From: Stefan Hajnoczi <***@redhat.com>

Update -device FOO,help to include QOM properties in addition to qdev
properties. Devices are gradually adding more QOM properties that are
not reflected as qdev properties.

It is important to report all device properties since management tools
like libvirt use this information (and device-list-properties QMP) to
detect the presence of QEMU features.

This patch reuses the device-list-properties QMP machinery to avoid code
duplication.

Reported-by: Cole Robinson <***@redhat.com>
Signed-off-by: Stefan Hajnoczi <***@redhat.com>
Reviewed-by: Eric Blake <***@redhat.com>
Tested-by: Cole Robinson <***@redhat.com>
(cherry picked from commit ef523587da4f213ca17133a90402d0815ecf08ee)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
qdev-monitor.c | 40 +++++++++++++++++-----------------------
1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/qdev-monitor.c b/qdev-monitor.c
index f87f3d8..5fe5e75 100644
--- a/qdev-monitor.c
+++ b/qdev-monitor.c
@@ -182,9 +182,10 @@ static const char *find_typename_by_alias(const char *alias)

int qdev_device_help(QemuOpts *opts)
{
+ Error *local_err = NULL;
const char *driver;
- Property *prop;
- ObjectClass *klass;
+ DevicePropertyInfoList *prop_list;
+ DevicePropertyInfoList *prop;

driver = qemu_opt_get(opts, "driver");
if (driver && is_help_option(driver)) {
@@ -196,35 +197,28 @@ int qdev_device_help(QemuOpts *opts)
return 0;
}

- klass = object_class_by_name(driver);
- if (!klass) {
+ if (!object_class_by_name(driver)) {
const char *typename = find_typename_by_alias(driver);

if (typename) {
driver = typename;
- klass = object_class_by_name(driver);
}
}

- if (!object_class_dynamic_cast(klass, TYPE_DEVICE)) {
- return 0;
+ prop_list = qmp_device_list_properties(driver, &local_err);
+ if (!prop_list) {
+ error_printf("%s\n", error_get_pretty(local_err));
+ error_free(local_err);
+ return 1;
}
- do {
- for (prop = DEVICE_CLASS(klass)->props; prop && prop->name; prop++) {
- /*
- * TODO Properties without a parser are just for dirty hacks.
- * qdev_prop_ptr is the only such PropertyInfo. It's marked
- * for removal. This conditional should be removed along with
- * it.
- */
- if (!prop->info->set) {
- continue; /* no way to set it, don't show */
- }
- error_printf("%s.%s=%s\n", driver, prop->name,
- prop->info->legacy_name ?: prop->info->name);
- }
- klass = object_class_get_parent(klass);
- } while (klass != object_class_by_name(TYPE_DEVICE));
+
+ for (prop = prop_list; prop; prop = prop->next) {
+ error_printf("%s.%s=%s\n", driver,
+ prop->value->name,
+ prop->value->type);
+ }
+
+ qapi_free_DevicePropertyInfoList(prop_list);
return 1;
}

From: Hu Tao <***@cn.fujitsu.com>

Cc: qemu-***@nongnu.org
Signed-off-by: Hu Tao <***@cn.fujitsu.com>
Reviewed-by: Michael S. Tsirkin <***@redhat.com>
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
(cherry picked from commit 41d2f71376fe401a1fdb7deda023769207511790)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/i386/acpi-dsdt.dsl | 4 ++--
hw/i386/acpi-dsdt.hex.generated | 8 ++++----
hw/i386/q35-acpi-dsdt.dsl | 4 ++--
hw/i386/ssdt-mem.dsl | 16 ++++++++--------
hw/i386/ssdt-misc.dsl | 2 +-
include/hw/acpi/pc-hotplug.h | 2 +-
6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/hw/i386/acpi-dsdt.dsl b/hw/i386/acpi-dsdt.dsl
index 6ba0170..559f4b6 100644
--- a/hw/i386/acpi-dsdt.dsl
+++ b/hw/i386/acpi-dsdt.dsl
@@ -302,7 +302,7 @@ DefinitionBlock (
/****************************************************************
* General purpose events
****************************************************************/
- External(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD, MethodObj)
+ External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD, MethodObj)

Scope(\_GPE) {
Name(_HID, "ACPI0006")
@@ -321,7 +321,7 @@ DefinitionBlock (
}
Method(_E03) {
// Memory hotplug event
- \_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD()
+ \_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD()
}
Method(_L04) {
}
diff --git a/hw/i386/acpi-dsdt.hex.generated b/hw/i386/acpi-dsdt.hex.generated
index 6c8a1fc..a21bf41 100644
--- a/hw/i386/acpi-dsdt.hex.generated
+++ b/hw/i386/acpi-dsdt.hex.generated
@@ -8,7 +8,7 @@ static unsigned char AcpiDsdtAmlCode[] = {
0x0,
0x0,
0x1,
-0x2e,
+0x1f,
0x42,
0x58,
0x50,
@@ -31,9 +31,9 @@ static unsigned char AcpiDsdtAmlCode[] = {
0x4e,
0x54,
0x4c,
-0x13,
-0x9,
-0x12,
+0x28,
+0x5,
+0x10,
0x20,
0x10,
0x49,
diff --git a/hw/i386/q35-acpi-dsdt.dsl b/hw/i386/q35-acpi-dsdt.dsl
index 8c3eae7..054b035 100644
--- a/hw/i386/q35-acpi-dsdt.dsl
+++ b/hw/i386/q35-acpi-dsdt.dsl
@@ -410,7 +410,7 @@ DefinitionBlock (
/****************************************************************
* General purpose events
****************************************************************/
- External(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD, MethodObj)
+ External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD, MethodObj)

Scope(\_GPE) {
Name(_HID, "ACPI0006")
@@ -425,7 +425,7 @@ DefinitionBlock (
}
Method(_E03) {
// Memory hotplug event
- \_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD()
+ \_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_SCAN_METHOD()
}
Method(_L04) {
}
diff --git a/hw/i386/ssdt-mem.dsl b/hw/i386/ssdt-mem.dsl
index 8e17bd1..22ff5dd 100644
--- a/hw/i386/ssdt-mem.dsl
+++ b/hw/i386/ssdt-mem.dsl
@@ -39,10 +39,10 @@ ACPI_EXTRACT_ALL_CODE ssdm_mem_aml
DefinitionBlock ("ssdt-mem.aml", "SSDT", 0x02, "BXPC", "CSSDT", 0x1)
{

- External(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_CRS_METHOD, MethodObj)
- External(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_STATUS_METHOD, MethodObj)
- External(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_OST_METHOD, MethodObj)
- External(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_PROXIMITY_METHOD, MethodObj)
+ External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_CRS_METHOD, MethodObj)
+ External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_STATUS_METHOD, MethodObj)
+ External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_OST_METHOD, MethodObj)
+ External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_PROXIMITY_METHOD, MethodObj)

Scope(\_SB) {
/* v------------------ DO NOT EDIT ------------------v */
@@ -58,19 +58,19 @@ DefinitionBlock ("ssdt-mem.aml", "SSDT", 0x02, "BXPC", "CSSDT", 0x1)
Name(_HID, EISAID("PNP0C80"))

Method(_CRS, 0) {
- Return(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_CRS_METHOD(_UID))
+ Return(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_CRS_METHOD(_UID))
}

