
[Qemu-commits] [qemu/qemu] 8bb90e: qdev: Use NULL instead of local_err f


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 8bb90e: qdev: Use NULL instead of local_err for qbus_child...
Date: Wed, 21 Jan 2015 20:30:12 -0800

  Branch: refs/heads/stable-2.1
  Home:   https://github.com/qemu/qemu
  Commit: 8bb90ee80acea0b5f5ef174edd0033816b927290
      
https://github.com/qemu/qemu/commit/8bb90ee80acea0b5f5ef174edd0033816b927290
  Author: Gonglei <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/core/qdev.c

  Log Message:
  -----------
  qdev: Use NULL instead of local_err for qbus_child unrealize

Forcefully unrealize all children regardless of errors in earlier
iterations (if any). We should keep going with cleanup operation
rather than report an error immediately. Therefore store the first
child unrealization failure and propagate it at the end. We also
forcefully unregister vmsd and unrealize actual object, too.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit cd4520adcab70dbac8db3fe4d41836dca63715a4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d6af26d6ce544ef50d4114d573a59e54db31fa62
      
https://github.com/qemu/qemu/commit/d6af26d6ce544ef50d4114d573a59e54db31fa62
  Author: Gonglei <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/core/qdev.c

  Log Message:
  -----------
  qdev: Add cleanup logic in device_set_realized() to avoid resource leak

At present, this function doesn't have partial cleanup implemented,
which will cause resource leaks in some scenarios.

Example:

1. Assume that "dc->realize(dev, &local_err)" executes successfully
   and local_err == NULL;
2. device hotplug in hotplug_handler_plug() executes but fails
   (it is prone to occur). Then local_err != NULL;
3. error_propagate(errp, local_err) and return. But the resources
   which have been allocated in dc->realize() will be leaked.
Simple backtrace:
  dc->realize()
   |->device_realize
      |->pci_qdev_init()
          |->do_pci_register_device()
          |->etc.

Add fuller cleanup logic which assures that function can
goto appropriate error label as local_err population is
detected at each relevant point.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit 1d45a705fc007a13f20d18473290082eae6d1725)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff3bd5e4bbebe49e5e719bc83d894ff0990bc842
      
https://github.com/qemu/qemu/commit/ff3bd5e4bbebe49e5e719bc83d894ff0990bc842
  Author: Luiz Capitulino <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M exec.c

  Log Message:
  -----------
  exec: file_ram_alloc(): print error when prealloc fails

If memory allocation fails when using the -mem-prealloc command-line
option, QEMU exits without printing any error information to
the user:

 # qemu [...] -m 1G -mem-prealloc -mem-path /dev/hugepages
 # echo $?
 1

This commit adds an error message, so that we print instead:

 # qemu [...] -m 1G -mem-prealloc -mem-path /dev/hugepages
 qemu: unable to map backing store for hugepages: Cannot allocate memory

Signed-off-by: Luiz Capitulino <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(cherry picked from commit e4d9df4fb16861f413374b69fcdb12c8c7a4a17e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3807aeb1d4eed3eb7092bbb743fd444f7ef24ba5
      
https://github.com/qemu/qemu/commit/3807aeb1d4eed3eb7092bbb743fd444f7ef24ba5
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/usb/hcd-xhci.c
    M include/hw/i386/pc.h

  Log Message:
  -----------
  xhci PCIe endpoint migration compatibility fix

Add back the PCIe config capabilities on XHCI cards in non-PCIe slots,
but only for machine types before 2.1.

This fixes a migration incompatibility in the XHCI PCI devices
caused by:
   058fdcf52cdbf57b67e7 - xhci: add endpoint cap on express bus only

Note that in fixing it for compatibility with older QEMUs, it breaks
compatibility with existing QEMU 2.1's on older machine types.

The status before this patch was (if it used an XHCI adapter):
   machine type | source qemu
     any           pre-2.1     - FAIL
     any           2.1...      - PASS

With this patch:
   machine type | source qemu
     any           pre-2.1    - PASS
     pre-2.1       2.1...     - FAIL
     2.1           2.1...     - PASS

A test to trigger it is to add '-device nec-usb-xhci,id=xhci,addr=0x12'
to the command line.

Cc: address@hidden
Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Acked-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit e6043e92c2812a56b8f6cf35d5512067c746ce21)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a9ed61533f0590a3d024145d59dddc031ee86396
      
https://github.com/qemu/qemu/commit/a9ed61533f0590a3d024145d59dddc031ee86396
  Author: Marcelo Tosatti <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M cpus.c
    M include/sysemu/cpus.h
    M include/sysemu/kvm.h
    M kvm-all.c

  Log Message:
  -----------
  Introduce cpu_clean_all_dirty

Introduce cpu_clean_all_dirty, to force subsequent cpu_synchronize_all_states
to read in-kernel register state.

Cc: address@hidden
Signed-off-by: Marcelo Tosatti <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit de9d61e83d43be9069e6646fa9d57a3f47779d28)
Conflicts:
        kvm-all.c

*removed context dependency on kvm_cpu_synchronize_post_init

Signed-off-by: Michael Roth <address@hidden>


  Commit: 61048e194227847e3b3d59a7cee210755cecbabc
      
https://github.com/qemu/qemu/commit/61048e194227847e3b3d59a7cee210755cecbabc
  Author: Marcelo Tosatti <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/i386/kvm/clock.c

  Log Message:
  -----------
  kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation

Ensure proper env->tsc value for kvmclock_current_nsec calculation.

Reported-by: Marcin Gibuła <address@hidden>
Analyzed-by: Marcin Gibuła <address@hidden>
Cc: address@hidden
Signed-off-by: Marcelo Tosatti <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 317b0a6d8ba44e9bf8f9c3dbd776c4536843d82c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c35ba0d9e44271d62272671b4e5044ed7fabb7d1
      
https://github.com/qemu/qemu/commit/c35ba0d9e44271d62272671b4e5044ed7fabb7d1
  Author: Alexander Graf <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/i386/kvm/clock.c

  Log Message:
  -----------
  kvmclock: Ensure time in migration never goes backward

When we migrate we ask the kernel about its current belief on what the guest
time would be. However, I've seen cases where the kvmclock guest structure
indicates a time more recent than the kvm returned time.

To make sure we never go backwards, calculate what the guest would have seen as 
time at the point of migration and use that value instead of the kernel 
returned one when it's more recent.
This bases the view of the kvmclock after migration on the
same foundation in host as well as guest.

Signed-off-by: Alexander Graf <address@hidden>
Cc: address@hidden
Reviewed-by: Marcelo Tosatti <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 9a48bcd1b82494671c111109b0eefdb882581499)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2151206778b62848d3ef15475dee175ad1c3dd78
      
https://github.com/qemu/qemu/commit/2151206778b62848d3ef15475dee175ad1c3dd78
  Author: Eduardo Habkost <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/i386/kvm/clock.c

  Log Message:
  -----------
  kvmclock: Add comment explaining why we need cpu_clean_all_dirty()

Try to explain why commit 317b0a6d8ba44e9bf8f9c3dbd776c4536843d82c
needed a cpu_clean_all_dirty() call just after calling
cpu_synchronize_all_states().

Signed-off-by: Eduardo Habkost <address@hidden>
Cc: Andrey Korolyov <address@hidden>
Cc: Marcin Gibuła <address@hidden>
Cc: Marcelo Tosatti <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 1154d84dcc5f46e83db94281d071775819dd8884)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7fb768ea303dfe9e2cbf8206c9d570cbb04fb98f
      
https://github.com/qemu/qemu/commit/7fb768ea303dfe9e2cbf8206c9d570cbb04fb98f
  Author: Jan Kiszka <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/pci/msi.c
    M hw/pci/msix.c

  Log Message:
  -----------
  pci: Use bus master address space for delivering MSI/MSI-X messages

The spec says (and real HW confirms this) that, if the bus master bit
is 0, the device will not generate any PCI accesses. MSI and MSI-X
messages fall among these, so we should use the corresponding address
space to deliver them. This will prevent delivery if bus master support
is disabled.

Cc: address@hidden
Signed-off-by: Jan Kiszka <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit cc943c36faa192cd4b32af8fe5edb31894017d35)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e4fb3debc3b33387fe48aaad7cee2e06b09056b1
      
https://github.com/qemu/qemu/commit/e4fb3debc3b33387fe48aaad7cee2e06b09056b1
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-pci: enable bus master for old guests

commit cc943c36faa192cd4b32af8fe5edb31894017d35
    pci: Use bus master address space for delivering MSI/MSI-X messages
breaks virtio-net for rhel6.[56] x86 guests because they don't
enable bus mastering for virtio PCI devices. For the same reason,
rhel6.[56] ppc64 guests cannot boot on a virtio-blk disk anymore.

Old guests forgot to enable bus mastering, enable it automatically on
DRIVER (guests use some devices before DRIVER_OK).

Reported-by: Greg Kurz <address@hidden>
Reviewed-by: Greg Kurz <address@hidden>
Tested-by: Greg Kurz <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit e43c0b2ea5574efb0bedebf6a7d05916eefeba52)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 490a0f887e108c4c5bd06cfb5e698129f84e89dd
      
https://github.com/qemu/qemu/commit/490a0f887e108c4c5bd06cfb5e698129f84e89dd
  Author: Greg Kurz <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/ppc/spapr.c
    M hw/ppc/spapr_pci.c
    M include/hw/pci-host/spapr.h
    M include/hw/ppc/spapr.h

  Log Message:
  -----------
  spapr_pci: map the MSI window in each PHB

On sPAPR, virtio devices are connected to the PCI bus and use MSI-X.
Commit cc943c36faa192cd4b32af8fe5edb31894017d35 has modified MSI-X
so that writes are made using the bus master address space and follow
the IOMMU path.

Unfortunately, the IOMMU address space does not have an
MSI window: the notification is silently dropped in unassigned_mem_write
instead of reaching the guest... The most visible effect is that all
virtio devices are non-functional on sPAPR since then. :(

This patch does the following:
1) map the MSI window into the IOMMU address space for each PHB
   - since each PHB instantiates its own IOMMU address space, we
     can safely map the window at a fixed address (SPAPR_PCI_MSI_WINDOW)
   - no real need to keep the MSI window setup in a separate function,
     the spapr_pci_msi_init() code moves to spapr_phb_realize().

2) kill the global MSI window as it is not needed in the end

Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit 8c46f7ec85a4dd9663489b2fa2b425cd7b3653e1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e1cf5a23d10d623fda59c1c6c810a9f56776a5e5
      
https://github.com/qemu/qemu/commit/e1cf5a23d10d623fda59c1c6c810a9f56776a5e5
  Author: Peter Maydell <address@hidden>
  Date:   2014-12-24 (Wed, 24 Dec 2014)

  Changed paths:
    M hw/arm/virt.c

  Log Message:
  -----------
  hw/arm/virt: fix pl011 and pl031 irq flags

The pl011 and pl031 devices both use level triggered interrupts,
but the device tree we construct was incorrectly telling the
kernel to configure the GIC to treat them as edge triggered.
This meant that output from the pl011 would hang after a while.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Acked-by: Christoffer Dall <address@hidden>
Cc: address@hidden
(cherry picked from commit 0be969a2d974971628fc4ed95834d22ecf0fd497)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b5fc105016ce378cd2545c1f3dda9f0f5ead55f8
      
https://github.com/qemu/qemu/commit/b5fc105016ce378cd2545c1f3dda9f0f5ead55f8
  Author: Pavel Dovgalyuk <address@hidden>
  Date:   2015-01-04 (Sun, 04 Jan 2015)

  Changed paths:
    M gdbstub.c

  Log Message:
  -----------
  gdbstub: init mon_chr through qemu_chr_alloc

This patch initializes monitor for gdbstub with the qemu_chr_alloc function
instead of just allocating the memory. Initialization function call
is required, because it also creates chr_write_lock mutex, which is used
when writing to this character device.

Signed-off-by: Pavel Dovgalyuk <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 462efe9e530e22b1b60aaf01716e1423cd94302c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 96c6cf6d30444aa6d68737949dccac03676d1a34
      
https://github.com/qemu/qemu/commit/96c6cf6d30444aa6d68737949dccac03676d1a34
  Author: Michael Roth <address@hidden>
  Date:   2015-01-04 (Sun, 04 Jan 2015)

  Changed paths:
    M include/qapi/visitor-impl.h
    M include/qapi/visitor.h
    M qapi/qapi-visit-core.c
    M scripts/qapi-visit.py

  Log Message:
  -----------
  qapi: add visit_start_union and visit_end_union

In some cases an input visitor might bail out on filling out a
struct for various reasons, such as missing fields when running
in strict mode. In the case of a QAPI Union type, this may lead
to cases where the .kind field which encodes the union type
is uninitialized. Subsequently, other visitors, such as the
dealloc visitor, may use this .kind value as if it were
initialized, leading to assumptions about the union type which
in this case may lead to segfaults. For example, freeing an
integer value.

However, we can generally rely on the fact that the always-present
.data void * field that we generate for these union types will
always be NULL in cases where .kind is uninitialized (at least,
there shouldn't be a reason where we'd do this purposefully).

So pass this information on to Visitor implementation via these
optional start_union/end_union interfaces so this information
can be used to guard against the situation above. We will make
use of this information in a subsequent patch for the dealloc
visitor.

Cc: address@hidden
Reported-by: Fam Zheng <address@hidden>
Suggested-by: Paolo Bonzini <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit cee2dedb85b97e4976c83bea84064c3921b8b7ac)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4a58f3c2d8acceaefeeffe5a9d3a9acd5cbe08b6
      
https://github.com/qemu/qemu/commit/4a58f3c2d8acceaefeeffe5a9d3a9acd5cbe08b6
  Author: Michael Roth <address@hidden>
  Date:   2015-01-04 (Sun, 04 Jan 2015)

  Changed paths:
    M qapi/qapi-dealloc-visitor.c

  Log Message:
  -----------
  qapi: dealloc visitor, implement visit_start_union

If the .data field of a QAPI Union is NULL, we don't need to free
any of the union fields.

Make use of the new visit_start_union interface to access this
information and instruct the generated code to not visit these
fields when this occurs.

Cc: address@hidden
Reported-by: Fam Zheng <address@hidden>
Suggested-by: Paolo Bonzini <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit 146db9f91979db89a123ea10d2b825d3670d2b36)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0b2d2e094a8cc13c8924bcf577da7a5fd077033a
      
https://github.com/qemu/qemu/commit/0b2d2e094a8cc13c8924bcf577da7a5fd077033a
  Author: Michael Roth <address@hidden>
  Date:   2015-01-04 (Sun, 04 Jan 2015)

  Changed paths:
    M tests/qapi-schema/qapi-schema-test.json
    M tests/qapi-schema/qapi-schema-test.out
    M tests/test-qmp-input-strict.c

  Log Message:
  -----------
  tests: add QMP input visitor test for unions with no discriminator

This is more of an exercise of the dealloc visitor, where it may
erroneously use an uninitialized discriminator field as indication
that union fields corresponding to that discriminator field/type are
present, which can lead to attempts to free random chunks of heap
memory.

Cc: address@hidden
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit cb55111b4e425fa3279302fa7306b9a3d5164ff4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff1f973003848dbb02582f7a8f3694b7c89dcb5e
      
https://github.com/qemu/qemu/commit/ff1f973003848dbb02582f7a8f3694b7c89dcb5e
  Author: Fam Zheng <address@hidden>
  Date:   2015-01-04 (Sun, 04 Jan 2015)

  Changed paths:
    M tests/qemu-iotests/087
    M tests/qemu-iotests/087.out

  Log Message:
  -----------
  qemu-iotests: Test missing "driver" key for blockdev-add

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Cc: address@hidden
Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit fe509ee2373078435fb8c4f68eebd2740c4e388f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5d350980f6d6747adfbac4005044e75623c510af
      
https://github.com/qemu/qemu/commit/5d350980f6d6747adfbac4005044e75623c510af
  Author: Stratos Psomadakis <address@hidden>
  Date:   2015-01-05 (Mon, 05 Jan 2015)

  Changed paths:
    M monitor.c

  Log Message:
  -----------
  monitor: Reset HMP mon->rs in CHR_EVENT_OPEN

Commit cdaa86a54 ("Add G_IO_HUP handler for socket chardev") exposed a bug in
the way the HMP monitor handles its command buffer. When a client closes the
connection to the monitor, tcp_chr_read() will detect the G_IO_HUP condition
and call tcp_chr_disconnect() to close the server-side connection too. Due to
the fact that monitor reads 1 byte at a time (for each tcp_chr_read()), the
monitor readline state / buffers might contain junk (i.e. a half-finished
command). Thus, without calling readline_restart() on mon->rs in
CHR_EVENT_OPEN, future HMP commands will fail.

Signed-off-by: Stratos Psomadakis <address@hidden>
Signed-off-by: Dimitris Aragiorgis <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit e5554e2015f8fb452135f7b1ce1976536266379c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d754428b9bf9aba4b040aca89e95eb30e5d59faa
      
https://github.com/qemu/qemu/commit/d754428b9bf9aba4b040aca89e95eb30e5d59faa
  Author: Luiz Capitulino <address@hidden>
  Date:   2015-01-05 (Mon, 05 Jan 2015)

  Changed paths:
    M hw/virtio/virtio-balloon.c

  Log Message:
  -----------
  virtio-balloon: fix integer overflow in memory stats feature

When a QMP client changes the polling interval time by setting
the guest-stats-polling-interval property, the interval value
is stored and manipulated as an int64_t variable.

However, the balloon_stats_change_timer() function, which is
used to set the actual timer with the interval value, takes
an int instead, causing an overflow for big interval values.

This commit fixes this bug by changing balloon_stats_change_timer()
to take an int64_t and also it limits the polling interval value
to UINT_MAX to avoid other kinds of overflow.

Signed-off-by: Luiz Capitulino <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
(cherry picked from commit 1f9296b51a26650916a2c4191268bb64057bdc5f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 09d552b40f79c53a7faa8c85a4ffc2dd52d7b94c
      
https://github.com/qemu/qemu/commit/09d552b40f79c53a7faa8c85a4ffc2dd52d7b94c
  Author: Damjan Marion <address@hidden>
  Date:   2015-01-05 (Mon, 05 Jan 2015)

  Changed paths:
    M hw/net/vhost_net.c

  Log Message:
  -----------
  vhost-user: fix VIRTIO_NET_F_MRG_RXBUF negotiation

Header length check should happen only if backend is kernel. For user
backend there is no reason to reset this bit.

vhost-user code does not define .has_vnet_hdr_len so
VIRTIO_NET_F_MRG_RXBUF cannot be negotiated even if both sides
support it.

Signed-off-by: Damjan Marion <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit d8e80ae37a7acfea416ad9abbe76b453a73d9cc0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f1a842948a20ea25fef1d0f842b115805b269c02
      
https://github.com/qemu/qemu/commit/f1a842948a20ea25fef1d0f842b115805b269c02
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/misc/ivshmem.c

  Log Message:
  -----------
  ivshmem: Check ivshmem_read() size argument

The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field.  Fix this and
check we received enough bytes before accessing the buffer pointer.

Cc: Cam Macdonell <address@hidden>
Reported-by: Sebastian Krahmer <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
[AF: Handle partial reads via FIFO]
Reported-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit a2e9011b4164894594bf0b2a2a59e9c55c58c17b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 15905fde7bd40bc15173e77661981d462e6ca62b
      
https://github.com/qemu/qemu/commit/15905fde7bd40bc15173e77661981d462e6ca62b
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/misc/ivshmem.c

  Log Message:
  -----------
  ivshmem: validate incoming_posn value from server

Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.

Cc: Cam Macdonell <address@hidden>
Reported-by: Sebastian Krahmer <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
[AF: Tighten upper bound check for posn in close_guest_eventfds()]
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit 363ba1c72fed4425e7917afc36722584aaeaad8a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a95569d24f2462e1795a85aca17185ecd8856fc3
      
https://github.com/qemu/qemu/commit/a95569d24f2462e1795a85aca17185ecd8856fc3
  Author: Sebastian Krahmer <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/misc/ivshmem.c

  Log Message:
  -----------
  ivshmem: Fix potential OOB r/w access

Fix OOB access via malformed incoming_posn parameters
and check that requested memory is actually alloc'ed.

Signed-off-by: Sebastian Krahmer <address@hidden>
[AF: Rebased, cleanups, avoid fd leak]
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit 34bc07c5282a631c2663ae1ded0a186f46f64612)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c4379ce8efe091bdc0eb3789a2e4eb83d4a2f6ae
      
https://github.com/qemu/qemu/commit/c4379ce8efe091bdc0eb3789a2e4eb83d4a2f6ae
  Author: Andreas Färber <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/misc/ivshmem.c

  Log Message:
  -----------
  ivshmem: Fix fd leak on error

Reported-by: Stefan Hajnoczi <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 3a31cff11203bf62ebafa6d74b1fcf2aba345eed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 45c46f20c62bd7be98f774f2740ec775654e2668
      
https://github.com/qemu/qemu/commit/45c46f20c62bd7be98f774f2740ec775654e2668
  Author: zhanghailiang <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/mem/pc-dimm.c

  Log Message:
  -----------
  pc-dimm: Don't check dimm->node when there is non-NUMA config

It should not break memory hotplug feature if there is non-NUMA option.

This patch would also allow to use pc-dimm as replacement for initial memory
for non-NUMA configs.

Note: After this patch, the memory hotplug can work normally for Linux guest OS
when there is non-NUMA option and NUMA option. But not support Windows guest OS
to hotplug memory with no-NUMA config, actually, it's Windows limitation.

Reviewed-By: Igor Mammedov <address@hidden>
Signed-off-by: zhanghailiang <address@hidden>
Acked-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit fc50ff0666315be5120c70ad00cd0b0097484b84)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4d492e890925068e4e21b86fe14094ea054f74d9
      
https://github.com/qemu/qemu/commit/4d492e890925068e4e21b86fe14094ea054f74d9
  Author: Michael Roth <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M tests/Makefile

  Log Message:
  -----------
  tests: avoid running duplicate qom-tests

Since 3687d532 we've been unconditionally adding qom-test to our qtests
for every arch. However, some archs inherit their tests from Makefile
variables for other archs, such as i386/x86_64,
microblaze/microblazeel, and xtensa/xtensaeb. Since these are evaluated
in a lazy manner, we ultimately end up adding qom-test twice.

In the case of x86_64, where we have a large number of machine types that
we rerun qom-test for, this has led to a fairly noticeable increase
in the overall run-time of `make check` (78s vs. 42s on my machine).
Similar speed-ups are visible for other such archs, but not nearly as
significant.

Fix this by only adding qom-test to an arch's test list if it's not
already present.

Signed-off-by: Michael Roth <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Andreas Färber <address@hidden>
Cc: address@hidden
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 2b8419cb4911731db6c883fa7b0428ad4a355d9d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e2d402d0a115d3ceea649e72fe0d43c630e3fa22
      
https://github.com/qemu/qemu/commit/e2d402d0a115d3ceea649e72fe0d43c630e3fa22
  Author: Zhang Haoyu <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M savevm.c

  Log Message:
  -----------
  snapshot: fix referencing wrong variable in while loop in do_delvm

The while loop variable is "bs1",
but "bs" is always passed to bdrv_snapshot_delete_by_id_or_name.
Broken in commit a89d89d, v1.7.0.

Signed-off-by: Zhang Haoyu <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit af957387547b05ed6dc4d84c10cca42700a7aeda)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c29bf825ee5ac20f64aba557b3d8e7e0cd6a8a00
      
https://github.com/qemu/qemu/commit/c29bf825ee5ac20f64aba557b3d8e7e0cd6a8a00
  Author: Eduardo Habkost <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/i386/smbios.c

  Log Message:
  -----------
  smbios: Fix assertion on socket count calculation

QEMU currently allows the number of VCPUs to not be a multiple of the
number of threads per socket, but the smbios socket count calculation
introduced by commit c97294ec1b9e36887e119589d456557d72ab37b5 doesn't
take that into account, triggering an assertion. e.g.:

  $ ./x86_64-softmmu/qemu-system-x86_64 -smp 4,sockets=2,cores=6,threads=1
  qemu-system-x86_64: /home/ehabkost/rh/proj/virt/qemu/hw/i386/smbios.c:825: smbios_get_tables: Assertion `smbios_smp_sockets >= 1' failed.
  Aborted (core dumped)

Socket count calculation doesn't belong to smbios.c and should
eventually be moved to the main SMP topology configuration code. But
while we don't move the code, at least make it correct by rounding up
the division.

Cc: Gabriel Somlo <address@hidden>
Cc: address@hidden
Signed-off-by: Eduardo Habkost <address@hidden>
Reviewed-By: Igor Mammedov <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 7dfddd7f884b6dd2abf230d8fa6c7c83aab4f5ec)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0369529b3764865874b5084139373c3e34c583bd
      
https://github.com/qemu/qemu/commit/0369529b3764865874b5084139373c3e34c583bd
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/scsi/vhost-scsi.c

  Log Message:
  -----------
  vhost-scsi: use virtio_ldl_p

This helps for cross-endian configurations.

Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7ce0425575745a40e94e75426607e0bec17899fa)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b6bd501d6af6094ddc2d665372471afb4a2e277d
      
https://github.com/qemu/qemu/commit/b6bd501d6af6094ddc2d665372471afb4a2e277d
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-net: use aliases instead of duplicate qdev properties

virtio-net-pci, virtio-net-s390, and virtio-net-ccw all duplicate the
qdev properties of their VirtIONet child. This approach does not work
well with string or pointer properties since we must be careful about
leaking or double-freeing them.

Use the QOM alias property to forward property accesses to the
VirtIONet child.  This way no duplication is necessary.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7779edfeb1822ff5f554a4c1f3e9798789a9352c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 83f81f344f5523f47dc3a5dd229a3b8b1433fa17
      
https://github.com/qemu/qemu/commit/83f81f344f5523f47dc3a5dd229a3b8b1433fa17
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-net: fix virtio-net child refcount in transports

object_initialize() leaves the object with a refcount of 1.
object_property_add_child() adds its own reference which is dropped
again when the property is deleted.

The upshot of this is that we always have a refcount >= 1.  Upon hot
unplug the virtio-net child is not finalized!

Drop our reference after the child property has been added to the
parent.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 6a0c6b59788627541faf70864464f1e155dc18d7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: eb5388e2609e6e99352e8d9909f13f60d9d34fd0
      
https://github.com/qemu/qemu/commit/eb5388e2609e6e99352e8d9909f13f60d9d34fd0
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio/vhost-scsi: use aliases instead of duplicate qdev properties

{virtio, vhost}-scsi-{pci, s390, ccw} all duplicate the
qdev properties of their VirtIOSCSI/VHostSCSI child.
This approach does not work well with string or pointer
properties since we must be careful about leaking or
double-freeing them.

Use the QOM alias property to forward property accesses to the
VirtIOSCSI/VHostSCSI child. This way no duplication is necessary.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit c39343fd811a22c921fc08e9e6ca62c8e7539264)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f06c87b11937ec797b59485d16c937538a82d7a8
      
https://github.com/qemu/qemu/commit/f06c87b11937ec797b59485d16c937538a82d7a8
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio/vhost-scsi: fix virtio-scsi/vhost-scsi child refcount in transports

object_initialize() leaves the object with a refcount of 1.
object_property_add_child() adds its own reference which is dropped
again when the property is deleted.

The upshot of this is that we always have a refcount >= 1.  Upon hot
unplug the virtio-scsi/vhost-scsi child is not finalized!

Drop our reference after the child property has been added to the
parent.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 1312f12bcc8911ed99b67227fb9d1607295f71ed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aa383e9a8307325a8dc8569f13cf11d083c8b008
      
https://github.com/qemu/qemu/commit/aa383e9a8307325a8dc8569f13cf11d083c8b008
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-serial: use aliases instead of duplicate qdev properties

virtio-serial-{pci, s390, ccw} all duplicate the
qdev properties of their VirtIOSerial child.
This approach does not work well with string or pointer
properties since we must be careful about leaking or
double-freeing them.

Use the QOM alias property to forward property accesses to the
VirtIOSerial child.  This way no duplication is necessary.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 4f456d8025c7259c66b2b2bcec99d5c6c94d99be)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8c64b47eeb6488d579bfed311269e5b35960308b
      
https://github.com/qemu/qemu/commit/8c64b47eeb6488d579bfed311269e5b35960308b
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-serial: fix virtio-serial child refcount in transports

object_initialize() leaves the object with a refcount of 1.
object_property_add_child() adds its own reference which is dropped
again when the property is deleted.

The upshot of this is that we always have a refcount >= 1.  Upon hot
unplug the virtio-serial child is not finalized!

Drop our reference after the child property has been added to the
parent.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit e77ca8b92af8a5213897331d676089e8919f383d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c4164eae39d65b6735724a181b027754970e08ea
      
https://github.com/qemu/qemu/commit/c4164eae39d65b6735724a181b027754970e08ea
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-rng: use aliases instead of duplicate qdev properties

virtio-rng-{pci, s390, ccw} all duplicate the
qdev properties of their VirtIORNG child.
This approach does not work well with string or pointer
properties since we must be careful about leaking or
double-freeing them.

Use the QOM alias property to forward property accesses to the
VirtIORNG child.  This way no duplication is necessary.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 8ee486ae339f0e5236f4a9ab988fc963edcc73b5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0077793a00a7ff4e44d6bdfe3469b61ba14962ec
      
https://github.com/qemu/qemu/commit/0077793a00a7ff4e44d6bdfe3469b61ba14962ec
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/s390-virtio-bus.c
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-rng: fix virtio-rng child refcount in transports

object_initialize() leaves the object with a refcount of 1.
object_property_add_child() adds its own reference which is dropped
again when the property is deleted.

The upshot of this is that we always have a refcount >= 1.  Upon hot
unplug the virtio-rng child is not finalized!

Drop our reference after the child property has been added to the
parent.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 352fa88dfb2e9c72fa2a1506acb39f349d4befbf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 20dc758b7f350f67449dbcfe61584005d87ac4da
      
https://github.com/qemu/qemu/commit/20dc758b7f350f67449dbcfe61584005d87ac4da
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/s390x/virtio-ccw.c
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-balloon: fix virtio-balloon child refcount in transports

object_initialize() leaves the object with a refcount of 1.
object_property_add_child() adds its own reference which is dropped
again when the property is deleted.

The upshot of this is that we always have a refcount >= 1.  Upon hot
unplug the virtio-balloon child is not finalized!

Drop our reference after the child property has been added to the
parent.

Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 91ba21208839643603e7f7fa5864723c3f371ebe)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b5ad76a7094e73069a4a583e20d43eb6b5506500
      
https://github.com/qemu/qemu/commit/b5ad76a7094e73069a4a583e20d43eb6b5506500
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-9p: use aliases instead of duplicate qdev properties

virtio-9p-pci duplicates the qdev properties of its
V9fsState child. This approach does not work well with
string or pointer properties since we must be careful
about leaking or double-freeing them.

Use the QOM alias property to forward property accesses to the
V9fsState child.  This way no duplication is necessary.

Signed-off-by: Gonglei <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 48833071d955406ebeddc365a8df8b5cb12b035f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cf0276b7c02211773836920d8ebd9d582b32161f
      
https://github.com/qemu/qemu/commit/cf0276b7c02211773836920d8ebd9d582b32161f
  Author: Gonglei <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-9p: fix virtio-9p child refcount in transports

object_initialize() leaves the object with a refcount of 1.
object_property_add_child() adds its own reference which is
dropped again when the property is deleted.

The upshot of this is that we always have a refcount >= 1. Upon
unplug the virtio-9p child is not finalized!

Drop our reference after the child property has been added to the
parent.

Signed-off-by: Gonglei <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 8f3d60e568f53cb3ccdedd917f8e49cdb304973b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8100812711ea480119f9796bd6c0895e6ac85d0f
      
https://github.com/qemu/qemu/commit/8100812711ea480119f9796bd6c0895e6ac85d0f
  Author: Jan Kiszka <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/i386/pc_piix.c

  Log Message:
  -----------
  pc: Fix disabling of vapic for compat PC models

We used to be able to address both the QEMU and the KVM APIC via "apic".
This doesn't work anymore. So we need to use their parent class to turn
off the vapic on machines that should not expose them.

Signed-off-by: Jan Kiszka <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit df1fd4b541b3ae0dc44843741363d00080775294)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8bf7738ff2928f50c43f543554a0d08c0b132a74
      
https://github.com/qemu/qemu/commit/8bf7738ff2928f50c43f543554a0d08c0b132a74
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmware-vga: CVE-2014-3689: turn off hw accel

Quick & easy stopgap for CVE-2014-3689:  We just compile out the
hardware acceleration functions which lack sanity checks.  Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.

Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Don Koch <address@hidden>
(cherry picked from commit 83afa38eb20ca27e30683edc7729880e091387fc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4bcf40b28884c7eb583bad38ea3b4fca3081b33c
      
https://github.com/qemu/qemu/commit/4bcf40b28884c7eb583bad38ea3b4fca3081b33c
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmware-vga: add vmsvga_verify_rect

Add verification function for rectangles, returning
true if verification passes and false otherwise.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Don Koch <address@hidden>
(cherry picked from commit 07258900fd45b646f5b69048d64c4490b3243e1b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 38e6e1c6a342dd320be6fa153163b36ff85e17b8
      
https://github.com/qemu/qemu/commit/38e6e1c6a342dd320be6fa153163b36ff85e17b8
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect

Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
in behavior:  We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Don Koch <address@hidden>
(cherry picked from commit 1735fe1edba9cc86bc0f26937ed5a62d3cb47c9c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 82e89133415f4fac6459e949548c9ad96c0dec9a
      
https://github.com/qemu/qemu/commit/82e89133415f4fac6459e949548c9ad96c0dec9a
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect

Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Don Koch <address@hidden>
(cherry picked from commit 61b41b4c20eba08d2185297767e69153d7f3e09d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff830f9d8822f27fce8863b952207b586037f6a5
      
https://github.com/qemu/qemu/commit/ff830f9d8822f27fce8863b952207b586037f6a5
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect

Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Don Koch <address@hidden>
(cherry picked from commit bd9ccd8517e83b7c33a9167815dbfffb30d70b13)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 57248587af8090ca0bc7bd0cd672ff15e2ebf8b9
      
https://github.com/qemu/qemu/commit/57248587af8090ca0bc7bd0cd672ff15e2ebf8b9
  Author: Max Reitz <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M block/qcow2-cluster.c

  Log Message:
  -----------
  qcow2: Do not overflow when writing an L1 sector

While writing an L1 table sector, qcow2_write_l1_entry() copies the
respective range from s->l1_table to the local "buf" array. The size of
s->l1_table does not have to be a multiple of L1_ENTRIES_PER_SECTOR;
thus, limit the index which is used for copying all entries to the L1
size.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Peter Lieven <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit a1391444fe1cfef14976458f3293a2c6945e725c)
Signed-off-by: Michael Roth <address@hidden>
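
The bounded copy described in the qcow2 commit above, as an added example that is not QEMU's code: build_l1_sector(), run_case(), the table contents and the zero padding of the unused tail are assumptions made for illustration; only L1_ENTRIES_PER_SECTOR, the L1 table and the L1 size come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L1_ENTRIES_PER_SECTOR (512 / 8)  /* 64 eight-byte entries per sector */
#define DEMO_MAX_L1 128                  /* size of the constructed demo table */

/* Portable host-to-big-endian conversion for one 64-bit entry. */
static uint64_t to_be64(uint64_t v)
{
    uint8_t b[8];
    uint64_t out;
    for (int i = 0; i < 8; i++) {
        b[i] = (uint8_t)(v >> (56 - 8 * i));
    }
    memcpy(&out, b, sizeof(out));
    return out;
}

/*
 * Hypothetical helper: fill buf with the sector that contains l1_index.
 * The copy stops at l1_size, so a table whose size is not a multiple of
 * L1_ENTRIES_PER_SECTOR is never read past its end. Unused slots are
 * zeroed (an assumption of this example).
 * Returns the number of entries taken from the table, or -1 on bad input.
 */
static int build_l1_sector(const uint64_t *l1_table, int l1_size,
                           int l1_index, uint64_t buf[L1_ENTRIES_PER_SECTOR])
{
    if (l1_table == NULL || l1_index < 0 || l1_index >= l1_size) {
        return -1;
    }
    int start = l1_index & ~(L1_ENTRIES_PER_SECTOR - 1);
    int n = l1_size - start;              /* entries left in the table */
    if (n > L1_ENTRIES_PER_SECTOR) {
        n = L1_ENTRIES_PER_SECTOR;
    }
    memset(buf, 0, sizeof(uint64_t) * L1_ENTRIES_PER_SECTOR);
    for (int i = 0; i < n; i++) {
        buf[i] = to_be64(l1_table[start + i]);
    }
    return n;
}

/* Constructed sample table: every entry is non-zero and distinct. */
static void make_table(uint64_t *t, int n)
{
    for (int i = 0; i < n; i++) {
        t[i] = 0x10000ULL * (uint64_t)(i + 1);
    }
}

/* Build the sector for l1_index in a table of l1_size entries. */
static int run_case(int l1_size, int l1_index)
{
    uint64_t table[DEMO_MAX_L1];
    uint64_t buf[L1_ENTRIES_PER_SECTOR];
    if (l1_size < 0 || l1_size > DEMO_MAX_L1) {
        return -1;
    }
    make_table(table, l1_size);
    return build_l1_sector(table, l1_size, l1_index, buf);
}

/* Returns 1 when the last copied entry is right and the tail is zero. */
static int tail_is_zero_padded(int l1_size, int l1_index)
{
    uint64_t table[DEMO_MAX_L1];
    uint64_t buf[L1_ENTRIES_PER_SECTOR];
    if (l1_size < 0 || l1_size > DEMO_MAX_L1) {
        return 0;
    }
    make_table(table, l1_size);
    int n = build_l1_sector(table, l1_size, l1_index, buf);
    if (n <= 0 || buf[n - 1] != to_be64(table[l1_size - 1])) {
        return 0;
    }
    for (int i = n; i < L1_ENTRIES_PER_SECTOR; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("70 entries, index 65: %d copied\n", run_case(70, 65));
    printf("70 entries, index 3:  %d copied\n", run_case(70, 3));
    printf("tail zero padded:     %d\n", tail_is_zero_padded(70, 65));
    return 0;
}
```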


  Commit: 90de7a03bbc24d559971248c5530631d9bc27250
      
https://github.com/qemu/qemu/commit/90de7a03bbc24d559971248c5530631d9bc27250
  Author: Ray Strode <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M libcacard/cac.c

  Log Message:
  -----------
  libcacard: don't free sign buffer while sign op is pending

commit 57f97834efe0c208ffadc9d2959f3d3d55580e52 cleaned up
the cac_applet_pki_process_apdu function to have a single
exit point. Unfortunately, that commit introduced a bug
where the sign buffer can get free'd and nullified while
it's still being used.

This commit corrects the bug by introducing a boolean to
track whether or not the sign buffer should be freed in
the function exit path.

Signed-off-by: Ray Strode <address@hidden>
Reviewed-by: Alon Levy <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 81b49e8f892a977f3821f3416ea51aa641d63ac4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5a6af9724369b321f0ae4459403ef76e4a7bd507
      
https://github.com/qemu/qemu/commit/5a6af9724369b321f0ae4459403ef76e4a7bd507
  Author: Jan Kiszka <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  Make qemu_shutdown_requested signal-safe

qemu_shutdown_requested may be interrupted by qemu_system_killed. If the
latter sets shutdown_requested after qemu_shutdown_requested has read it
but before it was cleared, the shutdown event is lost. Fix this by using
atomic_xchg.

This provides a different fix for the problem which commit 15124e142
attempts to deal with. That commit breaks use of ^C to drop into gdb,
and so this approach is better (and 15124e142 can be reverted).

Signed-off-by: Jan Kiszka <address@hidden>
Reviewed-by: Gonglei <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
[PMM: commit message tweak]
Signed-off-by: Peter Maydell <address@hidden>

(cherry picked from commit 817ef04db2cfa2df04daffd6917f4ea7605f6403)
Signed-off-by: Michael Roth <address@hidden>
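
The lost-event window described in the commit above, as an added example that is not QEMU's code: it uses C11 atomic_exchange() as a stand-in for QEMU's atomic_xchg, and poll_racy(), poll_xchg(), signal_arrives() and the interrupt hook that models the signal handler are hypothetical names.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Flag set by the (simulated) signal handler, consumed by the main loop. */
static atomic_int shutdown_requested;

/* Stand-in for the signal handler: records that shutdown was requested. */
static void signal_arrives(void)
{
    atomic_store(&shutdown_requested, 1);
}

/*
 * Read-then-clear in two steps. The interrupt hook models a signal that
 * lands after the read but before the clear: its write is overwritten.
 */
static int poll_racy(void (*interrupt)(void))
{
    int r = atomic_load(&shutdown_requested);
    if (interrupt) {
        interrupt();                       /* signal lands in the window */
    }
    atomic_store(&shutdown_requested, 0);  /* wipes the handler's write */
    return r;
}

/*
 * Read and clear in one atomic step. There is no window inside the
 * exchange, so the earliest a signal can land is right after it, and
 * its write survives until the next poll.
 */
static int poll_xchg(void (*interrupt)(void))
{
    int r = atomic_exchange(&shutdown_requested, 0);
    if (interrupt) {
        interrupt();
    }
    return r;
}

/* Poll twice with one signal during the first poll; count events seen. */
static int events_seen(int (*poll)(void (*)(void)))
{
    atomic_store(&shutdown_requested, 0);
    int seen = poll(signal_arrives);
    seen += poll(NULL);
    return seen;
}

static int events_seen_racy(void)
{
    return events_seen(poll_racy);
}

static int events_seen_xchg(void)
{
    return events_seen(poll_xchg);
}

int main(void)
{
    printf("read-then-clear: %d shutdown event(s) seen\n", events_seen_racy());
    printf("atomic exchange: %d shutdown event(s) seen\n", events_seen_xchg());
    return 0;
}
```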


  Commit: b2f1d90530301d7915dddc8a750063757675b21a
      
https://github.com/qemu/qemu/commit/b2f1d90530301d7915dddc8a750063757675b21a
  Author: Petr Matousek <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  vnc: sanitize bits_per_pixel from the client

bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.

To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.

Signed-off-by: Petr Matousek <address@hidden>

[ kraxel: apply codestyle fix ]

Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cb91dce13e880189717b4b8e3d64c45d12a616f1
      
https://github.com/qemu/qemu/commit/cb91dce13e880189717b4b8e3d64c45d12a616f1
  Author: Ting Wang <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: sense in virtio_scsi_command_complete

If req->resp.cmd.status is not GOOD, the address of sense for
qemu_iovec_from_buf should be modified from &req->resp to sense.

Cc: address@hidden
Signed-off-by: Ting Wang <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit b7890c40e557f4733b6fcd1eb79af79b70dc8c05)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8239a583c15df4bf929429e7e3a856accc643c4e
      
https://github.com/qemu/qemu/commit/8239a583c15df4bf929429e7e3a856accc643c4e
  Author: Aurelien Jarno <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M tcg/mips/tcg-target.c

  Log Message:
  -----------
  tcg/mips: fix store softmmu slow path

Commit 9d8bf2d1 moved the softmmu slow path out of line and introduced a
regression at the same time by always calling tcg_out_tlb_load with
is_load=1. This makes it impossible to run any significant code under
qemu-system-mips*.

Cc: Paolo Bonzini <address@hidden>
Cc: address@hidden
Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Aurelien Jarno <address@hidden>
(cherry picked from commit 0a2923f8488498000eec54871456aa64a4391da4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c448fb76516c2397e9d6f65ef8aa13c2236e56eb
      
https://github.com/qemu/qemu/commit/c448fb76516c2397e9d6f65ef8aa13c2236e56eb
  Author: Max Filippov <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/arm/boot.c
    M hw/core/loader.c
    M hw/m68k/an5206.c
    M hw/m68k/dummy_m68k.c
    M hw/m68k/mcf5208.c
    M hw/microblaze/boot.c
    M hw/openrisc/openrisc_sim.c
    M hw/ppc/e500.c
    M hw/ppc/ppc440_bamboo.c
    M hw/xtensa/xtfpga.c
    M include/hw/loader.h

  Log Message:
  -----------
  hw/core/loader: implement address translation in uimage loader

Such address translation is needed when the load address recorded in uImage
is a virtual address. When the actual load address is requested, return the
untranslated address: a user that needs the translated address can always
apply the translation function to it, and those that need it untranslated
don't need to do the inverse translation.

Add translation function pointer and its parameter to uimage_load
prototype. Update all existing users.

No user-visible functional changes.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
Reviewed-by: Alexander Graf <address@hidden>
(cherry picked from commit 25bda50a0c7241dcb247483af2b7f961632020cc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f8c61ebdd2e59e14b6f07ee2fe3e8be011a067f1
      
https://github.com/qemu/qemu/commit/f8c61ebdd2e59e14b6f07ee2fe3e8be011a067f1
  Author: Max Filippov <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M hw/xtensa/xtfpga.c

  Log Message:
  -----------
  hw/xtensa/xtfpga: treat uImage load address as virtual

U-boot for xtensa always treats uImage load address as virtual address.
This is important when booting uImage on xtensa core with MMUv2, because
MMUv2 has fixed non-identity virtual-to-physical mapping after reset.

Always do virtual-to-physical translation of uImage load address and
load uImage at the translated address. This fixes booting uImage kernels
on dc232b and other MMUv2 cores.

Cc: address@hidden
Reported-by: Waldemar Brodkorb <address@hidden>
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 6d2e4530532ca1dbb5e68bdcca12e10931bc6503)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b57b7ec340c128df59337822043b878b6f08cc4a
      
https://github.com/qemu/qemu/commit/b57b7ec340c128df59337822043b878b6f08cc4a
  Author: Zhang Haoyu <address@hidden>
  Date:   2015-01-06 (Tue, 06 Jan 2015)

  Changed paths:
    M block/snapshot.c

  Log Message:
  -----------
  snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem

If there is still pending I/O while deleting a snapshot, a concurrency
problem between the two operations is possible, because deleting the
snapshot is done in non-coroutine context while the pending I/O read/write
(bdrv_co_do_rw) is done in coroutine context.
Add bdrv_drain_all() to bdrv_snapshot_delete() to avoid this problem.

Signed-off-by: Zhang Haoyu <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 3432a1929ee18e08787ce35476abd74f2c93a17c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cfa86bcb7de0342b2d8c5ac590c4b36bcece263c
      
https://github.com/qemu/qemu/commit/cfa86bcb7de0342b2d8c5ac590c4b36bcece263c
  Author: Peter Maydell <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M hw/ppc/spapr_pci.c

  Log Message:
  -----------
  hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*)

The g_hash_table_iter_* functions for iterating through a hash table
are not present in glib 2.12, which is our current minimum requirement.
Rewrite the code to use g_hash_table_foreach() instead.

Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit f8833a37c0c6b22ddd57b45e48cfb0f97dbd5af4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aae114b7edd25c2c15bd126ffc6dbe4696f74f7f
      
https://github.com/qemu/qemu/commit/aae114b7edd25c2c15bd126ffc6dbe4696f74f7f
  Author: Hannes Reinecke <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M hw/scsi/esp-pci.c

  Log Message:
  -----------
  esp-pci: fixup deadlock with linux

A linux guest will be issuing messages:

[   32.124042] DC390: Deadlock in DataIn_0: DMA aborted unfinished: 000000 bytes remain!!
[   32.126348] DC390: DataIn_0: DMA State: 0

and the HBA will fail to work properly.
Reason is the emulation is not setting the 'DMA transfer done'
status correctly.

Signed-off-by: Hannes Reinecke <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit c3543fb5fe4520f03dd4fef04fab7745eeca1c96)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ea227e222bacb16539128b6b201614847374453c
      
https://github.com/qemu/qemu/commit/ea227e222bacb16539128b6b201614847374453c
  Author: Max Filippov <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M target-xtensa/cpu.h
    M target-xtensa/op_helper.c

  Log Message:
  -----------
  target-xtensa: add missing window check for entry

Entry opcode needs to check if moving to new register frame would cause
register window overflow. Entry used in function prologue never
overflows because preceding windowed call* opcode writes return address
to the target register window frame, causing overflow exceptions at the
point of call. But when a sequence of entry opcodes is used for register
window spilling there may not be a call or other opcode that would cause
window check between entries and they would not raise overflow exception
themselves resulting in data corruption.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 1b3e71f8ee17ced609213d9b41758110f3c026e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 14b51b6718c304d3051aceeb11664736a38cd272
      
https://github.com/qemu/qemu/commit/14b51b6718c304d3051aceeb11664736a38cd272
  Author: Alexander Graf <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M kvm-all.c

  Log Message:
  -----------
  kvm: Fix memory slot page alignment logic

Memory slots have to be page aligned to get entered into KVM. There
is existing logic that tries to ensure that we pad memory slots that
are not page aligned to the biggest region that would still fit in the
alignment requirements.

Unfortunately, that logic is broken. It tries to calculate the start
offset based on the region size.

Fix up the logic to do the thing it was intended to do and document it
properly in the comment above it.

With this patch applied, I can successfully run an e500 guest with more
than 3GB RAM (at which point RAM starts overlapping subpage memory regions).

Cc: address@hidden
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit f2a64032a14c642d0ddc9a7a846fc3d737deede5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0c80570170eb9c489657df5b85e3d3104952ce0e
      
https://github.com/qemu/qemu/commit/0c80570170eb9c489657df5b85e3d3104952ce0e
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: work around bug in old BIOSes

Old BIOSes left some padding by mistake after the req_size/resp_size.
New QEMU does not like it, thinking it is a bidirectional command.

As a workaround, we can check if the ANY_LAYOUT bit is set; if not, we
always consider the first buffer as the virtio-scsi request/response,
because, back when QEMU did not support ANY_LAYOUT, it expected the
payload to start at the second element of the iovec.

This can show up during migration.

Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 55783a5521a3b1f93ee6a072e414a27c6cfa15f0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: de98dc9539e31b8f986e5d7aad22988beecc2028
      
https://github.com/qemu/qemu/commit/de98dc9539e31b8f986e5d7aad22988beecc2028
  Author: zhanghailiang <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M libcacard/vscclient.c

  Log Message:
  -----------
  libcacard: fix resource leak

In function connect_to_qemu(), getaddrinfo() will allocate memory
that is stored into server; it should be freed by using freeaddrinfo()
before connect_to_qemu() returns.

Cc: address@hidden
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: zhanghailiang <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 5bbebf622897a59db5da4c468e737bfec4d71280)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 05c5febf8cfe4e6f11a2c5147e13443ce3e9ba52
      
https://github.com/qemu/qemu/commit/05c5febf8cfe4e6f11a2c5147e13443ce3e9ba52
  Author: zhanghailiang <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M net/l2tpv3.c

  Log Message:
  -----------
  l2tpv3: fix possible double free

freeaddrinfo(result) does not assign result = NULL after freeing it.
There will be a double free when it goes to the error case.
It is reported by Coverity.

Reviewed-by: Gonglei <address@hidden>
Cc: address@hidden
Signed-off-by: zhanghailiang <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 77374582ab961af2c5e702f767f52179d5f7676c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 844470158c61645f6448fe2fd3963080cead44db
      
https://github.com/qemu/qemu/commit/844470158c61645f6448fe2fd3963080cead44db
  Author: Peter Maydell <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M exec.c
    M include/exec/ram_addr.h

  Log Message:
  -----------
  exec: Handle multipage ranges in invalidate_and_set_dirty()

The code in invalidate_and_set_dirty() needs to handle addr/length
combinations which cross guest physical page boundaries. This can happen,
for example, when disk I/O reads large blocks into guest RAM which previously
held code that we have cached translations for. Unfortunately we were only
checking the clean/dirty status of the first page in the range, and then
were calling a tb_invalidate function which only handles ranges that don't
cross page boundaries. Fix the function to deal with multipage ranges.

The symptoms of this bug were that guest code would misbehave (eg segfault),
in particular after a guest reboot but potentially any time the guest
reused a page of its physical RAM for new code.

Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Message-id: address@hidden
(cherry picked from commit f874bf905ff2f8dcc17acbfc61e49a92a6f4d04b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cd2f44cc3e75afd059d6a1b8a08ea6892bb8853b
      
https://github.com/qemu/qemu/commit/cd2f44cc3e75afd059d6a1b8a08ea6892bb8853b
  Author: Don Slutz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  hw/ide/core.c: Prevent SIGSEGV during migration

The other callers to blk_set_enable_write_cache() in this file
already check for s->blk == NULL.

Signed-off-by: Don Slutz <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 6b896ab261942f441a16836e3fa3c83f3f4488b9)

Conflicts:
        hw/ide/core.c

*removed dependency on 4be746345

Signed-off-by: Michael Roth <address@hidden>


  Commit: b28d7b585a2f58b5eaee523aad1b15713b212031
      
https://github.com/qemu/qemu/commit/b28d7b585a2f58b5eaee523aad1b15713b212031
  Author: Jason Wang <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: fix unmap leak

virtio_net_handle_ctrl() and other functions that process control vq
requests call iov_discard_front(), which will shorten the iov. This will
lead to the unmapping in virtqueue_push() leaking the mapping.

Fix this by keeping the original iov untouched and using a temp variable
in those functions.

Cc: Wen Congyang <address@hidden>
Cc: Stefano Stabellini <address@hidden>
Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 771b6ed37e3aa188a7485560b949a41c6cf174dc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cdeb85cf241fccd7995e5c62b8cee7bb23dcac86
      
https://github.com/qemu/qemu/commit/cdeb85cf241fccd7995e5c62b8cee7bb23dcac86
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M block/qcow2.c
    M block/raw-posix.c
    M block/raw-win32.c
    M block/raw_bsd.c
    M include/block/block_int.h

  Log Message:
  -----------
  block: Make essential BlockDriver objects public

There are some block drivers which are essential to QEMU and may not be
removed: These are raw, file and qcow2 (as the default non-raw format).
Make their BlockDriver objects public so they can be directly referenced
throughout the block layer without needing to call bdrv_find_format()
and having to deal with an error at runtime, while the real problem
occurred during linking (where raw, file or qcow2 were not linked into
qemu).

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 5f535a941e52229d81e55603eb69b2bd449b937a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1b9ea8961a8787672e7c146c91ee33aa815eb0da
      
https://github.com/qemu/qemu/commit/1b9ea8961a8787672e7c146c91ee33aa815eb0da
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M block.c
    M block/qcow2.c

  Log Message:
  -----------
  block: Omit bdrv_find_format for essential drivers

We can always assume raw, file and qcow2 being available; so do not use
bdrv_find_format() to locate their BlockDriver objects but statically
reference the respective objects.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit ef8104378c4a0497be079e48ee5ac5a89c68f978)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b3729b2ec2c205b7a09a741c2484403b59e04b80
      
https://github.com/qemu/qemu/commit/b3729b2ec2c205b7a09a741c2484403b59e04b80
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M block/vvfat.c

  Log Message:
  -----------
  block/vvfat: qcow driver may not be found

Although virtually impossible right now, bdrv_find_format("qcow") may
fail. The vvfat block driver should heed that case.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 1bcb15cf776a57e8963072c1919a59a90aea8e94)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ad0983b5d1519b933983441530ecd34d1a614989
      
https://github.com/qemu/qemu/commit/ad0983b5d1519b933983441530ecd34d1a614989
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M block/nfs.c

  Log Message:
  -----------
  block/nfs: Add create_opts

The nfs protocol driver is capable of creating images, but did not
specify any creation options. Fix it.

A way to test this issue is the following:

$ qemu-img create -f nfs nfs://127.0.0.1/foo.qcow2 64M

Without this patch, it segfaults. With this patch, it does not. However,
this is not something that should really work; qemu-img should check
whether the parameter for the -f option (and -O for convert) is indeed a
format, and error out if it is not. Therefore, I am not making it an
iotest.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit fd752801ae1cc729359a37f29e32265de6948d37)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dee284885a3a3f3afe8fdc587197706d4eb52e01
      
https://github.com/qemu/qemu/commit/dee284885a3a3f3afe8fdc587197706d4eb52e01
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Check create_opts before image creation

If a driver supports image creation, it needs to set the .create_opts
field. We can use that to make sure .create_opts for both drivers
involved is not NULL in bdrv_img_create(), which is important so that
the create_opts pointer in that function is not NULL after the
qemu_opts_append() calls and when going into qemu_opts_create().

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit c6149724080af7b3d5d61eac8942655e6d212783)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2fbad1f9445534fe9f920950bed510714d58e8c8
      
https://github.com/qemu/qemu/commit/2fbad1f9445534fe9f920950bed510714d58e8c8
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M qemu-img.c

  Log Message:
  -----------
  qemu-img: Check create_opts before image creation

If a driver supports image creation, it needs to set the .create_opts
field. We can use that to make sure .create_opts for both drivers
involved is not NULL for the target image in qemu-img convert, which is
important so that the create_opts pointer in img_convert() is not NULL
after the qemu_opts_append() calls and when going into
qemu_opts_create().

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit f75613cf2488a37fb8019bc32a06ddbcd477d0ce)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 07ede68671f8b14fd42b72a43bd95af7d45f3611
      
https://github.com/qemu/qemu/commit/07ede68671f8b14fd42b72a43bd95af7d45f3611
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M qemu-img.c

  Log Message:
  -----------
  qemu-img: Check create_opts before image amendment

The image options which can be amended are described by the .create_opts
field for every driver. This field must therefore be non-NULL so that
anything can be amended in the first place. Check that this holds true
before going into qemu_opts_create() (because if .create_opts is NULL,
the create_opts pointer in img_amend() will be NULL after
qemu_opts_append()).

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b2439d26f078c826e5e06b34d978a6f6d5c7c56f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e6c172ad9e220e9ee013078502808b90aad12302
      
https://github.com/qemu/qemu/commit/e6c172ad9e220e9ee013078502808b90aad12302
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M tests/qemu-iotests/common.rc

  Log Message:
  -----------
  iotests: Only kill NBD server if it runs

There may be NBD tests which do not create a sample image and simply
test whether wrong usage of the protocol is rejected as expected. In
this case, there will be no NBD server and trying to kill it during
clean-up will fail.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit f798068c565918ead63218d083ff814b7635be72)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aa58eedb35793e03584523d2d064f83bc45b67d1
      
https://github.com/qemu/qemu/commit/aa58eedb35793e03584523d2d064f83bc45b67d1
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    A tests/qemu-iotests/113
    A tests/qemu-iotests/113.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  iotests: Add test for unsupported image creation

Add a test for creating and amending images (amendment uses the creation
options) with formats not supporting creation over protocols not
supporting creation.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2247798d13e5295a097da0a42f9d0d70d88690a4)

Conflicts:
        tests/qemu-iotests/group

*removed context dependencies from upstream iotest groups

Signed-off-by: Michael Roth <address@hidden>


  Commit: 175117c1592cdc9de8174b64e90e3dff22087d8e
      
https://github.com/qemu/qemu/commit/175117c1592cdc9de8174b64e90e3dff22087d8e
  Author: Max Reitz <address@hidden>
  Date:   2015-01-07 (Wed, 07 Jan 2015)

  Changed paths:
    M block/qcow2-cluster.c

  Log Message:
  -----------
  qcow2: Prevent numerical overflow

In qcow2_alloc_cluster_offset(), *num is limited to
INT_MAX >> BDRV_SECTOR_BITS by all callers. However, since remaining is
of type uint64_t, we might as well cast *num to that type before
performing the shift.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 11c89769dc3e638ef72915d97058411ddf79b64b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0073781fea140c31928802a8a112bf0acc31bb2d
      
https://github.com/qemu/qemu/commit/0073781fea140c31928802a8a112bf0acc31bb2d
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block/blkdebug.c

  Log Message:
  -----------
  blkdebug: report errors on flush too

Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: John Snow <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 9e52c53b8c7821ce06e8b995b960e81b469e6847)

*included to maintain parity with unit tests which inject errors
 via blkdebug. needed for:
 "qcow2: Flushing the caches in qcow2_close may fail"

Signed-off-by: Michael Roth <address@hidden>


  Commit: 0505d48c83bf3722c0a3aaa13a65d5ab17f92b97
      
https://github.com/qemu/qemu/commit/0505d48c83bf3722c0a3aaa13a65d5ab17f92b97
  Author: Max Reitz <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/026.out
    M tests/qemu-iotests/071.out
    M tests/qemu-iotests/089.out

  Log Message:
  -----------
  qcow2: Flushing the caches in qcow2_close may fail

qcow2_cache_flush() may fail; if one of the caches failed to be flushed
successfully to disk in qcow2_close() the image should not be marked
clean, and we should emit a warning.

This breaks the (qcow2-specific) iotests 026, 071 and 089; change their
output accordingly.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 3b5e14c76a6bb142bf250ddf99e24a0ac8c7bc12)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 178ed9aad3b189f010f506dfbc86a0ac1efd377e
      
https://github.com/qemu/qemu/commit/178ed9aad3b189f010f506dfbc86a0ac1efd377e
  Author: Max Reitz <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: Respect bdrv_truncate() error

bdrv_truncate() may fail and qcow2_write_compressed() should return the
error code in that case.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 6a69b9620ac1562a067990d87284a85552bfd61b)

Conflicts:
        block/qcow2.c

*removed context dependency on 75d3d21

Signed-off-by: Michael Roth <address@hidden>


  Commit: 6bbb939a8061d189bf29aa2b3ef1a5717380f41a
      
https://github.com/qemu/qemu/commit/6bbb939a8061d189bf29aa2b3ef1a5717380f41a
  Author: Max Reitz <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block/raw-posix.c

  Log Message:
  -----------
  block/raw-posix: Fix ret in raw_open_common()

The return value must be negative on error; there is one place in
raw_open_common() where errp is set, but ret remains 0. Fix it.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 01212d4ed68fc8daa29062a9a38650cf8febe392)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 21640bf6e08e4d69bab1bd1ea0bed562d1fc726c
      
https://github.com/qemu/qemu/commit/21640bf6e08e4d69bab1bd1ea0bed562d1fc726c
  Author: Gary R Hook <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block-migration.c

  Log Message:
  -----------
  block migration: fix return value

Modify block_save_iterate() to return positive/zero/negative
(success/not done/failure) return status. The computation of
the blocks transferred (an int64_t) exceeds the size of an
int return value.

Signed-off-by: Gary R Hook <address@hidden>
Reviewed-by: ChenLiang <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ebd9fbd7e102c533143c2c8372312b75c2b2678a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b495764ae801daeb4ec690b628301f75838352a1
      
https://github.com/qemu/qemu/commit/b495764ae801daeb4ec690b628301f75838352a1
  Author: Kevin Wolf <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Fix header extension size check

After reading the extension header, offset is incremented, but not
checked against end_offset any more. This way an integer overflow could
happen when checking whether the extension end is within the allowed
range, effectively disabling the check.

This patch adds the missing check and a test case for it.

Cc: address@hidden
Reported-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2ebafc854d109ff09b66fb4dd62c2c53fc29754a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 75eb0f5dbb3beaa718b2a6b6acd5b3cce565586a
      
https://github.com/qemu/qemu/commit/75eb0f5dbb3beaa718b2a6b6acd5b3cce565586a
  Author: Kevin Wolf <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M tests/qemu-iotests/qcow2.py

  Log Message:
  -----------
  qcow2.py: Add required padding for header extensions

The qcow2 specification requires that the header extension data be
padded to round up the extension size to the next multiple of 8 bytes.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 8884dd1bbc5ce42cd657ffcbef3a477443468974)
Signed-off-by: Michael Roth <address@hidden>
(cherry picked from commit a163ac3f57b5baa117158f7c0488d276ba3377e2)
Signed-off-by: Michael Roth <address@hidden>
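
The two qcow2 commits above (the header extension size check and the 8-byte padding rule) both concern walking the extension area. The following is an added example, not QEMU's code: the function names, the in-memory buffer model and the constructed sample image are assumptions made here, while the 8-byte entry header, the end marker type 0 and the backing-format type value follow the qcow2 specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_HDR_SIZE    8u           /* 4-byte type + 4-byte data length, big-endian */
#define EXT_END         0x00000000u  /* end of header extension area */
#define EXT_BACKING_FMT 0xE2792ACAu  /* backing file format name */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Data size rounded up to a multiple of 8. Computed in 64 bits so that a
 * length close to UINT32_MAX does not wrap around to 0. */
uint64_t pad8(uint32_t len)
{
    return ((uint64_t)len + 7) & ~(uint64_t)7;
}

/* Weak form: if offset has already moved past end, "end - offset" wraps to
 * a huge unsigned value and every size is accepted. */
int ext_fits_weak(uint64_t offset, uint64_t size, uint64_t end)
{
    return size <= end - offset;
}

/* Hardened form: compare offset with end first, then do the subtraction. */
int ext_fits_checked(uint64_t offset, uint64_t size, uint64_t end)
{
    return offset <= end && size <= end - offset;
}

/* Walk the extension area buf[start, end). Returns the number of non-end
 * extensions, or -1 if an entry header or its padded data crosses end. */
int count_extensions(const uint8_t *buf, uint64_t start, uint64_t end)
{
    uint64_t offset = start;
    int n = 0;

    while (offset < end) {
        if (end - offset < EXT_HDR_SIZE) {
            return -1;                  /* entry header itself is truncated */
        }
        uint32_t type = be32(buf + offset);
        uint32_t len = be32(buf + offset + 4);
        offset += EXT_HDR_SIZE;
        if (!ext_fits_checked(offset, pad8(len), end)) {
            return -1;                  /* data plus padding leaves the area */
        }
        if (type == EXT_END) {
            return n;
        }
        n++;
        offset += pad8(len);
    }
    return n;
}

/* Constructed sample: one backing-format extension ("qcow2", 5 bytes padded
 * to 8) followed by the end marker. out must hold 24 bytes. */
size_t build_sample(uint8_t *out)
{
    memset(out, 0, 24);                 /* zero padding and zero end marker */
    put_be32(out, EXT_BACKING_FMT);
    put_be32(out + 4, 5);
    memcpy(out + 8, "qcow2", 5);
    return 24;
}

int main(void)
{
    uint8_t img[24];
    size_t n = build_sample(img);

    printf("full area:      %d\n", count_extensions(img, 0, n));
    printf("truncated area: %d\n", count_extensions(img, 0, 12));
    printf("weak check past end:     %d\n", ext_fits_weak(104, 0xFFFFFFF0u, 100));
    printf("hardened check past end: %d\n", ext_fits_checked(104, 0xFFFFFFF0u, 100));
    return 0;
}
```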


  Commit: 5f0681e1c3f47c680ca31fea4c7627648aedabdf
      
https://github.com/qemu/qemu/commit/5f0681e1c3f47c680ca31fea4c7627648aedabdf
  Author: Kevin Wolf <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block.c
    A tests/qemu-iotests/114
    A tests/qemu-iotests/114.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  block: Don't probe for unknown backing file format

If a qcow2 image specifies a backing file format that doesn't correspond
to any format driver that qemu knows, we shouldn't fall back to probing,
but simply error out.

Not looking up the backing file driver in bdrv_open_backing_file(), but
just filling in the "driver" option if it isn't there moves us closer to
the goal of having everything in QDict options and gets us the error
handling of bdrv_open(), which correctly refuses unknown drivers.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit c5f6e493bb5339d244eae5d3f21c5b6d73996739)

Conflicts:
        tests/qemu-iotests/group

*removed context from upstream iotest groups

Signed-off-by: Michael Roth <address@hidden>


  Commit: 6a47ae2d411e79ab06bd4da233b480282f95f498
      
https://github.com/qemu/qemu/commit/6a47ae2d411e79ab06bd4da233b480282f95f498
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M pc-bios/linuxboot.bin
    M pc-bios/optionrom/linuxboot.S
    M pc-bios/optionrom/optionrom.h

  Log Message:
  -----------
  linuxboot: compute initrd loading address

Even though hw/i386/pc.c tries to compute a valid loading address for the
initrd, close to the top of RAM, this does not take into account other
data that is malloced into that memory by SeaBIOS.

Luckily we can easily look at the memory map to find out how much memory is
used up there.  This patch places the initrd in the first four gigabytes,
below the first hole (as returned by INT 15h, AX=e801h).

Without this patch:
[    0.000000] init_memory_mapping: [mem 0x07000000-0x07fdffff]
[    0.000000] RAMDISK: [mem 0x0710a000-0x07fd7fff]

With this patch:
[    0.000000] init_memory_mapping: [mem 0x07000000-0x07fdffff]
[    0.000000] RAMDISK: [mem 0x07112000-0x07fdffff]

So linuxboot is able to use the 64k that were added as padding for
QEMU <= 2.1.

Acked-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit cdebec5e40bd0af82da0659f37af85ee2aa2c9d1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b466e1731be837483c7bbcf1770bbcf707477a77
      
https://github.com/qemu/qemu/commit/b466e1731be837483c7bbcf1770bbcf707477a77
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M pc-bios/linuxboot.bin
    M pc-bios/optionrom/linuxboot.S

  Log Message:
  -----------
  linuxboot: fix loading old kernels

Old kernels that used high memory only allowed the initrd to be in the
first 896MB of memory.  If you load the initrd above, they complain
that "initrd extends beyond end of memory".

In order to fix this, while not breaking machines with small amounts
of memory fixed by cdebec5 (linuxboot: compute initrd loading address,
2014-10-06), we need to distinguish two cases.  If pc.c placed the
initrd at end of memory, use the new algorithm based on the e801
memory map.  If instead pc.c placed the initrd at the maximum address
specified by the bzImage, leave it there.

The only interesting part is that the low-memory info block is now
loaded very early, in real mode, and thus the 32-bit address has
to be converted into a real mode segment.  The initrd address is
also patched in the info block before entering real mode, it is
simpler that way.

This fixes booting the RHEL4.8 32-bit installation image with 1GB
of RAM.

Cc: address@hidden
Cc: address@hidden
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 269e2358492b674c50160553d037702e916b9f1b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 73c1527f96193ce9f7c7485999cdf96eea885c2c
      
https://github.com/qemu/qemu/commit/73c1527f96193ce9f7c7485999cdf96eea885c2c
  Author: Peter Maydell <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M audio/audio_template.h

  Log Message:
  -----------
  audio: Don't free hw resources until after hw backend is stopped

When stopping an audio voice, call the audio backend's fini
method before calling audio_pcm_hw_free_resources_ rather than
afterwards. This allows backends which use helper threads (like
pulseaudio) to terminate those threads before the conv_buf or
mix_buf are freed and avoids race conditions where the helper
may access a NULL pointer or freed memory.

Cc: address@hidden
Reviewed-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
(cherry picked from commit b28fb27b5edf77f6fd0ac550a156fb20f2218db3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6e64c4e6f1653dbb154a740ad12bc99f6ca050ce
      
https://github.com/qemu/qemu/commit/6e64c4e6f1653dbb154a740ad12bc99f6ca050ce
  Author: Max Filippov <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M target-xtensa/translate.c

  Log Message:
  -----------
  target-xtensa: fix translation for opcodes crossing page boundary

If TB ends with an opcode that crosses page boundary and the following
page is not executable then EPC1 for the code fetch exception wrongly
points at the beginning of the TB. Always treat instruction that crosses
page boundary as a separate TB.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 01673a3401614b4199c9946ad47b97bedfc7a7c2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 39639d81e3bd65857d080430da5fd66268a75ad2
      
https://github.com/qemu/qemu/commit/39639d81e3bd65857d080430da5fd66268a75ad2
  Author: Max Filippov <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M tests/tcg/xtensa/test_mmu.S

  Log Message:
  -----------
  target-xtensa: test cross-page opcode

Alter cross-page TB test to also test cross-page opcode.

Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 85d36377e4ff8b98119420099d445369bfd6b7bb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 83a66746c09f7737da1c17423bc82457ac29680f
      
https://github.com/qemu/qemu/commit/83a66746c09f7737da1c17423bc82457ac29680f
  Author: Igor Mammedov <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M hw/i386/acpi-build.c

  Log Message:
  -----------
  pc: acpi: mark all possible CPUs as enabled in SRAT

If QEMU is started with -numa ..., Windows only notices that a
CPU has been hot-added but it will not online such CPUs.

This is caused by the fact that possible CPUs are flagged as
not enabled in SRAT, and Windows, honoring that information,
doesn't use the corresponding CPU.

The ACPI 5.0 spec says regarding the flag:
"
Table 5-47 Local APIC Flags
...
Enabled: if zero, this processor is unusable, and the operating system
support will not attempt to use it.
"

Fix QEMU to adhere to spec and mark possible CPUs as enabled
in SRAT.

With that Windows onlines hot-added CPUs as expected.

Signed-off-by: Igor Mammedov <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit dd0247e09a542d2a7ba6e390c70b5616edb9ec56)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff2fff621187080a83f7685183592f152f724a9c
      
https://github.com/qemu/qemu/commit/ff2fff621187080a83f7685183592f152f724a9c
  Author: Vladimir Sementsov-Ogievskiy <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M block-migration.c

  Log Message:
  -----------
  migration/block: fix pending() return value

Because of the wrong return value of .save_live_pending() in
migration/block.c, migration finishes before the whole disk is
transferred. Such a situation occurs when the migration process is fast
enough, for example when source and dest are on the same host.

If in the bulk phase we return something < max_size, we will skip
transferring the tail of the device. Currently we have "set pending to
BLOCK_SIZE if it is zero" for the bulk phase, but there is no guarantee
that it will be < max_size.

The true approach is to return, for example, max_size+1 when we are in the
bulk phase.

Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 04636dc410b163c2243e66c3813dd4900a50a4ed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6df8cd2e275750b5ab2c13c8ed61cb7a223bb972
      
https://github.com/qemu/qemu/commit/6df8cd2e275750b5ab2c13c8ed61cb7a223bb972
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M include/qemu/atomic.h

  Log Message:
  -----------
  atomic: fix position of volatile qualifier

What needs to be volatile is not the pointer, but the pointed-to
value!

Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 2cbcfb281afa041a41f6e4c4da0f5c9314084604)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5b5c7bf8e5c0f1ba2ac15954a9d151f1c2e408ef
      
https://github.com/qemu/qemu/commit/5b5c7bf8e5c0f1ba2ac15954a9d151f1c2e408ef
  Author: David Gibson <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M hw/ppc/spapr_iommu.c

  Log Message:
  -----------
  PPC: Fix crash on spapr_tce_table_finalize()

spapr_tce_table_finalize() can SEGV if the object was not previously
realized.  In particular this can be triggered by running
   qemu-system-ppc -device spapr-tce-table,?

The basic problem is that we have mismatched initialization versus
finalization: spapr_tce_table_finalize() is attempting to undo things that
are done in spapr_tce_table_realize(), not an instance_init function.

Therefore, replace spapr_tce_table_finalize() with
spapr_tce_table_unrealize().

Signed-off-by: David Gibson <address@hidden>
Cc: address@hidden
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit 5f9490de566c5b092a6cfedc3c7a37a9c9dee917)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b316937d3851566c9bb3f885b26d195d8856a6be
      
https://github.com/qemu/qemu/commit/b316937d3851566c9bb3f885b26d195d8856a6be
  Author: Marcel Apfelbaum <address@hidden>
  Date:   2015-01-14 (Wed, 14 Jan 2015)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  vl.c: fix regression when reading machine type from config file

After 'Machine as QOM' series the machine type input triggers
the creation of the machine class.
If the machine type is set in the configuration file, the machine
class is not updated accordingly and remains the default.

Fixed that by querying the machine options after the configuration
file is loaded.

Cc: address@hidden
Reported-by: William Dauchy <address@hidden>
Signed-off-by: Marcel Apfelbaum <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 364c3e6b8dd7912e01d19122d791b8c8f6df4f6c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c2b0926634cda378f634be62c616afbf03ca5890
      
https://github.com/qemu/qemu/commit/c2b0926634cda378f634be62c616afbf03ca5890
  Author: Michael Roth <address@hidden>
  Date:   2015-01-21 (Wed, 21 Jan 2015)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for v2.1.3 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/562d6b4f7f7e...c2b0926634cd
