qemu-commits

[Qemu-commits] [qemu/qemu] 42f7a1: qmp: hide "hotplugged" device propert


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 42f7a1: qmp: hide "hotplugged" device property from device...
Date: Wed, 10 Sep 2014 13:00:07 -0700

  Branch: refs/heads/stable-2.1
  Home:   https://github.com/qemu/qemu
  Commit: 42f7a13178c66ad19b6bca90b468b165c08429c7
      
https://github.com/qemu/qemu/commit/42f7a13178c66ad19b6bca90b468b165c08429c7
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-08-26 (Tue, 26 Aug 2014)

  Changed paths:
    M qmp.c

  Log Message:
  -----------
  qmp: hide "hotplugged" device property from device-list-properties

The "hotplugged" device property was not reported before commit
f4eb32b590bf58c1c67570775eb78beb09964fad ("qmp: show QOM properties in
device-list-properties").  Fix this difference.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(cherry picked from commit 4115dd6527fbdf49dbd1eba24ad68e0fae1e305a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5f26e63b17c03bac019c21f63a693c2d207ccacc
      
https://github.com/qemu/qemu/commit/5f26e63b17c03bac019c21f63a693c2d207ccacc
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-08-26 (Tue, 26 Aug 2014)

  Changed paths:
    M qdev-monitor.c

  Log Message:
  -----------
  qdev-monitor: include QOM properties in -device FOO, help output

Update -device FOO,help to include QOM properties in addition to qdev
properties.  Devices are gradually adding more QOM properties that are
not reflected as qdev properties.

It is important to report all device properties since management tools
like libvirt use this information (and device-list-properties QMP) to
detect the presence of QEMU features.

This patch reuses the device-list-properties QMP machinery to avoid code
duplication.

Reported-by: Cole Robinson <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Tested-by: Cole Robinson <address@hidden>
(cherry picked from commit ef523587da4f213ca17133a90402d0815ecf08ee)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dfd480822234169ec3a5c3b0f78030de5c2cbb92
      
https://github.com/qemu/qemu/commit/dfd480822234169ec3a5c3b0f78030de5c2cbb92
  Author: Alex Williamson <address@hidden>
  Date:   2014-08-26 (Tue, 26 Aug 2014)

  Changed paths:
    M hw/misc/vfio.c

  Log Message:
  -----------
  vfio: Fix MSI-X vector expansion

When new MSI-X vectors are enabled we need to disable MSI-X and
re-enable it with the correct number of vectors.  That means we need
to reprogram the eventfd triggers for each vector.  Prior to f4d45d47
vector->use tracked whether a vector was masked or unmasked and we
could always pick the KVM path when available for unmasked vectors.
Now vfio doesn't track mask state itself and vector->use and virq
remains configured even for masked vectors.  Therefore we need to ask
the MSI-X code whether a vector is masked in order to select the
correct signaling path.  As noted in the comment, MSI relies on
hardware to handle masking.

Signed-off-by: Alex Williamson <address@hidden>
Cc: address@hidden # QEMU 2.1
(cherry picked from commit c048be5cc92ae201c339d46984476c4629275ed6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e22d5dc07350b81006ca6b9bf5fd7b517e2574ee
      
https://github.com/qemu/qemu/commit/e22d5dc07350b81006ca6b9bf5fd7b517e2574ee
  Author: Michael Tokarev <address@hidden>
  Date:   2014-08-26 (Tue, 26 Aug 2014)

  Changed paths:
    M configure

  Log Message:
  -----------
  l2tpv3 (configure): it is linux-specific

Some non-linux systems, for example a system with
FreeBSD kernel and glibc, may declare struct mmsghdr
(in glibc) but may not have linux-specific header
file linux/ip.h.  The actual implementation in qemu
includes this linux-specific header file unconditionally,
so compilation fails if it is not present.  Include
this header in the configure test too.

Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit bff6cb72961f1bd2c766efe85ff5850fd8d7e77d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: bd4740621c016ed7f45cb6ab366e0d17c693bfc9
      
https://github.com/qemu/qemu/commit/bd4740621c016ed7f45cb6ab366e0d17c693bfc9
  Author: Michael Tokarev <address@hidden>
  Date:   2014-08-26 (Tue, 26 Aug 2014)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  ide: only constrain read/write requests to drive size, not other types

Commit 58ac321135a introduced a check to ide dma processing which
constrains all requests to drive size.  However, apparently, some
valid requests (like TRIM) do not fit in this constraint, and
fail in 2.1.  So check the range only for reads and writes.

Cc: address@hidden
Signed-off-by: Michael Tokarev <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d66168ed687325aa6d338ce3a3cff18ce3098ed6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7c68c5402a1e1b91566694af0e33ee333d07e767
      
https://github.com/qemu/qemu/commit/7c68c5402a1e1b91566694af0e33ee333d07e767
  Author: Hu Tao <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/i386/acpi-dsdt.dsl
    M hw/i386/acpi-dsdt.hex.generated
    M hw/i386/q35-acpi-dsdt.dsl
    M hw/i386/ssdt-mem.dsl
    M hw/i386/ssdt-misc.dsl
    M include/hw/acpi/pc-hotplug.h

  Log Message:
  -----------
  hw:i386: typo fix: MEMORY_HOPTLUG_DEVICE -> MEMORY_HOTPLUG_DEVICE

Cc: address@hidden
Signed-off-by: Hu Tao <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 41d2f71376fe401a1fdb7deda023769207511790)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 044af98ea8d5c2e36a18a123659e1f032a8cb75f
      
https://github.com/qemu/qemu/commit/044af98ea8d5c2e36a18a123659e1f032a8cb75f
  Author: Hu Tao <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/mem/pc-dimm.c

  Log Message:
  -----------
  pc-dimm: validate node property

If user specifies a node number that exceeds the available numa nodes in
emulated system for pc-dimm device, the device will report an invalid _PXM
to OSPM. Fix this by checking the node property value.

Cc: address@hidden
Signed-off-by: Hu Tao <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit cfe0ffd0272f1a6d34d27ac1a7072d1c42d33ad3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 948574e0d251e56e338f26a19c16ccf3b581472f
      
https://github.com/qemu/qemu/commit/948574e0d251e56e338f26a19c16ccf3b581472f
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/mem/pc-dimm.c

  Log Message:
  -----------
  pc-dimm: fix up error message

- int should be printed using %d
- print actual wrong value for property

Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 988eba0f681bd4f82e9e02998da8106f165ed82c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ba1bc81991cd0fd6390ad31becdcb5ec028106bc
      
https://github.com/qemu/qemu/commit/ba1bc81991cd0fd6390ad31becdcb5ec028106bc
  Author: Hu Tao <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M numa.c

  Log Message:
  -----------
  numa: show hex number in error message for consistency and prefix them with 0x

The error messages before and after patch are:

before:
qemu-system-x86_64: total memory for NUMA nodes (134217728) should equal RAM size (20000000)

after:
qemu-system-x86_64: total memory for NUMA nodes (0x8000000) should equal RAM size (0x20000000)

Cc: address@hidden
Signed-off-by: Hu Tao <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit c68233aee8ef47861b65f0d079c5b0b3816447e5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1ad9dcec4777790b3a567888916c5aef55b512bf
      
https://github.com/qemu/qemu/commit/1ad9dcec4777790b3a567888916c5aef55b512bf
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/i386/acpi-build.c

  Log Message:
  -----------
  acpi: align RSDP

RSDP should be aligned at a 16-byte boundary.
This would happen by chance at the moment; fix up acpi build
to make it robust.

Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit d67aadccfa0bd3330a7b8e7e0a1726117ba75cf1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2a575c450e1f1e82fb040632e3608e376c4212c2
      
https://github.com/qemu/qemu/commit/2a575c450e1f1e82fb040632e3608e376c4212c2
  Author: zhanghailiang <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/block/virtio-blk.c

  Log Message:
  -----------
  virtio-blk: fix reference a pointer which might be freed

The function virtio_blk_handle_request may free the memory pointed to by req,
so do not access members of req after calling this function.

Cc: address@hidden
Reviewed-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: zhanghailiang <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 1bdb176ac5add5dc9d54a230da7511b66851f1e7)
Signed-off-by: Michael Roth <address@hidden>
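The pattern behind this fix, as an added illustration that is not QEMU's own code: a walk over a hypothetical request list whose per-request handler may complete the request synchronously and free it. The names (Req, handle_request, restart_buggy, restart_fixed, build_list) and the "fails" flag that triggers the synchronous free are constructed for the example; the point is that everything the caller still needs from req has to be read before the call that may free it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a queued block request; the real
 * VirtIOBlockReq carries far more state. */
typedef struct Req {
    struct Req *next;
    int lba;
    bool fails;      /* constructed: handler completes and frees this one */
} Req;

/* Models a handler that, on an error path, completes the request
 * synchronously and frees it.  Returns true when it freed req. */
bool handle_request(Req *req)
{
    if (req->fails) {
        free(req);           /* caller must not touch req after this */
        return true;
    }
    return false;            /* still queued, still owned by the caller */
}

/* Buggy walk: reads req->next after the call that may have freed req.
 * Kept only to show the shape of the bug; never called. */
int restart_buggy(Req *head)
{
    int handled = 0;
    for (Req *req = head; req; req = req->next) {   /* UAF when freed */
        handle_request(req);
        handled++;
    }
    return handled;
}

/* Fixed walk: capture the successor before handing the element off. */
int restart_fixed(Req *head)
{
    int handled = 0;
    Req *req = head;
    while (req) {
        Req *next = req->next;   /* saved first: req may be freed below */
        handle_request(req);
        req = next;
        handled++;
    }
    return handled;
}

/* Builds a constructed list of n requests; index i is marked to fail
 * (and be freed by handle_request) when bit i of fail_mask is set. */
Req *build_list(int n, unsigned fail_mask)
{
    Req *head = NULL;
    for (int i = n - 1; i >= 0; i--) {
        Req *r = malloc(sizeof(*r));
        if (!r) {
            exit(1);
        }
        r->next = head;
        r->lba = i * 8;
        r->fails = (fail_mask >> i) & 1;
        head = r;
    }
    return head;
}

/* Releases a list on which the handler freed nothing. */
void free_list(Req *head)
{
    while (head) {
        Req *next = head->next;
        free(head);
        head = next;
    }
}

int main(void)
{
    Req *list = build_list(3, 0x7);        /* every element fails */
    printf("handled %d requests\n", restart_fixed(list));
    return 0;
}
```

Running the fixed walk over a list where every element is freed by the handler is exactly the case the buggy loop cannot survive; with no failures the list stays intact and can be released afterwards.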


  Commit: 20463dc874bb24a847e6003678d740270bf479d1
      
https://github.com/qemu/qemu/commit/20463dc874bb24a847e6003678d740270bf479d1
  Author: Peter Maydell <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M target-arm/translate-a64.c

  Log Message:
  -----------
  target-arm: Fix return address for A64 BRK instructions

When we take an exception resulting from a BRK instruction,
the architecture requires that the "preferred return address"
reported to the exception handler is the address of the BRK
itself, not the following instruction (like undefined
insns, and in contrast with SVC, HVC and SMC). Follow this,
rather than incorrectly reporting the address of the following
insn.

(We do get this correct for the A32/T32 BKPT insns.)

Signed-off-by: Peter Maydell <address@hidden>
Cc: address@hidden
(cherry picked from commit 229a138d740142885dd4e7063e25147d7f71fdef)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2f6d5e1c9c42b6fd7ef6045d9101c0af131f444a
      
https://github.com/qemu/qemu/commit/2f6d5e1c9c42b6fd7ef6045d9101c0af131f444a
  Author: Christoffer Dall <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/arm/virt.c
    M target-arm/kvm-consts.h

  Log Message:
  -----------
  target-arm: Rename QEMU PSCI v0.1 definitions

The function IDs for PSCI v0.1 are exported by KVM and defined as
KVM_PSCI_FN_<something>.  To build using these defines in non-KVM code,
QEMU defines these IDs locally and check their correctness against the
KVM headers when those are available.

However, the naming scheme used for QEMU (almost) clashes with the PSCI
v0.2 definitions from Linux so to avoid unfortunate naming when we
introduce local PSCI v0.2 defines, rename the current local defines with
QEMU_ prepended and clearly identify the PSCI version as v0.1 in the
defines.

Cc: address@hidden
Signed-off-by: Christoffer Dall <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit a65c9c17cef16bcb98ec6cf4feb8676c1a2d1168)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 504e2a7139d4790517ebdf2772f7daec27dc3f69
      
https://github.com/qemu/qemu/commit/504e2a7139d4790517ebdf2772f7daec27dc3f69
  Author: Christoffer Dall <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/arm/virt.c
    M target-arm/kvm-consts.h

  Log Message:
  -----------
  arm/virt: Use PSCI v0.2 function IDs in the DT when KVM uses PSCI v0.2

The current code supplies the PSCI v0.1 function IDs in the DT even when
KVM uses PSCI v0.2.

This will break guest kernels that only support PSCI v0.1 as they will
use the IDs provided in the DT.  Guest kernels with PSCI v0.2 support
are not affected by this patch, because they ignore the function IDs in
the device tree and rely on the architecture definition.

Define QEMU versions of the constants and check that they correspond to
the Linux defines on Linux build hosts.  After this patch, both guest
kernels with PSCI v0.1 support and guest kernels with PSCI v0.2 should
work.

Tested on TC2 for 32-bit and APM Mustang for 64-bit (aarch64 guest
only).  Both cases tested with 3.14 and linus/master and verified I
could bring up 2 cpus with both guest kernels.  Also tested 32-bit with
a 3.14 host kernel with only PSCI v0.1 and both guests booted here as
well.

Cc: address@hidden
Signed-off-by: Christoffer Dall <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 863714ba6cdc09d1a84069815dc67c8da66b0a29)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8c4edd743c819813b3f409754f525309d72be53d
      
https://github.com/qemu/qemu/commit/8c4edd743c819813b3f409754f525309d72be53d
  Author: Peter Lieven <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M block/iscsi.c

  Log Message:
  -----------
  block/iscsi: fix memory corruption on iscsi resize

bs->total_sectors is not yet updated at this point, resulting
in memory corruption if the volume has grown and data is written
to the newly available areas.

CC: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit d832fb4d66ead62da4af7e44cce34cd939e865e1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dea6efe88362a55f3f8208d12ef7159e23b9236c
      
https://github.com/qemu/qemu/commit/dea6efe88362a55f3f8208d12ef7159e23b9236c
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M block/raw-posix.c

  Log Message:
  -----------
  raw-posix: fix O_DIRECT short reads

The following O_DIRECT read from a <512 byte file fails:

  $ truncate -s 320 test.img
  $ qemu-io -n -c 'read -P 0 0 512' test.img
  qemu-io: can't open device test.img: Could not read image for determining its format: Invalid argument

Note that qemu-io completes successfully without the -n (O_DIRECT)
option.

This patch fixes qemu-iotests ./check -nocache -vmdk 059.

Cc: address@hidden
Suggested-by: Kevin Wolf <address@hidden>
Reported-by: Markus Armbruster <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 61ed73cff427206b3a959b18a4877952f566279b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 16c92cd629f2069c25a8d21ee049f8748adb8a7a
      
https://github.com/qemu/qemu/commit/16c92cd629f2069c25a8d21ee049f8748adb8a7a
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    A tests/qemu-iotests/101
    A tests/qemu-iotests/101.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  qemu-iotests: add test case 101 for short file I/O

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 8d9eb33ca0bbb8bca0f1775623ed3cf5f39760cd)

Conflicts:
        tests/qemu-iotests/group

*fix up context mismatches due to lack of 099 and 103 tests

Signed-off-by: Michael Roth <address@hidden>


  Commit: fab7560c352475ebf5ab50be9e327e0eabff1a3b
      
https://github.com/qemu/qemu/commit/fab7560c352475ebf5ab50be9e327e0eabff1a3b
  Author: Fam Zheng <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M block/blkdebug.c

  Log Message:
  -----------
  blkdebug: Delete BH in bdrv_aio_cancel

Otherwise error_callback_bh will access the already released acb.

Cc: address@hidden
Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit cbf95a0b117461473f05ab3cce4d01ba2b29e60a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4b59161253e26b74e86c63dc7992b7aec9bdeeb0
      
https://github.com/qemu/qemu/commit/4b59161253e26b74e86c63dc7992b7aec9bdeeb0
  Author: Ben Draper <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  vmxnet3: Pad short frames to minimum size (60 bytes)

When running VMware ESXi under qemu-kvm the guest discards frames
that are too short. Short ARP Requests will be dropped, this prevents
guests on the same bridge as VMware ESXi from communicating. This patch
simply adds the padding on the network device itself.

Signed-off-by: Ben Draper <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Cc: address@hidden
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 40a87c6c9b11ef9c14e0301f76abf0eb2582f08e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cd4acff8d0eaa721a83b8b1253abb826bba53632
      
https://github.com/qemu/qemu/commit/cd4acff8d0eaa721a83b8b1253abb826bba53632
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M backends/hostmem.c

  Log Message:
  -----------
  hostmem: set MPOL_MF_MOVE

When memory is allocated on a wrong node, MPOL_MF_STRICT
doesn't move it - it just fails the allocation.
A simple way to reproduce the failure is with mlock=on
realtime feature.

The code comment actually says: "ensure policy won't be ignored"
so setting MPOL_MF_MOVE seems like a better way to do this.

Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 288d3322022d6ad646407f3ca6f1a6a746565b9a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: bfe3e6f5e3f23cc73dc83b0f4badecd5db175575
      
https://github.com/qemu/qemu/commit/bfe3e6f5e3f23cc73dc83b0f4badecd5db175575
  Author: Gonglei <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/acpi/pcihp.c

  Log Message:
  -----------
  pcihp: fix possible array out of bounds

Prevent out-of-bounds array access on
acpi_pcihp_pci_status.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: address@hidden
Reviewed-by: Marcel Apfelbaum <address@hidden>
(cherry picked from commit fa365d7cd11185237471823a5a33d36765454e16)
Signed-off-by: Michael Roth <address@hidden>


  Commit: be3af755ac1f5bd13a555ca75908b9e9b90aaa31
      
https://github.com/qemu/qemu/commit/be3af755ac1f5bd13a555ca75908b9e9b90aaa31
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M hw/i386/pc.c
    M hw/i386/pc_piix.c
    M hw/i386/pc_q35.c
    M include/hw/i386/pc.h

  Log Message:
  -----------
  pc: reserve more memory for ACPI for new machine types

commit 868270f23d8db2cce83e4f082fe75e8625a5fbf9
    acpi-build: tweak acpi migration limits
broke kernel loading with -kernel/-initrd: it doubled
the size of ACPI tables but did not reserve
enough memory.

As a result, issues on boot and halt are observed.

Fix this up by doubling reserved memory for new machine types.

Cc: address@hidden
Reported-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 927766c7d34275ecf586020cc5305e377cc4af10)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 75ada6b7631bdf5d9f56af845c5096f5d75d33bf
      
https://github.com/qemu/qemu/commit/75ada6b7631bdf5d9f56af845c5096f5d75d33bf
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M thread-pool.c

  Log Message:
  -----------
  thread-pool: avoid per-thread-pool EventNotifier

EventNotifier is implemented using an eventfd or pipe.  It therefore
consumes file descriptors, which can be limited by rlimits and should
therefore be used sparingly.

Switch from EventNotifier to QEMUBH in thread-pool.c.  Originally
EventNotifier was used because qemu_bh_schedule() was not thread-safe
yet.

Reported-by: Christian Borntraeger <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c2e50e3d11a0bf4c973cc30478c1af0f2d5f8e81)
Signed-off-by: Michael Roth <address@hidden>


  Commit: feb633411f808f0c876b27ff4bff00a3eceb2073
      
https://github.com/qemu/qemu/commit/feb633411f808f0c876b27ff4bff00a3eceb2073
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M thread-pool.c

  Log Message:
  -----------
  thread-pool: avoid deadlock in nested aio_poll() calls

The thread pool has a race condition if two elements complete before
thread_pool_completion_bh() runs:

  If element A's callback waits for element B using aio_poll() it will
  deadlock since pool->completion_bh is not marked scheduled when the
  nested aio_poll() runs.

Fix this by marking the BH scheduled while thread_pool_completion_bh()
is executing.  This way any nested aio_poll() loops will enter
thread_pool_completion_bh() and complete the remaining elements.

Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 3c80ca158c96ff902a30883a8933e755988948b1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0824ca6bd126b97fac18d12d514823463f415bec
      
https://github.com/qemu/qemu/commit/0824ca6bd126b97fac18d12d514823463f415bec
  Author: Greg Kurz <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/ppc/spapr.c
    M hw/ppc/spapr_pci.c
    M include/hw/pci-host/spapr.h
    M include/hw/ppc/spapr.h

  Log Message:
  -----------
  spapr_pci: map the MSI window in each PHB

On sPAPR, virtio devices are connected to the PCI bus and use MSI-X.
Commit cc943c36faa192cd4b32af8fe5edb31894017d35 has modified MSI-X
so that writes are made using the bus master address space and follow
the IOMMU path.

Unfortunately, the IOMMU address space does not have an
MSI window: the notification is silently dropped in unassigned_mem_write
instead of reaching the guest... The most visible effect is that all
virtio devices are non-functional on sPAPR since then. :(

This patch does the following:
1) map the MSI window into the IOMMU address space for each PHB
   - since each PHB instantiates its own IOMMU address space, we
     can safely map the window at a fixed address (SPAPR_PCI_MSI_WINDOW)
   - no real need to keep the MSI window setup in a separate function,
     the spapr_pci_msi_init() code moves to spapr_phb_realize().

2) kill the global MSI window as it is not needed in the end

Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit 8c46f7ec85a4dd9663489b2fa2b425cd7b3653e1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3d8cc86e4f3e1c8fb52a5f7132bf343e3d3b7775
      
https://github.com/qemu/qemu/commit/3d8cc86e4f3e1c8fb52a5f7132bf343e3d3b7775
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  vl: process -object after other backend options

QOM backends can refer to chardevs, but not vice versa.  So
process -chardev and -fsdev options before -object.

This fixes the rng-egd backend to virtio-rng.

Reported-by: Amos Kong <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7b71758d79106a63a0b8aba02df752d9995ea50c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 72c9c9a05e79d4638bb248bc1cc903839b8f676f
      
https://github.com/qemu/qemu/commit/72c9c9a05e79d4638bb248bc1cc903839b8f676f
  Author: William Grant <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-i386/helper.c

  Log Message:
  -----------
  target-i386: Don't forbid NX bit on PAE PDEs and PTEs

Commit e8f6d00c30ed88910d0d985f4b2bf41654172ceb ("target-i386: raise
page fault for reserved physical address bits") added a check that the
NX bit is not set on PAE PDPEs, but it also added it to rsvd_mask for
the rest of the function. This caused any PDEs or PTEs with NX set to be
erroneously rejected, making PAE guests with NX support unusable.

Signed-off-by: William Grant <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 1844e68ecabbdfdf0228774bcd5cf0f63ffc2e57)
Signed-off-by: Michael Roth <address@hidden>
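A model of the reserved-bit check the message describes, added here as an example and not taken from QEMU's target-i386/helper.c. It walks one PAE PDPE -> PDE -> PTE chain and tests each entry against a reserved mask; the buggy flag reproduces the regression (NX folded into rsvd_mask for the PDPE check and then left in place for the PDE/PTE checks). PG_NX_MASK (bit 63) and MSR_EFER_NXE (bit 11) are the architectural positions; MAXPHYADDR of 40, the PaeWalk struct and the sample entry values are assumptions made for the example, and the PDPE-only reserved bits below bit 12 are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PG_PRESENT_MASK  (1ULL << 0)
#define PG_NX_MASK       (1ULL << 63)  /* execute-disable; meaningful only with EFER.NXE */
#define MSR_EFER_NXE     (1ULL << 11)

/* Bits 62..MAXPHYADDR are reserved in every PAE entry.  Bit 63 is left
 * out of this mask because whether it is reserved depends on the entry
 * type and on EFER.NXE. */
static uint64_t hi_rsvd_mask(int maxphyaddr)
{
    return ((1ULL << 63) - 1) & ~((1ULL << maxphyaddr) - 1);
}

/* One PAE walk down to a 4 KiB page.  Constructed for the example. */
typedef struct {
    uint64_t pdpe, pde, pte;
} PaeWalk;

/* Returns 0 when no reserved bit is set at any level, -1 otherwise.
 * Presence and permission checks are deliberately omitted.
 * buggy=true: NX is OR-ed into rsvd_mask for the PDPE check and stays
 * there, so a PDE/PTE with NX set faults even though EFER.NXE is on. */
int pae_check_reserved(const PaeWalk *w, uint64_t efer, int maxphyaddr, bool buggy)
{
    uint64_t rsvd_mask = hi_rsvd_mask(maxphyaddr);

    if (!(efer & MSR_EFER_NXE)) {
        rsvd_mask |= PG_NX_MASK;   /* no NXE: bit 63 is reserved at every level */
    }

    /* A PAE PDPE carries no NX bit, so bit 63 is always reserved there.
     * (Its other reserved bits, 8:5 and 2:1, are not modelled here.) */
    if (buggy) {
        rsvd_mask |= PG_NX_MASK;             /* sticks for the rest of the walk */
        if (w->pdpe & rsvd_mask) {
            return -1;
        }
    } else {
        if (w->pdpe & (rsvd_mask | PG_NX_MASK)) {   /* PDPE-only extension */
            return -1;
        }
    }
    if (w->pde & rsvd_mask) {
        return -1;
    }
    if (w->pte & rsvd_mask) {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed: a present, writable, non-executable data page. */
    PaeWalk w = { .pdpe = 0x1000 | PG_PRESENT_MASK,
                  .pde  = 0x2000 | 0x3,
                  .pte  = 0x3000 | 0x3 | PG_NX_MASK };
    printf("fixed: %d  buggy: %d\n",
           pae_check_reserved(&w, MSR_EFER_NXE, 40, false),
           pae_check_reserved(&w, MSR_EFER_NXE, 40, true));
    return 0;
}
```

With NXE enabled the fixed check accepts the NX PTE and the buggy one rejects it; both still reject NX on the PDPE, NX anywhere when NXE is off, and any address bit above MAXPHYADDR.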


  Commit: 07f8c97f84a4cf4ac84f4374682194156525ede9
      
https://github.com/qemu/qemu/commit/07f8c97f84a4cf4ac84f4374682194156525ede9
  Author: Alex Williamson <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-i386/cpu.h
    M target-i386/machine.c

  Log Message:
  -----------
  x86: Use common variable range MTRR counts

We currently define the number of variable range MTRR registers as 8
in the CPUX86State structure and vmstate, but use MSR_MTRRcap_VCNT
(also 8) to report to guests the number available.  Change this to
use MSR_MTRRcap_VCNT consistently.

Signed-off-by: Alex Williamson <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d8b5c67b05420d966664664ff287af05b884bdd1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ba8576f338554004138a5a90d6563707336eb548
      
https://github.com/qemu/qemu/commit/ba8576f338554004138a5a90d6563707336eb548
  Author: Alex Williamson <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-i386/cpu.h
    M target-i386/kvm.c

  Log Message:
  -----------
  x86: kvm: Add MTRR support for kvm_get|put_msrs()

The MTRR state in KVM currently runs completely independent of the
QEMU state in CPUX86State.mtrr_*.  This means that on migration, the
target loses MTRR state from the source.  Generally that's ok though
because KVM ignores it and maps everything as write-back anyway.  The
exception to this rule is when we have an assigned device and an IOMMU
that doesn't promote NoSnoop transactions from that device to be cache
coherent.  In that case KVM trusts the guest mapping of memory as
configured in the MTRR.

This patch updates kvm_get|put_msrs() so that we retrieve the actual
vCPU MTRR settings and therefore keep CPUX86State synchronized for
migration.  kvm_put_msrs() is also used on vCPU reset and therefore
allows future modifications of MTRR state at reset to be realized.

Note that the entries array used by both functions was already
slightly undersized for holding every possible MSR, so this patch
increases it beyond the 28 new entries necessary for MTRR state.

Signed-off-by: Alex Williamson <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d1ae67f626c5ed5729e1d8212834291b409d26df)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3e8966df025cf7e5ae1506c228879347054796ec
      
https://github.com/qemu/qemu/commit/3e8966df025cf7e5ae1506c228879347054796ec
  Author: Alex Williamson <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-i386/cpu.c

  Log Message:
  -----------
  x86: Clear MTRRs on vCPU reset

The SDM specifies (June 2014 Vol3 11.11.5):

    On a hardware reset, the P6 and more recent processors clear the
    valid flags in variable-range MTRRs and clear the E flag in the
    IA32_MTRR_DEF_TYPE MSR to disable all MTRRs. All other bits in the
    MTRRs are undefined.

We currently do none of that, so whatever MTRR settings you had prior
to reset is what you have after reset.  Usually this doesn't matter
because KVM often ignores the guest mappings and uses write-back
anyway.  However, if you have an assigned device and an IOMMU that
allows NoSnoop for that device, KVM defers to the guest memory
mappings which are now stale after reset.  The result is that OVMF
rebooting on such a configuration takes a full minute to LZMA
decompress the firmware volume, a process that is nearly instant on
the initial boot.

Signed-off-by: Alex Williamson <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 9db2efd95e13330075bff027cd682a063d725332)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ea774b8dd05cf3fb66af191343e25e33f9a8aa13
      
https://github.com/qemu/qemu/commit/ea774b8dd05cf3fb66af191343e25e33f9a8aa13
  Author: Peter Maydell <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-arm/cpu.h

  Log Message:
  -----------
  target-arm: Fix regression that disabled VFP for ARMv5 CPUs

Commit 2c7ffc414 added support for honouring the CPACR coprocessor
access control register bits which may disable access to VFP
and Neon instructions. However it failed to account for the
fact that the CPACR is only present starting from the ARMv6
architecture version, so it accidentally disabled VFP completely
for ARMv5 CPUs like the ARM926. Linux would detect this as
"no VFP present" and probably fall back to its own emulation,
but other guest OSes might crash or misbehave.

This fixes bug LP:1359930.

Reported-by: Jakub Jermar <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit ed1f13d607e2c64c66bea49d6f4edaf278d3d246)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4fd144f8f52cdc99c0bdcfc2021219f483d997f8
      
https://github.com/qemu/qemu/commit/4fd144f8f52cdc99c0bdcfc2021219f483d997f8
  Author: Peter Maydell <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-arm/cpu64.c

  Log Message:
  -----------
  target-arm: Correct Cortex-A57 ISAR5 and AA64ISAR0 ID register values

We implement the crypto extensions but were incorrectly reporting
ID register values for the Cortex-A57 which did not advertise
crypto. Use the correct values as described in the TRM.
With this fix Linux correctly detects presence of the crypto
features and advertises them in /proc/cpuinfo.

Reported-by: Ard Biesheuvel <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit c379621451e64cad166a60f42e1d67f0438b8d1b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 67cfda87763775abbfcb5ec7381f506fea500735
      
https://github.com/qemu/qemu/commit/67cfda87763775abbfcb5ec7381f506fea500735
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/display/qxl-render.c

  Log Message:
  -----------
  qxl-render: add more sanity checks

Damn, the dirty rectangle values are signed integers.  So the checks
added by commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21 are not good
enough, we also have to make sure they are not negative.

[ Note: There must be something broken in spice-server so we get
  negative values in the first place.  Bug opened:
  https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ]

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
(cherry picked from commit 503b3b33feca818baa4459aba286e54a528e5567)
Signed-off-by: Michael Roth <address@hidden>
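What "not good enough" means for signed rectangle coordinates, as an added example rather than QEMU's qxl-render.c: an upper-bound-only check beside a complete one, plus the offset arithmetic that turns a negative left/top into an access before the start of the surface buffer. The DirtyRect struct, the surface size, stride and bytes-per-pixel, and the sample rectangles are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Dirty rectangle with signed 32-bit coordinates, as the message above
 * describes.  Constructed for this example, not the QXL/SPICE header. */
typedef struct {
    int32_t left, top, right, bottom;
} DirtyRect;

/* Upper-edge-only check: a negative left/top or an inverted rectangle
 * passes, because -5 <= width is true. */
bool rect_ok_upper_only(const DirtyRect *r, int32_t width, int32_t height)
{
    return r->right <= width && r->bottom <= height;
}

/* Complete check: non-negative origin, not inverted, inside the surface.
 * All comparisons stay in int32_t, so nothing can wrap. */
bool rect_ok(const DirtyRect *r, int32_t width, int32_t height)
{
    if (r->left < 0 || r->top < 0) {
        return false;
    }
    if (r->left > r->right || r->top > r->bottom) {
        return false;
    }
    if (r->right > width || r->bottom > height) {
        return false;
    }
    return true;
}

/* Byte offset of the rectangle's first pixel for a surface with the given
 * stride and bytes per pixel.  A negative coordinate gives a negative
 * offset: a read or write before the surface buffer begins. */
int64_t rect_start_offset(const DirtyRect *r, int32_t stride, int32_t bpp)
{
    return (int64_t)r->top * stride + (int64_t)r->left * bpp;
}

/* Runs a checker over every rectangle and returns how many it accepts. */
int count_accepted(bool (*ok)(const DirtyRect *, int32_t, int32_t),
                   const DirtyRect *rects, int n, int32_t width, int32_t height)
{
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (ok(&rects[i], width, height)) {
            accepted++;
        }
    }
    return accepted;
}

/* Constructed sample for a 1024x768 surface: one valid rectangle and
 * three that a correct check must reject. */
const DirtyRect sample_rects[4] = {
    {   0,  0,  100, 100 },   /* valid */
    {  -5,  0,  100, 100 },   /* negative left */
    {   0,  0, 2000, 100 },   /* past the right edge */
    {  50, 50,   10,  10 },   /* inverted */
};

int main(void)
{
    printf("upper-only accepts %d, full check accepts %d\n",
           count_accepted(rect_ok_upper_only, sample_rects, 4, 1024, 768),
           count_accepted(rect_ok, sample_rects, 4, 1024, 768));
    return 0;
}
```

The upper-bound-only checker lets three of the four rectangles through, including the one whose start offset is negative; the complete checker accepts only the first.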


  Commit: e685d2abf7ad55fcea10c27888073cca21ec3568
      
https://github.com/qemu/qemu/commit/e685d2abf7ad55fcea10c27888073cca21ec3568
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: don't run bh on vm stopped

commit 783e7706937fe15523b609b545587a028a2bdd03
    virtio-net: stop/start bh when appropriate

is incomplete: BH might execute within the same main loop iteration but
after vmstop, so in theory, we might trigger an assertion.
I was unable to reproduce this in practice,
but it seems clear enough that the potential is there, so worth fixing.

Cc: address@hidden
Reported-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e8bcf842001739765b8dcc1996d86a0ffd2054d5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff34ca00fd6380c8d82283849a369db96a732c2d
      
https://github.com/qemu/qemu/commit/ff34ca00fd6380c8d82283849a369db96a732c2d
  Author: Knut Omang <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/pci/pci.c

  Log Message:
  -----------
  pci: avoid losing config updates to MSI/MSIX cap regs

Since
commit 95d658002401e2e47a5404298ebe9508846e8a39
    msi: Invoke msi/msix_write_config from PCI core
msix config writes are lost, the value written is always 0.

Fix pci_default_write_config to avoid this.

Cc: address@hidden
Signed-off-by: Knut Omang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit d7efb7e08e5edaac23b0dc824f72c3f353447c39)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5e83dae44ee121a6c5a388486db8d8e51511cab7
      
https://github.com/qemu/qemu/commit/5e83dae44ee121a6c5a388486db8d8e51511cab7
  Author: Jason Wang <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/net/vhost_net.c
    M hw/virtio/vhost.c

  Log Message:
  -----------
  vhost_net: start/stop guest notifiers properly

commit a9f98bb5ebe6fb1869321dcc58e72041ae626ad8 "vhost: multiqueue
support" changed the order of stopping the device. Previously
vhost_dev_stop would disable backend and only afterwards, unset guest
notifiers. We now unset guest notifiers while vhost is still
active. This can lose interrupts causing guest networking to fail. In
particular, this has been observed during migration.

To fix this, several other changes are needed:
- remove the hdev->started assertion in vhost.c since we may want to
start the guest notifiers before vhost starts and stop the guest
notifiers after vhost is stopped.
- introduce the vhost_net_set_vq_index() and call it before setting
guest notifiers. This is to guarantee vhost_net has the correct
virtqueue index when setting guest notifiers.

MST: fix up error handling.

Cc: address@hidden
Cc: Jason Wang <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Tested-by: Andrey Korolyov <address@hidden>
Reported-by: "Zhangjie (HZ)" <address@hidden>
Tested-by: William Dauchy <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit cd7d1d26b0a333bf2fca715e332690bbd738c097)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6f8d05a8f801e09c9cdf9e2146225e826e5d7cc5
      
https://github.com/qemu/qemu/commit/6f8d05a8f801e09c9cdf9e2146225e826e5d7cc5
  Author: Jason Wang <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/net/vhost_net.c

  Log Message:
  -----------
  vhost_net: init acked_features to backend_features

commit 2e6d46d77ed328d34a94688da8371bcbe243479b (vhost: add
vhost_get_features and vhost_ack_features) removes the step that
initializes the acked_features to backend_features.

As this field is now uninitialized, vhost initialization will sometimes
fail.

To fix, initialize acked_features on each ack.

Tested-by: Andrey Korolyov <address@hidden>
Cc: Nikolay Nikolaev <address@hidden>
Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit b49ae9138d5cadb47fb868297fbcdac8292fb666)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 34d41c1a20b8763f250543c1e4609c01bed6c427
      
https://github.com/qemu/qemu/commit/34d41c1a20b8763f250543c1e4609c01bed6c427
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/scsi/vhost-scsi.c

  Log Message:
  -----------
  vhost-scsi: init backend features earlier

As vhost core can use backend_features during init, clear it earlier to
avoid using uninitialized memory.
This use would be harmless since vhost scsi ignores the result
anyway, but initializing earlier will help prevent valgrind errors,
and make scsi and net behave similarly.

Cc: address@hidden
Acked-by: Paolo Bonzini <address@hidden>
Acked-by: Jason Wang <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 3a1655fc53a2d0375dc0b8cd358405c2cae288e3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: eb36f79d59c65fd934c7f12e6adff239f69f0e09
      
https://github.com/qemu/qemu/commit/eb36f79d59c65fd934c7f12e6adff239f69f0e09
  Author: zhanghailiang <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/i386/acpi-build.c

  Log Message:
  -----------
  acpi-build: Set FORCE_APIC_CLUSTER_MODEL bit for FADT flags

If we start Windows 2008 R2 DataCenter with a number of CPUs less than 8,
the system will use APIC Flat Logical destination mode as the default configuration,
which has an upper limit of 8 CPUs.

The fault is that the VM cannot show all processors within Task Manager if
we hot-add CPUs when the number of CPUs in the VM exceeds the limit of 8.

If we use cluster destination model, the problem will be solved.

Note:
This flag was introduced later than ACPI v1.0 specification while QEMU
generates v1.0 tables only, but...

The Linux kernel ignores this flag, so the patch has no influence on it.

Tested with Win[XPsp3|Srv2003EE|Srv2008DC|Srv2008R2|Srv2012R2]; there
are no BSODs and the guests boot just fine. In cases where the guest doesn't support
cpu-hotplug, the CPU becomes visible after reboot, and in cases where the guest
supports cpu-hotplug, it works as expected with this patch.

Cc: address@hidden
Signed-off-by: huangzhichao <address@hidden>
Signed-off-by: zhanghailiang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-By: Igor Mammedov <address@hidden>
(cherry picked from commit 07b81ed937b37e4c1974626c38e2f192ce08f8f5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ec48bfd57b95c7902a1a24050a698df1ed37e8f0
      
https://github.com/qemu/qemu/commit/ec48bfd57b95c7902a1a24050a698df1ed37e8f0
  Author: zhanghailiang <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M net/net.c

  Log Message:
  -----------
  net: Forbid dealing with packets when VM is not running

For all NICs (except virtio-net) emulated by qemu,
such as e1000, rtl8139, pcnet and ne2k_pci,
qemu can still receive packets when the VM is not running.

If this happens in the *migration's* last PAUSE VM stage, but
before the end of the migration, the newly received packets will possibly dirty
parts of RAM which have been cached in *iovec* (will be sent asynchronously) and
dirty parts of new RAM which will be missed.
This will lead to serious network faults in the VM.

To avoid this, we forbid receiving packets in generic net code when
VM is not running.

Bug reproduction steps:
(1) Start a VM configured with at least one NIC
(2) In the VM, open several terminals and do *Ping IP -i 0.1*
(3) Migrate the VM repeatedly between two hosts
The *PING* command in the VM will very likely fail with the message
'Destination HOST Unreachable'; the NIC in the VM will stay unavailable unless you
run 'service network restart'

Signed-off-by: zhanghailiang <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e1d64c084b2cc7e907b4e64026d8c8dba59116f8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f321710cd48a7623e25bc10049b5fa166bf7dd68
      
https://github.com/qemu/qemu/commit/f321710cd48a7623e25bc10049b5fa166bf7dd68
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: don't call device on !vm_running

On vm stop, virtio changes vm_running state
too soon, so callbacks can get invoked with
vm_running = false;

Cc: address@hidden
Cc: Jason Wang <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 269bd822e7f5ab80048b05fb7076236ed66ffbce)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d9c06c0d794a3729be7f9772b0ee654ddfc7f5a7
      
https://github.com/qemu/qemu/commit/d9c06c0d794a3729be7f9772b0ee654ddfc7f5a7
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M net/queue.c

  Log Message:
  -----------
  net: invoke callback when purging queue

devices rely on packet callbacks eventually running,
but we violate this rule whenever we purge the queue.
To fix, invoke callbacks on all packets on purge.
Set length to 0, this way callers can detect that
this happened and re-queue if necessary.

Cc: address@hidden
Cc: Jason Wang <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 07d8084624b3f5cbde7777849147a6a3a862e90a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 08743db463e52a2d1d789200dba5bfaa3221adc2
      
https://github.com/qemu/qemu/commit/08743db463e52a2d1d789200dba5bfaa3221adc2
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M net/net.c

  Log Message:
  -----------
  net: complete all queued packets on VM stop

This completes all packets, ensuring that callbacks
will not run when VM is stopped.

Cc: address@hidden
Cc: Jason Wang <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ca77d85e1dbf929ae677a0bac96e9b3edd1704da)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cf29a8839115c99eb4050cea31d71ee1cb96ad2a
      
https://github.com/qemu/qemu/commit/cf29a8839115c99eb4050cea31d71ee1cb96ad2a
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: purge outstanding packets when starting vhost

whenever we start vhost, virtio could have outstanding packets
queued, when they complete later we'll modify the ring
while vhost is processing it.

To prevent this, purge outstanding packets on vhost start.

Cc: address@hidden
Cc: Jason Wang <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 086abc1ccd0fa5103345adda819e6c6436949579)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c5042f04f74f8ca129a718702eab6f1168539d09
      
https://github.com/qemu/qemu/commit/c5042f04f74f8ca129a718702eab6f1168539d09
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/display/qxl.c
    M hw/display/vga.c
    M hw/display/vga_int.h

  Log Message:
  -----------
  vbe: make bochs dispi interface return the correct memory size with qxl

VgaState->vram_size is the size of the pci bar.  In case of qxl not the
whole pci bar can be used as vga framebuffer.  Add a new variable
vbe_size to handle that case.  By default (if unset) it equals
vram_size, but qxl can set vbe_size to something else.

This makes sure VBE_DISPI_INDEX_VIDEO_MEMORY_64K returns correct results
and sanity checks are done with the correct size too.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit 54a85d462447c1cb8a1638578a7fd086350b4d2d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7fe5418d9ff335f860a6a44aafae30445052db86
      
https://github.com/qemu/qemu/commit/7fe5418d9ff335f860a6a44aafae30445052db86
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vbe: rework sanity checks

Plug a bunch of holes in the bochs dispi interface parameter checking.
Add a function doing verification on all registers.  Call that
unconditionally on every register write.  That way we should catch
everything, even changing one register affecting the valid range of
another register.

Some of the holes have been added by commit
e9c6149f6ae6873f14a12eea554925b6aa4c4dec.  Before that commit the
maximum possible framebuffer (VBE_DISPI_MAX_XRES * VBE_DISPI_MAX_YRES *
32 bpp) has been smaller than the qemu vga memory (8MB) and the checking
for VBE_DISPI_MAX_XRES + VBE_DISPI_MAX_YRES + VBE_DISPI_MAX_BPP was ok.

Some of the holes have been there forever, such as
VBE_DISPI_INDEX_X_OFFSET and VBE_DISPI_INDEX_Y_OFFSET register writes
lacking any verification.

Security impact:

(1) Guest can make the ui (gtk/vnc/...) use memory ranges outside the vga
frame buffer as source  ->  host memory leak.  Memory isn't leaked to
the guest but to the vnc client though.

(2) Qemu will segfault in case the memory range happens to include
unmapped areas  ->  Guest can DoS itself.

The guest can not modify host memory, so I don't think this can be used
by the guest to escape.

CVE-2014-3615

Cc: address@hidden
Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit c1b886c45dc70f247300f549dce9833f3fa2def5)
Signed-off-by: Michael Roth <address@hidden>
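As an added example of the approach this commit message describes (one verification function over all registers, run on every register write, so that changing one register cannot leave another out of range), here is a small bochs-dispi-style register model written for this page. It is not QEMU's hw/display/vga.c; the register names, the limits, the starting mode and the choice to refuse an inconsistent write rather than fix it up are all assumptions of the example. It goes a little beyond the message in one respect: the visible window is checked against the actual vram size, including x/y offsets and the virtual width, rather than only against fixed maxima.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limits and register layout for the example; they are not the
 * names or values from QEMU's vga_int.h. */
#define EX_MAX_XRES 4096
#define EX_MAX_YRES 4096
#define EX_MAX_BPP  32

enum ex_reg {
    EX_REG_XRES, EX_REG_YRES, EX_REG_BPP, EX_REG_VIRT_WIDTH,
    EX_REG_X_OFFSET, EX_REG_Y_OFFSET, EX_REG_COUNT
};

typedef struct {
    uint16_t r[EX_REG_COUNT];   /* bochs-style 16-bit registers */
} ex_vbe_regs;

/* Bytes per pixel for the depths the example accepts (15 bpp packs into 2 bytes). */
static int ex_bytes_per_pixel(uint16_t bpp)
{
    switch (bpp) {
    case 8:  return 1;
    case 15:
    case 16: return 2;
    case 24: return 3;
    case 32: return 4;
    default: return 0;          /* unsupported depth */
    }
}

/* Verify every register against every other one and against the vram size.
 * All products are formed in 64 bits so virt_width * (y_offset + yres) cannot wrap. */
static bool ex_vbe_regs_valid(const ex_vbe_regs *v, uint32_t vram_size)
{
    uint16_t xres = v->r[EX_REG_XRES], yres = v->r[EX_REG_YRES];
    uint16_t bpp  = v->r[EX_REG_BPP],  vw   = v->r[EX_REG_VIRT_WIDTH];
    uint16_t xoff = v->r[EX_REG_X_OFFSET], yoff = v->r[EX_REG_Y_OFFSET];
    int bypp = ex_bytes_per_pixel(bpp);

    if (bypp == 0 || bpp > EX_MAX_BPP) return false;
    if (xres == 0 || xres > EX_MAX_XRES) return false;
    if (yres == 0 || yres > EX_MAX_YRES) return false;
    if (vw < xres) return false;                     /* a scan line must hold a full row */
    if ((uint32_t)xoff + xres > vw) return false;    /* panning past the virtual width */

    uint64_t line_bytes = (uint64_t)vw * bypp;
    /* Last byte the display would read: start of the bottom visible row plus
     * the span up to the right edge of the visible window. */
    uint64_t end = ((uint64_t)yoff + yres - 1) * line_bytes
                 + ((uint64_t)xoff + xres) * bypp;
    return end <= vram_size;
}

/* Write one register. The new value is validated together with all the
 * others before it takes effect; an inconsistent write is refused and the
 * previous state is kept. */
static bool ex_vbe_write(ex_vbe_regs *v, int idx, uint16_t val, uint32_t vram_size)
{
    if (idx < 0 || idx >= EX_REG_COUNT) return false;
    ex_vbe_regs tmp = *v;
    tmp.r[idx] = val;
    if (!ex_vbe_regs_valid(&tmp, vram_size)) return false;
    *v = tmp;
    return true;
}

/* Constructed starting state: a valid 640x480x32 mode, no panning. */
static ex_vbe_regs ex_default_regs(void)
{
    ex_vbe_regs v = { { 640, 480, 32, 640, 0, 0 } };
    return v;
}

int main(void)
{
    const uint32_t vram = 4u << 20;      /* constructed: 4 MB of video memory */
    ex_vbe_regs v = ex_default_regs();
    printf("default valid: %d\n", ex_vbe_regs_valid(&v, vram));
    printf("y_offset 2000 accepted: %d\n", ex_vbe_write(&v, EX_REG_Y_OFFSET, 2000, vram));
    printf("virt_width 1024 accepted: %d\n", ex_vbe_write(&v, EX_REG_VIRT_WIDTH, 1024, vram));
    printf("x_offset 384 accepted: %d\n", ex_vbe_write(&v, EX_REG_X_OFFSET, 384, vram));
    return 0;
}
```

The interesting cases are the ones where a write that would be fine on its own is refused because of a register set earlier: with virt_width raised to 1024, a y_offset that fit at virt_width 640 no longer does, and lowering bpp widens the range again. Validating the whole set on each write is what makes those interactions visible.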


  Commit: 1aa87d3689cc2388a74c9db1dd728c6f4673836e
      
https://github.com/qemu/qemu/commit/1aa87d3689cc2388a74c9db1dd728c6f4673836e
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M ui/spice-display.c

  Log Message:
  -----------
  spice: make sure we don't overflow ssd->buf

Related spice-only bug.  We have a fixed 16 MB buffer here, being
presented to the spice-server as qxl video memory in case spice is
used with a non-qxl card.  It's also used with qxl in vga mode.

When using display resolutions requiring more than 16 MB of memory we
are going to overflow that buffer.  In theory the guest can write,
indirectly via spice-server.  The spice-server clears the memory after
setting a new video mode though, triggering a segfault in the overflow
case, so qemu crashes before the guest has a chance to do something
evil.

Fix that by switching to dynamic allocation for the buffer.

CVE-2014-3615

Cc: address@hidden
Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit ab9509cceabef28071e41bdfa073083859c949a7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 257e9cfce21e8f2f0db99992cfc2452fb83debe8
      
https://github.com/qemu/qemu/commit/257e9cfce21e8f2f0db99992cfc2452fb83debe8
  Author: Sebastian Tanase <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M qemu-char.c

  Log Message:
  -----------
  pty: Fix byte loss bug when connecting to pty

When trying to print data to the pty, we first check if it is connected.
If not, we try to reconnect, but we drop the pending data even if we
have successfully reconnected; this makes us lose the first byte of the very
first transmission.
This small fix addresses the issue by checking once more if the pty is connected
after having tried to reconnect.

Signed-off-by: Sebastian Tanase <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit cf7330c759345de2efe9c0df7921189ac5ff11d3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5dd076a9f85139264b309aab023f6ce44af50af5
      
https://github.com/qemu/qemu/commit/5dd076a9f85139264b309aab023f6ce44af50af5
  Author: Pavel Dovgaluk <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M exec.c

  Log Message:
  -----------
  exec: Save CPUState::exception_index field

This patch adds a subsection with the exception_index field to the VMState for
correctly saving the CPU state.
Without this patch, the simulator could miss the pending exception in the saved
virtual machine state.

Signed-off-by: Pavel Dovgalyuk <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit 6c3bff0ed8a40921464b9a07aa0fe079e860c978)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 82d80e1f0b234ea71452f3f7099988a51a0a7723
      
https://github.com/qemu/qemu/commit/82d80e1f0b234ea71452f3f7099988a51a0a7723
  Author: Eduardo Habkost <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M target-i386/cpu-qom.h
    M target-i386/cpu.c

  Log Message:
  -----------
  target-i386: Support migratable=no properly

When the "migratable" property was implemented, the behavior was tested
by changing the default on the code, but actually using the option on
the command-line (e.g. "-cpu host,migratable=false") doesn't work as
expected. This is a regression for a common use case of "-cpu host",
which is to enable features that are supported by the host CPU + kernel
before feature-specific code is added to QEMU.

Fix this by initializing the feature words for "-cpu host" on
x86_cpu_parse_featurestr(), right after parsing the CPU options.

Signed-off-by: Eduardo Habkost <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit 4d1b279b0675a8b483a5f101212d1dedfb1a3cec)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3cb451edb23d2dda4226a861b6436ba3ce5ff4cb
      
https://github.com/qemu/qemu/commit/3cb451edb23d2dda4226a861b6436ba3ce5ff4cb
  Author: Michael Roth <address@hidden>
  Date:   2014-09-10 (Wed, 10 Sep 2014)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for v2.1.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/42f7a13178c6^...3cb451edb23d