Method(_STA, 0) {
- Return(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_STATUS_METHOD(_UID))
+ Return(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_STATUS_METHOD(_UID))
}

Method(_PXM, 0) {
- Return(\_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_PROXIMITY_METHOD(_UID))
+ Return(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_PROXIMITY_METHOD(_UID))
}

Method(_OST, 3) {
- \_SB.PCI0.MEMORY_HOPTLUG_DEVICE.MEMORY_SLOT_OST_METHOD(_UID, Arg0, Arg1, Arg2)
+ \_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_OST_METHOD(_UID, Arg0, Arg1, Arg2)
}
}
}
diff --git a/hw/i386/ssdt-misc.dsl b/hw/i386/ssdt-misc.dsl
index d329b8b..0fd4480 100644
--- a/hw/i386/ssdt-misc.dsl
+++ b/hw/i386/ssdt-misc.dsl
@@ -120,7 +120,7 @@ DefinitionBlock ("ssdt-misc.aml", "SSDT", 0x01, "BXPC", "BXSSDTSUSP", 0x1)

External(MEMORY_SLOT_NOTIFY_METHOD, MethodObj)
Scope(\_SB.PCI0) {
- Device(MEMORY_HOPTLUG_DEVICE) {
+ Device(MEMORY_HOTPLUG_DEVICE) {
Name(_HID, "PNP0A06")
Name(_UID, "Memory hotplug resources")

diff --git a/include/hw/acpi/pc-hotplug.h b/include/hw/acpi/pc-hotplug.h
index bf5157d..b9db295 100644
--- a/include/hw/acpi/pc-hotplug.h
+++ b/include/hw/acpi/pc-hotplug.h
@@ -32,7 +32,7 @@
#define ACPI_MEMORY_HOTPLUG_IO_LEN 24
#define ACPI_MEMORY_HOTPLUG_BASE 0x0a00

-#define MEMORY_HOPTLUG_DEVICE MHPD
+#define MEMORY_HOTPLUG_DEVICE MHPD
#define MEMORY_SLOTS_NUMBER MDNR
#define MEMORY_HOTPLUG_IO_REGION HPMR
#define MEMORY_SLOT_ADDR_LOW MRBL

From: Hu Tao <***@cn.fujitsu.com>

If user specifies a node number that exceeds the available numa nodes in
emulated system for pc-dimm device, the device will report an invalid _PXM
to OSPM. Fix this by checking the node property value.

Cc: qemu-***@nongnu.org
Signed-off-by: Hu Tao <***@cn.fujitsu.com>
Reviewed-by: Michael S. Tsirkin <***@redhat.com>
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
(cherry picked from commit cfe0ffd0272f1a6d34d27ac1a7072d1c42d33ad3)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/mem/pc-dimm.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
index 08f49ed..92e276f 100644
--- a/hw/mem/pc-dimm.c
+++ b/hw/mem/pc-dimm.c
@@ -252,6 +252,11 @@ static void pc_dimm_realize(DeviceState *dev, Error **errp)
error_setg(errp, "'" PC_DIMM_MEMDEV_PROP "' property is not set");
return;
}
+ if (dimm->node >= nb_numa_nodes) {
+ error_setg(errp, "'" PC_DIMM_NODE_PROP
+ "' exceeds numa node number: %" PRId32, nb_numa_nodes);
+ return;
+ }
}

static MemoryRegion *pc_dimm_get_memory_region(PCDIMMDevice *dimm)

From: Alex Williamson <***@redhat.com>

When new MSI-X vectors are enabled we need to disable MSI-X and
re-enable it with the correct number of vectors. That means we need
to reprogram the eventfd triggers for each vector. Prior to f4d45d47
vector->use tracked whether a vector was masked or unmasked and we
could always pick the KVM path when available for unmasked vectors.
Now vfio doesn't track mask state itself and vector->use and virq
remains configured even for masked vectors. Therefore we need to ask
the MSI-X code whether a vector is masked in order to select the
correct signaling path. As noted in the comment, MSI relies on
hardware to handle masking.

Signed-off-by: Alex Williamson <***@redhat.com>
Cc: qemu-***@nongnu.org # QEMU 2.1
(cherry picked from commit c048be5cc92ae201c339d46984476c4629275ed6)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/misc/vfio.c | 38 +++++++++++++++++++++++++++++---------
1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 0b9eba0..e88b610 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -120,11 +120,20 @@ typedef struct VFIOINTx {
} VFIOINTx;

typedef struct VFIOMSIVector {
- EventNotifier interrupt; /* eventfd triggered on interrupt */
- EventNotifier kvm_interrupt; /* eventfd triggered for KVM irqfd bypass */
+ /*
+ * Two interrupt paths are configured per vector. The first, is only used
+ * for interrupts injected via QEMU. This is typically the non-accel path,
+ * but may also be used when we want QEMU to handle masking and pending
+ * bits. The KVM path bypasses QEMU and is therefore higher performance,
+ * but requires masking at the device. virq is used to track the MSI route
+ * through KVM, thus kvm_interrupt is only available when virq is set to a
+ * valid (>= 0) value.
+ */
+ EventNotifier interrupt;
+ EventNotifier kvm_interrupt;
struct VFIODevice *vdev; /* back pointer to device */
MSIMessage msg; /* cache the MSI message so we know when it changes */
- int virq; /* KVM irqchip route for QEMU bypass */
+ int virq;
bool use;
} VFIOMSIVector;

@@ -681,13 +690,24 @@ static int vfio_enable_vectors(VFIODevice *vdev, bool msix)
fds = (int32_t *)&irq_set->data;

for (i = 0; i < vdev->nr_vectors; i++) {
- if (!vdev->msi_vectors[i].use) {
- fds[i] = -1;
- } else if (vdev->msi_vectors[i].virq >= 0) {
- fds[i] = event_notifier_get_fd(&vdev->msi_vectors[i].kvm_interrupt);
- } else {
- fds[i] = event_notifier_get_fd(&vdev->msi_vectors[i].interrupt);
+ int fd = -1;
+
+ /*
+ * MSI vs MSI-X - The guest has direct access to MSI mask and pending
+ * bits, therefore we always use the KVM signaling path when setup.
+ * MSI-X mask and pending bits are emulated, so we want to use the
+ * KVM signaling path only when configured and unmasked.
+ */
+ if (vdev->msi_vectors[i].use) {
+ if (vdev->msi_vectors[i].virq < 0 ||
+ (msix && msix_is_masked(&vdev->pdev, i))) {
+ fd = event_notifier_get_fd(&vdev->msi_vectors[i].interrupt);
+ } else {
+ fd = event_notifier_get_fd(&vdev->msi_vectors[i].kvm_interrupt);
+ }
}
+
+ fds[i] = fd;
}

ret = ioctl(vdev->fd, VFIO_DEVICE_SET_IRQS, irq_set);

From: Jan Kiszka <***@siemens.com>

The spec says (and real HW confirms this) that, if the bus master bit
is 0, the device will not generate any PCI accesses. MSI and MSI-X
messages fall among these, so we should use the corresponding address
space to deliver them. This will prevent delivery if bus master support
is disabled.

