* [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
@ 2013-05-14 21:52 Michael Roth
2013-05-14 21:52 ` [Qemu-devel] [PATCH 01/15] nbd: unlock mutex in nbd_co_send_request() error path Michael Roth
` (19 more replies)
0 siblings, 20 replies; 27+ messages in thread
From: Michael Roth @ 2013-05-14 21:52 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
Hi everyone,
The following new patches are queued for QEMU stable v1.4.2:
https://github.com/mdroth/qemu/commits/stable-1.4-staging
The release is planned for 05-24-2013:
http://wiki.qemu.org/Planning/1.4
Please CC qemu-stable@nongnu.org on any patches you think should be
included in the release. The cut-off date is 05-20-2013 for new patches.
Testing/feedback is greatly appreciated.
Thanks!
Amit Shah (1):
rng random backend: check for -EAGAIN errors on read
Andreas Färber (2):
qdev: Fix QOM unrealize behavior
configure: Pick up libseccomp include path
Aurelien Jarno (1):
tcg/optimize: fix setcond2 optimization
Cornelia Huck (1):
virtio-ccw: Check indicators location.
Jason Wang (1):
tap: properly initialize vhostfds
Laszlo Ersek (3):
qga: set umask 0077 when daemonizing (CVE-2013-2007)
qga: distinguish binary modes in "guest_file_open_modes" map
qga: unlink just created guest-file if fchmod() or fdopen() fails on it
Peter Maydell (4):
tcg: Document tcg_qemu_tb_exec() and provide constants for low bit uses
cpu-exec: wrap tcg_qemu_tb_exec() in a fn to restore the PC
Handle CPU interrupts by inline checking of a flag
translate-all.c: Remove cpu_unlink_tb()
Richard Sandiford (1):
target-mips: Fix accumulator arguments to gen_helper_dmult(u)
Stefan Hajnoczi (1):
nbd: unlock mutex in nbd_co_send_request() error path
backends/rng-random.c | 3 +
block/nbd.c | 2 +-
configure | 1 +
cpu-exec.c | 58 +++++++++++++++-----
exec.c | 2 +-
hw/qdev-core.h | 2 +-
hw/qdev.c | 25 ++++++---
hw/s390x/virtio-ccw.c | 6 ++
include/exec/cpu-defs.h | 1 +
include/exec/gen-icount.h | 13 ++++-
net/tap.c | 2 +-
qga/commands-posix.c | 133 +++++++++++++++++++++++++++++++++++++++++++--
qga/main.c | 2 +-
target-mips/helper.h | 4 +-
target-mips/op_helper.c | 8 +--
target-mips/translate.c | 4 +-
tcg/optimize.c | 1 +
tcg/tcg.h | 49 ++++++++++++++++-
translate-all.c | 73 +------------------------
19 files changed, 278 insertions(+), 111 deletions(-)
* [Qemu-devel] [PATCH 01/15] nbd: unlock mutex in nbd_co_send_request() error path
From: Michael Roth @ 2013-05-14 21:52 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 6760c47aa42ce30efdd12c132f73c8749c575995)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
block/nbd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/nbd.c b/block/nbd.c
index 6562fd3..d80c9a5 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -274,7 +274,7 @@ static int nbd_co_send_request(BDRVNBDState *s, struct nbd_request *request,
ret = qemu_co_sendv(s->sock, qiov->iov, qiov->niov,
offset, request->len);
if (ret != request->len) {
- return -EIO;
+ rc = -EIO;
}
}
qemu_aio_set_fd_handler(s->sock, nbd_reply_ready, NULL,
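Review bot: the commit message has no body, and the switch from return -EIO to rc = -EIO relies on code outside this hunk: the function has to fall through to the unlock and return rc, and the qemu_aio_set_fd_handler() call that follows now also runs on the short-send path. One sentence in the message stating that the early return left the mutex locked, and that the fall-through is intended, would make this backport easier to check.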
--
1.7.9.5
* [Qemu-devel] [PATCH 02/15] qdev: Fix QOM unrealize behavior
From: Michael Roth @ 2013-05-14 21:52 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Andreas Färber <afaerber@suse.de>
Since commit 249d41720b7dfbb5951b430b9eefdbee7464f515 (qdev: Prepare
"realized" property) setting realized = true would register the device's
VMStateDescription, but realized = false would not unregister it. Fix that.
Moving the code from unparenting also revealed that we were calling
DeviceClass::init through DeviceClass::realize as interim solution but
DeviceClass::exit still at unparenting time with a realized check.
Make this symmetrical by implementing DeviceClass::unrealize to call it,
while we're setting realized = false in the unparenting path.
The only other unrealize user is mac_nvram, which can safely override it.
Thus, mark DeviceClass::exit as obsolete, new devices should implement
DeviceClass::unrealize instead.
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Message-id: 1366043650-9719-1-git-send-email-afaerber@suse.de
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit fe6c211781f80ef4fc246269cecbbc21981089f0)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/qdev-core.h | 2 +-
hw/qdev.c | 25 ++++++++++++++++++-------
2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/hw/qdev-core.h b/hw/qdev-core.h
index 2486f36..cc5bb2a 100644
--- a/hw/qdev-core.h
+++ b/hw/qdev-core.h
@@ -96,7 +96,7 @@ typedef struct DeviceClass {
/* Private to qdev / bus. */
qdev_initfn init; /* TODO remove, once users are converted to realize */
qdev_event unplug;
- qdev_event exit;
+ qdev_event exit; /* TODO remove, once users are converted to unrealize */
const char *bus_type;
} DeviceClass;
diff --git a/hw/qdev.c b/hw/qdev.c
index 689cd54..1cbd910 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -180,6 +180,19 @@ static void device_realize(DeviceState *dev, Error **err)
}
}
+static void device_unrealize(DeviceState *dev, Error **errp)
+{
+ DeviceClass *dc = DEVICE_GET_CLASS(dev);
+
+ if (dc->exit) {
+ int rc = dc->exit(dev);
+ if (rc < 0) {
+ error_setg(errp, "Device exit failed.");
+ return;
+ }
+ }
+}
+
void qdev_set_legacy_instance_id(DeviceState *dev, int alias_id,
int required_for_version)
{
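Review bot: in device_unrealize() the negative return code from dc->exit() is dropped, so the only information that reaches the caller is the fixed string "Device exit failed.". Including rc in the message would make failures diagnosable. The return; after error_setg() is redundant because nothing follows the enclosing if, and the parameter is named errp here while device_realize() just above uses err.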
@@ -692,6 +705,9 @@ static void device_set_realized(Object *obj, bool value, Error **err)
device_reset(dev);
}
} else if (!value && dev->realized) {
+ if (qdev_get_vmsd(dev)) {
+ vmstate_unregister(dev, qdev_get_vmsd(dev), dev);
+ }
if (dc->unrealize) {
dc->unrealize(dev, &local_err);
}
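Review bot: vmstate_unregister() now runs before dc->unrealize(), so if unrealize reports an error through local_err the VMStateDescription is already gone. Either unregister only after unrealize has succeeded, or add a comment saying why this ordering is required. qdev_get_vmsd(dev) is also evaluated twice; a local variable would read better.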
@@ -758,7 +774,6 @@ static void device_class_base_init(ObjectClass *class, void *data)
static void device_unparent(Object *obj)
{
DeviceState *dev = DEVICE(obj);
- DeviceClass *dc = DEVICE_GET_CLASS(dev);
BusState *bus;
while (dev->num_child_bus) {
@@ -766,12 +781,7 @@ static void device_unparent(Object *obj)
qbus_free(bus);
}
if (dev->realized) {
- if (qdev_get_vmsd(dev)) {
- vmstate_unregister(dev, qdev_get_vmsd(dev), dev);
- }
- if (dc->exit) {
- dc->exit(dev);
- }
+ object_property_set_bool(obj, false, "realized", NULL);
}
if (dev->parent_bus) {
bus_remove_child(dev->parent_bus, dev);
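Review bot: object_property_set_bool(obj, false, "realized", NULL) passes NULL for the error pointer, so the "Device exit failed." error that the new device_unrealize() can raise is silently discarded on the unparent path. The removed code ignored the return value of dc->exit() as well, so behaviour is unchanged, but a comment saying the error is deliberately ignored here (or reporting it) would make that explicit.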
@@ -786,6 +796,7 @@ static void device_class_init(ObjectClass *class, void *data)
class->unparent = device_unparent;
dc->realize = device_realize;
+ dc->unrealize = device_unrealize;
}
void device_reset(DeviceState *dev)
--
1.7.9.5
* [Qemu-devel] [PATCH 03/15] rng random backend: check for -EAGAIN errors on read
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Amit Shah <amit.shah@redhat.com>
Not handling EAGAIN triggers the assert
qemu/backends/rng-random.c:44:entropy_available: assertion failed: (len != -1)
Aborted (core dumped)
This happens when starting a guest with '-device virtio-rng-pci',
issuing a 'cat /dev/hwrng' in the guest, while also doing 'cat
/dev/random' on the host.
Reported-by: yunpingzheng <yunzheng@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Message-id: eacda84dfaf2d99cf6d250b678be4e4d6c2088fb.1366108096.git.amit.shah@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit acbbc036619092fcd2c882222e1be168bd972b3e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
backends/rng-random.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/backends/rng-random.c b/backends/rng-random.c
index 0d11088..813388b 100644
--- a/backends/rng-random.c
+++ b/backends/rng-random.c
@@ -41,6 +41,9 @@ static void entropy_available(void *opaque)
ssize_t len;
len = read(s->fd, buffer, s->size);
+ if (len < 0 && errno == EAGAIN) {
+ return;
+ }
g_assert(len != -1);
s->receive_func(s->opaque, buffer, len);
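Review bot: the new check in front of g_assert(len != -1) handles only EAGAIN, so any other read() failure, EINTR for example, still aborts QEMU through the assert. Consider treating EINTR the same way and turning the assert into an error path, since a failed read from a host entropy source is a runtime condition rather than a programming error.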
--
1.7.9.5
* [Qemu-devel] [PATCH 04/15] tap: properly initialize vhostfds
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Jason Wang <jasowang@redhat.com>
Only tap->vhostfd was checked in net_init_tap_one(), but tap->vhostfds was
forgotten; this leads qemu to ignore all fds passed by management through
vhostfds and to try to create the vhost_net device itself. Fix by adding this
check as well.
Reported-by: Michal Privoznik <mprivozn@redhat.com>
Cc: Michal Privoznik <mprivozn@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 7873df408dd44eb92840b108211d5aa5db7db526)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
net/tap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tap.c b/net/tap.c
index daab350..0da48b1 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -628,7 +628,7 @@ static int net_init_tap_one(const NetdevTapOptions *tap, NetClientState *peer,
vhostfdname || (tap->has_vhostforce && tap->vhostforce)) {
int vhostfd;
- if (tap->has_vhostfd) {
+ if (tap->has_vhostfd || tap->has_vhostfds) {
vhostfd = monitor_handle_fd_param(cur_mon, vhostfdname);
if (vhostfd == -1) {
return -1;
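Review bot: the new condition tests tap->has_vhostfd || tap->has_vhostfds, but the value actually handed to monitor_handle_fd_param() is vhostfdname. The enclosing condition can also be entered through vhostforce, so confirm that vhostfdname is always non-NULL whenever either has_ flag is set, or test vhostfdname directly at this point.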
--
1.7.9.5
* [Qemu-devel] [PATCH 05/15] virtio-ccw: Check indicators location.
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Cornelia Huck <cornelia.huck@de.ibm.com>
If a guest neglected to register (secondary) indicators but still runs
with notifications enabled, we might end up writing to guest zero;
avoid this by checking for valid indicators and only writing to the
guest and generating an interrupt if indicators have been set up.
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 7c4869761d7f2e0a3f806a5359eea5d2473ec5d5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/s390x/virtio-ccw.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index d92e427..627d11d 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -662,10 +662,16 @@ static void virtio_ccw_notify(DeviceState *d, uint16_t vector)
}
if (vector < VIRTIO_PCI_QUEUE_MAX) {
+ if (!dev->indicators) {
+ return;
+ }
indicators = ldq_phys(dev->indicators);
indicators |= 1ULL << vector;
stq_phys(dev->indicators, indicators);
} else {
+ if (!dev->indicators2) {
+ return;
+ }
vector = 0;
indicators = ldq_phys(dev->indicators2);
indicators |= 1ULL << vector;
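Review bot: both new early returns in virtio_ccw_notify() treat address 0 as "no indicators registered" and drop the notification silently. That depends on dev->indicators and dev->indicators2 being zero until the guest registers them and being cleared again on reset, none of which is visible in this hunk. A short comment at each check stating that 0 is the sentinel, and that skipping the interrupt is intended, would help.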
--
1.7.9.5
* [Qemu-devel] [PATCH 06/15] configure: Pick up libseccomp include path
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Andreas Färber <afaerber@suse.de>
openSUSE 12.3 has seccomp.h in /usr/include/libseccomp-1.0.1,
so add `pkg-config --cflags libseccomp` output to QEMU_CFLAGS.
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 372e47e9b5e31c493823d7f512716644fb02d0fd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
configure | 1 +
1 file changed, 1 insertion(+)
diff --git a/configure b/configure
index e7468a9..d7a39cc 100755
--- a/configure
+++ b/configure
@@ -1435,6 +1435,7 @@ fi
if test "$seccomp" != "no" ; then
if $pkg_config --atleast-version=1.0.0 libseccomp --modversion >/dev/null 2>&1; then
libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
+ QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
seccomp="yes"
else
if test "$seccomp" = "yes"; then
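Review bot: the added QEMU_CFLAGS line applies the libseccomp include flags through a different variable than the one the line above uses for the libraries, which go only to libs_softmmu. If the flags are meant to be scoped the same way as the libs, say so or use a matching variable; if the wider scope is intended, a brief comment would prevent it from being "fixed" later.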
--
1.7.9.5
* [Qemu-devel] [PATCH 07/15] target-mips: Fix accumulator arguments to gen_helper_dmult(u)
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Richard Sandiford <rdsandiford@googlemail.com>
gen_muldiv was passing int accumulator arguments directly
to gen_helper_dmult(u). This patch fixes it to use TCGs,
via the gen_helper_0e2i wrapper.
Fixes an --enable-debug-tcg build failure reported by Juergen Lock.
Signed-off-by: Richard Sandiford <rdsandiford@googlemail.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
target-mips/helper.h | 4 ++--
target-mips/op_helper.c | 8 ++++----
target-mips/translate.c | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/target-mips/helper.h b/target-mips/helper.h
index cfe98f1..7aa5f79 100644
--- a/target-mips/helper.h
+++ b/target-mips/helper.h
@@ -24,8 +24,8 @@ DEF_HELPER_FLAGS_1(clz, TCG_CALL_NO_RWG_SE, tl, tl)
#ifdef TARGET_MIPS64
DEF_HELPER_FLAGS_1(dclo, TCG_CALL_NO_RWG_SE, tl, tl)
DEF_HELPER_FLAGS_1(dclz, TCG_CALL_NO_RWG_SE, tl, tl)
-DEF_HELPER_4(dmult, void, env, int, tl, tl)
-DEF_HELPER_4(dmultu, void, env, int, tl, tl)
+DEF_HELPER_4(dmult, void, env, tl, tl, int)
+DEF_HELPER_4(dmultu, void, env, tl, tl, int)
#endif
DEF_HELPER_3(muls, tl, env, tl, tl)
diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index c054300..01df687 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -268,14 +268,14 @@ target_ulong helper_mulshiu(CPUMIPSState *env, target_ulong arg1,
}
#ifdef TARGET_MIPS64
-void helper_dmult(CPUMIPSState *env, int acc, target_ulong arg1,
- target_ulong arg2)
+void helper_dmult(CPUMIPSState *env, target_ulong arg1,
+ target_ulong arg2, int acc)
{
muls64(&(env->active_tc.LO[acc]), &(env->active_tc.HI[acc]), arg1, arg2);
}
-void helper_dmultu(CPUMIPSState *env, int acc, target_ulong arg1,
- target_ulong arg2)
+void helper_dmultu(CPUMIPSState *env, target_ulong arg1,
+ target_ulong arg2, int acc)
{
mulu64(&(env->active_tc.LO[acc]), &(env->active_tc.HI[acc]), arg1, arg2);
}
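Review bot: helper_dmult() and helper_dmultu() use acc directly as an index into env->active_tc.LO[] and env->active_tc.HI[] with no range check. With acc now passed as the last argument, confirm that gen_muldiv() can only produce in-range accumulator numbers, or add an assert on acc in both helpers.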
diff --git a/target-mips/translate.c b/target-mips/translate.c
index 9ed6477..8205456 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -2777,11 +2777,11 @@ static void gen_muldiv(DisasContext *ctx, uint32_t opc,
opn = "ddivu";
break;
case OPC_DMULT:
- gen_helper_dmult(cpu_env, acc, t0, t1);
+ gen_helper_0e2i(dmult, t0, t1, acc);
opn = "dmult";
break;
case OPC_DMULTU:
- gen_helper_dmultu(cpu_env, acc, t0, t1);
+ gen_helper_0e2i(dmultu, t0, t1, acc);
opn = "dmultu";
break;
#endif
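Review bot: the two gen_helper_0e2i() calls only match the helpers once the reordered prototypes in helper.h and the definitions in op_helper.c are applied with them, so the three files must not be split when backporting. Unlike the other patches in this series, the message carries no "(cherry picked from commit ...)" line; referencing the upstream commit would let stable reviewers compare against master.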
--
1.7.9.5
* [Qemu-devel] [PATCH 08/15] tcg/optimize: fix setcond2 optimization
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Aurelien Jarno <aurelien@aurel32.net>
When setcond2 is rewritten into setcond, the state of the destination
temp should be reset, so that a copy of the previous value is not
used instead of the result.
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 66e61b55f158ef5628e4c056dd2f233c9351a3f5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
tcg/optimize.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tcg/optimize.c b/tcg/optimize.c
index 973d2d6..be10033 100644
--- a/tcg/optimize.c
+++ b/tcg/optimize.c
@@ -1024,6 +1024,7 @@ static TCGArg *tcg_constant_folding(TCGContext *s, uint16_t *tcg_opc_ptr,
/* Simplify LT/GE comparisons vs zero to a single compare
vs the high word of the input. */
s->gen_opc_buf[op_index] = INDEX_op_setcond_i32;
+ reset_temp(args[0]);
gen_args[0] = args[0];
gen_args[1] = args[2];
gen_args[2] = args[4];
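Review bot: reset_temp(args[0]) is added without a comment, and the reason for it (the destination temp may still be recorded as a copy of an earlier value) exists only in the commit message. A one-line comment above the call would help, and any other place in tcg_constant_folding() that rewrites an op in place to a different opcode should be checked for the same missing reset.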
--
1.7.9.5
* [Qemu-devel] [PATCH 09/15] qga: set umask 0077 when daemonizing (CVE-2013-2007)
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Laszlo Ersek <lersek@redhat.com>
The qemu guest agent creates a bunch of files with insecure permissions
when started in daemon mode. For example:
-rw-rw-rw- 1 root root /var/log/qemu-ga.log
-rw-rw-rw- 1 root root /var/run/qga.state
-rw-rw-rw- 1 root root /var/log/qga-fsfreeze-hook.log
In addition, at least all files created with the "guest-file-open" QMP
command, and all files created with shell output redirection (or
otherwise) by utilities invoked by the fsfreeze hook script are affected.
For now mask all file mode bits for "group" and "others" in
become_daemon().
Temporarily, for compatibility reasons, stick with the 0666 file-mode in
case of files newly created by the "guest-file-open" QMP call. Do so
without changing the umask temporarily.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c689b4f1bac352dcfd6ecb9a1d45337de0f1de67)
Conflicts:
qga/commands-posix.c
*update includes to match stable
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
qga/commands-posix.c | 120 ++++++++++++++++++++++++++++++++++++++++++++++++--
qga/main.c | 2 +-
2 files changed, 117 insertions(+), 5 deletions(-)
diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 1c2aff3..08f3473 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -162,9 +162,122 @@ static GuestFileHandle *guest_file_handle_find(int64_t id, Error **err)
return NULL;
}
+typedef const char * const ccpc;
+
+/* http://pubs.opengroup.org/onlinepubs/9699919799/functions/fopen.html */
+static const struct {
+ ccpc *forms;
+ int oflag_base;
+} guest_file_open_modes[] = {
+ { (ccpc[]){ "r", "rb", NULL }, O_RDONLY },
+ { (ccpc[]){ "w", "wb", NULL }, O_WRONLY | O_CREAT | O_TRUNC },
+ { (ccpc[]){ "a", "ab", NULL }, O_WRONLY | O_CREAT | O_APPEND },
+ { (ccpc[]){ "r+", "rb+", "r+b", NULL }, O_RDWR },
+ { (ccpc[]){ "w+", "wb+", "w+b", NULL }, O_RDWR | O_CREAT | O_TRUNC },
+ { (ccpc[]){ "a+", "ab+", "a+b", NULL }, O_RDWR | O_CREAT | O_APPEND }
+};
+
+static int
+find_open_flag(const char *mode_str, Error **err)
+{
+ unsigned mode;
+
+ for (mode = 0; mode < ARRAY_SIZE(guest_file_open_modes); ++mode) {
+ ccpc *form;
+
+ form = guest_file_open_modes[mode].forms;
+ while (*form != NULL && strcmp(*form, mode_str) != 0) {
+ ++form;
+ }
+ if (*form != NULL) {
+ break;
+ }
+ }
+
+ if (mode == ARRAY_SIZE(guest_file_open_modes)) {
+ error_setg(err, "invalid file open mode '%s'", mode_str);
+ return -1;
+ }
+ return guest_file_open_modes[mode].oflag_base | O_NOCTTY | O_NONBLOCK;
+}
+
+#define DEFAULT_NEW_FILE_MODE (S_IRUSR | S_IWUSR | \
+ S_IRGRP | S_IWGRP | \
+ S_IROTH | S_IWOTH)
+
+static FILE *
+safe_open_or_create(const char *path, const char *mode, Error **err)
+{
+ Error *local_err = NULL;
+ int oflag;
+
+ oflag = find_open_flag(mode, &local_err);
+ if (local_err == NULL) {
+ int fd;
+
+ /* If the caller wants / allows creation of a new file, we implement it
+ * with a two step process: open() + (open() / fchmod()).
+ *
+ * First we insist on creating the file exclusively as a new file. If
+ * that succeeds, we're free to set any file-mode bits on it. (The
+ * motivation is that we want to set those file-mode bits independently
+ * of the current umask.)
+ *
+ * If the exclusive creation fails because the file already exists
+ * (EEXIST is not possible for any other reason), we just attempt to
+ * open the file, but in this case we won't be allowed to change the
+ * file-mode bits on the preexistent file.
+ *
+ * The pathname should never disappear between the two open()s in
+ * practice. If it happens, then someone very likely tried to race us.
+ * In this case just go ahead and report the ENOENT from the second
+ * open() to the caller.
+ *
+ * If the caller wants to open a preexistent file, then the first
+ * open() is decisive and its third argument is ignored, and the second
+ * open() and the fchmod() are never called.
+ */
+ fd = open(path, oflag | ((oflag & O_CREAT) ? O_EXCL : 0), 0);
+ if (fd == -1 && errno == EEXIST) {
+ oflag &= ~(unsigned)O_CREAT;
+ fd = open(path, oflag);
+ }
+
+ if (fd == -1) {
+ error_setg_errno(&local_err, errno, "failed to open file '%s' "
+ "(mode: '%s')", path, mode);
+ } else {
+ qemu_set_cloexec(fd);
+
+ if ((oflag & O_CREAT) && fchmod(fd, DEFAULT_NEW_FILE_MODE) == -1) {
+ error_setg_errno(&local_err, errno, "failed to set permission "
+ "0%03o on new file '%s' (mode: '%s')",
+ (unsigned)DEFAULT_NEW_FILE_MODE, path, mode);
+ } else {
+ FILE *f;
+
+ f = fdopen(fd, mode);
+ if (f == NULL) {
+ error_setg_errno(&local_err, errno, "failed to associate "
+ "stdio stream with file descriptor %d, "
+ "file '%s' (mode: '%s')", fd, path, mode);
+ } else {
+ return f;
+ }
+ }
+
+ close(fd);
+ }
+ }
+
+ error_propagate(err, local_err);
+ return NULL;
+}
+
int64_t qmp_guest_file_open(const char *path, bool has_mode, const char *mode, Error **err)
{
FILE *fh;
+ Error *local_err = NULL;
int fd;
int64_t ret = -1, handle;
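Review bot: in safe_open_or_create(), a file that the exclusive open() has just created stays on disk when the later fchmod() or fdopen() fails: both error branches fall through to close(fd) without removing the path, so a failed guest-file-open leaves a stray empty file behind. Since oflag still has O_CREAT set exactly when the file was newly created, the two branches can test (oflag & O_CREAT) and call unlink(path). Separately, DEFAULT_NEW_FILE_MODE still grants read and write to group and others, which the commit message describes as temporary; a comment at the #define saying so would keep it from being read as the intended end state.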
@@ -172,10 +285,9 @@ int64_t qmp_guest_file_open(const char *path, bool has_mode, const char *mode, E
mode = "r";
}
slog("guest-file-open called, filepath: %s, mode: %s", path, mode);
- fh = fopen(path, mode);
- if (!fh) {
- error_setg_errno(err, errno, "failed to open file '%s' (mode: '%s')",
- path, mode);
+ fh = safe_open_or_create(path, mode, &local_err);
+ if (local_err != NULL) {
+ error_propagate(err, local_err);
return -1;
}
diff --git a/qga/main.c b/qga/main.c
index 74ef788..028fceb 100644
--- a/qga/main.c
+++ b/qga/main.c
@@ -478,7 +478,7 @@ static void become_daemon(const char *pidfile)
}
}
- umask(0);
+ umask(S_IRWXG | S_IRWXO);
sid = setsid();
if (sid < 0) {
goto fail;
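Review bot: umask(S_IRWXG | S_IRWXO) takes effect only inside become_daemon(), so an agent started without daemonizing keeps whatever umask it inherited; if that is intended, the commit message should say so. The change also affects only files created from now on: the log and state files listed in the message keep their 0666 mode if they already exist when the fixed agent starts, so a release note or a one-time chmod on upgrade is worth considering.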
--
1.7.9.5
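The file-mode behaviour this commit message describes, as an added C example that is not QEMU code and not part of the patch: it contrasts fopen() under umask 0 and umask 0077 with the exclusive-create-then-fchmod() sequence, and shows that a pre-existing file keeps its mode. The helper names (mode_of, create_with_fopen, create_excl_then_fchmod, group_other_bits, demo_modes) and the temporary directory under /tmp are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp(), fchmod() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat()ed. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == -1 ? -1 : (int)(st.st_mode & 07777);
}

/* Bits that give access to anyone other than the owner (what umask 0077 masks). */
static int group_other_bits(int mode)
{
    return mode & (S_IRWXG | S_IRWXO);
}

/* Create a file as fopen(path, "w") does: 0666 filtered by the process umask. */
static int create_with_fopen(const char *path, mode_t mask)
{
    mode_t old = umask(mask);
    FILE *f = fopen(path, "w");
    umask(old);
    if (f == NULL) {
        return -1;
    }
    fclose(f);
    return mode_of(path);
}

/* Create exclusively with mode 0, then set the mode with fchmod(), so the
 * result does not depend on the umask. If the file already exists, open it
 * without O_CREAT and leave its mode alone. A file created here is removed
 * again if fchmod() fails. Returns the resulting mode or -1. */
static int create_excl_then_fchmod(const char *path, mode_t mask, mode_t wanted)
{
    mode_t old = umask(mask);
    int created = 1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOCTTY, 0);
    if (fd == -1 && errno == EEXIST) {
        created = 0;
        fd = open(path, O_WRONLY | O_NOCTTY);
    }
    umask(old);
    if (fd == -1) {
        return -1;
    }
    if (created && fchmod(fd, wanted) == -1) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return mode_of(path);
}

/* Runs the four cases in a fresh temporary directory (constructed paths). */
int demo_modes(int out[4])
{
    char dir[] = "/tmp/qga-umask-demo-XXXXXX";
    char a[64], b[64], c[64];

    if (mkdtemp(dir) == NULL) {
        return -1;
    }
    snprintf(a, sizeof(a), "%s/a", dir);
    snprintf(b, sizeof(b), "%s/b", dir);
    snprintf(c, sizeof(c), "%s/c", dir);

    out[0] = create_with_fopen(a, 0);                 /* old daemon umask */
    out[1] = create_with_fopen(b, 0077);              /* S_IRWXG | S_IRWXO */
    out[2] = create_excl_then_fchmod(c, 0077, 0666);  /* new file, umask bypassed */
    out[3] = create_excl_then_fchmod(b, 0077, 0666);  /* existing file, mode kept */

    unlink(a);
    unlink(b);
    unlink(c);
    rmdir(dir);
    return 0;
}

int main(void)
{
    static const char *label[4] = {
        "fopen, umask 0", "fopen, umask 0077",
        "excl create + fchmod 0666, umask 0077",
        "pre-existing 0600 file, umask 0077"
    };
    int m[4], i;

    if (demo_modes(m) != 0) {
        perror("demo_modes");
        return 1;
    }
    for (i = 0; i < 4; i++) {
        printf("%-40s -> %04o (group/other bits %03o)\n",
               label[i], (unsigned)m[i], (unsigned)group_other_bits(m[i]));
    }
    return 0;
}
```
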
* [Qemu-devel] [PATCH 10/15] tcg: Document tcg_qemu_tb_exec() and provide constants for low bit uses
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Peter Maydell <peter.maydell@linaro.org>
Document tcg_qemu_tb_exec(). In particular, its return value is a
combination of a pointer to the next translation block and some
extra information in the low two bits. Provide some #defines for
the values passed in these bits to improve code clarity.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 0980011b4f66482d2733ab2dd0f2f61747772c6b)
Conflicts:
tcg/tcg.h
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
cpu-exec.c | 9 +++++----
include/exec/gen-icount.h | 2 +-
tcg/tcg.h | 44 +++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/cpu-exec.c b/cpu-exec.c
index 19ebb4a..797e11a 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -71,7 +71,7 @@ static void cpu_exec_nocache(CPUArchState *env, int max_cycles,
next_tb = tcg_qemu_tb_exec(env, tb->tc_ptr);
env->current_tb = NULL;
- if ((next_tb & 3) == 2) {
+ if ((next_tb & TB_EXIT_MASK) == TB_EXIT_ICOUNT_EXPIRED) {
/* Restore PC. This may happen if async event occurs before
the TB starts executing. */
cpu_pc_from_tb(env, tb);
@@ -583,7 +583,8 @@ int cpu_exec(CPUArchState *env)
spans two pages, we cannot safely do a direct
jump. */
if (next_tb != 0 && tb->page_addr[1] == -1) {
- tb_add_jump((TranslationBlock *)(next_tb & ~3), next_tb & 3, tb);
+ tb_add_jump((TranslationBlock *)(next_tb & ~TB_EXIT_MASK),
+ next_tb & TB_EXIT_MASK, tb);
}
spin_unlock(&tb_lock);
@@ -597,10 +598,10 @@ int cpu_exec(CPUArchState *env)
tc_ptr = tb->tc_ptr;
/* execute the generated code */
next_tb = tcg_qemu_tb_exec(env, tc_ptr);
- if ((next_tb & 3) == 2) {
+ if ((next_tb & TB_EXIT_MASK) == TB_EXIT_ICOUNT_EXPIRED) {
/* Instruction counter expired. */
int insns_left;
- tb = (TranslationBlock *)(next_tb & ~3);
+ tb = (TranslationBlock *)(next_tb & ~TB_EXIT_MASK);
/* Restore PC. */
cpu_pc_from_tb(env, tb);
insns_left = env->icount_decr.u32;
diff --git a/include/exec/gen-icount.h b/include/exec/gen-icount.h
index 8043b3b..c858a73 100644
--- a/include/exec/gen-icount.h
+++ b/include/exec/gen-icount.h
@@ -32,7 +32,7 @@ static void gen_icount_end(TranslationBlock *tb, int num_insns)
if (use_icount) {
*icount_arg = num_insns;
gen_set_label(icount_label);
- tcg_gen_exit_tb((tcg_target_long)tb + 2);
+ tcg_gen_exit_tb((tcg_target_long)tb + TB_EXIT_ICOUNT_EXPIRED);
}
}
diff --git a/tcg/tcg.h b/tcg/tcg.h
index a427972..10eb3f4 100644
--- a/tcg/tcg.h
+++ b/tcg/tcg.h
@@ -660,7 +660,49 @@ TCGv_i64 tcg_const_local_i64(int64_t val);
extern uint8_t *code_gen_prologue;
-/* TCG targets may use a different definition of tcg_qemu_tb_exec. */
+/**
+ * tcg_qemu_tb_exec:
+ * @env: CPUArchState * for the CPU
+ * @tb_ptr: address of generated code for the TB to execute
+ *
+ * Start executing code from a given translation block.
+ * Where translation blocks have been linked, execution
+ * may proceed from the given TB into successive ones.
+ * Control eventually returns only when some action is needed
+ * from the top-level loop: either control must pass to a TB
+ * which has not yet been directly linked, or an asynchronous
+ * event such as an interrupt needs handling.
+ *
+ * The return value is a pointer to the next TB to execute
+ * (if known; otherwise zero). This pointer is assumed to be
+ * 4-aligned, and the bottom two bits are used to return further
+ * information:
+ * 0, 1: the link between this TB and the next is via the specified
+ * TB index (0 or 1). That is, we left the TB via (the equivalent
+ * of) "goto_tb <index>". The main loop uses this to determine
+ * how to link the TB just executed to the next.
+ * 2: we are using instruction counting code generation, and we
+ * did not start executing this TB because the instruction counter
+ * would hit zero midway through it. In this case the next-TB pointer
+ * returned is the TB we were about to execute, and the caller must
+ * arrange to execute the remaining count of instructions.
+ *
+ * If the bottom two bits indicate an exit-via-index then the CPU
+ * state is correctly synchronised and ready for execution of the next
+ * TB (and in particular the guest PC is the address to execute next).
+ * Otherwise, we gave up on execution of this TB before it started, and
+ * the caller must fix up the CPU state by calling cpu_pc_from_tb()
+ * with the next-TB pointer we return.
+ *
+ * Note that TCG targets may use a different definition of tcg_qemu_tb_exec
+ * to this default (which just calls the prologue.code emitted by
+ * tcg_target_qemu_prologue()).
+ */
+#define TB_EXIT_MASK 3
+#define TB_EXIT_IDX0 0
+#define TB_EXIT_IDX1 1
+#define TB_EXIT_ICOUNT_EXPIRED 2
+
#if !defined(tcg_qemu_tb_exec)
# define tcg_qemu_tb_exec(env, tb_ptr) \
((tcg_target_ulong (*)(void *, void *))code_gen_prologue)(env, tb_ptr)
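Review bot: TB_EXIT_MASK is 3, but the new comment documents only the values 0, 1 and 2 for the low two bits; state explicitly that 3 is unused or reserved. In the last paragraph of the comment "prologue.code" looks like a typo for "prologue code", and the four #defines now sit between the doc comment and the tcg_qemu_tb_exec() macro it documents, so moving them above the comment would keep the two adjacent.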
--
1.7.9.5
* [Qemu-devel] [PATCH 11/15] cpu-exec: wrap tcg_qemu_tb_exec() in a fn to restore the PC
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Peter Maydell <peter.maydell@linaro.org>
If tcg_qemu_tb_exec() returns a value whose low bits don't indicate a
link to an indexed next TB, this means that the TB execution never
started (eg because the instruction counter hit zero). In this case the
guest PC has to be reset to the address of the start of the TB.
Refactor the cpu-exec code to make all tcg_qemu_tb_exec() calls pass
through a wrapper function which does this restoration if necessary.
Note that the apparent change in cpu_exec_nocache() from calling
cpu_pc_from_tb() with the old TB to calling it with the TB returned by
do_tcg_qemu_tb_exec() is safe, because in the nocache case we can
guarantee that the TB we try to execute is not linked to any others,
so the only possible returned TB is the one we started at. That is,
we should arguably previously have included in cpu_exec_nocache() an
assert((next_tb & ~TB_EXIT_MASK) == tb), since the API requires restore
from next_tb but we were using tb.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 77211379d73ea0c89c0b5bb6eee74b17cb06f9a8)
Conflicts:
cpu-exec.c
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
cpu-exec.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/cpu-exec.c b/cpu-exec.c
index 797e11a..4ffae22 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -51,12 +51,26 @@ void cpu_resume_from_signal(CPUArchState *env, void *puc)
}
#endif
+/* Execute a TB, and fix up the CPU state afterwards if necessary */
+static inline tcg_target_ulong cpu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
+{
+ tcg_target_ulong next_tb = tcg_qemu_tb_exec(env, tb_ptr);
+ if ((next_tb & TB_EXIT_MASK) > TB_EXIT_IDX1) {
+ /* We didn't start executing this TB (eg because the instruction
+ * counter hit zero); we must restore the guest PC to the address
+ * of the start of the TB.
+ */
+ TranslationBlock *tb = (TranslationBlock *)(next_tb & ~TB_EXIT_MASK);
+ cpu_pc_from_tb(env, tb);
+ }
+ return next_tb;
+}
+
/* Execute the code without caching the generated code. An interpreter
could be used if available. */
static void cpu_exec_nocache(CPUArchState *env, int max_cycles,
TranslationBlock *orig_tb)
{
- tcg_target_ulong next_tb;
TranslationBlock *tb;
/* Should never happen.
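Review bot: the test "(next_tb & TB_EXIT_MASK) > TB_EXIT_IDX1" in cpu_tb_exec() depends on the numeric ordering of the TB_EXIT_* constants, which nothing in the function spells out. A one-line comment that every value above TB_EXIT_IDX1 means "TB not started", or an explicit comparison against the non-index values, would keep this correct if the constants are ever renumbered. The TB pointer recovered from next_tb is also passed to cpu_pc_from_tb() without a check that it is non-zero, while the tcg.h comment allows the pointer to be zero when the last TB is unknown; an assert here would document that this cannot happen on the not-started paths.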
@@ -68,14 +82,8 @@ static void cpu_exec_nocache(CPUArchState *env, int max_cycles,
max_cycles);
env->current_tb = tb;
/* execute the generated code */
- next_tb = tcg_qemu_tb_exec(env, tb->tc_ptr);
+ cpu_tb_exec(env, tb->tc_ptr);
env->current_tb = NULL;
-
- if ((next_tb & TB_EXIT_MASK) == TB_EXIT_ICOUNT_EXPIRED) {
- /* Restore PC. This may happen if async event occurs before
- the TB starts executing. */
- cpu_pc_from_tb(env, tb);
- }
tb_phys_invalidate(tb, -1);
tb_free(tb);
}
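Review bot: cpu_exec_nocache() now discards the return value of cpu_tb_exec(), so the claim in the commit message that the only possible returned TB is the one we started at is not checked anywhere. The commit message itself says an assert would arguably have been appropriate; adding one here, comparing the returned pointer with the low bits masked off against tb whenever the exit was not via an index, would turn that argument into an enforced invariant before tb_phys_invalidate() and tb_free() run.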
@@ -597,13 +605,11 @@ int cpu_exec(CPUArchState *env)
if (likely(!env->exit_request)) {
tc_ptr = tb->tc_ptr;
/* execute the generated code */
- next_tb = tcg_qemu_tb_exec(env, tc_ptr);
+ next_tb = cpu_tb_exec(env, tc_ptr);
if ((next_tb & TB_EXIT_MASK) == TB_EXIT_ICOUNT_EXPIRED) {
/* Instruction counter expired. */
int insns_left;
tb = (TranslationBlock *)(next_tb & ~TB_EXIT_MASK);
- /* Restore PC. */
- cpu_pc_from_tb(env, tb);
insns_left = env->icount_decr.u32;
if (env->icount_extra && insns_left >= 0) {
/* Refill decrementer and continue execution. */
--
1.7.9.5
* [Qemu-devel] [PATCH 12/15] Handle CPU interrupts by inline checking of a flag
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (10 preceding siblings ...)
2013-05-14 21:53 ` [Qemu-devel] [PATCH 11/15] cpu-exec: wrap tcg_qemu_tb_exec() in a fn to restore the PC Michael Roth
@ 2013-05-14 21:53 ` Michael Roth
2013-05-14 21:53 ` [Qemu-devel] [PATCH 13/15] translate-all.c: Remove cpu_unlink_tb() Michael Roth
` (7 subsequent siblings)
19 siblings, 0 replies; 27+ messages in thread
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Peter Maydell <peter.maydell@linaro.org>
Fix some of the nasty TCG race conditions and crashes by implementing
cpu_exit() as setting a flag which is checked at the start of each TB.
This avoids crashes if a thread or signal handler calls cpu_exit()
while the execution thread is itself modifying the TB graph (which
may happen in system emulation mode as well as in linux-user mode
with a multithreaded guest binary).
This fixes the crashes seen in LP:668799; however there is another
class of crashes described in LP:1098729 which stem from the fact
that in linux-user with a multithreaded guest all threads will
use and modify the same global TCG data structures (including the
generated code buffer) without any kind of locking. This means that
multithreaded guest binaries are still in the "unsupported"
category.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 378df4b23753a11be650af7664ca76bc75cb9f01)
Conflicts:
exec.c
include/qom/cpu.h
translate-all.c
include/exec/gen-icount.h
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Conflicts:
cpu-exec.c
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
cpu-exec.c | 25 ++++++++++++++++++++++++-
exec.c | 2 +-
include/exec/cpu-defs.h | 1 +
include/exec/gen-icount.h | 11 +++++++++++
tcg/tcg.h | 5 +++++
translate-all.c | 4 ++--
6 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/cpu-exec.c b/cpu-exec.c
index 4ffae22..1c6af24 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -63,6 +63,12 @@ static inline tcg_target_ulong cpu_tb_exec(CPUArchState *env, uint8_t *tb_ptr)
TranslationBlock *tb = (TranslationBlock *)(next_tb & ~TB_EXIT_MASK);
cpu_pc_from_tb(env, tb);
}
+ if ((next_tb & TB_EXIT_MASK) == TB_EXIT_REQUESTED) {
+ /* We were asked to stop executing TBs (probably a pending
+ * interrupt. We've now stopped, so clear the flag.
+ */
+ env->tcg_exit_req = 0;
+ }
return next_tb;
}
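Review bot: the unconditional "env->tcg_exit_req = 0" in the TB_EXIT_REQUESTED branch can wipe out a request that another thread or a signal handler raised after the generated code took the exit but before this store. That is only safe because the requester also sets exit_request or interrupt_request and the main loop rechecks those; the comment should say so, since the safety argument currently lives only in the cpu_exec() hunk. The comment also has an unclosed parenthesis after "(probably a pending interrupt."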
@@ -606,7 +612,20 @@ int cpu_exec(CPUArchState *env)
tc_ptr = tb->tc_ptr;
/* execute the generated code */
next_tb = cpu_tb_exec(env, tc_ptr);
- if ((next_tb & TB_EXIT_MASK) == TB_EXIT_ICOUNT_EXPIRED) {
+ switch (next_tb & TB_EXIT_MASK) {
+ case TB_EXIT_REQUESTED:
+ /* Something asked us to stop executing
+ * chained TBs; just continue round the main
+ * loop. Whatever requested the exit will also
+ * have set something else (eg exit_request or
+ * interrupt_request) which we will handle
+ * next time around the loop.
+ */
+ tb = (TranslationBlock *)(next_tb & ~TB_EXIT_MASK);
+ next_tb = 0;
+ break;
+ case TB_EXIT_ICOUNT_EXPIRED:
+ {
/* Instruction counter expired. */
int insns_left;
tb = (TranslationBlock *)(next_tb & ~TB_EXIT_MASK);
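Review bot: in the new TB_EXIT_REQUESTED case, tb is reassigned from next_tb and then the case only zeroes next_tb and breaks, so within the visible lines the assignment has no effect. If something after the switch relies on tb being refreshed, the comment should mention it; otherwise the assignment can be dropped so the case reads as "forget the chain and go round the loop".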
@@ -630,6 +649,10 @@ int cpu_exec(CPUArchState *env)
next_tb = 0;
cpu_loop_exit(env);
}
+ break;
+ }
+ default:
+ break;
}
}
env->current_tb = NULL;
diff --git a/exec.c b/exec.c
index b85508b..371713a 100644
--- a/exec.c
+++ b/exec.c
@@ -493,7 +493,7 @@ void cpu_reset_interrupt(CPUArchState *env, int mask)
void cpu_exit(CPUArchState *env)
{
env->exit_request = 1;
- cpu_unlink_tb(env);
+ env->tcg_exit_req = 1;
}
void cpu_abort(CPUArchState *env, const char *fmt, ...)
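Review bot: cpu_exit() now publishes the request with two plain stores, exit_request then tcg_exit_req, and the consumer side depends on seeing exit_request once it has observed and cleared tcg_exit_req. The removed cpu_unlink_tb() call took a spinlock; the replacement has no barrier, and "volatile sig_atomic_t" only covers the signal-handler case, not a store from another host thread. Please either add a write barrier between the two stores or explain in a comment why the ordering cannot be observed reversed by the execution thread.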
diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 2911b9f..07fce69 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -161,6 +161,7 @@ typedef struct CPUWatchpoint {
uint32_t halted; /* Nonzero if the CPU is in suspend state */ \
uint32_t interrupt_request; \
volatile sig_atomic_t exit_request; \
+ volatile sig_atomic_t tcg_exit_req; \
CPU_COMMON_TLB \
struct TranslationBlock *tb_jmp_cache[TB_JMP_CACHE_SIZE]; \
/* buffer for temporaries in the code generator */ \
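Review bot: tcg_exit_req is added next to exit_request with no comment, and the two names are close enough to be confused. A short comment on the new field saying who sets it (cpu_exit, cpu_interrupt, tcg_handle_interrupt), who clears it (cpu_tb_exec) and that it is read from generated code at the start of each TB would make the split between the two flags clear.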
diff --git a/include/exec/gen-icount.h b/include/exec/gen-icount.h
index c858a73..f45f975 100644
--- a/include/exec/gen-icount.h
+++ b/include/exec/gen-icount.h
@@ -7,10 +7,18 @@
static TCGArg *icount_arg;
static int icount_label;
+static int exitreq_label;
static inline void gen_icount_start(void)
{
TCGv_i32 count;
+ TCGv_i32 flag;
+
+ exitreq_label = gen_new_label();
+ flag = tcg_temp_local_new_i32();
+ tcg_gen_ld_i32(flag, cpu_env, offsetof(CPUArchState, tcg_exit_req));
+ tcg_gen_brcondi_i32(TCG_COND_NE, flag, 0, exitreq_label);
+ tcg_temp_free_i32(flag);
if (!use_icount)
return;
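Review bot: the exit-request check is emitted before the "if (!use_icount) return;" test, so gen_icount_start() now generates a load and a conditional branch for every TB regardless of icount mode, and the function name no longer describes what it does. Either rename the pair or add a comment at the top of gen_icount_start() stating that the tcg_exit_req check is unconditional and that the icount part is the optional one.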
@@ -29,6 +37,9 @@ static inline void gen_icount_start(void)
static void gen_icount_end(TranslationBlock *tb, int num_insns)
{
+ gen_set_label(exitreq_label);
+ tcg_gen_exit_tb((tcg_target_long)tb + TB_EXIT_REQUESTED);
+
if (use_icount) {
*icount_arg = num_insns;
gen_set_label(icount_label);
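Review bot: exitreq_label is created in gen_icount_start() and only bound here, ahead of the "if (use_icount)" block, so every translator that calls gen_icount_start() must now also call gen_icount_end() on all paths or the branch emitted at TB start has no target. That pairing used to matter only with icount enabled; a comment on gen_icount_end() stating the new requirement would help target maintainers.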
diff --git a/tcg/tcg.h b/tcg/tcg.h
index 10eb3f4..34b2ca8 100644
--- a/tcg/tcg.h
+++ b/tcg/tcg.h
@@ -686,6 +686,10 @@ extern uint8_t *code_gen_prologue;
* would hit zero midway through it. In this case the next-TB pointer
* returned is the TB we were about to execute, and the caller must
* arrange to execute the remaining count of instructions.
+ * 3: we stopped because the CPU's exit_request flag was set
+ * (usually meaning that there is an interrupt that needs to be
+ * handled). The next-TB pointer returned is the TB we were
+ * about to execute when we noticed the pending exit request.
*
* If the bottom two bits indicate an exit-via-index then the CPU
* state is correctly synchronised and ready for execution of the next
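Review bot: the new text for value 3 says the exit happens because "the CPU's exit_request flag was set", but the generated code in gen_icount_start() loads and tests tcg_exit_req, not exit_request. The documentation should name the flag that is actually checked, otherwise a reader will assume that setting exit_request alone is enough to leave a chain of TBs.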
@@ -702,6 +706,7 @@ extern uint8_t *code_gen_prologue;
#define TB_EXIT_IDX0 0
#define TB_EXIT_IDX1 1
#define TB_EXIT_ICOUNT_EXPIRED 2
+#define TB_EXIT_REQUESTED 3
#if !defined(tcg_qemu_tb_exec)
# define tcg_qemu_tb_exec(env, tb_ptr) \
diff --git a/translate-all.c b/translate-all.c
index bf1db09..1288b2a 100644
--- a/translate-all.c
+++ b/translate-all.c
@@ -1476,7 +1476,7 @@ static void tcg_handle_interrupt(CPUArchState *env, int mask)
cpu_abort(env, "Raised interrupt while not in I/O function");
}
} else {
- cpu_unlink_tb(env);
+ env->tcg_exit_req = 1;
}
}
@@ -1617,7 +1617,7 @@ void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
void cpu_interrupt(CPUArchState *env, int mask)
{
env->interrupt_request |= mask;
- cpu_unlink_tb(env);
+ env->tcg_exit_req = 1;
}
/*
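Review bot: with this hunk there are three open-coded "env->tcg_exit_req = 1;" stores (cpu_exit, tcg_handle_interrupt, cpu_interrupt), each following a different companion store such as "env->interrupt_request |= mask". A small inline helper for raising the request would give one place to document the required ordering between the companion flag and tcg_exit_req, and one place to add a barrier if it turns out to be needed.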
--
1.7.9.5
* [Qemu-devel] [PATCH 13/15] translate-all.c: Remove cpu_unlink_tb()
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (11 preceding siblings ...)
2013-05-14 21:53 ` [Qemu-devel] [PATCH 12/15] Handle CPU interrupts by inline checking of a flag Michael Roth
@ 2013-05-14 21:53 ` Michael Roth
2013-05-14 21:53 ` [Qemu-devel] [PATCH 14/15] qga: distinguish binary modes in "guest_file_open_modes" map Michael Roth
` (6 subsequent siblings)
19 siblings, 0 replies; 27+ messages in thread
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Peter Maydell <peter.maydell@linaro.org>
The (unsafe) function cpu_unlink_tb() is now unused, so we can simply
remove it and any code that was only used by it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 3a808cc407744c30daa7470b5f191cde1fbc1aae)
Conflicts:
translate-all.c
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
translate-all.c | 69 -------------------------------------------------------
1 file changed, 69 deletions(-)
diff --git a/translate-all.c b/translate-all.c
index 1288b2a..ba4d3f6 100644
--- a/translate-all.c
+++ b/translate-all.c
@@ -1350,55 +1350,6 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
return &tbs[m_max];
}
-static void tb_reset_jump_recursive(TranslationBlock *tb);
-
-static inline void tb_reset_jump_recursive2(TranslationBlock *tb, int n)
-{
- TranslationBlock *tb1, *tb_next, **ptb;
- unsigned int n1;
-
- tb1 = tb->jmp_next[n];
- if (tb1 != NULL) {
- /* find head of list */
- for (;;) {
- n1 = (uintptr_t)tb1 & 3;
- tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
- if (n1 == 2) {
- break;
- }
- tb1 = tb1->jmp_next[n1];
- }
- /* we are now sure now that tb jumps to tb1 */
- tb_next = tb1;
-
- /* remove tb from the jmp_first list */
- ptb = &tb_next->jmp_first;
- for (;;) {
- tb1 = *ptb;
- n1 = (uintptr_t)tb1 & 3;
- tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
- if (n1 == n && tb1 == tb) {
- break;
- }
- ptb = &tb1->jmp_next[n1];
- }
- *ptb = tb->jmp_next[n];
- tb->jmp_next[n] = NULL;
-
- /* suppress the jump to next tb in generated code */
- tb_reset_jump(tb, n);
-
- /* suppress jumps in the tb on which we could have jumped */
- tb_reset_jump_recursive(tb_next);
- }
-}
-
-static void tb_reset_jump_recursive(TranslationBlock *tb)
-{
- tb_reset_jump_recursive2(tb, 0);
- tb_reset_jump_recursive2(tb, 1);
-}
-
#if defined(TARGET_HAS_ICE) && !defined(CONFIG_USER_ONLY)
void tb_invalidate_phys_addr(hwaddr addr)
{
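Review bot: the removed tb_reset_jump_recursive2() calls tb_reset_jump(tb, n), which is not part of this deletion. The commit message says code only used by cpu_unlink_tb() is removed as well, so please confirm tb_reset_jump() still has another caller; if it does not, it becomes an unused function and should go in the same patch.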
@@ -1417,26 +1368,6 @@ void tb_invalidate_phys_addr(hwaddr addr)
}
#endif /* TARGET_HAS_ICE && !defined(CONFIG_USER_ONLY) */
-void cpu_unlink_tb(CPUArchState *env)
-{
- /* FIXME: TB unchaining isn't SMP safe. For now just ignore the
- problem and hope the cpu will stop of its own accord. For userspace
- emulation this often isn't actually as bad as it sounds. Often
- signals are used primarily to interrupt blocking syscalls. */
- TranslationBlock *tb;
- static spinlock_t interrupt_lock = SPIN_LOCK_UNLOCKED;
-
- spin_lock(&interrupt_lock);
- tb = env->current_tb;
- /* if the cpu is currently executing code, we must unlink it and
- all the potentially executing TB */
- if (tb) {
- env->current_tb = NULL;
- tb_reset_jump_recursive(tb);
- }
- spin_unlock(&interrupt_lock);
-}
-
void tb_check_watchpoint(CPUArchState *env)
{
TranslationBlock *tb;
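Review bot: cpu_unlink_tb() was a reader of env->current_tb, which cpu-exec.c still assigns around each TB execution. Worth checking whether any reader of that field remains after this removal; if none does, the assignments are dead stores and can be cleaned up in a follow-up. The same goes for the spinlock_t / SPIN_LOCK_UNLOCKED helpers if interrupt_lock was their last user.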
--
1.7.9.5
* [Qemu-devel] [PATCH 14/15] qga: distinguish binary modes in "guest_file_open_modes" map
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (12 preceding siblings ...)
2013-05-14 21:53 ` [Qemu-devel] [PATCH 13/15] translate-all.c: Remove cpu_unlink_tb() Michael Roth
@ 2013-05-14 21:53 ` Michael Roth
2013-05-14 21:53 ` [Qemu-devel] [PATCH 15/15] qga: unlink just created guest-file if fchmod() or fdopen() fails on it Michael Roth
` (5 subsequent siblings)
19 siblings, 0 replies; 27+ messages in thread
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Laszlo Ersek <lersek@redhat.com>
In Windows guests this may make a difference.
Since the original patch (commit c689b4f1) sought to be pedantic and to
consider theoretical corner cases of portability, we should fix it up
where it failed to come through in that pursuit.
Suggested-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 8fe6bbca7176c9dfb35083a71bda95c1856e2ed5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
qga/commands-posix.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 08f3473..933c700 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -164,17 +164,27 @@ static GuestFileHandle *guest_file_handle_find(int64_t id, Error **err)
typedef const char * const ccpc;
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
/* http://pubs.opengroup.org/onlinepubs/9699919799/functions/fopen.html */
static const struct {
ccpc *forms;
int oflag_base;
} guest_file_open_modes[] = {
- { (ccpc[]){ "r", "rb", NULL }, O_RDONLY },
- { (ccpc[]){ "w", "wb", NULL }, O_WRONLY | O_CREAT | O_TRUNC },
- { (ccpc[]){ "a", "ab", NULL }, O_WRONLY | O_CREAT | O_APPEND },
- { (ccpc[]){ "r+", "rb+", "r+b", NULL }, O_RDWR },
- { (ccpc[]){ "w+", "wb+", "w+b", NULL }, O_RDWR | O_CREAT | O_TRUNC },
- { (ccpc[]){ "a+", "ab+", "a+b", NULL }, O_RDWR | O_CREAT | O_APPEND }
+ { (ccpc[]){ "r", NULL }, O_RDONLY },
+ { (ccpc[]){ "rb", NULL }, O_RDONLY | O_BINARY },
+ { (ccpc[]){ "w", NULL }, O_WRONLY | O_CREAT | O_TRUNC },
+ { (ccpc[]){ "wb", NULL }, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY },
+ { (ccpc[]){ "a", NULL }, O_WRONLY | O_CREAT | O_APPEND },
+ { (ccpc[]){ "ab", NULL }, O_WRONLY | O_CREAT | O_APPEND | O_BINARY },
+ { (ccpc[]){ "r+", NULL }, O_RDWR },
+ { (ccpc[]){ "rb+", "r+b", NULL }, O_RDWR | O_BINARY },
+ { (ccpc[]){ "w+", NULL }, O_RDWR | O_CREAT | O_TRUNC },
+ { (ccpc[]){ "wb+", "w+b", NULL }, O_RDWR | O_CREAT | O_TRUNC | O_BINARY },
+ { (ccpc[]){ "a+", NULL }, O_RDWR | O_CREAT | O_APPEND },
+ { (ccpc[]){ "ab+", "a+b", NULL }, O_RDWR | O_CREAT | O_APPEND | O_BINARY }
};
static int
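Review bot: the "#define O_BINARY 0" fallback is added without a comment, in a file named commands-posix.c, while the commit message justifies the change by Windows guests. A comment above the #ifndef saying that O_BINARY is a no-op on hosts that do not define it, and on which builds of this file it is expected to be non-zero, would explain why the table was doubled in size. Note also that where the fallback applies, the "r"/"rb" style pairs map to identical flags, so the split has no effect on those hosts.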
--
1.7.9.5
* [Qemu-devel] [PATCH 15/15] qga: unlink just created guest-file if fchmod() or fdopen() fails on it
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (13 preceding siblings ...)
2013-05-14 21:53 ` [Qemu-devel] [PATCH 14/15] qga: distinguish binary modes in "guest_file_open_modes" map Michael Roth
@ 2013-05-14 21:53 ` Michael Roth
2013-05-15 4:49 ` [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Tokarev
` (4 subsequent siblings)
19 siblings, 0 replies; 27+ messages in thread
From: Michael Roth @ 2013-05-14 21:53 UTC (permalink / raw)
To: qemu-devel; +Cc: aliguori, qemu-stable
From: Laszlo Ersek <lersek@redhat.com>
We shouldn't allow guest filesystem pollution on error paths.
Suggested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 2b720018060179b394f8ce736983373ab80dd37c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
qga/commands-posix.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 933c700..e439851 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -277,6 +277,9 @@ safe_open_or_create(const char *path, const char *mode, Error **err)
}
close(fd);
+ if (oflag & O_CREAT) {
+ unlink(path);
+ }
}
}
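Review bot: the condition "oflag & O_CREAT" tests whether the requested mode permits creation, not whether this call actually created the file. If the path already existed and was opened successfully before the failure, this error path would unlink a pre-existing guest file, which is worse than the pollution the patch is meant to prevent and does not match the subject line's "just created". Please track creation explicitly (for example a local flag set only where the file is created) and unlink on that. The return value of unlink() is also ignored; at least a comment that the failure is deliberately not reported would be good.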
--
1.7.9.5
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (14 preceding siblings ...)
2013-05-14 21:53 ` [Qemu-devel] [PATCH 15/15] qga: unlink just created guest-file if fchmod() or fdopen() fails on it Michael Roth
@ 2013-05-15 4:49 ` Michael Tokarev
2013-05-15 4:51 ` Michael Tokarev
2013-05-15 14:09 ` Brad Smith
` (3 subsequent siblings)
19 siblings, 1 reply; 27+ messages in thread
From: Michael Tokarev @ 2013-05-15 4:49 UTC (permalink / raw)
To: Michael Roth; +Cc: aliguori, qemu-devel, qemu-stable
15.05.2013 01:52, Michael Roth wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.4.2:
[]
> Please CC qemu-stable@nongnu.org on any patches you think should be
> included in the release. The cut-off date is 05-20-2013 for new patches.
FWIW, I've CC'ed the "cpu_unlink_tb" series to -stable - more,
did a backport especially for 1.4 version, about a week ago,
there:
https://lists.gnu.org/archive/html/qemu-devel/2013-05/msg01300.html
Thanks,
/mjt
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-15 4:49 ` [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Tokarev
@ 2013-05-15 4:51 ` Michael Tokarev
0 siblings, 0 replies; 27+ messages in thread
From: Michael Tokarev @ 2013-05-15 4:51 UTC (permalink / raw)
To: Michael Roth; +Cc: aliguori, qemu-devel, qemu-stable
15.05.2013 08:49, Michael Tokarev wrote:
> 15.05.2013 01:52, Michael Roth wrote:
>> Hi everyone,
>>
>> The following new patches are queued for QEMU stable v1.4.2:
> []
>> Please CC qemu-stable@nongnu.org on any patches you think should be
>> included in the release. The cut-off date is 05-20-2013 for new patches.
>
> FWIW, I've CC'ed the "cpu_unlink_tb" series to -stable - more,
> did a backport especially for 1.4 version, about a week ago,
> there:
>
> https://lists.gnu.org/archive/html/qemu-devel/2013-05/msg01300.html
Blah. -ENOCOFFEE (it's 08:50 here now). Nevermind. ;)
/mjt
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (15 preceding siblings ...)
2013-05-15 4:49 ` [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Tokarev
@ 2013-05-15 14:09 ` Brad Smith
2013-05-15 16:25 ` mdroth
2013-05-15 21:48 ` Cole Robinson
` (2 subsequent siblings)
19 siblings, 1 reply; 27+ messages in thread
From: Brad Smith @ 2013-05-15 14:09 UTC (permalink / raw)
To: Michael Roth; +Cc: aliguori, qemu-devel, qemu-stable
On Tue, May 14, 2013 at 04:52:57PM -0500, Michael Roth wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.4.2:
>
> https://github.com/mdroth/qemu/commits/stable-1.4-staging
>
> The release is planned for 05-24-2013:
>
> http://wiki.qemu.org/Planning/1.4
>
> Please CC qemu-stable@nongnu.org on any patches you think should be
> included in the release. The cut-off date is 05-20-2013 for new patches.
>
> Testing/feedback is greatly appreciated.
This patch is missing from the 1.4 branch..
http://lists.nongnu.org/archive/html/qemu-stable/2013-04/msg00069.html
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-15 14:09 ` Brad Smith
@ 2013-05-15 16:25 ` mdroth
0 siblings, 0 replies; 27+ messages in thread
From: mdroth @ 2013-05-15 16:25 UTC (permalink / raw)
To: Brad Smith; +Cc: aliguori, qemu-devel, qemu-stable
On Wed, May 15, 2013 at 10:09:32AM -0400, Brad Smith wrote:
> On Tue, May 14, 2013 at 04:52:57PM -0500, Michael Roth wrote:
> > Hi everyone,
> >
> > The following new patches are queued for QEMU stable v1.4.2:
> >
> > https://github.com/mdroth/qemu/commits/stable-1.4-staging
> >
> > The release is planned for 05-24-2013:
> >
> > http://wiki.qemu.org/Planning/1.4
> >
> > Please CC qemu-stable@nongnu.org on any patches you think should be
> > included in the release. The cut-off date is 05-20-2013 for new patches.
> >
> > Testing/feedback is greatly appreciated.
>
> This patch is missing from the 1.4 branch..
>
> http://lists.nongnu.org/archive/html/qemu-stable/2013-04/msg00069.html
Sorry, didn't think to re-check for patches that came in during 1.4.1
freeze. I'm also missing:
"qemu-timer: move timeBeginPeriod/timeEndPeriod to os-win32"
but there are some conflicts I need to look at.
I have your patch queued locally, but can you respond to that thread with
your SoB before I push it?
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (16 preceding siblings ...)
2013-05-15 14:09 ` Brad Smith
@ 2013-05-15 21:48 ` Cole Robinson
2013-05-16 17:20 ` mdroth
2013-05-17 12:43 ` Luiz Capitulino
2013-05-17 15:46 ` Doug Goldstein
19 siblings, 1 reply; 27+ messages in thread
From: Cole Robinson @ 2013-05-15 21:48 UTC (permalink / raw)
To: Michael Roth; +Cc: aliguori, qemu-devel, qemu-stable
On 05/14/2013 05:52 PM, Michael Roth wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.4.2:
>
> https://github.com/mdroth/qemu/commits/stable-1.4-staging
>
> The release is planned for 05-24-2013:
>
> http://wiki.qemu.org/Planning/1.4
>
> Please CC qemu-stable@nongnu.org on any patches you think should be
> included in the release. The cut-off date is 05-20-2013 for new patches.
>
I just added this patch to Fedora to fix a crash that gnome-boxes is hitting:
commit 3713e1485e6eace7d48b9c790602cfd92c616e5f
Author: Hans de Goede <hdegoede@redhat.com>
Date: Fri Mar 15 11:52:37 2013 +0100
usb-redir: Fix crash on migration with no client connected
Also, building documentation is still broken with texinfo 5, I got the details
wrong about this for the 1.4.1 series. Master got the fix through
commit 5d6768e3b8908a60f0a3016b7fa24194f6b47c80
Author: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Date: Fri Feb 22 12:39:51 2013 +0900
sheepdog: accept URIs
But that's not appropriate for stable. I'll send a patch.
- Cole
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-15 21:48 ` Cole Robinson
@ 2013-05-16 17:20 ` mdroth
0 siblings, 0 replies; 27+ messages in thread
From: mdroth @ 2013-05-16 17:20 UTC (permalink / raw)
To: Cole Robinson; +Cc: aliguori, qemu-devel, qemu-stable
On Wed, May 15, 2013 at 05:48:14PM -0400, Cole Robinson wrote:
> On 05/14/2013 05:52 PM, Michael Roth wrote:
> > Hi everyone,
> >
> > The following new patches are queued for QEMU stable v1.4.2:
> >
> > https://github.com/mdroth/qemu/commits/stable-1.4-staging
> >
> > The release is planned for 05-24-2013:
> >
> > http://wiki.qemu.org/Planning/1.4
> >
> > Please CC qemu-stable@nongnu.org on any patches you think should be
> > included in the release. The cut-off date is 05-20-2013 for new patches.
> >
>
> I just added this patch to Fedora to fix a crash that gnome-boxes is hitting:
>
> commit 3713e1485e6eace7d48b9c790602cfd92c616e5f
> Author: Hans de Goede <hdegoede@redhat.com>
> Date: Fri Mar 15 11:52:37 2013 +0100
>
> usb-redir: Fix crash on migration with no client connected
>
>
> Also, building documentation is still broken with texinfo 5, I got the details
> wrong about this for the 1.4.1 series. Master got the fix through
>
> commit 5d6768e3b8908a60f0a3016b7fa24194f6b47c80
> Author: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
> Date: Fri Feb 22 12:39:51 2013 +0900
>
> sheepdog: accept URIs
>
> But that's not appropriate for stable. I'll send a patch.
Thanks, just pushed both of these:
https://github.com/mdroth/qemu/commits/stable-1.4-staging
>
> - Cole
>
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (17 preceding siblings ...)
2013-05-15 21:48 ` Cole Robinson
@ 2013-05-17 12:43 ` Luiz Capitulino
2013-05-17 15:46 ` Doug Goldstein
19 siblings, 0 replies; 27+ messages in thread
From: Luiz Capitulino @ 2013-05-17 12:43 UTC (permalink / raw)
To: Michael Roth; +Cc: aliguori, qemu-devel, qemu-stable
On Tue, 14 May 2013 16:52:57 -0500
Michael Roth <mdroth@linux.vnet.ibm.com> wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.4.2:
>
> https://github.com/mdroth/qemu/commits/stable-1.4-staging
>
> The release is planned for 05-24-2013:
>
> http://wiki.qemu.org/Planning/1.4
>
> Please CC qemu-stable@nongnu.org on any patches you think should be
> included in the release. The cut-off date is 05-20-2013 for new patches.
Michael, can you cherry pick the following commit:
commit dcc6ceffc066745777960a1f0d32f3a555924f65
Author: Luiz Capitulino <lcapitulino@redhat.com>
Date: Thu Apr 18 11:53:32 2013 -0400
virtio-balloon: fix integer overflow in BALLOON_CHANGE QMP event
It should apply cleanly.
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-14 21:52 [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday Michael Roth
` (18 preceding siblings ...)
2013-05-17 12:43 ` Luiz Capitulino
@ 2013-05-17 15:46 ` Doug Goldstein
2013-05-17 19:08 ` mdroth
19 siblings, 1 reply; 27+ messages in thread
From: Doug Goldstein @ 2013-05-17 15:46 UTC (permalink / raw)
To: Michael Roth; +Cc: Anthony Liguori, qemu-devel, qemu-stable
On Tue, May 14, 2013 at 4:52 PM, Michael Roth <mdroth@linux.vnet.ibm.com> wrote:
> Hi everyone,
>
> The following new patches are queued for QEMU stable v1.4.2:
>
> https://github.com/mdroth/qemu/commits/stable-1.4-staging
>
> The release is planned for 05-24-2013:
>
> http://wiki.qemu.org/Planning/1.4
>
> Please CC qemu-stable@nongnu.org on any patches you think should be
> included in the release. The cut-off date is 05-20-2013 for new patches.
>
> Testing/feedback is greatly appreciated.
>
> Thanks!
>
>
Michael,
I have one patch in my 1.4 stable queue.
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 13 Mar 2013 14:58:13 +0000 (+0100)
Subject: qemu-iotests: add tests for rebasing zero clusters
X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=acbf30ec601b1f817febc4500025b7c4181312c4
qemu-iotests: add tests for rebasing zero clusters
If zero clusters are erroneously treated as unallocated, "qemu-img rebase"
will copy the backing file's contents onto the cluster.
The bug existed also in image streaming, but since the root cause was in
qcow2's is_allocated implementation it is enough to test it with qemu-img.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
It only adds a test for something that was fixed in 1.4.1 (maybe was fixed
by the final 1.4.0 release I can't recall).
--
Doug Goldstein
* Re: [Qemu-devel] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-17 15:46 ` Doug Goldstein
@ 2013-05-17 19:08 ` mdroth
2013-05-17 20:43 ` [Qemu-devel] [Qemu-stable] " Josh Durgin
0 siblings, 1 reply; 27+ messages in thread
From: mdroth @ 2013-05-17 19:08 UTC (permalink / raw)
To: Doug Goldstein; +Cc: Anthony Liguori, qemu-devel, qemu-stable
On Fri, May 17, 2013 at 10:46:15AM -0500, Doug Goldstein wrote:
> On Tue, May 14, 2013 at 4:52 PM, Michael Roth <mdroth@linux.vnet.ibm.com> wrote:
>
> > Hi everyone,
> >
> > The following new patches are queued for QEMU stable v1.4.2:
> >
> > https://github.com/mdroth/qemu/commits/stable-1.4-staging
> >
> > The release is planned for 05-24-2013:
> >
> > http://wiki.qemu.org/Planning/1.4
> >
> > Please CC qemu-stable@nongnu.org on any patches you think should be
> > included in the release. The cut-off date is 05-20-2013 for new patches.
> >
> > Testing/feedback is greatly appreciated.
> >
> > Thanks!
> >
> >
> Michael,
>
> I have one patch in my 1.4 stable queue.
>
> From: Paolo Bonzini <pbonzini@redhat.com>
> Date: Wed, 13 Mar 2013 14:58:13 +0000 (+0100)
> Subject: qemu-iotests: add tests for rebasing zero clusters
> X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=acbf30ec601b1f817febc4500025b7c4181312c4
>
> qemu-iotests: add tests for rebasing zero clusters
>
> If zero clusters are erroneously treated as unallocated, "qemu-img rebase"
> will copy the backing file's contents onto the cluster.
>
> The bug existed also in image streaming, but since the root cause was in
> qcow2's is_allocated implementation it is enough to test it with qemu-img.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>
> ---
>
>
> It only adds a test for something that was fixed in 1.4.1 (maybe was fixed
> by the final 1.4.0 release I can't recall).

Thanks, pushed this to staging along with what should be all outstanding
patches noted so far.

>
> --
> Doug Goldstein
* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-17 19:08 ` mdroth
@ 2013-05-17 20:43 ` Josh Durgin
2013-05-17 21:01 ` mdroth
0 siblings, 1 reply; 27+ messages in thread
From: Josh Durgin @ 2013-05-17 20:43 UTC (permalink / raw)
To: mdroth; +Cc: Anthony Liguori, Doug Goldstein, qemu-devel, qemu-stable
On 05/17/2013 12:08 PM, mdroth wrote:
> On Fri, May 17, 2013 at 10:46:15AM -0500, Doug Goldstein wrote:
>> On Tue, May 14, 2013 at 4:52 PM, Michael Roth <mdroth@linux.vnet.ibm.com>wrote:
>>
>>> Hi everyone,
>>>
>>> The following new patches are queued for QEMU stable v1.4.2:
>>>
>>> https://github.com/mdroth/qemu/commits/stable-1.4-staging
>>>
>>> The release is planned for 05-24-2013:
>>>
>>> http://wiki.qemu.org/Planning/1.4
>>>
>>> Please CC qemu-stable@nongnu.org on any patches you think should be
>>> included in the release. The cut-off date is 05-20-2013 for new patches.
>>>
>>> Testing/feedback is greatly appreciated.
>>>
>>> Thanks!
>>>
>>>
>> Michael,
>>
>> I have one patch in my 1.4 stable queue.
>>
>> From: Paolo Bonzini <pbonzini@redhat.com>
>> Date: Wed, 13 Mar 2013 14:58:13 +0000 (+0100)
>> Subject: qemu-iotests: add tests for rebasing zero clusters
>> X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=acbf30ec601b1f817febc4500025b7c4181312c4
>>
>> qemu-iotests: add tests for rebasing zero clusters
>>
>> If zero clusters are erroneously treated as unallocated, "qemu-img rebase"
>> will copy the backing file's contents onto the cluster.
>>
>> The bug existed also in image streaming, but since the root cause was in
>> qcow2's is_allocated implementation it is enough to test it with qemu-img.
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>>
>> ---
>>
>>
>> It only adds a test for something that was fixed in 1.4.1 (maybe was fixed
>> by the final 1.4.0 release I can't recall).
>
> Thanks, pushed this to staging along with what should be all outstanding
> patches noted so far.

Could you add the patch:

commit dc7588c1eb3008bda53dde1d6b890cd299758155
Author: Josh Durgin <josh.durgin@inktank.com>
Date: Fri Mar 29 13:03:23 2013 -0700

rbd: add an asynchronous flush

The existing bdrv_co_flush_to_disk implementation uses rbd_flush(),
which is synchronous and causes the main qemu thread to block until it
is complete. This results in unresponsiveness and extra latency for
the guest.

Fix this by using an asynchronous version of flush. This was added to
librbd with a special #define to indicate its presence, since it will
be backported to stable versions. Thus, there is no need to check the
version of librbd.

Implement this as bdrv_aio_flush, since it matches other aio functions
in the rbd block driver, and leave out bdrv_co_flush_to_disk when the
asynchronous version is available.

Reported-by: Oliver Francke <oliver@filoo.de>
Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

I sent a cherry-pick of it to qemu-stable a couple days ago, although
it applies to the stable-1.4 branch cleanly. It fixes a significant
interactivity and performance problem when rbd is used with caching
enabled.

Thanks,
Josh
* Re: [Qemu-devel] [Qemu-stable] Patch Round-up for stable 1.4.2, freeze on Monday
2013-05-17 20:43 ` [Qemu-devel] [Qemu-stable] " Josh Durgin
@ 2013-05-17 21:01 ` mdroth
0 siblings, 0 replies; 27+ messages in thread
From: mdroth @ 2013-05-17 21:01 UTC (permalink / raw)
To: Josh Durgin; +Cc: Anthony Liguori, Doug Goldstein, qemu-devel, qemu-stable
On Fri, May 17, 2013 at 01:43:28PM -0700, Josh Durgin wrote:
> On 05/17/2013 12:08 PM, mdroth wrote:
> >On Fri, May 17, 2013 at 10:46:15AM -0500, Doug Goldstein wrote:
> >>On Tue, May 14, 2013 at 4:52 PM, Michael Roth <mdroth@linux.vnet.ibm.com>wrote:
> >>
> >>>Hi everyone,
> >>>
> >>>The following new patches are queued for QEMU stable v1.4.2:
> >>>
> >>>https://github.com/mdroth/qemu/commits/stable-1.4-staging
> >>>
> >>>The release is planned for 05-24-2013:
> >>>
> >>>http://wiki.qemu.org/Planning/1.4
> >>>
> >>>Please CC qemu-stable@nongnu.org on any patches you think should be
> >>>included in the release. The cut-off date is 05-20-2013 for new patches.
> >>>
> >>>Testing/feedback is greatly appreciated.
> >>>
> >>>Thanks!
> >>>
> >>>
> >>Michael,
> >>
> >>I have one patch in my 1.4 stable queue.
> >>
> >>From: Paolo Bonzini <pbonzini@redhat.com>
> >>Date: Wed, 13 Mar 2013 14:58:13 +0000 (+0100)
> >>Subject: qemu-iotests: add tests for rebasing zero clusters
> >>X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=acbf30ec601b1f817febc4500025b7c4181312c4
> >>
> >>qemu-iotests: add tests for rebasing zero clusters
> >>
> >>If zero clusters are erroneously treated as unallocated, "qemu-img rebase"
> >>will copy the backing file's contents onto the cluster.
> >>
> >>The bug existed also in image streaming, but since the root cause was in
> >>qcow2's is_allocated implementation it is enough to test it with qemu-img.
> >>
> >>Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> >>Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> >>
> >>---
> >>
> >>
> >>It only adds a test for something that was fixed in 1.4.1 (maybe was fixed
> >>by the final 1.4.0 release I can't recall).
> >
> >Thanks, pushed this to staging along with what should be all outstanding
> >patches noted so far.
>
> Could you add the patch:
>
> commit dc7588c1eb3008bda53dde1d6b890cd299758155
> Author: Josh Durgin <josh.durgin@inktank.com>
> Date: Fri Mar 29 13:03:23 2013 -0700
>
> rbd: add an asynchronous flush
>
> The existing bdrv_co_flush_to_disk implementation uses rbd_flush(),
> which is synchronous and causes the main qemu thread to block until it
> is complete. This results in unresponsiveness and extra latency for
> the guest.
>
> Fix this by using an asynchronous version of flush. This was added to
> librbd with a special #define to indicate its presence, since it will
> be backported to stable versions. Thus, there is no need to check the
> version of librbd.
>
> Implement this as bdrv_aio_flush, since it matches other aio functions
> in the rbd block driver, and leave out bdrv_co_flush_to_disk when the
> asynchronous version is available.
>
> Reported-by: Oliver Francke <oliver@filoo.de>
> Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>
> I sent a cherry-pick of it to qemu-stable a couple days ago, although
> it applies to the stable-1.4 branch cleanly. It fixes a significant
> interactivity and performance problem when rbd is used with caching
> enabled.

Hmm, not sure how that slipped by me. Just applied it to staging tree:

https://github.com/mdroth/qemu/commits/stable-1.4-staging

>
> Thanks,
> Josh
>