f04c 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -62,6 +62,8 @@ static Property pci_props[] = {
                     QEMU_PCI_CAP_MULTIFUNCTION_BITNR, false),
     DEFINE_PROP_BIT("command_serr_enable", PCIDevice, cap_present,
                     QEMU_PCI_CAP_SERR_BITNR, true),
+    DEFINE_PROP_BIT("x-pcie-lnksta-dllla", PCIDevice, cap_present,
+                    QEMU_PCIE_LNKSTA_DLLLA_BITNR, true),
     DEFINE_PROP_END_OF_LIST()
 };
 
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index 728386a..c85b4f7 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -47,6 +47,7 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t type, uint8_t port)
 {
     int pos;
     uint8_t *exp_cap;
+    uint8_t *cmask;
 
     assert(pci_is_express(dev));
 
@@ -57,6 +58,7 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t type, uint8_t port)
     }
     dev->exp.exp_cap = pos;
     exp_cap = dev->config + pos;
+    cmask = dev->cmask + pos;
 
     /* capability register
        interrupt message number defaults to 0 */
@@ -80,7 +82,18 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t type, uint8_t port)
                  PCI_EXP_LNK_LS_25);
 
     pci_set_word(exp_cap + PCI_EXP_LNKSTA,
-                 PCI_EXP_LNK_MLW_1 | PCI_EXP_LNK_LS_25 |PCI_EXP_LNKSTA_DLLLA);
+                 PCI_EXP_LNK_MLW_1 | PCI_EXP_LNK_LS_25);
+
+    if (dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
+        pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
+                                   PCI_EXP_LNKSTA_DLLLA);
+    }
+
+    /* We changed link status bits over time, and changing them across
+     * migrations is generally fine as hardware changes them too.
+     * Let's not bother checking.
+     */
+    pci_set_word(cmask + PCI_EXP_LNKSTA, 0);
 
     pci_set_long(exp_cap + PCI_EXP_DEVCAP2,
                  PCI_EXP_DEVCAP2_EFF | PCI_EXP_DEVCAP2_EETLPP);
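
Review bot: `pci_set_word(cmask + PCI_EXP_LNKSTA, 0)` clears the migration check mask for the whole 16-bit Link Status word, not only the DLLLA bit. The comment says that is intended, but it also means a mismatch in any other LNKSTA field (negotiated width, speed) is no longer caught at migration time. If only the link-active bit is meant to be exempt, clear just that bit with `pci_word_test_and_clear_mask(cmask + PCI_EXP_LNKSTA, PCI_EXP_LNKSTA_DLLLA)` and keep the rest of the word checked.
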
diff --git a/include/hw/compat.h b/include/hw/compat.h
index a5dbbf8..81fc19b 100644
--- a/include/hw/compat.h
+++ b/include/hw/compat.h
@@ -73,6 +73,10 @@
         .driver   = "virtio-rng-pci",\
         .property = "any_layout",\
         .value    = "off",\
+    },{\
+        .driver   = TYPE_PCI_DEVICE,\
+        .property = "x-pcie-lnksta-dllla",\
+        .value    = "off",\
     },
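
Review bot: the hunk header `@@ -73,6 +73,10 @@` carries no macro name, so it is not visible here which HW_COMPAT_* block receives the new entry; since `#define HW_COMPAT_2_2` follows immediately, this should be the tail of HW_COMPAT_2_3, which is what the commit message ("match what it was under 2.3") requires. Worth confirming explicitly, because an entry in the wrong compat macro silently flips the bit for the wrong set of machine types. Note also that `.driver = TYPE_PCI_DEVICE` needs hw/pci/pci.h visible wherever this macro is expanded.
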
 
 #define HW_COMPAT_2_2 \
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index ef6ba51..e7f2df5 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -173,6 +173,9 @@ enum {
     /* PCI Express capability - Power Controller Present */
 #define QEMU_PCIE_SLTCAP_PCP_BITNR 7
     QEMU_PCIE_SLTCAP_PCP = (1 << QEMU_PCIE_SLTCAP_PCP_BITNR),
+    /* Link active status in endpoint capability is always set */
+#define QEMU_PCIE_LNKSTA_DLLLA_BITNR 8
+    QEMU_PCIE_LNKSTA_DLLLA = (1 << QEMU_PCIE_LNKSTA_DLLLA_BITNR),
 };
 
 #define TYPE_PCI_DEVICE "pci-device"
-- 
1.9.1


* [Qemu-devel] [PATCH 54/56] target-i386: fix typo in xsetbv implementation
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (52 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 53/56] pcie: fix link active status bit migration Michael Roth
@ 2016-08-08 21:04 ` Michael Roth
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size Michael Roth
                   ` (4 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Dave Hansen, Eduardo Habkost, Paolo Bonzini

From: Dave Hansen <dave.hansen@linux.intel.com>

QEMU 2.6 added support for the XSAVE family of instructions, which
includes the XSETBV instruction which allows setting the XCR0
register.

But, when booting Linux kernels with XSAVE support enabled, I was
getting very early crashes where the instruction pointer was set
to 0x3.  I tracked it down to a jump instruction generated by this:

        gen_jmp_im(s->pc - pc_start);

where s->pc is pointing to the instruction after XSETBV and pc_start
is pointing _at_ XSETBV.  Subtract the two and you get 0x3.  Whoops.

The fix is to replace this typo with the pattern found everywhere
else in the file when folks want to end the translation buffer.

Richard Henderson confirmed that this is a bug and that this is the
correct fix.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: qemu-stable@nongnu.org
Cc: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ba03584f4f88082368b2562e515c3d60421b68ce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index 69760b4..922347c 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -7170,7 +7170,7 @@ static target_ulong disas_insn(CPUX86State *env, DisasContext *s,
             tcg_gen_trunc_tl_i32(cpu_tmp2_i32, cpu_regs[R_ECX]);
             gen_helper_xsetbv(cpu_env, cpu_tmp2_i32, cpu_tmp1_i64);
             /* End TB because translation flags may change.  */
-            gen_jmp_im(s->pc - pc_start);
+            gen_jmp_im(s->pc - s->cs_base);
             gen_eob(s);
             break;
 
-- 
1.9.1


* [Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (53 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 54/56] target-i386: fix typo in xsetbv implementation Michael Roth
@ 2016-08-08 21:04 ` Michael Roth
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset Michael Roth
                   ` (3 subsequent siblings)
  58 siblings, 0 replies; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, Stefan Hajnoczi

From: Stefan Hajnoczi <stefanha@redhat.com>

A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.

In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:

  1. The driver places the buffer into free descriptor(s) in the
     descriptor table, chaining as necessary

and

  Note that the above code does not take precautions against the
  available ring buffer wrapping around: this is not possible since the
  ring buffer is the same size as the descriptor table, so step (1) will
  prevent such a condition.

This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.

QEMU is missing the check to prevent this case.  Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.

Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 90f86cf..8ed260a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
 
     max = vq->vring.num;
 
+    if (vq->inuse >= vq->vring.num) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
+
     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
         vring_set_avail_event(vq, vq->last_avail_idx);
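
Review bot: `exit(1)` terminates the whole QEMU process on a guest-controlled condition, so the unbounded allocation becomes a guest-triggered shutdown of the VM. That is a defensible trade-off for a stable backport (the allocation is now bounded and the bad guest is visible), but a device-level failure that marks the device broken and stops processing the queue would confine the damage to the offending device. Two smaller points: `max` already holds `vq->vring.num` on the line above, so compare against `max`; and this check makes exact `inuse` accounting mandatory: any device path that pops an element and then neither pushes nor discards it (reset, error paths) will now hit this exit with a well-behaved guest.
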
-- 
1.9.1
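The point of the virtio patch above is an accounting invariant: elements popped from the ring but not yet returned may never exceed the ring size, so a device that enforces `inuse < num` bounds its allocations no matter what the guest does. The following is an added C model of that invariant, not QEMU's code: `struct vq_model`, `vq_pop`, `vq_push`, `vq_discard` and the two simulated guests are constructed for the example, and the refusal returns an error to the caller instead of calling `exit(1)`, so the caller can fail the device rather than the process.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical device-side model of a virtqueue (not QEMU's VirtQueue).
 * num is the ring size; inuse counts elements popped but not yet returned. */
struct vq_model {
    unsigned num;
    unsigned inuse;
    unsigned peak_inuse;     /* high-water mark: shows allocation is bounded */
    unsigned last_avail_idx;
};

struct vq_elem {
    unsigned head;           /* descriptor index; payload omitted */
};

/* Pop the next available element. Once inuse reaches num the guest must
 * have reused descriptors (forbidden by VIRTIO 1.0 section 3.2.1), so
 * refuse with -EINVAL before allocating anything. */
struct vq_elem *vq_pop(struct vq_model *vq, int *err)
{
    struct vq_elem *elem;

    if (vq->inuse >= vq->num) {
        *err = -EINVAL;
        return NULL;
    }
    elem = calloc(1, sizeof(*elem));
    if (!elem) {
        *err = -ENOMEM;
        return NULL;
    }
    elem->head = vq->last_avail_idx++ % vq->num;
    vq->inuse++;
    if (vq->inuse > vq->peak_inuse) {
        vq->peak_inuse = vq->inuse;
    }
    *err = 0;
    return elem;
}

/* Every popped element must come back through push (completed) or discard
 * (e.g. on reset); otherwise inuse leaks and a correct guest eventually
 * trips the check in vq_pop. */
void vq_push(struct vq_model *vq, struct vq_elem *elem)
{
    vq->inuse--;
    free(elem);
}

void vq_discard(struct vq_model *vq, struct vq_elem *elem)
{
    vq_push(vq, elem);       /* same accounting, no completion written */
}

/* A misbehaving guest: queues `requests` without waiting for completion.
 * Returns how many the device accepted; *peak (if non-NULL) gets the
 * maximum number of elements that were allocated at once. */
unsigned flood_without_completion(unsigned num, unsigned requests, unsigned *peak)
{
    struct vq_model vq = { .num = num };
    struct vq_elem **inflight = calloc(num, sizeof(*inflight));
    unsigned accepted = 0, i;
    int err;

    for (i = 0; i < requests; i++) {
        struct vq_elem *e = vq_pop(&vq, &err);
        if (!e) {
            break;           /* -EINVAL: ring exceeded, stop feeding it */
        }
        inflight[accepted++] = e;   /* accepted < num is guaranteed by vq_pop */
    }
    if (peak) {
        *peak = vq.peak_inuse;
    }
    for (i = 0; i < accepted; i++) {
        vq_discard(&vq, inflight[i]);
    }
    free(inflight);
    return accepted;
}

/* A conforming guest: each request is completed before the next is queued. */
unsigned submit_with_completion(unsigned num, unsigned requests, unsigned *peak)
{
    struct vq_model vq = { .num = num };
    unsigned accepted = 0, i;
    int err;

    for (i = 0; i < requests; i++) {
        struct vq_elem *e = vq_pop(&vq, &err);
        if (!e) {
            break;
        }
        accepted++;
        vq_push(&vq, e);
    }
    if (peak) {
        *peak = vq.peak_inuse;
    }
    return accepted;
}

/* Peak allocations for either guest behaviour (wait_for_completion != 0
 * selects the conforming guest). */
unsigned peak_allocations(unsigned num, unsigned requests, int wait_for_completion)
{
    unsigned peak = 0;

    if (wait_for_completion) {
        submit_with_completion(num, requests, &peak);
    } else {
        flood_without_completion(num, requests, &peak);
    }
    return peak;
}

int main(void)
{
    printf("flood:     accepted %u of 10, peak %u\n",
           flood_without_completion(4, 10, NULL), peak_allocations(4, 10, 0));
    printf("conforming: accepted %u of 10, peak %u\n",
           submit_with_completion(4, 10, NULL), peak_allocations(4, 10, 1));
    return 0;
}
```

With a ring of 4, the flooding guest gets exactly 4 elements allocated and is then refused, while the conforming guest completes all 10 requests with at most one element live at a time; the difference between the two is what the `vq->inuse >= vq->vring.num` check in the hunk measures.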


* [Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (54 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size Michael Roth
@ 2016-08-08 21:04 ` Michael Roth
  2016-08-09 18:34   ` John Snow
  2016-08-08 23:40 ` [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Cole Robinson
                   ` (2 subsequent siblings)
  58 siblings, 1 reply; 62+ messages in thread
From: Michael Roth @ 2016-08-08 21:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, John Snow

From: John Snow <jsnow@redhat.com>

If one attempts to perform a system_reset after a failed IO request
that causes the VM to enter a paused state, QEMU will segfault trying
to free up the pending IO requests.

These requests have already been completed and freed, though, so all
we need to do is NULL them before we enter the paused state.

Existing AHCI tests verify that halted requests are still resumed
successfully after a STOP event.

Analyzed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1469635201-11918-2-git-send-email-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 87ac25fd1fed05a30a93d27dbeb2a4c4b83ec95f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ide/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 41e6a2d..e87dc57 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -806,6 +806,7 @@ static void ide_dma_cb(void *opaque, int ret)
     }
     if (ret < 0) {
         if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
+            s->bus->dma->aiocb = NULL;
             return;
         }
     }
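
Review bot: the reason for `s->bus->dma->aiocb = NULL` lives only in the commit message (the request has already completed and been freed by the time ide_handle_rw_error pauses the VM). Add a one-line comment at the assignment saying so; otherwise the next reader of this branch may "fix" it by cancelling the aiocb, which is exactly the double free at reset this patch avoids.
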
-- 
1.9.1


* Re: [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (55 preceding siblings ...)
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset Michael Roth
@ 2016-08-08 23:40 ` Cole Robinson
  2016-08-09 20:04 ` Michael Roth
  2016-08-09 20:12 ` [Qemu-devel] " Bruce Rogers
  58 siblings, 0 replies; 62+ messages in thread
From: Cole Robinson @ 2016-08-08 23:40 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

On 08/08/2016 05:03 PM, Michael Roth wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.6.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.6-staging
> 
> The release is planned for 2016-08-17:
> 
>   http://wiki.qemu.org/Planning/2.6
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.
> 
> Testing/feedback is greatly appreciated.
> 

Here are the additional patches I'm carrying in Fedora 24. You can see my tree
at https://github.com/crobinso/qemu/tree/fedora-24

commit 4fd811a6bd0b8f24f4761fc281454494c336d310
Author: Cole Robinson <crobinso@redhat.com>
Date:   Fri May 6 14:03:05 2016 -0400

    ui: gtk: fix crash when terminal inner-border is NULL

commit 56f289f383a871e871f944c7226920b35794efe6
Author: Cole Robinson <crobinso@redhat.com>
Date:   Fri May 6 14:03:06 2016 -0400

    ui: sdl2: Release grab before opening console window

commit e059bcdaed2b7b8a16f693309001674982393ab9
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Wed Jun 1 16:08:36 2016 +0200

    sdl2: skip init without outputs

commit daafc661cc1a1de5a2e8ea0a7c0f396b827ebc3b
Author: Cole Robinson <crobinso@redhat.com>
Date:   Wed May 18 12:40:50 2016 -0400

    ui: spice: Exit if gl=on EGL init fails

commit 0bf8039dca6bfecec243a13ebcd224d3941d9242
Author: Cole Robinson <crobinso@redhat.com>
Date:   Mon Jun 6 16:59:29 2016 +0100

    hw/arm/virt: Reject gic-version=host for non-KVM


Stuff flagged as security issues:

commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Thu Apr 7 15:56:02 2016 +0530

    net: mipsnet: check packet length against buffer

commit 1b85898025c4cd95dce673d15e67e60e98e91731
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Wed May 25 16:01:29 2016 +0530

    scsi: megasas: use appropriate property buffer size

commit cf5d698ed73203333b017fd15df95bc42dfdb137
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Wed May 25 17:41:44 2016 +0530

    scsi: megasas: initialise local configuration data buffer

commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Wed May 25 17:55:10 2016 +0530

    scsi: megasas: check 'read_queue_head' index value

commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Tue May 31 23:23:27 2016 +0530

    scsi: esp: check buffer length before reading scsi command

commit d020aa504cec8f525b55ba2ef982c09dc847c72e
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Tue Jun 14 15:10:24 2016 +0200

    scsi: esp: respect FIFO invariant after message phase

commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Wed Jun 15 14:29:33 2016 +0200

    scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Thu Jun 16 00:22:35 2016 +0200

    scsi: esp: make cmdbuf big enough for maximum CDB size

commit 844864fbae66935951529408831c2f22367a57b6
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Tue Jun 7 16:44:03 2016 +0530

    scsi: megasas: null terminate bios version buffer


* Re: [Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset
  2016-08-08 21:04 ` [Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset Michael Roth
@ 2016-08-09 18:34   ` John Snow
  0 siblings, 0 replies; 62+ messages in thread
From: John Snow @ 2016-08-09 18:34 UTC (permalink / raw)
  To: Michael Roth, qemu-devel
  Cc: qemu-stable, Mark Cave-Ayland, Paolo Bonzini,
	Marc-André Lureau

Definitely add this one:

7f951b2d7765f68ae1e563c2fed44071ca774790 atapi: fix halted DMA reset

And maybe these:

16275edb342342625cd7e7ac2048436474465b50 macio: set res_count value to 0 after non-block ATAPI DMA transfers
5839df7b71540a2af2580bb53ad1e2005bb175e6 ahci: fix sglist leak on retry
9d324b0e67c2b570df389c1361f591b95a4e4278 ahci: free irqs array


On 08/08/2016 05:04 PM, Michael Roth wrote:
> From: John Snow <jsnow@redhat.com>
>
> If one attempts to perform a system_reset after a failed IO request
> that causes the VM to enter a paused state, QEMU will segfault trying
> to free up the pending IO requests.
>
> These requests have already been completed and freed, though, so all
> we need to do is NULL them before we enter the paused state.
>
> Existing AHCI tests verify that halted requests are still resumed
> successfully after a STOP event.
>
> Analyzed-by: Laszlo Ersek <lersek@redhat.com>
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> Signed-off-by: John Snow <jsnow@redhat.com>
> Message-id: 1469635201-11918-2-git-send-email-jsnow@redhat.com
> Signed-off-by: John Snow <jsnow@redhat.com>
> (cherry picked from commit 87ac25fd1fed05a30a93d27dbeb2a4c4b83ec95f)
> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> ---
>  hw/ide/core.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/ide/core.c b/hw/ide/core.c
> index 41e6a2d..e87dc57 100644
> --- a/hw/ide/core.c
> +++ b/hw/ide/core.c
> @@ -806,6 +806,7 @@ static void ide_dma_cb(void *opaque, int ret)
>      }
>      if (ret < 0) {
>          if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
> +            s->bus->dma->aiocb = NULL;
>              return;
>          }
>      }
>
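Review bot: the hunk clears `s->bus->dma->aiocb` only on the branch where ide_handle_rw_error() returns true inside ide_dma_cb(), and nothing at that site says why the pointer may be dropped without a cancel; the commit message supplies the reason (the request has already been completed and freed before the VM enters the paused state), so that sentence belongs in a comment directly above `s->bus->dma->aiocb = NULL;`, otherwise a later reader will take the assignment for a leaked request. A second point: the commit message leans on existing AHCI tests for resume after STOP, but the hunk adds no test for the path that actually crashed (failed request, VM paused, then system_reset), so a qtest exercising exactly that sequence would guard the fix against regression.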


* Re: [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (56 preceding siblings ...)
  2016-08-08 23:40 ` [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Cole Robinson
@ 2016-08-09 20:04 ` Michael Roth
  2016-08-13  1:43   ` Gonglei
  2016-08-09 20:12 ` [Qemu-devel] " Bruce Rogers
  58 siblings, 1 reply; 62+ messages in thread
From: Michael Roth @ 2016-08-09 20:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Quoting Michael Roth (2016-08-08 16:03:31)
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v2.6.1:
> 
>   https://github.com/mdroth/qemu/commits/stable-2.6-staging
> 
> The release is planned for 2016-08-17:
> 
>   http://wiki.qemu.org/Planning/2.6
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches you
> think should be included in the release.

Updated with the following additions:

scsi: megasas: null terminate bios version buffer (Prasad J Pandit)
scsi: esp: make cmdbuf big enough for maximum CDB size (Prasad J Pandit)
scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd (Paolo Bonzini)
scsi: esp: respect FIFO invariant after message phase (Paolo Bonzini)
scsi: esp: check buffer length before reading scsi command (Prasad J Pandit)
scsi: megasas: check 'read_queue_head' index value (Prasad J Pandit)
scsi: megasas: initialise local configuration data buffer (Prasad J Pandit)
scsi: megasas: use appropriate property buffer size (Prasad J Pandit)
net: mipsnet: check packet length against buffer (Prasad J Pandit)
hw/arm/virt: Reject gic-version=host for non-KVM (Cole Robinson)
ui: spice: Exit if gl=on EGL init fails (Cole Robinson)
sdl2: skip init without outputs (Gerd Hoffmann)
ui: sdl2: Release grab before opening console window (Cole Robinson)
ui: gtk: fix crash when terminal inner-border is NULL (Cole Robinson)
ahci: free irqs array (Marc-André Lureau)
ahci: fix sglist leak on retry (Marc-André Lureau)
macio: set res_count value to 0 after non-block ATAPI DMA transfers (Mark Cave-Ayland)
atapi: fix halted DMA reset (John Snow)

Thank you for the suggestions.


* Re: [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12
  2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
                   ` (57 preceding siblings ...)
  2016-08-09 20:04 ` Michael Roth
@ 2016-08-09 20:12 ` Bruce Rogers
  58 siblings, 0 replies; 62+ messages in thread
From: Bruce Rogers @ 2016-08-09 20:12 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable


Michael, 

Please add 0968c91 Xen PCI passthrough: fix passthrough failure when no interrupt pin 

to the list for 2.6.1. 

Thanks! 

Bruce Rogers 



* Re: [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12
  2016-08-09 20:04 ` Michael Roth
@ 2016-08-13  1:43   ` Gonglei
  0 siblings, 0 replies; 62+ messages in thread
From: Gonglei @ 2016-08-13  1:43 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

Hi Michael,

On 2016/8/10 4:04, Michael Roth wrote:
> Quoting Michael Roth (2016-08-08 16:03:31)
>> > Hi everyone,
>> > 
>> > The following new patches are queued for QEMU stable v2.6.1:
>> > 
>> >   https://github.com/mdroth/qemu/commits/stable-2.6-staging
>> > 
>> > The release is planned for 2016-08-17:
>> > 
>> >   http://wiki.qemu.org/Planning/2.6
>> > 
>> > Please respond here or CC qemu-stable@nongnu.org on any patches you
>> > think should be included in the release.

I think this patch below should be included in v2.6.1:

commit 3fdd0ee393e26178a4892e101e60b011bbfaa9ea 
"timer: set vm_clock disabled default"

Regards,
-Gonglei