Cc: qemu-***@nongnu.org
Signed-off-by: Jan Kiszka <***@siemens.com>
Reviewed-by: Michael S. Tsirkin <***@redhat.com>
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
(cherry picked from commit cc943c36faa192cd4b32af8fe5edb31894017d35)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/pci/msi.c | 2 +-
hw/pci/msix.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/pci/msi.c b/hw/pci/msi.c
index a4a3040..52d2313 100644
--- a/hw/pci/msi.c
+++ b/hw/pci/msi.c
@@ -291,7 +291,7 @@ void msi_notify(PCIDevice *dev, unsigned int vector)
"notify vector 0x%x"
" address: 0x%"PRIx64" data: 0x%"PRIx32"\n",
vector, msg.address, msg.data);
- stl_le_phys(&address_space_memory, msg.address, msg.data);
+ stl_le_phys(&dev->bus_master_as, msg.address, msg.data);
}

/* Normally called by pci_default_write_config(). */
diff --git a/hw/pci/msix.c b/hw/pci/msix.c
index 5c49bfc..20ae476 100644
--- a/hw/pci/msix.c
+++ b/hw/pci/msix.c
@@ -439,7 +439,7 @@ void msix_notify(PCIDevice *dev, unsigned vector)

msg = msix_get_message(dev, vector);

- stl_le_phys(&address_space_memory, msg.address, msg.data);
+ stl_le_phys(&dev->bus_master_as, msg.address, msg.data);
}

void msix_reset(PCIDevice *dev)

From: Michael Tokarev <***@tls.msk.ru>

Commit 58ac321135a introduced a check to ide dma processing which
constrains all requests to drive size. However, apparently, some
valid requests (like TRIM) does not fit in this constraint, and
fails in 2.1. So check the range only for reads and writes.

Cc: qemu-***@nongnu.org
Signed-off-by: Michael Tokarev <***@tls.msk.ru>
Signed-off-by: Markus Armbruster <***@redhat.com>
Signed-off-by: Stefan Hajnoczi <***@redhat.com>
(cherry picked from commit d66168ed687325aa6d338ce3a3cff18ce3098ed6)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/ide/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index db191a6..7256592 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -688,7 +688,8 @@ void ide_dma_cb(void *opaque, int ret)
sector_num, n, s->dma_cmd);
#endif

- if (!ide_sect_range_ok(s, sector_num, n)) {
+ if ((s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) &&
+ !ide_sect_range_ok(s, sector_num, n)) {
dma_buf_commit(s);
ide_dma_error(s);
return;

From: zhanghailiang <***@huawei.com>

In function virtio_blk_handle_request, it may freed memory pointed by req,
So do not access member of req after calling this function.

Cc: qemu-***@nongnu.org
Reviewed-by: Michael S. Tsirkin <***@redhat.com>
Reviewed-by: Stefan Hajnoczi <***@redhat.com>
Signed-off-by: zhanghailiang <***@huawei.com>
Signed-off-by: Kevin Wolf <***@redhat.com>
(cherry picked from commit 1bdb176ac5add5dc9d54a230da7511b66851f1e7)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/block/virtio-blk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index c241c50..0e3925b 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -469,8 +469,9 @@ static void virtio_blk_dma_restart_bh(void *opaque)
s->rq = NULL;

while (req) {
+ VirtIOBlockReq *next = req->next;
virtio_blk_handle_request(req, &mrb);
- req = req->next;
+ req = next;
}

virtio_submit_multiwrite(s->bs, &mrb);

From: Michael Tokarev <***@tls.msk.ru>

Some non-linux systems, for example a system with
FreeBSD kernel and glibc, may declare struct mmsghdr
(in glibc) but may not have linux-specific header
file linux/ip.h. The actual implementation in qemu
includes this linux-specific header file unconditionally,
so compilation fails if it is not present. Include
this header in the configure test too.

Signed-off-by: Michael Tokarev <***@tls.msk.ru>
(cherry picked from commit bff6cb72961f1bd2c766efe85ff5850fd8d7e77d)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
configure | 1 +
1 file changed, 1 insertion(+)

diff --git a/configure b/configure
index f7685b5..f49e618 100755
--- a/configure
+++ b/configure
@@ -1723,6 +1723,7 @@ fi

cat > $TMPC <<EOF
#include <sys/socket.h>
+#include <linux/ip.h>
int main(void) { return sizeof(struct mmsghdr); }
EOF
if compile_prog "" "" ; then

From: Peter Maydell <***@linaro.org>

When we take an exception resulting from a BRK instruction,
the architecture requires that the "preferred return address"
reported to the exception handler is the address of the BRK
itself, not the following instruction (like undefined
insns, and in contrast with SVC, HVC and SMC). Follow this,
rather than incorrectly reporting the address of the following
insn.

(We do get this correct for the A32/T32 BKPT insns.)

Signed-off-by: Peter Maydell <***@linaro.org>
Cc: qemu-***@nongnu.org
(cherry picked from commit 229a138d740142885dd4e7063e25147d7f71fdef)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
target-arm/translate-a64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
index 33b5025..fc319d5 100644
--- a/target-arm/translate-a64.c
+++ b/target-arm/translate-a64.c
@@ -1454,7 +1454,7 @@ static void disas_exc(DisasContext *s, uint32_t insn)
break;
}
/* BRK */
- gen_exception_insn(s, 0, EXCP_BKPT, syn_aa64_bkpt(imm16));
+ gen_exception_insn(s, 4, EXCP_BKPT, syn_aa64_bkpt(imm16));
break;
case 2:
if (op2_ll != 0) {

From: Peter Lieven <***@kamp.de>

bs->total_sectors is not yet updated at this point. resulting
in memory corruption if the volume has grown and data is written
to the newly availble areas.

CC: qemu-***@nongnu.org
Signed-off-by: Peter Lieven <***@kamp.de>
Signed-off-by: Kevin Wolf <***@redhat.com>
(cherry picked from commit d832fb4d66ead62da4af7e44cce34cd939e865e1)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
block/iscsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index a7bb697..ed883c3 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -1509,7 +1509,8 @@ static int iscsi_truncate(BlockDriverState *bs, int64_t offset)
if (iscsilun->allocationmap != NULL) {
g_free(iscsilun->allocationmap);
iscsilun->allocationmap =
- bitmap_new(DIV_ROUND_UP(bs->total_sectors,
+ bitmap_new(DIV_ROUND_UP(sector_lun2qemu(iscsilun->num_blocks,
+ iscsilun),
iscsilun->cluster_sectors));
}

From: Stefan Hajnoczi <***@redhat.com>

The "hotplugged" device property was not reported before commit
f4eb32b590bf58c1c67570775eb78beb09964fad ("qmp: show QOM properties in
device-list-properties"). Fix this difference.

Signed-off-by: Stefan Hajnoczi <***@redhat.com>
Reviewed-by: Eric Blake <***@redhat.com>
(cherry picked from commit 4115dd6527fbdf49dbd1eba24ad68e0fae1e305a)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
qmp.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/qmp.c b/qmp.c
index 0d2553a..c6767c4 100644
--- a/qmp.c
+++ b/qmp.c
@@ -509,6 +509,7 @@ DevicePropertyInfoList *qmp_device_list_properties(const char *typename,
if (strcmp(prop->name, "type") == 0 ||
strcmp(prop->name, "realized") == 0 ||
strcmp(prop->name, "hotpluggable") == 0 ||
+ strcmp(prop->name, "hotplugged") == 0 ||
strcmp(prop->name, "parent_bus") == 0) {
continue;
}

From: Hu Tao <***@cn.fujitsu.com>

The error messages before and after patch are:

before:
qemu-system-x86_64: total memory for NUMA nodes (134217728) should equal RAM size (20000000)

after:
qemu-system-x86_64: total memory for NUMA nodes (0x8000000) should equal RAM size (0x20000000)

Cc: qemu-***@nongnu.org
Signed-off-by: Hu Tao <***@cn.fujitsu.com>
Reviewed-by: Michael S. Tsirkin <***@redhat.com>
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
(cherry picked from commit c68233aee8ef47861b65f0d079c5b0b3816447e5)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
numa.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/numa.c b/numa.c
index 7bf7834..c78cec9 100644
--- a/numa.c
+++ b/numa.c
@@ -210,8 +210,8 @@ void set_numa_nodes(void)
numa_total += numa_info[i].node_mem;
}
if (numa_total != ram_size) {
- error_report("total memory for NUMA nodes (%" PRIu64 ")"
- " should equal RAM size (" RAM_ADDR_FMT ")",
+ error_report("total memory for NUMA nodes (0x%" PRIx64 ")"
+ " should equal RAM size (0x" RAM_ADDR_FMT ")",
numa_total, ram_size);
exit(1);
}

From: "Michael S. Tsirkin" <***@redhat.com>

RSDP should be aligned at a 16-byte boundary.
This would by chance at the moment, fix up acpi build
to make it robust.

Cc: qemu-***@nongnu.org
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
Reviewed-by: Laszlo Ersek <***@redhat.com>
(cherry picked from commit d67aadccfa0bd3330a7b8e7e0a1726117ba75cf1)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/i386/acpi-build.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 816c6d9..10b84d0 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1393,7 +1393,7 @@ build_rsdp(GArray *rsdp_table, GArray *linker, unsigned rsdt)
{
AcpiRsdpDescriptor *rsdp = acpi_data_push(rsdp_table, sizeof *rsdp);

- bios_linker_loader_alloc(linker, ACPI_BUILD_RSDP_FILE, 1,
+ bios_linker_loader_alloc(linker, ACPI_BUILD_RSDP_FILE, 16,
true /* fseg memory */);

memcpy(&rsdp->signature, "RSD PTR ", 8);

From: Stefan Hajnoczi <***@redhat.com>

The following O_DIRECT read from a <512 byte file fails:

$ truncate -s 320 test.img
$ qemu-io -n -c 'read -P 0 0 512' test.img
qemu-io: can't open device test.img: Could not read image for determining its format: Invalid argument

Note that qemu-io completes successfully without the -n (O_DIRECT)
option.

This patch fixes qemu-iotests ./check -nocache -vmdk 059.

Cc: qemu-***@nongnu.org
Suggested-by: Kevin Wolf <***@redhat.com>
Reported-by: Markus Armbruster <***@redhat.com>
Signed-off-by: Stefan Hajnoczi <***@redhat.com>
Signed-off-by: Kevin Wolf <***@redhat.com>
(cherry picked from commit 61ed73cff427206b3a959b18a4877952f566279b)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
block/raw-posix.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/block/raw-posix.c b/block/raw-posix.c
index 8e9758e..87fc170 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -747,6 +747,15 @@ static ssize_t handle_aiocb_rw_linear(RawPosixAIOData *aiocb, char *buf)
}
if (len == -1 && errno == EINTR) {
continue;
+ } else if (len == -1 && errno == EINVAL &&
+ (aiocb->bs->open_flags & BDRV_O_NOCACHE) &&
+ !(aiocb->aio_type & QEMU_AIO_WRITE) &&
+ offset > 0) {
+ /* O_DIRECT pread() may fail with EINVAL when offset is unaligned
+ * after a short read. Assume that O_DIRECT short reads only occur
+ * at EOF. Therefore this is a short read, not an I/O error.
+ */
+ break;
} else if (len == -1) {
offset = -errno;
break;

From: "Michael S. Tsirkin" <***@redhat.com>

When memory is allocated on a wrong node, MPOL_MF_STRICT
doesn't move it - it just fails the allocation.
A simple way to reproduce the failure is with mlock=on
realtime feature.

The code comment actually says: "ensure policy won't be ignored"
so setting MPOL_MF_MOVE seems like a better way to do this.

Cc: qemu-***@nongnu.org
Signed-off-by: Michael S. Tsirkin <***@redhat.com>

(cherry picked from commit 288d3322022d6ad646407f3ca6f1a6a746565b9a)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
backends/hostmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backends/hostmem.c b/backends/hostmem.c
index ca10c51..a9905c0 100644
--- a/backends/hostmem.c
+++ b/backends/hostmem.c
@@ -304,7 +304,7 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
/* ensure policy won't be ignored in case memory is preallocated
* before mbind(). note: MPOL_MF_STRICT is ignored on hugepages so
* this doesn't catch hugepage case. */
- unsigned flags = MPOL_MF_STRICT;
+ unsigned flags = MPOL_MF_STRICT | MPOL_MF_MOVE;

/* check for invalid host-nodes and policies and give more verbose
* error messages than mbind(). */

From: "Michael S. Tsirkin" <***@redhat.com>

- int should be printed using %d
- print actual wrong value for property

Cc: qemu-***@nongnu.org
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
(cherry picked from commit 988eba0f681bd4f82e9e02998da8106f165ed82c)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/mem/pc-dimm.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
index 92e276f..5bfc5b7 100644
--- a/hw/mem/pc-dimm.c
+++ b/hw/mem/pc-dimm.c
@@ -253,8 +253,9 @@ static void pc_dimm_realize(DeviceState *dev, Error **errp)
return;
}
if (dimm->node >= nb_numa_nodes) {
- error_setg(errp, "'" PC_DIMM_NODE_PROP
- "' exceeds numa node number: %" PRId32, nb_numa_nodes);
+ error_setg(errp, "'DIMM property " PC_DIMM_NODE_PROP " has value %"
+ PRIu32 "' which exceeds the number of numa nodes: %d",
+ dimm->node, nb_numa_nodes);
return;
}
}

From: Christoffer Dall <***@linaro.org>

The current code supplies the PSCI v0.1 function IDs in the DT even when
KVM uses PSCI v0.2.

This will break guest kernels that only support PSCI v0.1 as they will
use the IDs provided in the DT. Guest kernels with PSCI v0.2 support
are not affected by this patch, because they ignore the function IDs in
the device tree and rely on the architecture definition.

Define QEMU versions of the constants and check that they correspond to
the Linux defines on Linux build hosts. After this patch, both guest
kernels with PSCI v0.1 support and guest kernels with PSCI v0.2 should
work.

Tested on TC2 for 32-bit and APM Mustang for 64-bit (aarch64 guest
only). Both cases tested with 3.14 and linus/master and verified I
could bring up 2 cpus with both guest kernels. Also tested 32-bit with
a 3.14 host kernel with only PSCI v0.1 and both guests booted here as
well.

Cc: qemu-***@nongnu.org
Signed-off-by: Christoffer Dall <***@linaro.org>
Signed-off-by: Peter Maydell <***@linaro.org>
(cherry picked from commit 863714ba6cdc09d1a84069815dc67c8da66b0a29)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/arm/virt.c | 31 ++++++++++++++++++++++++++-----
target-arm/kvm-consts.h | 27 +++++++++++++++++++++++++++
2 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index a6fd5e6..c8fdac4 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -194,20 +194,41 @@ static void fdt_add_psci_node(const VirtBoardInfo *vbi)

/* No PSCI for TCG yet */
if (kvm_enabled()) {
+ uint32_t cpu_suspend_fn;
+ uint32_t cpu_off_fn;
+ uint32_t cpu_on_fn;
+ uint32_t migrate_fn;
+
qemu_fdt_add_subnode(fdt, "/psci");
if (armcpu->psci_version == 2) {
const char comp[] = "arm,psci-0.2\0arm,psci";
qemu_fdt_setprop(fdt, "/psci", "compatible", comp, sizeof(comp));
+
+ cpu_off_fn = QEMU_PSCI_0_2_FN_CPU_OFF;
+ if (arm_feature(&armcpu->env, ARM_FEATURE_AARCH64)) {
+ cpu_suspend_fn = QEMU_PSCI_0_2_FN64_CPU_SUSPEND;
+ cpu_on_fn = QEMU_PSCI_0_2_FN64_CPU_ON;
+ migrate_fn = QEMU_PSCI_0_2_FN64_MIGRATE;
+ } else {
+ cpu_suspend_fn = QEMU_PSCI_0_2_FN_CPU_SUSPEND;
+ cpu_on_fn = QEMU_PSCI_0_2_FN_CPU_ON;
+ migrate_fn = QEMU_PSCI_0_2_FN_MIGRATE;
+ }
} else {
qemu_fdt_setprop_string(fdt, "/psci", "compatible", "arm,psci");
+
+ cpu_suspend_fn = QEMU_PSCI_0_1_FN_CPU_SUSPEND;
+ cpu_off_fn = QEMU_PSCI_0_1_FN_CPU_OFF;
+ cpu_on_fn = QEMU_PSCI_0_1_FN_CPU_ON;
+ migrate_fn = QEMU_PSCI_0_1_FN_MIGRATE;
}

qemu_fdt_setprop_string(fdt, "/psci", "method", "hvc");
- qemu_fdt_setprop_cell(fdt, "/psci", "cpu_suspend",
- QEMU_PSCI_0_1_FN_CPU_SUSPEND);
- qemu_fdt_setprop_cell(fdt, "/psci", "cpu_off", QEMU_PSCI_0_1_FN_CPU_OFF);
- qemu_fdt_setprop_cell(fdt, "/psci", "cpu_on", QEMU_PSCI_0_1_FN_CPU_ON);
- qemu_fdt_setprop_cell(fdt, "/psci", "migrate", QEMU_PSCI_0_1_FN_MIGRATE);
+
+ qemu_fdt_setprop_cell(fdt, "/psci", "cpu_suspend", cpu_suspend_fn);
+ qemu_fdt_setprop_cell(fdt, "/psci", "cpu_off", cpu_off_fn);
+ qemu_fdt_setprop_cell(fdt, "/psci", "cpu_on", cpu_on_fn);
+ qemu_fdt_setprop_cell(fdt, "/psci", "migrate", migrate_fn);
}
}

diff --git a/target-arm/kvm-consts.h b/target-arm/kvm-consts.h
index bcad7ba..091c126 100644
--- a/target-arm/kvm-consts.h
+++ b/target-arm/kvm-consts.h
@@ -17,6 +17,7 @@
#ifdef CONFIG_KVM
#include "qemu/compiler.h"
#include <linux/kvm.h>
+#include <linux/psci.h>

#define MISMATCH_CHECK(X, Y) QEMU_BUILD_BUG_ON(X != Y)

@@ -50,6 +51,32 @@ MISMATCH_CHECK(QEMU_PSCI_0_1_FN_CPU_OFF, KVM_PSCI_FN_CPU_OFF)
MISMATCH_CHECK(QEMU_PSCI_0_1_FN_CPU_ON, KVM_PSCI_FN_CPU_ON)
MISMATCH_CHECK(QEMU_PSCI_0_1_FN_MIGRATE, KVM_PSCI_FN_MIGRATE)

+#define QEMU_PSCI_0_2_FN_BASE 0x84000000
+#define QEMU_PSCI_0_2_FN(n) (QEMU_PSCI_0_2_FN_BASE + (n))
+
+#define QEMU_PSCI_0_2_64BIT 0x40000000
+#define QEMU_PSCI_0_2_FN64_BASE \
+ (QEMU_PSCI_0_2_FN_BASE + QEMU_PSCI_0_2_64BIT)
+#define QEMU_PSCI_0_2_FN64(n) (QEMU_PSCI_0_2_FN64_BASE + (n))
+
+#define QEMU_PSCI_0_2_FN_CPU_SUSPEND QEMU_PSCI_0_2_FN(1)
+#define QEMU_PSCI_0_2_FN_CPU_OFF QEMU_PSCI_0_2_FN(2)
+#define QEMU_PSCI_0_2_FN_CPU_ON QEMU_PSCI_0_2_FN(3)
+#define QEMU_PSCI_0_2_FN_MIGRATE QEMU_PSCI_0_2_FN(5)
+
+#define QEMU_PSCI_0_2_FN64_CPU_SUSPEND QEMU_PSCI_0_2_FN64(1)
+#define QEMU_PSCI_0_2_FN64_CPU_OFF QEMU_PSCI_0_2_FN64(2)
+#define QEMU_PSCI_0_2_FN64_CPU_ON QEMU_PSCI_0_2_FN64(3)
+#define QEMU_PSCI_0_2_FN64_MIGRATE QEMU_PSCI_0_2_FN64(5)
+
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_SUSPEND, PSCI_0_2_FN_CPU_SUSPEND)
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_OFF, PSCI_0_2_FN_CPU_OFF)
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN_CPU_ON, PSCI_0_2_FN_CPU_ON)
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN_MIGRATE, PSCI_0_2_FN_MIGRATE)
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_CPU_SUSPEND, PSCI_0_2_FN64_CPU_SUSPEND)
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_CPU_ON, PSCI_0_2_FN64_CPU_ON)
+MISMATCH_CHECK(QEMU_PSCI_0_2_FN64_MIGRATE, PSCI_0_2_FN64_MIGRATE)
+
/* Note that KVM uses overlapping values for AArch32 and AArch64
* target CPU numbers. AArch32 targets:
*/

From: Fam Zheng <***@redhat.com>

Otherwise error_callback_bh will access the already released acb.

Cc: qemu-***@nongnu.org
Signed-off-by: Fam Zheng <***@redhat.com>
Signed-off-by: Kevin Wolf <***@redhat.com>
(cherry picked from commit cbf95a0b117461473f05ab3cce4d01ba2b29e60a)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
block/blkdebug.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/block/blkdebug.c b/block/blkdebug.c
index f51407d..01b8e73 100644
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@@ -449,6 +449,10 @@ static void error_callback_bh(void *opaque)
static void blkdebug_aio_cancel(BlockDriverAIOCB *blockacb)
{
BlkdebugAIOCB *acb = container_of(blockacb, BlkdebugAIOCB, common);
+ if (acb->bh) {
+ qemu_bh_delete(acb->bh);
+ acb->bh = NULL;
+ }
qemu_aio_release(acb);
}

From: Stefan Hajnoczi <***@redhat.com>

Signed-off-by: Stefan Hajnoczi <***@redhat.com>
Signed-off-by: Kevin Wolf <***@redhat.com>
(cherry picked from commit 8d9eb33ca0bbb8bca0f1775623ed3cf5f39760cd)

Conflicts:
tests/qemu-iotests/group

*fix up context mismatches due to lack of 099 and 103 tests

Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
tests/qemu-iotests/101 | 58 ++++++++++++++++++++++++++++++++++++++++++++++
tests/qemu-iotests/101.out | 10 ++++++++
tests/qemu-iotests/group | 1 +
3 files changed, 69 insertions(+)
create mode 100755 tests/qemu-iotests/101
create mode 100644 tests/qemu-iotests/101.out

diff --git a/tests/qemu-iotests/101 b/tests/qemu-iotests/101
new file mode 100755
index 0000000..70fbf25
--- /dev/null
+++ b/tests/qemu-iotests/101
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Test short file I/O
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=***@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+
+_cleanup()
+{
+ _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt raw
+_supported_proto file
+_supported_os Linux
+
+
+echo
+echo "== creating short image file =="
+dd if=/dev/zero of="$TEST_IMG" bs=1 count=320
+
+echo
+echo "== reading bytes beyond EOF gives zeroes =="
+$QEMU_IO -c "read -P 0 0 512" "$TEST_IMG" | _filter_qemu_io
+
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/101.out b/tests/qemu-iotests/101.out
new file mode 100644
index 0000000..9a996e8
--- /dev/null
+++ b/tests/qemu-iotests/101.out
@@ -0,0 +1,10 @@
+QA output created by 101
+
+== creating short image file ==
+320+0 records in
+320+0 records out
+
+== reading bytes beyond EOF gives zeroes ==
+read 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 6e67f61..e25e992 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -100,3 +100,4 @@
091 rw auto quick
092 rw auto quick
095 rw auto quick
+101 rw auto quick

From: "Michael S. Tsirkin" <***@redhat.com>

commit 868270f23d8db2cce83e4f082fe75e8625a5fbf9
acpi-build: tweak acpi migration limits
broke kernel loading with -kernel/-initrd: it doubled
the size of ACPI tables but did not reserve
enough memory.

As a result, issues on boot and halt are observed.

Fix this up by doubling reserved memory for new machine types.

Cc: qemu-***@nongnu.org
Reported-by: Stefan Hajnoczi <***@redhat.com>
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
(cherry picked from commit 927766c7d34275ecf586020cc5305e377cc4af10)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/i386/pc.c | 12 +++++++++---
hw/i386/pc_piix.c | 1 +
hw/i386/pc_q35.c | 1 +
include/hw/i386/pc.h | 2 ++
4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 2cf22b1..97932a6 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -73,7 +73,12 @@
#endif

/* Leave a chunk of memory at the top of RAM for the BIOS ACPI tables. */
-#define ACPI_DATA_SIZE 0x10000
+unsigned acpi_data_size = 0x20000;
+void pc_set_legacy_acpi_data_size(void)
+{
+ acpi_data_size = 0x10000;
+}
+
#define BIOS_CFG_IOPORT 0x510
#define FW_CFG_ACPI_TABLES (FW_CFG_ARCH_LOCAL + 0)
#define FW_CFG_SMBIOS_ENTRIES (FW_CFG_ARCH_LOCAL + 1)
@@ -811,8 +816,9 @@ static void load_linux(FWCfgState *fw_cfg,
initrd_max = 0x37ffffff;
}

- if (initrd_max >= max_ram_size-ACPI_DATA_SIZE)
- initrd_max = max_ram_size-ACPI_DATA_SIZE-1;
+ if (initrd_max >= max_ram_size - acpi_data_size) {
+ initrd_max = max_ram_size - acpi_data_size - 1;
+ }

fw_cfg_add_i32(fw_cfg, FW_CFG_CMDLINE_ADDR, cmdline_addr);
fw_cfg_add_i32(fw_cfg, FW_CFG_CMDLINE_SIZE, strlen(kernel_cmdline)+1);
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 9694f88..8dc8290 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -318,6 +318,7 @@ static void pc_compat_2_0(MachineState *machine)
legacy_acpi_table_size = 6652;
smbios_legacy_mode = true;
has_reserved_memory = false;
+ pc_set_legacy_acpi_data_size();
}

static void pc_compat_1_7(MachineState *machine)
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index c39ee98..4e2dd49 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -282,6 +282,7 @@ static void pc_compat_2_0(MachineState *machine)
{
smbios_legacy_mode = true;
has_reserved_memory = false;
+ pc_set_legacy_acpi_data_size();
}

static void pc_compat_1_7(MachineState *machine)
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index f4b9b2b..5f0a265 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -177,6 +177,8 @@ void pc_acpi_init(const char *default_dsdt);
PcGuestInfo *pc_guest_info_init(ram_addr_t below_4g_mem_size,
ram_addr_t above_4g_mem_size);

+void pc_set_legacy_acpi_data_size(void);
+
#define PCI_HOST_PROP_PCI_HOLE_START "pci-hole-start"
#define PCI_HOST_PROP_PCI_HOLE_END "pci-hole-end"
#define PCI_HOST_PROP_PCI_HOLE64_START "pci-hole64-start"

From: Stefan Hajnoczi <***@redhat.com>

EventNotifier is implemented using an eventfd or pipe. It therefore
consumes file descriptors, which can be limited by rlimits and should
therefore be used sparingly.

Switch from EventNotifier to QEMUBH in thread-pool.c. Originally
EventNotifier was used because qemu_bh_schedule() was not thread-safe
yet.

Reported-by: Christian Borntraeger <***@de.ibm.com>
Signed-off-by: Stefan Hajnoczi <***@redhat.com>
(cherry picked from commit c2e50e3d11a0bf4c973cc30478c1af0f2d5f8e81)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
thread-pool.c | 21 ++++++++-------------
1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/thread-pool.c b/thread-pool.c
index dfb699d..4cfd078 100644
--- a/thread-pool.c
+++ b/thread-pool.c
@@ -21,7 +21,6 @@
#include "block/coroutine.h"
#include "trace.h"
#include "block/block_int.h"
-#include "qemu/event_notifier.h"
#include "block/thread-pool.h"
#include "qemu/main-loop.h"

@@ -57,8 +56,8 @@ struct ThreadPoolElement {
};

struct ThreadPool {
- EventNotifier notifier;
AioContext *ctx;
+ QEMUBH *completion_bh;
QemuMutex lock;
QemuCond check_cancel;
QemuCond worker_stopped;
@@ -119,7 +118,7 @@ static void *worker_thread(void *opaque)
qemu_cond_broadcast(&pool->check_cancel);
}

- event_notifier_set(&pool->notifier);
+ qemu_bh_schedule(pool->completion_bh);
}

pool->cur_threads--;
@@ -168,12 +167,11 @@ static void spawn_thread(ThreadPool *pool)
}
}

-static void event_notifier_ready(EventNotifier *notifier)
+static void thread_pool_completion_bh(void *opaque)
{
- ThreadPool *pool = container_of(notifier, ThreadPool, notifier);
+ ThreadPool *pool = opaque;
ThreadPoolElement *elem, *next;

- event_notifier_test_and_clear(notifier);
restart:
QLIST_FOREACH_SAFE(elem, &pool->head, all, next) {
if (elem->state != THREAD_CANCELED && elem->state != THREAD_DONE) {
@@ -215,7 +213,7 @@ static void thread_pool_cancel(BlockDriverAIOCB *acb)
qemu_sem_timedwait(&pool->sem, 0) == 0) {
QTAILQ_REMOVE(&pool->request_list, elem, reqs);
elem->state = THREAD_CANCELED;
- event_notifier_set(&pool->notifier);
+ qemu_bh_schedule(pool->completion_bh);
} else {
pool->pending_cancellations++;
while (elem->state != THREAD_CANCELED && elem->state != THREAD_DONE) {
@@ -224,7 +222,7 @@ static void thread_pool_cancel(BlockDriverAIOCB *acb)
pool->pending_cancellations--;
}
qemu_mutex_unlock(&pool->lock);
- event_notifier_ready(&pool->notifier);
+ thread_pool_completion_bh(pool);
}

static const AIOCBInfo thread_pool_aiocb_info = {
@@ -293,8 +291,8 @@ static void thread_pool_init_one(ThreadPool *pool, AioContext *ctx)
}

memset(pool, 0, sizeof(*pool));
- event_notifier_init(&pool->notifier, false);
pool->ctx = ctx;
+ pool->completion_bh = aio_bh_new(ctx, thread_pool_completion_bh, pool);
qemu_mutex_init(&pool->lock);
qemu_cond_init(&pool->check_cancel);
qemu_cond_init(&pool->worker_stopped);
@@ -304,8 +302,6 @@ static void thread_pool_init_one(ThreadPool *pool, AioContext *ctx)

QLIST_INIT(&pool->head);
QTAILQ_INIT(&pool->request_list);
-
- aio_set_event_notifier(ctx, &pool->notifier, event_notifier_ready);
}

ThreadPool *thread_pool_new(AioContext *ctx)
@@ -339,11 +335,10 @@ void thread_pool_free(ThreadPool *pool)

qemu_mutex_unlock(&pool->lock);

- aio_set_event_notifier(pool->ctx, &pool->notifier, NULL);
+ qemu_bh_delete(pool->completion_bh);
qemu_sem_destroy(&pool->sem);
qemu_cond_destroy(&pool->check_cancel);
qemu_cond_destroy(&pool->worker_stopped);
qemu_mutex_destroy(&pool->lock);
- event_notifier_cleanup(&pool->notifier);
g_free(pool);
}

From: Christoffer Dall <***@linaro.org>

The function IDs for PSCI v0.1 are exported by KVM and defined as
KVM_PSCI_FN_<something>. To build using these defines in non-KVM code,
QEMU defines these IDs locally and check their correctness against the
KVM headers when those are available.

However, the naming scheme used for QEMU (almost) clashes with the PSCI
v0.2 definitions from Linux so to avoid unfortunate naming when we
introduce local PSCI v0.2 defines, rename the current local defines with
QEMU_ prependend and clearly identify the PSCI version as v0.1 in the
defines.

Cc: qemu-***@nongnu.org
Signed-off-by: Christoffer Dall <***@linaro.org>
Signed-off-by: Peter Maydell <***@linaro.org>
(cherry picked from commit a65c9c17cef16bcb98ec6cf4feb8676c1a2d1168)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/arm/virt.c | 8 ++++----
target-arm/kvm-consts.h | 22 +++++++++++-----------
2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 89532bd..a6fd5e6 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -204,10 +204,10 @@ static void fdt_add_psci_node(const VirtBoardInfo *vbi)

qemu_fdt_setprop_string(fdt, "/psci", "method", "hvc");
qemu_fdt_setprop_cell(fdt, "/psci", "cpu_suspend",
- PSCI_FN_CPU_SUSPEND);
- qemu_fdt_setprop_cell(fdt, "/psci", "cpu_off", PSCI_FN_CPU_OFF);
- qemu_fdt_setprop_cell(fdt, "/psci", "cpu_on", PSCI_FN_CPU_ON);
- qemu_fdt_setprop_cell(fdt, "/psci", "migrate", PSCI_FN_MIGRATE);
+ QEMU_PSCI_0_1_FN_CPU_SUSPEND);
+ qemu_fdt_setprop_cell(fdt, "/psci", "cpu_off", QEMU_PSCI_0_1_FN_CPU_OFF);
+ qemu_fdt_setprop_cell(fdt, "/psci", "cpu_on", QEMU_PSCI_0_1_FN_CPU_ON);
+ qemu_fdt_setprop_cell(fdt, "/psci", "migrate", QEMU_PSCI_0_1_FN_MIGRATE);
}
}

diff --git a/target-arm/kvm-consts.h b/target-arm/kvm-consts.h
index 6009a33..bcad7ba 100644
--- a/target-arm/kvm-consts.h
+++ b/target-arm/kvm-consts.h
@@ -38,17 +38,17 @@ MISMATCH_CHECK(CP_REG_SIZE_U64, KVM_REG_SIZE_U64)
MISMATCH_CHECK(CP_REG_ARM, KVM_REG_ARM)
MISMATCH_CHECK(CP_REG_ARCH_MASK, KVM_REG_ARCH_MASK)

-#define PSCI_FN_BASE 0x95c1ba5e
-#define PSCI_FN(n) (PSCI_FN_BASE + (n))
-#define PSCI_FN_CPU_SUSPEND PSCI_FN(0)
-#define PSCI_FN_CPU_OFF PSCI_FN(1)
-#define PSCI_FN_CPU_ON PSCI_FN(2)
-#define PSCI_FN_MIGRATE PSCI_FN(3)
-
-MISMATCH_CHECK(PSCI_FN_CPU_SUSPEND, KVM_PSCI_FN_CPU_SUSPEND)
-MISMATCH_CHECK(PSCI_FN_CPU_OFF, KVM_PSCI_FN_CPU_OFF)
-MISMATCH_CHECK(PSCI_FN_CPU_ON, KVM_PSCI_FN_CPU_ON)
-MISMATCH_CHECK(PSCI_FN_MIGRATE, KVM_PSCI_FN_MIGRATE)
+#define QEMU_PSCI_0_1_FN_BASE 0x95c1ba5e
+#define QEMU_PSCI_0_1_FN(n) (QEMU_PSCI_0_1_FN_BASE + (n))
+#define QEMU_PSCI_0_1_FN_CPU_SUSPEND QEMU_PSCI_0_1_FN(0)
+#define QEMU_PSCI_0_1_FN_CPU_OFF QEMU_PSCI_0_1_FN(1)
+#define QEMU_PSCI_0_1_FN_CPU_ON QEMU_PSCI_0_1_FN(2)
+#define QEMU_PSCI_0_1_FN_MIGRATE QEMU_PSCI_0_1_FN(3)
+
+MISMATCH_CHECK(QEMU_PSCI_0_1_FN_CPU_SUSPEND, KVM_PSCI_FN_CPU_SUSPEND)
+MISMATCH_CHECK(QEMU_PSCI_0_1_FN_CPU_OFF, KVM_PSCI_FN_CPU_OFF)
+MISMATCH_CHECK(QEMU_PSCI_0_1_FN_CPU_ON, KVM_PSCI_FN_CPU_ON)
+MISMATCH_CHECK(QEMU_PSCI_0_1_FN_MIGRATE, KVM_PSCI_FN_MIGRATE)

/* Note that KVM uses overlapping values for AArch32 and AArch64
* target CPU numbers. AArch32 targets:

From: Ben Draper <***@xrsa.net>

When running VMware ESXi under qemu-kvm the guest discards frames
that are too short. Short ARP Requests will be dropped, this prevents
guests on the same bridge as VMware ESXi from communicating. This patch
simply adds the padding on the network device itself.

Signed-off-by: Ben Draper <***@xrsa.net>
Reviewed-by: Dmitry Fleytman <***@daynix.com>
Cc: qemu-***@nongnu.org
Signed-off-by: Michael Tokarev <***@tls.msk.ru>
(cherry picked from commit 40a87c6c9b11ef9c14e0301f76abf0eb2582f08e)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/net/vmxnet3.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 77bea6f..ae3e50f 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -34,6 +34,7 @@

#define PCI_DEVICE_ID_VMWARE_VMXNET3_REVISION 0x1
#define VMXNET3_MSIX_BAR_SIZE 0x2000
+#define MIN_BUF_SIZE 60

#define VMXNET3_BAR0_IDX (0)
#define VMXNET3_BAR1_IDX (1)
@@ -1871,12 +1872,21 @@ vmxnet3_receive(NetClientState *nc, const uint8_t *buf, size_t size)
{
VMXNET3State *s = qemu_get_nic_opaque(nc);
size_t bytes_indicated;
+ uint8_t min_buf[MIN_BUF_SIZE];

if (!vmxnet3_can_receive(nc)) {
VMW_PKPRN("Cannot receive now");
return -1;
}

+ /* Pad to minimum Ethernet frame length */
+ if (size < sizeof(min_buf)) {
+ memcpy(min_buf, buf, size);
+ memset(&min_buf[size], 0, sizeof(min_buf) - size);
+ buf = min_buf;
+ size = sizeof(min_buf);
+ }
+
if (s->peer_has_vhdr) {
vmxnet_rx_pkt_set_vhdr(s->rx_pkt, (struct virtio_net_hdr *)buf);
buf += sizeof(struct virtio_net_hdr);

From: Stefan Hajnoczi <***@redhat.com>

The thread pool has a race condition if two elements complete before
thread_pool_completion_bh() runs:

If element A's callback waits for element B using aio_poll() it will
deadlock since pool->completion_bh is not marked scheduled when the
nested aio_poll() runs.

Fix this by marking the BH scheduled while thread_pool_completion_bh()
is executing. This way any nested aio_poll() loops will enter
thread_pool_completion_bh() and complete the remaining elements.

Signed-off-by: Stefan Hajnoczi <***@redhat.com>
(cherry picked from commit 3c80ca158c96ff902a30883a8933e755988948b1)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
thread-pool.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/thread-pool.c b/thread-pool.c
index 4cfd078..23888dc 100644
--- a/thread-pool.c
+++ b/thread-pool.c
@@ -185,6 +185,12 @@ restart:
QLIST_REMOVE(elem, all);
/* Read state before ret. */
smp_rmb();
+
+ /* Schedule ourselves in case elem->common.cb() calls aio_poll() to
+ * wait for another request that completed at the same time.
+ */
+ qemu_bh_schedule(pool->completion_bh);
+
elem->common.cb(elem->common.opaque, elem->ret);
qemu_aio_release(elem);
goto restart;

From: Gonglei <***@huawei.com>

Prevent out-of-bounds array access on
acpi_pcihp_pci_status.

Signed-off-by: Gonglei <***@huawei.com>
Reviewed-by: Peter Crosthwaite <***@xilinx.com>
Reviewed-by: Michael S. Tsirkin <***@redhat.com>
Signed-off-by: Michael S. Tsirkin <***@redhat.com>
Cc: qemu-***@nongnu.org
Reviewed-by: Marcel Apfelbaum <***@redhat.com>
(cherry picked from commit fa365d7cd11185237471823a5a33d36765454e16)
Signed-off-by: Michael Roth <***@linux.vnet.ibm.com>
---
hw/acpi/pcihp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index fae663a..34dedf1 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
uint32_t val = 0;
int bsel = s->hotplug_select;

- if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+ if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
return 0;
}

Hi Michael,

The Patch *[PATCH V4] net: Forbid dealing with packets when VM is not running*
has been reviewed by Jason Wang <***@redhat.com>,
Juan Quintela <***@redhat.com> and Michael S. Tsirkin <***@redhat.com>.

It is a bug fix patch, and should be include.

If you can not find this patch in your mailbox, i will send it once again:)

Thanks,
zhanghailiang

These new ones just got into master yesterday:

1844e68ecabbdfdf0228774bcd5cf0f63ffc2e57 target-i386: Don't forbid NX bit on PAE PDEs and PTEs
d8b5c67b05420d966664664ff287af05b884bdd1 x86: Use common variable range MTRR counts
d1ae67f626c5ed5729e1d8212834291b409d26df x86: kvm: Add MTRR support for kvm_get|put_msrs()
9db2efd95e13330075bff027cd682a063d725332 x86: Clear MTRRs on vCPU reset
9db693f76441e2fc7e1b05dc454e7db4d3298dcb block/iscsi: fix memory corruption on iscsi resize
7b71758d79106a63a0b8aba02df752d9995ea50c vl: process -object after other backend options

Paolo

A bunch of other patches Cc stable were merged upstream
since then - could you please send an update
of what's in?

Quoting Michael Roth (2014-08-27 12:35:57)
As of now the following additional patches have been applied to
the 2.1.1 staging tree (see stable commit for upstream commit ref):

a7f9ea2 qxl-render: add more sanity checks
1511595 target-arm: Correct Cortex-A57 ISAR5 and AA64ISAR0 ID register values
44a1530 target-arm: Fix regression that disabled VFP for ARMv5 CPUs
95dcaa4 x86: Clear MTRRs on vCPU reset
7fd25d3 x86: kvm: Add MTRR support for kvm_get|put_msrs()
0f9c63b x86: Use common variable range MTRR counts
0c69595 target-i386: Don't forbid NX bit on PAE PDEs and PTEs
89713cb vl: process -object after other backend options
93dcbd3 spapr_pci: map the MSI window in each PHB

The following patches have been Cc'd to qemu-stable and are still
pending upstream commit/merge:

[PATCH] virtio-net: don't run bh on vm stopped (Michael S. Tsirkin)
* pull just sent by Michael Tsirkin
[PATCH] net: prevent sending packets while guest is stopped (Stefan Hajnoczi)
[PATCH v2 2/4] pci: Avoid losing config updates to MSI/MSIX cap regs (Knut Omang)
[PATCH V4] net: Forbid dealing with packets when VM is not running (zhanghailiang)
* looks like Stefan has this queued for net
[PATCH V2] acpi-build: Set FORCE_APIC_CLUSTER_MODEL bit for FADT flags (zhanghailiang)
[RESEND v2 0/3] Fix some memory leaks about query memdev (Chen Fan)
* looks like Michael Tokarev has this queued for trivial
[PATCH] target-i386: Support migratable=no properly (Eduardo Habkost)
* pinged
[PATCH 1/3] pc: Fix disabling of vapic for compat PC models (Jan Kiszka)
* pinged
[PATCH] pty: Fix byte loss bug when connecting to pty (Sebastian Tanase)
* pinged, presumably going through Gerd's tree

Let me know if anything is missing.