[Spice-commits] 61 commits - VERSION block-migration.c block.c block/iscsi.c block/qcow2.c block/qed.c block/raw-posix.c block/raw_bsd.c block/stream.c block/vmdk.c exec.c hw/acpi hw/char hw/core hw/i386 hw/misc hw/ppc hw/usb hw/virtio include/block include/exec include/libdecnumber kvm-all.c linux-user/ioctls.h linux-user/signal.c linux-user/syscall.c linux-user/syscall_defs.h net/slirp.c qemu-doc.texi qemu-img.c qga/commands-posix.c scripts/vmstate-static-checker.py target-i386/helper.c target-ppc/kvm.c target-ppc/kvm_ppc.h target-ppc/translate_init.c tests/Makefile tests/fdc-test.c tests/qemu-iotests tests/test-aio.c tests/test-qemu-opts.c tests/test-throttle.c tests/test-visitor-serialization.c tests/test-vmstate.c tests/vhost-user-test.c tests/wdt_ib700-test.c util/module.c vl.c xen-hvm.c

Gerd Hoffmann kraxel at kemper.freedesktop.org
Wed Jul 23 07:09:56 PDT 2014


 VERSION                               |    2 
 block-migration.c                     |    2 
 block.c                               |   33 +++++---
 block/iscsi.c                         |    3 
 block/qcow2.c                         |   25 ++++--
 block/qed.c                           |    4 -
 block/raw-posix.c                     |   39 +++++++--
 block/raw_bsd.c                       |    3 
 block/stream.c                        |    2 
 block/vmdk.c                          |    4 -
 exec.c                                |   20 +----
 hw/acpi/ich9.c                        |    4 -
 hw/char/cadence_uart.c                |   15 ++-
 hw/char/virtio-serial-bus.c           |   14 ++-
 hw/core/machine.c                     |    8 +-
 hw/i386/kvm/clock.c                   |   52 -------------
 hw/i386/pc_piix.c                     |   15 ---
 hw/i386/pc_q35.c                      |    2 
 hw/misc/imx_ccm.c                     |    1 
 hw/misc/vfio.c                        |    2 
 hw/ppc/e500.c                         |    3 
 hw/ppc/mac_newworld.c                 |    4 -
 hw/ppc/mac_oldworld.c                 |    5 -
 hw/ppc/ppc405_boards.c                |   23 +++--
 hw/ppc/ppc405_uc.c                    |    1 
 hw/ppc/ppc4xx_devs.c                  |   39 ++++++---
 hw/ppc/prep.c                         |    3 
 hw/ppc/spapr.c                        |   21 +++--
 hw/ppc/spapr_iommu.c                  |    4 -
 hw/ppc/virtex_ml507.c                 |    3 
 hw/usb/hcd-ohci.c                     |    2 
 hw/usb/hcd-xhci.c                     |    1 
 hw/virtio/vhost-user.c                |    6 +
 hw/virtio/virtio-rng.c                |    8 +-
 include/block/block.h                 |    2 
 include/block/block_int.h             |    2 
 include/exec/ram_addr.h               |   11 ++
 include/libdecnumber/decNumberLocal.h |    2 
 kvm-all.c                             |    5 -
 linux-user/ioctls.h                   |    2 
 linux-user/signal.c                   |    7 +
 linux-user/syscall.c                  |   32 +++++++-
 linux-user/syscall_defs.h             |   10 ++
 net/slirp.c                           |    1 
 qemu-doc.texi                         |   13 ++-
 qemu-img.c                            |    1 
 qga/commands-posix.c                  |    2 
 scripts/vmstate-static-checker.py     |   27 +++++-
 target-i386/helper.c                  |    3 
 target-ppc/kvm.c                      |   13 ---
 target-ppc/kvm_ppc.h                  |    4 -
 target-ppc/translate_init.c           |   18 +---
 tests/Makefile                        |    5 +
 tests/fdc-test.c                      |    2 
 tests/qemu-iotests/028                |    4 -
 tests/qemu-iotests/028.out            |    2 
 tests/qemu-iotests/036                |   52 ++++++++++++-
 tests/qemu-iotests/036.out            |   35 ++++++++
 tests/qemu-iotests/qcow2.py           |   15 ++-
 tests/test-aio.c                      |    2 
 tests/test-qemu-opts.c                |    2 
 tests/test-throttle.c                 |    8 +-
 tests/test-visitor-serialization.c    |    6 -
 tests/test-vmstate.c                  |    4 -
 tests/vhost-user-test.c               |   11 ++
 tests/wdt_ib700-test.c                |  134 ++++++++++++++++++++++++++++++++++
 util/module.c                         |    9 --
 vl.c                                  |   13 +++
 xen-hvm.c                             |    2 
 69 files changed, 572 insertions(+), 262 deletions(-)

New commits:
commit f368c33d5ab09dd5656924185cd975b11838cd25
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 22 18:17:03 2014 +0100

    Update version for v2.1.0-rc3 release
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/VERSION b/VERSION
index 0a7e4e5..3c09ebb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0.92
+2.0.93
commit ef493d5c291e4689d64ff4973915a7442109a5c5
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 22 17:10:01 2014 +0100

    hw/misc/imx_ccm.c: Add missing VMState list terminator
    
    The VMStateDescription for the imx_ccm device was missing its
    terminator. Found by static search of the codebase using
    a regex based on one suggested by Ian Jackson:
      pcregrep -rMi '(?s)VMStateField(?:(?!END_OF_LIST).)*?;' $(git grep -l 'VMStateField\[\]')
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Cc: qemu-stable at nongnu.org

diff --git a/hw/misc/imx_ccm.c b/hw/misc/imx_ccm.c
index 750b906..0920288 100644
--- a/hw/misc/imx_ccm.c
+++ b/hw/misc/imx_ccm.c
@@ -67,6 +67,7 @@ static const VMStateDescription vmstate_imx_ccm = {
         VMSTATE_UINT32(pmcr0, IMXCCMState),
         VMSTATE_UINT32(pmcr1, IMXCCMState),
         VMSTATE_UINT32(pll_refclk_freq, IMXCCMState),
+        VMSTATE_END_OF_LIST()
     },
     .post_load = imx_ccm_post_load,
 };
commit 3afca1d6d413592c2b78cf28f52fa24a586d8f56
Author: Laszlo Ersek <lersek at redhat.com>
Date:   Tue Jul 22 17:26:41 2014 +0200

    vmstate_xhci_event: fix unterminated field list
    
    "vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
    migration support"), and first released in v1.6.0. The field list in this
    VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
    
    During normal use (ie. migration), the issue is practically invisible,
    because the "vmstate_xhci_event" object (with the unterminated field list)
    is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
    returns true, for the "ev_buffer" test. Since that field_exists() check
    (apparently) almost always returns false, we almost never traverse
    "vmstate_xhci_event" during migration, which hides the bug.
    
    However, Amit's vmstate checker forces recursion into this VMSD as well,
    and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
    check (field->name != NULL) in dump_vmstate_vmsd(). The result is
    undefined behavior, which in my case translates to infinite recursion
    (because the loop happens to overflow into "vmstate_xhci_intr", which then
    links back to "vmstate_xhci_event").
    
    Add the missing terminator.
    
    Signed-off-by: Laszlo Ersek <lersek at redhat.com>
    Reviewed-by: Amit Shah <amit.shah at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 7f2af89..58c4b11 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3737,6 +3737,7 @@ static const VMStateDescription vmstate_xhci_event = {
         VMSTATE_UINT32(flags,  XHCIEvent),
         VMSTATE_UINT8(slotid,  XHCIEvent),
         VMSTATE_UINT8(epid,    XHCIEvent),
+        VMSTATE_END_OF_LIST()
     }
 };
 
commit 3a18d449836d21dee60439b154056cca9a3b6aee
Merge: b64c670 e206ad4
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 22 16:40:34 2014 +0100

    Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging
    
    Patch queue for ppc - 2014-07-22
    
    Only a single bug fix to make -mem-path only affect RAM regions.
    
    # gpg: Signature made Tue 22 Jul 2014 16:38:04 BST using RSA key ID 03FEDC60
    # gpg: Can't check signature: public key not found
    
    * remotes/agraf/tags/signed-ppc-for-upstream:
      ppc: fix -mem-path failure
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit e206ad48333c50373663945746828fc893b50700
Author: Hu Tao <hutao at cn.fujitsu.com>
Date:   Mon Jul 21 17:30:17 2014 +0800

    ppc: fix -mem-path failure
    
    commit e938ba0c tried to enable -mem-path for ppc but broke some ppc
    boards.
    
    The problems are:
    
    1. it fails when allocating memory for rom, sram whose sizes are less
       than huge page size:
    
       ./ppc-softmmu/qemu-system-ppc  -m 512 -mem-path /hugepages/ \
       -kernel /home/hutao/Downloads/vmlinux-ppc -initrd \
       /home/hutao/Downloads/initrd-ppc.gz
       qemu-system-ppc: /mnt/data/projects/qemu/exec.c:1184: qemu_ram_set_idstr: Assertion `new_block' failed.
    
    2. if there is a numa node backed by memory backend object, qemu fails
       with message:
    
       ./ppc-softmmu/qemu-system-ppc  -m 512 \
       -object memory-backend-file,size=512M,mem-path=/hugepages,id=f0 \
       -numa node,nodeid=0,memdev=f0 \
       -kernel /home/hutao/Downloads/vmlinux-ppc \
       -initrd /home/hutao/Downloads/initrd-ppc.gz
       qemu-system-ppc: memory backend f0 is used multiple times. Each -numa option must use a different memdev value.
    
    This patch does following:
    
    1. replaces memory_region_allocate_system_memory() with
       memory_region_init_ram() for rom, sram. Then only system memory
       is backed by hugepages when specifying mem-path.
    
    2. for memory banks, allocates all ram with
       one memory_region_allocate_system_memory(), and use
       memory_region_init_alias() to initialize memory banks.
    
    Tested machines: default(g3beige), mac99, taihu, bamboo, ref405ep.
    
    Signed-off-by: Hu Tao <hutao at cn.fujitsu.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 7e97af4..f5bccd2 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -204,8 +204,9 @@ static void ppc_core99_init(MachineState *machine)
     memory_region_add_subregion(get_system_memory(), 0, ram);
 
     /* allocate and load BIOS */
-    memory_region_allocate_system_memory(bios, NULL, "ppc_core99.bios",
-                                         BIOS_SIZE);
+    memory_region_init_ram(bios, NULL, "ppc_core99.bios", BIOS_SIZE);
+    vmstate_register_ram_global(bios);
+
     if (bios_name == NULL)
         bios_name = PROM_FILENAME;
     filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index afae825..cd9bdbc 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -135,8 +135,9 @@ static void ppc_heathrow_init(MachineState *machine)
     memory_region_add_subregion(sysmem, 0, ram);
 
     /* allocate and load BIOS */
-    memory_region_allocate_system_memory(bios, NULL, "ppc_heathrow.bios",
-                                         BIOS_SIZE);
+    memory_region_init_ram(bios, NULL, "ppc_heathrow.bios", BIOS_SIZE);
+    vmstate_register_ram_global(bios);
+
     if (bios_name == NULL)
         bios_name = PROM_FILENAME;
     filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
index 6b566cd..11d3379 100644
--- a/hw/ppc/ppc405_boards.c
+++ b/hw/ppc/ppc405_boards.c
@@ -214,7 +214,8 @@ static void ref405ep_init(MachineState *machine)
                         33333333, &pic, kernel_filename == NULL ? 0 : 1);
     /* allocate SRAM */
     sram_size = 512 * 1024;
-    memory_region_allocate_system_memory(sram, NULL, "ef405ep.sram", sram_size);
+    memory_region_init_ram(sram, NULL, "ef405ep.sram", sram_size);
+    vmstate_register_ram_global(sram);
     memory_region_add_subregion(sysmem, 0xFFF00000, sram);
     /* allocate and load BIOS */
 #ifdef DEBUG_BOARD_INIT
@@ -245,8 +246,9 @@ static void ref405ep_init(MachineState *machine)
         printf("Load BIOS from file\n");
 #endif
         bios = g_new(MemoryRegion, 1);
-        memory_region_allocate_system_memory(bios, NULL, "ef405ep.bios",
-                                             BIOS_SIZE);
+        memory_region_init_ram(bios, NULL, "ef405ep.bios", BIOS_SIZE);
+        vmstate_register_ram_global(bios);
+
         if (bios_name == NULL)
             bios_name = BIOS_FILENAME;
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
@@ -508,6 +510,7 @@ static void taihu_405ep_init(MachineState *machine)
     MemoryRegion *sysmem = get_system_memory();
     MemoryRegion *bios;
     MemoryRegion *ram_memories = g_malloc(2 * sizeof(*ram_memories));
+    MemoryRegion *ram = g_malloc0(sizeof(*ram));
     hwaddr ram_bases[2], ram_sizes[2];
     long bios_size;
     target_ulong kernel_base, initrd_base;
@@ -517,15 +520,20 @@ static void taihu_405ep_init(MachineState *machine)
     DriveInfo *dinfo;
 
     /* RAM is soldered to the board so the size cannot be changed */
-    memory_region_allocate_system_memory(&ram_memories[0], NULL,
-                           "taihu_405ep.ram-0", 0x04000000);
+    ram_size = 0x08000000;
+    memory_region_allocate_system_memory(ram, NULL, "taihu_405ep.ram",
+                                         ram_size);
+
     ram_bases[0] = 0;
     ram_sizes[0] = 0x04000000;
-    memory_region_allocate_system_memory(&ram_memories[1], NULL,
-                           "taihu_405ep.ram-1", 0x04000000);
+    memory_region_init_alias(&ram_memories[0], NULL,
+                             "taihu_405ep.ram-0", ram, ram_bases[0],
+                             ram_sizes[0]);
     ram_bases[1] = 0x04000000;
     ram_sizes[1] = 0x04000000;
-    ram_size = 0x08000000;
+    memory_region_init_alias(&ram_memories[1], NULL,
+                             "taihu_405ep.ram-1", ram, ram_bases[1],
+                             ram_sizes[1]);
 #ifdef DEBUG_BOARD_INIT
     printf("%s: register cpu\n", __func__);
 #endif
@@ -564,8 +572,8 @@ static void taihu_405ep_init(MachineState *machine)
         if (bios_name == NULL)
             bios_name = BIOS_FILENAME;
         bios = g_new(MemoryRegion, 1);
-        memory_region_allocate_system_memory(bios, NULL, "taihu_405ep.bios",
-                                             BIOS_SIZE);
+        memory_region_init_ram(bios, NULL, "taihu_405ep.bios", BIOS_SIZE);
+        vmstate_register_ram_global(bios);
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
         if (filename) {
             bios_size = load_image(filename, memory_region_get_ram_ptr(bios));
diff --git a/hw/ppc/ppc405_uc.c b/hw/ppc/ppc405_uc.c
index fcd5f2d..a73e918 100644
--- a/hw/ppc/ppc405_uc.c
+++ b/hw/ppc/ppc405_uc.c
@@ -974,8 +974,8 @@ static void ppc405_ocm_init(CPUPPCState *env)
 
     ocm = g_malloc0(sizeof(ppc405_ocm_t));
     /* XXX: Size is 4096 or 0x04000000 */
-    memory_region_allocate_system_memory(&ocm->isarc_ram, NULL, "ppc405.ocm",
-                                         4096);
+    memory_region_init_ram(&ocm->isarc_ram, NULL, "ppc405.ocm", 4096);
+    vmstate_register_ram_global(&ocm->isarc_ram);
     memory_region_init_alias(&ocm->dsarc_ram, NULL, "ppc405.dsarc", &ocm->isarc_ram,
                              0, 4096);
     qemu_register_reset(&ocm_reset, ocm);
diff --git a/hw/ppc/ppc4xx_devs.c b/hw/ppc/ppc4xx_devs.c
index 07f9d00..2b5d2cd 100644
--- a/hw/ppc/ppc4xx_devs.c
+++ b/hw/ppc/ppc4xx_devs.c
@@ -683,28 +683,20 @@ ram_addr_t ppc4xx_sdram_adjust(ram_addr_t ram_size, int nr_banks,
                                hwaddr ram_sizes[],
                                const unsigned int sdram_bank_sizes[])
 {
+    MemoryRegion *ram = g_malloc0(sizeof(*ram));
     ram_addr_t size_left = ram_size;
     ram_addr_t base = 0;
+    unsigned int bank_size;
     int i;
     int j;
 
     for (i = 0; i < nr_banks; i++) {
         for (j = 0; sdram_bank_sizes[j] != 0; j++) {
-            unsigned int bank_size = sdram_bank_sizes[j];
-
+            bank_size = sdram_bank_sizes[j];
             if (bank_size <= size_left) {
-                char name[32];
-                snprintf(name, sizeof(name), "ppc4xx.sdram%d", i);
-                memory_region_allocate_system_memory(&ram_memories[i], NULL,
-                                                     name, bank_size);
-                ram_bases[i] = base;
-                ram_sizes[i] = bank_size;
-                base += bank_size;
                 size_left -= bank_size;
-                break;
             }
         }
-
         if (!size_left) {
             /* No need to use the remaining banks. */
             break;
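Review bot: The first sizing loop no longer has the `break;` after `size_left -= bank_size;`, so for a single bank index `i` it keeps walking `sdram_bank_sizes[]` and subtracts every size that still fits. The alias loop added in the next hunk instead takes exactly one size per bank and then breaks, so the two passes can disagree. `ram_size`, and with it the region passed to `memory_region_allocate_system_memory`, may then be larger than the sum of the bank aliases, leaving allocated RAM that no bank maps while the function returns the larger size. Restoring `break;` after the subtraction in the first loop keeps both passes selecting the same bank sizes.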
@@ -712,9 +704,31 @@ ram_addr_t ppc4xx_sdram_adjust(ram_addr_t ram_size, int nr_banks,
     }
 
     ram_size -= size_left;
-    if (size_left)
+    if (size_left) {
         printf("Truncating memory to %d MiB to fit SDRAM controller limits.\n",
                (int)(ram_size >> 20));
+    }
+
+    memory_region_allocate_system_memory(ram, NULL, "ppc4xx.sdram", ram_size);
+
+    size_left = ram_size;
+    for (i = 0; i < nr_banks && size_left; i++) {
+        for (j = 0; sdram_bank_sizes[j] != 0; j++) {
+            bank_size = sdram_bank_sizes[j];
+
+            if (bank_size <= size_left) {
+                char name[32];
+                snprintf(name, sizeof(name), "ppc4xx.sdram%d", i);
+                memory_region_init_alias(&ram_memories[i], NULL, name, ram,
+                                         base, bank_size);
+                ram_bases[i] = base;
+                ram_sizes[i] = bank_size;
+                base += bank_size;
+                size_left -= bank_size;
+                break;
+            }
+        }
+    }
 
     return ram_size;
 }
commit b64c670f1ddcd02d003e701f69cf573d7c559ecb
Merge: 25af8e6 713e8a1
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 22 13:16:04 2014 +0100

    Merge remote-tracking branch 'remotes/amit-virtio-rng/for-2.1' into staging
    
    * remotes/amit-virtio-rng/for-2.1:
      virtio-rng: Add human-readable error message for negative max-bytes parameter
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 713e8a102222b6b8ca65050d13b287f5705831b0
Author: John Snow <jsnow at redhat.com>
Date:   Mon Jul 21 17:44:37 2014 -0400

    virtio-rng: Add human-readable error message for negative max-bytes parameter
    
    If a negative integer is used for the max_bytes parameter, QEMU currently
    calls abort() and leaves behind a core dump. This patch replaces the
    abort with a simple error message to make the reason for the termination
    clearer. This also ensures device-hotplug with invalid input doesn't
    cause qemu to quit.
    
    There is an underlying insufficiency in the parameter parsing code of QEMU
    that renders it unable to reject negative values for unsigned properties,
    thus the error message "a non-negative integer below 2^63" is the most
    user-friendly and correct message we can give until the underlying
    insufficiency is corrected.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
index 1356aca..7c5a675 100644
--- a/hw/virtio/virtio-rng.c
+++ b/hw/virtio/virtio-rng.c
@@ -181,7 +181,13 @@ static void virtio_rng_device_realize(DeviceState *dev, Error **errp)
 
     vrng->vq = virtio_add_queue(vdev, 8, handle_input);
 
-    assert(vrng->conf.max_bytes <= INT64_MAX);
+    /* Workaround: Property parsing does not enforce unsigned integers,
+     * So this is a hack to reject such numbers. */
+    if (vrng->conf.max_bytes > INT64_MAX) {
+        error_set(errp, QERR_INVALID_PARAMETER_VALUE, "max-bytes",
+                  "a non-negative integer below 2^63");
+        return;
+    }
     vrng->quota_remaining = vrng->conf.max_bytes;
 
     vrng->rate_limit_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL,
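Review bot: The new error return sits after `virtio_add_queue(vdev, 8, handle_input)`, so a rejected `max-bytes` leaves the queue in place when realize returns with `errp` set, along with whatever was set up before this hunk, which is not visible here. The commit message names device hotplug with invalid input as a case that must not terminate QEMU, so a failed realize should not leave partial device state behind. Validating `vrng->conf.max_bytes` before any device setup would remove the need for cleanup on this path. The comment would also read more plainly as `/* Workaround: property parsing does not enforce unsigned integers, so reject values above INT64_MAX here. */`.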
commit 25af8e6b6106f47f5ee276545fcab47cefa67ba1
Merge: 3585895 dc54e25
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 22 12:03:44 2014 +0100

    Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
    
    One of the two pending migration fixes, and a small KVM patch.
    
    # gpg: Signature made Tue 22 Jul 2014 11:49:30 BST using RSA key ID 9B4D86F2
    # gpg: Can't check signature: public key not found
    
    * remotes/bonzini/tags/for-upstream:
      kvm-all: Use 'tmpcpu' instead of 'cpu' in sub-looping to avoid 'cpu' be NULL
      exec: fix migration with devices that use address_space_rw
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit dc54e2525389e903cee2b847cf761b5d857f75cb
Author: Chen Gang <gang.chen.5i5j at gmail.com>
Date:   Sat Jul 19 09:21:46 2014 +0800

    kvm-all: Use 'tmpcpu' instead of 'cpu' in sub-looping to avoid 'cpu' be NULL
    
    If kvm_arch_remove_sw_breakpoint() fails for every CPU in CPU_FOREACH(),
    the loop leaves 'cpu' NULL, and the next kvm_arch_remove_sw_breakpoint()
    call in QTAILQ_FOREACH_SAFE() gets a NULL 'cpu' parameter.
    
    kvm_arch_remove_sw_breakpoint() may assume 'cpu' is never NULL, so
    define an additional temporary variable for the inner loop to avoid this.
    
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Chen Gang <gang.chen.5i5j at gmail.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 3ae30ee..1402f4f 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -2077,12 +2077,13 @@ void kvm_remove_all_breakpoints(CPUState *cpu)
 {
     struct kvm_sw_breakpoint *bp, *next;
     KVMState *s = cpu->kvm_state;
+    CPUState *tmpcpu;
 
     QTAILQ_FOREACH_SAFE(bp, &s->kvm_sw_breakpoints, entry, next) {
         if (kvm_arch_remove_sw_breakpoint(cpu, bp) != 0) {
             /* Try harder to find a CPU that currently sees the breakpoint. */
-            CPU_FOREACH(cpu) {
-                if (kvm_arch_remove_sw_breakpoint(cpu, bp) == 0) {
+            CPU_FOREACH(tmpcpu) {
+                if (kvm_arch_remove_sw_breakpoint(tmpcpu, bp) == 0) {
                     break;
                 }
             }
commit 6886867e9880830d735d8ae6f6cc63ed9eb2be0c
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Mon Jul 21 16:45:18 2014 +0200

    exec: fix migration with devices that use address_space_rw
    
    Devices that use address_space_rw to write large areas to memory
    (as opposed to address_space_map/unmap) were broken with respect
    to migration since fe680d0 (exec: Limit translation limiting in
    address_space_translate to xen, 2014-05-07).  Such devices include
    IDE CD-ROMs.
    
    The reason is that invalidate_and_set_dirty (called by address_space_rw
    but not address_space_map/unmap) was only setting the dirty bit for
    the first page in the translation.
    
    To fix this, introduce cpu_physical_memory_set_dirty_range_nocode that
    is the same as cpu_physical_memory_set_dirty_range except it does not
    muck with the DIRTY_MEMORY_CODE bitmap.  This function can be used if
    the caller invalidates translations with tb_invalidate_phys_page_range.
    
    There is another difference between cpu_physical_memory_set_dirty_range
    and cpu_physical_memory_set_dirty_flag; the former includes a call
    to xen_modified_memory.  This is handled separately in
    invalidate_and_set_dirty, and is not needed in other callers of
    cpu_physical_memory_set_dirty_range_nocode, so leave it alone.
    
    Just one nit: now that invalidate_and_set_dirty takes care of handling
    multiple pages, there is no need for address_space_unmap to wrap it
    in a loop.  In fact that loop would now be O(n^2).
    
    Reported-by: Dave Gilbert <dgilbert at redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/exec.c b/exec.c
index 5a2a25e..765bd94 100644
--- a/exec.c
+++ b/exec.c
@@ -1568,8 +1568,7 @@ static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
     default:
         abort();
     }
-    cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_MIGRATION);
-    cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_VGA);
+    cpu_physical_memory_set_dirty_range_nocode(ram_addr, size);
     /* we remove the notdirty callback only if the code has been
        flushed */
     if (!cpu_physical_memory_is_clean(ram_addr)) {
@@ -1978,8 +1977,7 @@ static void invalidate_and_set_dirty(hwaddr addr,
         /* invalidate code */
         tb_invalidate_phys_page_range(addr, addr + length, 0);
         /* set dirty bit */
-        cpu_physical_memory_set_dirty_flag(addr, DIRTY_MEMORY_VGA);
-        cpu_physical_memory_set_dirty_flag(addr, DIRTY_MEMORY_MIGRATION);
+        cpu_physical_memory_set_dirty_range_nocode(addr, length);
     }
     xen_modified_memory(addr, length);
 }
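Review bot: `cpu_physical_memory_set_dirty_range_nocode(addr, length)` now covers the whole range, but it still runs under a guard that opens above this hunk. If that guard tests only the page containing `addr` for cleanliness, a range whose first page is already dirty and whose later pages are clean would skip both the invalidation and the dirty marking. This matters more after the `address_space_unmap` hunk below, which drops the per-page loop and passes the full `access_len` in one call. It is worth confirming that the guard checks the full range, or adding a comment on why the first page is sufficient. invalidate_and_set_dirty's body starts outside the hunk.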
@@ -2335,15 +2333,7 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
         mr = qemu_ram_addr_from_host(buffer, &addr1);
         assert(mr != NULL);
         if (is_write) {
-            while (access_len) {
-                unsigned l;
-                l = TARGET_PAGE_SIZE;
-                if (l > access_len)
-                    l = access_len;
-                invalidate_and_set_dirty(addr1, l);
-                addr1 += l;
-                access_len -= l;
-            }
+            invalidate_and_set_dirty(addr1, access_len);
         }
         if (xen_enabled()) {
             xen_invalidate_map_cache_entry(buffer);
@@ -2581,9 +2571,7 @@ void stl_phys_notdirty(AddressSpace *as, hwaddr addr, uint32_t val)
                 /* invalidate code */
                 tb_invalidate_phys_page_range(addr1, addr1 + 4, 0);
                 /* set dirty bit */
-                cpu_physical_memory_set_dirty_flag(addr1,
-                                                   DIRTY_MEMORY_MIGRATION);
-                cpu_physical_memory_set_dirty_flag(addr1, DIRTY_MEMORY_VGA);
+                cpu_physical_memory_set_dirty_range_nocode(addr1, 4);
             }
         }
     }
diff --git a/include/exec/ram_addr.h b/include/exec/ram_addr.h
index e9eb831..6593be1 100644
--- a/include/exec/ram_addr.h
+++ b/include/exec/ram_addr.h
@@ -71,6 +71,17 @@ static inline void cpu_physical_memory_set_dirty_flag(ram_addr_t addr,
     set_bit(addr >> TARGET_PAGE_BITS, ram_list.dirty_memory[client]);
 }
 
+static inline void cpu_physical_memory_set_dirty_range_nocode(ram_addr_t start,
+                                                              ram_addr_t length)
+{
+    unsigned long end, page;
+
+    end = TARGET_PAGE_ALIGN(start + length) >> TARGET_PAGE_BITS;
+    page = start >> TARGET_PAGE_BITS;
+    bitmap_set(ram_list.dirty_memory[DIRTY_MEMORY_MIGRATION], page, end - page);
+    bitmap_set(ram_list.dirty_memory[DIRTY_MEMORY_VGA], page, end - page);
+}
+
 static inline void cpu_physical_memory_set_dirty_range(ram_addr_t start,
                                                        ram_addr_t length)
 {
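Review bot: The new `cpu_physical_memory_set_dirty_range_nocode()` has no comment saying what `nocode` requires of its callers; that contract is stated only in the commit message. A comment above it such as `/* Mark [start, start + length) dirty for MIGRATION and VGA only; DIRTY_MEMORY_CODE is left untouched, so the caller must invalidate translations itself (tb_invalidate_phys_page_range). */` would keep a later caller from using it where code pages also need handling. Note too that `end` and `page` are `unsigned long` while `start + length` is `ram_addr_t`; this presumably mirrors `cpu_physical_memory_set_dirty_range` below, whose body is outside the hunk.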
commit 35858955e6c6f9ef41c199d15457c13426ac6434
Merge: 147fc41 b0ddb8b
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Jul 21 18:06:12 2014 +0100

    Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-2.1' into staging
    
    QOM and device refactorings
    
    * Machine: Property name fixups for 2.1 ABI
    
    # gpg: Signature made Mon 21 Jul 2014 18:00:23 BST using RSA key ID 3E7E013F
    # gpg: Good signature from "Andreas Färber <afaerber at suse.de>"
    # gpg:                 aka "Andreas Färber <afaerber at suse.com>"
    
    * remotes/afaerber/tags/qom-devices-for-2.1:
      machine: Replace underscores in machine's property names
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit b0ddb8bf6bf1739240640f353fd49e9e5d3f85dc
Author: Marcel Apfelbaum <marcel.a at redhat.com>
Date:   Fri Jul 18 19:32:37 2014 +0300

    machine: Replace underscores in machine's property names
    
    Replaced '_' with '-' to comply with QOM guidelines.
    Made the conversion from command line to QMP in vl.c.
    
    Signed-off-by: Marcel Apfelbaum <marcel.a at redhat.com>
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Andreas Färber <afaerber at suse.de>

diff --git a/hw/core/machine.c b/hw/core/machine.c
index cbba679..7a66c57 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -239,11 +239,11 @@ static void machine_initfn(Object *obj)
 {
     object_property_add_str(obj, "accel",
                             machine_get_accel, machine_set_accel, NULL);
-    object_property_add_bool(obj, "kernel_irqchip",
+    object_property_add_bool(obj, "kernel-irqchip",
                              machine_get_kernel_irqchip,
                              machine_set_kernel_irqchip,
                              NULL);
-    object_property_add(obj, "kvm_shadow_mem", "int",
+    object_property_add(obj, "kvm-shadow-mem", "int",
                         machine_get_kvm_shadow_mem,
                         machine_set_kvm_shadow_mem,
                         NULL, NULL, NULL);
@@ -257,11 +257,11 @@ static void machine_initfn(Object *obj)
                             machine_get_dtb, machine_set_dtb, NULL);
     object_property_add_str(obj, "dumpdtb",
                             machine_get_dumpdtb, machine_set_dumpdtb, NULL);
-    object_property_add(obj, "phandle_start", "int",
+    object_property_add(obj, "phandle-start", "int",
                         machine_get_phandle_start,
                         machine_set_phandle_start,
                         NULL, NULL, NULL);
-    object_property_add_str(obj, "dt_compatible",
+    object_property_add_str(obj, "dt-compatible",
                             machine_get_dt_compatible,
                             machine_set_dt_compatible,
                             NULL);
diff --git a/vl.c b/vl.c
index 6abedcf..fe451aa 100644
--- a/vl.c
+++ b/vl.c
@@ -2823,15 +2823,25 @@ static int object_set_property(const char *name, const char *value, void *opaque
     Object *obj = OBJECT(opaque);
     StringInputVisitor *siv;
     Error *local_err = NULL;
+    char *c, *qom_name;
 
     if (strcmp(name, "qom-type") == 0 || strcmp(name, "id") == 0 ||
         strcmp(name, "type") == 0) {
         return 0;
     }
 
+    qom_name = g_strdup(name);
+    c = qom_name;
+    while (*c++) {
+        if (*c == '_') {
+            *c = '-';
+        }
+    }
+
     siv = string_input_visitor_new(value);
-    object_property_set(obj, string_input_get_visitor(siv), name, &local_err);
+    object_property_set(obj, string_input_get_visitor(siv), qom_name, &local_err);
     string_input_visitor_cleanup(siv);
+    g_free(qom_name);
 
     if (local_err) {
         qerror_report_err(local_err);
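Review bot: The conversion loop in object_set_property skips the first character of the name: `while (*c++)` tests the current byte and advances before the body runs, so `*c == '_'` is first evaluated at index 1 and last at the terminating NUL. A leading underscore is therefore left in place and such an option would not match a dash-named QOM property. Iterating with `for (c = qom_name; *c; c++) { if (*c == '_') { *c = '-'; } }` checks every byte exactly once. A short comment such as `/* QOM property names use '-'; accept legacy '_' spellings from the command line */` would also record that this rewrites every option name passed through here, not only the machine properties renamed in hw/core/machine.c. The function body continues past the end of the hunk.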
commit 147fc419734b057b9d9154c2ca0d9d397054104b
Merge: 50a2c45 748bfb4
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jul 18 16:59:29 2014 +0100

    Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-07-18' into staging
    
    trivial patches for 2014-07-18
    
    # gpg: Signature made Fri 18 Jul 2014 15:04:43 BST using RSA key ID A4C3D7DB
    # gpg: Good signature from "Michael Tokarev <mjt at tls.msk.ru>"
    # gpg:                 aka "Michael Tokarev <mjt at corpit.ru>"
    # gpg:                 aka "Michael Tokarev <mjt at debian.org>"
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
    #      Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514  66A7 BEE5 9D74 A4C3 D7DB
    
    * remotes/mjt/tags/trivial-patches-2014-07-18:
      tests: Add missing 'static' attributes (fix warnings from smatch)
      migration: Add missing 'static' attribute
      qga: Add missing 'static' attribute
      hw/usb: Add missing 'static' attribute
      doc: slirp supports ICMP echo if enabled in Linux
      qemu-img: Remove redundancy "ret = -1"
      Fix new typos in comments (found by codespell)
      slirp: Give error message if hostfwd_add/remove for unrecognized vlan/stack
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 50a2c45da92383138e0d3f22952f3813814e18b3
Merge: e0097ea fa666c1
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jul 18 14:46:53 2014 +0100

    Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
    
    Andreas's fixes to --enable-modules, two 2.1 regression fixes, and a
    new qtest.  Michael sent a pull request of his own, so I dropped
    the vhost changes.
    
    # gpg: Signature made Fri 18 Jul 2014 14:30:34 BST using RSA key ID 9B4D86F2
    # gpg: Can't check signature: public key not found
    
    * remotes/bonzini/tags/for-upstream:
      Revert "kvmclock: Ensure time in migration never goes backward"
      Revert "kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation"
      module: Don't complain when a module is absent
      module: Simplify module_load()
      qtest: new test for wdt_ib700
      target-i386: Allow execute from user mode when SMEP is enabled.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 748bfb4eee8e699f3d2dd6a95820d1a9e57e4aa6
Author: Stefan Weil <sw at weilnetz.de>
Date:   Mon Jul 7 21:03:38 2014 +0200

    tests: Add missing 'static' attributes (fix warnings from smatch)
    
    Smatch also complains about 0 used for pointers, so replace those by
    NULL in test-visitor-serialization.c, too.
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/tests/fdc-test.c b/tests/fdc-test.c
index c8e1e7b..203074c 100644
--- a/tests/fdc-test.c
+++ b/tests/fdc-test.c
@@ -65,7 +65,7 @@ enum {
     DSKCHG  = 0x80,
 };
 
-char test_image[] = "/tmp/qtest.XXXXXX";
+static char test_image[] = "/tmp/qtest.XXXXXX";
 
 #define assert_bit_set(data, mask) g_assert_cmphex((data) & (mask), ==, (mask))
 #define assert_bit_clear(data, mask) g_assert_cmphex((data) & (mask), ==, 0)
diff --git a/tests/test-aio.c b/tests/test-aio.c
index 4c40a49..f12b6e0 100644
--- a/tests/test-aio.c
+++ b/tests/test-aio.c
@@ -15,7 +15,7 @@
 #include "qemu/timer.h"
 #include "qemu/sockets.h"
 
-AioContext *ctx;
+static AioContext *ctx;
 
 typedef struct {
     EventNotifier e;
diff --git a/tests/test-qemu-opts.c b/tests/test-qemu-opts.c
index 3653507..ca08ac5 100644
--- a/tests/test-qemu-opts.c
+++ b/tests/test-qemu-opts.c
@@ -56,7 +56,7 @@ static QemuOptsList opts_list_02 = {
     },
 };
 
-QemuOptsList opts_list_03 = {
+static QemuOptsList opts_list_03 = {
     .name = "opts_list_03",
     .head = QTAILQ_HEAD_INITIALIZER(opts_list_03.head),
     .desc = {
diff --git a/tests/test-throttle.c b/tests/test-throttle.c
index 3de6ab8..000ae31 100644
--- a/tests/test-throttle.c
+++ b/tests/test-throttle.c
@@ -15,10 +15,10 @@
 #include "block/aio.h"
 #include "qemu/throttle.h"
 
-AioContext     *ctx;
-LeakyBucket    bkt;
-ThrottleConfig cfg;
-ThrottleState  ts;
+static AioContext     *ctx;
+static LeakyBucket    bkt;
+static ThrottleConfig cfg;
+static ThrottleState  ts;
 
 /* useful function */
 static bool double_cmp(double x, double y)
diff --git a/tests/test-visitor-serialization.c b/tests/test-visitor-serialization.c
index 74d6481..7ad1886 100644
--- a/tests/test-visitor-serialization.c
+++ b/tests/test-visitor-serialization.c
@@ -372,8 +372,8 @@ static void test_primitive_lists(gconstpointer opaque)
     TestArgs *args = (TestArgs *) opaque;
     const SerializeOps *ops = args->ops;
     PrimitiveType *pt = args->test_data;
-    PrimitiveList pl = { .value = { 0 } };
-    PrimitiveList pl_copy = { .value = { 0 } };
+    PrimitiveList pl = { .value = { NULL } };
+    PrimitiveList pl_copy = { .value = { NULL } };
     PrimitiveList *pl_copy_ptr = &pl_copy;
     Error *err = NULL;
     void *serialize_data;
@@ -771,7 +771,7 @@ static void test_nested_struct_list(gconstpointer opaque)
     g_free(args);
 }
 
-PrimitiveType pt_values[] = {
+static PrimitiveType pt_values[] = {
     /* string tests */
     {
         .description = "string_empty",
diff --git a/tests/test-vmstate.c b/tests/test-vmstate.c
index a462335..d72c64c 100644
--- a/tests/test-vmstate.c
+++ b/tests/test-vmstate.c
@@ -29,8 +29,8 @@
 #include "migration/vmstate.h"
 #include "block/coroutine.h"
 
-char temp_file[] = "/tmp/vmst.test.XXXXXX";
-int temp_fd;
+static char temp_file[] = "/tmp/vmst.test.XXXXXX";
+static int temp_fd;
 
 /* Fake yield_until_fd_readable() implementation so we don't have to pull the
  * coroutine code as dependency.
commit 7a46d042e02e87157c13424df56dd06e9da77e89
Author: Stefan Weil <sw at weilnetz.de>
Date:   Mon Jul 7 21:09:30 2014 +0200

    migration: Add missing 'static' attribute
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/block-migration.c b/block-migration.c
index 25a0388..73cdd07 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -861,7 +861,7 @@ static bool block_is_active(void *opaque)
     return block_mig_state.blk_enable == 1;
 }
 
-SaveVMHandlers savevm_block_handlers = {
+static SaveVMHandlers savevm_block_handlers = {
     .set_params = block_set_params,
     .save_live_setup = block_save_setup,
     .save_live_iterate = block_save_iterate,
commit 13a439ec4027a442a69a46d8d5305689460c2af2
Author: Stefan Weil <sw at weilnetz.de>
Date:   Mon Jul 7 21:07:29 2014 +0200

    qga: Add missing 'static' attribute
    
    This fixes a warning from the static code analysis (smatch).
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 34ddba0..8e6272c 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -643,7 +643,7 @@ typedef enum {
     FSFREEZE_HOOK_FREEZE,
 } FsfreezeHookArg;
 
-const char *fsfreeze_hook_arg_string[] = {
+static const char *fsfreeze_hook_arg_string[] = {
     "thaw",
     "freeze",
 };
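Review bot: The table in this hunk is now file-local, but its elements are still writable pointers; `static const char *const fsfreeze_hook_arg_string[] = {` would make the array itself read-only as well as the strings it points to. It is presumably indexed by FsfreezeHookArg (its users are outside the hunk), so a one-line comment `/* indexed by FsfreezeHookArg */` above it would tie the string order to the enum order.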
commit b9b45b4a88df949ab3780ecf7abca55e66ae05d1
Author: Stefan Weil <sw at weilnetz.de>
Date:   Mon Jul 7 21:05:30 2014 +0200

    hw/usb: Add missing 'static' attribute
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index cace945..13afdf5 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -2021,7 +2021,7 @@ static const VMStateDescription vmstate_ohci_eof_timer = {
     },
 };
 
-const VMStateDescription vmstate_ohci_state = {
+static const VMStateDescription vmstate_ohci_state = {
     .name = "ohci-core",
     .version_id = 1,
     .minimum_version_id = 1,
commit 37cbfcce1426e9b53cd235d2c7f9f6740f4c467c
Author: Gernot Hillier <gernot.hillier at siemens.com>
Date:   Thu Jul 10 16:01:25 2014 +0200

    doc: slirp supports ICMP echo if enabled in Linux
    
    Since QEMU 0.15, slirp (user mode networking) supports ping to the
    Internet, see e6d43cfb1f9
    
    Signed-off-by: Gernot Hillier <gernot.hillier at siemens.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 551619a..2b232ae 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -1205,9 +1205,16 @@ In order to check that the user mode network is working, you can ping
 the address 10.0.2.2 and verify that you got an address in the range
 10.0.2.x from the QEMU virtual DHCP server.
 
-Note that @code{ping} is not supported reliably to the internet as it
-would require root privileges. It means you can only ping the local
-router (10.0.2.2).
+Note that ICMP traffic in general does not work with user mode networking.
+ at code{ping}, aka. ICMP echo, to the local router (10.0.2.2) shall work,
+however. If you're using QEMU on Linux >= 3.0, it can use unprivileged ICMP
+ping sockets to allow @code{ping} to the Internet. The host admin has to set
+the ping_group_range in order to grant access to those sockets. To allow ping
+for GID 100 (usually users group):
+
+ at example
+echo 100 100 > /proc/sys/net/ipv4/ping_group_range
+ at end example
 
 When using the built-in TFTP server, the router is also the TFTP
 server.
commit b847ae2d60ce05643a7fd02fcc6e3390ae97a1ee
Author: Chen Gang <gang.chen.5i5j at gmail.com>
Date:   Thu Jul 3 23:57:15 2014 +0800

    qemu-img: Remove redundancy "ret = -1"
    
    In this case, 'ret' is already '-1', so there is no need to set it again.
    
    Signed-off-by: Chen Gang <gang.chen.5i5j at gmail.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/qemu-img.c b/qemu-img.c
index c98896b..d4518e7 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -246,7 +246,6 @@ static int read_password(char *buf, int buf_size)
             if (errno == EAGAIN || errno == EINTR) {
                 continue;
             } else {
-                ret = -1;
                 break;
             }
         } else if (ret == 0) {
commit a9dd38db68a280fd8e2ece16904a5bae52be1925
Author: Stefan Weil <sw at weilnetz.de>
Date:   Mon Jul 7 21:00:41 2014 +0200

    Fix new typos in comments (found by codespell)
    
    arbitary -> arbitrary
    basicly -> basically
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index ec8ccdb..7081c08 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -114,7 +114,7 @@ static void pc_init1(MachineState *machine,
         lowmem = 0xe0000000;
     }
 
-    /* Handle the machine opt max-ram-below-4g.  It is basicly doing
+    /* Handle the machine opt max-ram-below-4g.  It is basically doing
      * min(qemu limit, user limit).
      */
     if (lowmem > pc_machine->max_ram_below_4g) {
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 36b6ab0..f551961 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -103,7 +103,7 @@ static void pc_q35_init(MachineState *machine)
         lowmem = 0xb0000000;
     }
 
-    /* Handle the machine opt max-ram-below-4g.  It is basicly doing
+    /* Handle the machine opt max-ram-below-4g.  It is basically doing
      * min(qemu limit, user limit).
      */
     if (lowmem > pc_machine->max_ram_below_4g) {
diff --git a/include/libdecnumber/decNumberLocal.h b/include/libdecnumber/decNumberLocal.h
index cd4eb79..71ed77b 100644
--- a/include/libdecnumber/decNumberLocal.h
+++ b/include/libdecnumber/decNumberLocal.h
@@ -153,7 +153,7 @@
 
 
   /* ---------------------------------------------------------------- */
-  /* Definitions for arbitary-precision modules (only valid after     */
+  /* Definitions for arbitrary-precision modules (only valid after    */
   /* decNumber.h has been included)				      */
   /* ---------------------------------------------------------------- */
 
diff --git a/xen-hvm.c b/xen-hvm.c
index c928b36..a2486cf 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -165,7 +165,7 @@ static void xen_ram_init(ram_addr_t *below_4g_mem_size,
                                                    PC_MACHINE_MAX_RAM_BELOW_4G,
                                                    &error_abort);
 
-    /* Handle the machine opt max-ram-below-4g.  It is basicly doing
+    /* Handle the machine opt max-ram-below-4g.  It is basically doing
      * min(xen limit, user limit).
      */
     if (HVM_BELOW_4G_RAM_END <= user_lowmem) {
commit b739ef05dbaffcaade5e756a70f91cdf9c327154
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Jun 16 16:47:11 2014 +0100

    slirp: Give error message if hostfwd_add/remove for unrecognized vlan/stack
    
    If the user specified a (vlan ID, slirp stack name) tuple in a monitor
    hostfwd_add/remove command and we can't find it, give the user an
    error message rather than silently doing nothing.
    
    This brings this error case in slirp_lookup() into line with the
    other two.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Michael Tokarev <mjt at tls.msk.ru>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/net/slirp.c b/net/slirp.c
index 8fddc03..647039e 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -282,6 +282,7 @@ static SlirpState *slirp_lookup(Monitor *mon, const char *vlan,
         NetClientState *nc;
         nc = net_hub_find_client_by_name(strtol(vlan, NULL, 0), stack);
         if (!nc) {
+            monitor_printf(mon, "unrecognized (vlan-id, stackname) pair\n");
             return NULL;
         }
         if (strcmp(nc->model, "user")) {
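Review bot: The lookup two lines above the new message still parses the hub id with `strtol(vlan, NULL, 0)` and no end-pointer check, so a non-numeric vlan argument is silently treated as 0 and the user gets either hub 0 or this new message, neither of which says the id was malformed. Checking the parse first, e.g. `char *end; long id = strtol(vlan, &end, 0);` followed by `if (end == vlan || *end) { monitor_printf(mon, "invalid vlan id\n"); return NULL; }`, would keep the error cases distinct. slirp_lookup starts and ends outside the hunk, so the surrounding branches are not visible here.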
commit fa666c10f2f3e15685ff88abd3bc433ddce012d6
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Jul 15 21:46:02 2014 +0200

    Revert "kvmclock: Ensure time in migration never goes backward"
    
    This reverts commit a096b3a6732f846ec57dc28b47ee9435aa0609bf.
    
    This patch caused a hang that was fixed by commit 9b17868 (kvmclock:
    Ensure proper env->tsc value for kvmclock_current_nsec calculation,
    2014-06-03), and we just had to revert that commit.  Drop this one
    too.
    
    Cc: agraf at suse.de
    Cc: mtosatti at redhat.com
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index feb5fc5..07b9c0e 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -14,7 +14,6 @@
  */
 
 #include "qemu-common.h"
-#include "qemu/host-utils.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
 #include "hw/sysbus.h"
@@ -35,47 +34,6 @@ typedef struct KVMClockState {
     bool clock_valid;
 } KVMClockState;
 
-struct pvclock_vcpu_time_info {
-    uint32_t   version;
-    uint32_t   pad0;
-    uint64_t   tsc_timestamp;
-    uint64_t   system_time;
-    uint32_t   tsc_to_system_mul;
-    int8_t     tsc_shift;
-    uint8_t    flags;
-    uint8_t    pad[2];
-} __attribute__((__packed__)); /* 32 bytes */
-
-static uint64_t kvmclock_current_nsec(KVMClockState *s)
-{
-    CPUState *cpu = first_cpu;
-    CPUX86State *env = cpu->env_ptr;
-    hwaddr kvmclock_struct_pa = env->system_time_msr & ~1ULL;
-    uint64_t migration_tsc = env->tsc;
-    struct pvclock_vcpu_time_info time;
-    uint64_t delta;
-    uint64_t nsec_lo;
-    uint64_t nsec_hi;
-    uint64_t nsec;
-
-    if (!(env->system_time_msr & 1ULL)) {
-        /* KVM clock not active */
-        return 0;
-    }
-
-    cpu_physical_memory_read(kvmclock_struct_pa, &time, sizeof(time));
-
-    delta = migration_tsc - time.tsc_timestamp;
-    if (time.tsc_shift < 0) {
-        delta >>= -time.tsc_shift;
-    } else {
-        delta <<= time.tsc_shift;
-    }
-
-    mulu64(&nsec_lo, &nsec_hi, delta, time.tsc_to_system_mul);
-    nsec = (nsec_lo >> 32) | (nsec_hi << 32);
-    return nsec + time.system_time;
-}
 
 static void kvmclock_vm_state_change(void *opaque, int running,
                                      RunState state)
@@ -87,15 +45,9 @@ static void kvmclock_vm_state_change(void *opaque, int running,
 
     if (running) {
         struct kvm_clock_data data;
-        uint64_t time_at_migration = kvmclock_current_nsec(s);
 
         s->clock_valid = false;
 
-	/* We can't rely on the migrated clock value, just discard it */
-	if (time_at_migration) {
-	        s->clock = time_at_migration;
-	}
-
         data.clock = s->clock;
         data.flags = 0;
         ret = kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, &data);
commit 108e4c3871e0d0cd185ccffef5e932961f92dd63
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Jul 15 21:45:42 2014 +0200

    Revert "kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation"
    
    This reverts commit 9b1786829aefb83f37a8f3135e3ea91c56001b56.
    
    This patch fixed a hang introduced by commit a096b3a (kvmclock: Ensure
    time in migration never goes backward, 2014-05-16), but it causes
    a regression in migration whose cause is not quite clear.
    
    Because of this, I'm choosing to revert both patches.  This trades a
    2.1 regression for a bug that's been there forever.
    
    Cc: agraf at suse.de
    Cc: mtosatti at redhat.com
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index 272a88a..feb5fc5 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -17,7 +17,6 @@
 #include "qemu/host-utils.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
-#include "sysemu/cpus.h"
 #include "hw/sysbus.h"
 #include "hw/kvm/clock.h"
 
@@ -66,7 +65,6 @@ static uint64_t kvmclock_current_nsec(KVMClockState *s)
 
     cpu_physical_memory_read(kvmclock_struct_pa, &time, sizeof(time));
 
-    assert(time.tsc_timestamp <= migration_tsc);
     delta = migration_tsc - time.tsc_timestamp;
     if (time.tsc_shift < 0) {
         delta >>= -time.tsc_shift;
@@ -125,8 +123,6 @@ static void kvmclock_vm_state_change(void *opaque, int running,
         if (s->clock_valid) {
             return;
         }
-
-        cpu_synchronize_all_states();
         ret = kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, &data);
         if (ret < 0) {
             fprintf(stderr, "KVM_GET_CLOCK failed: %s\n", strerror(ret));
commit bb2eb1892d36e5c9fa1695924434313e3acbb1c0
Author: Andreas Färber <afaerber at suse.de>
Date:   Tue Jul 15 16:04:26 2014 +0200

    module: Don't complain when a module is absent
    
    The current implementation depends on a configure-time generated list of
    block modules. When any of them is absent, module_load() emits a warning.
    
    This is suboptimal because extracting code to modules was mainly done to
    allow separate packaging of modules with intrusive dependencies. Absence
    of optional packages then leads to absence of modules and an error
    message, which users may recognize as new and report as error.
    
    Cc: Paolo Bonzini <pbonzini at redhat.com>
    Cc: Michael Tokarev <mjt at tls.msk.ru>
    Reviewed-by: Fam Zheng <famz at redhat.com>
    Signed-off-by: Andreas Färber <afaerber at suse.de>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/util/module.c b/util/module.c
index 9fd3030..4bd4a94 100644
--- a/util/module.c
+++ b/util/module.c
@@ -209,9 +209,6 @@ static void module_load(module_init_type type)
                 break;
             }
         }
-        if (ret == -ENOENT) {
-            fprintf(stderr, "Can't find module: %s\n", *mp);
-        }
     }
 
     for (i = 0; i < ARRAY_SIZE(dirs); i++) {
commit f9e13f8fd87710063f9fa0feaf7de0348b32612a
Author: Andreas Färber <afaerber at suse.de>
Date:   Tue Jul 15 16:04:25 2014 +0200

    module: Simplify module_load()
    
    The file path is not used for error reporting, so we can free it
    directly after use.
    
    Reviewed-by: Fam Zheng <famz at redhat.com>
    Signed-off-by: Andreas Färber <afaerber at suse.de>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/util/module.c b/util/module.c
index 214effb..9fd3030 100644
--- a/util/module.c
+++ b/util/module.c
@@ -202,18 +202,16 @@ static void module_load(module_init_type type)
         for (i = 0; i < ARRAY_SIZE(dirs); i++) {
             fname = g_strdup_printf("%s/%s%s", dirs[i], *mp, HOST_DSOSUF);
             ret = module_load_file(fname);
+            g_free(fname);
+            fname = NULL;
             /* Try loading until loaded a module file */
             if (!ret) {
                 break;
             }
-            g_free(fname);
-            fname = NULL;
         }
         if (ret == -ENOENT) {
             fprintf(stderr, "Can't find module: %s\n", *mp);
         }
-
-        g_free(fname);
     }
 
     for (i = 0; i < ARRAY_SIZE(dirs); i++) {
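Review bot: With the free moved directly after module_load_file(), the `fname = NULL;` store in the inner loop no longer guards anything visible in this hunk, because the trailing `g_free(fname)` it protected is removed. If nothing later in module_load() reads fname (the function continues outside the hunk), the assignment can go and the variable can be declared inside the loop body: `char *fname = g_strdup_printf("%s/%s%s", dirs[i], *mp, HOST_DSOSUF);`.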
commit f52b7687825ae7b998ce790cd6028ff760b20b4c
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Jul 15 14:57:06 2014 +0200

    qtest: new test for wdt_ib700
    
    Since the "pause" watchdog action had a regression and it went
    unnoticed for a while, let's add a test for it.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/tests/Makefile b/tests/Makefile
index 1fcd633..c4422ee 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -141,6 +141,8 @@ check-qtest-i386-y += tests/i440fx-test$(EXESUF)
 check-qtest-i386-y += tests/fw_cfg-test$(EXESUF)
 check-qtest-i386-y += tests/blockdev-test$(EXESUF)
 check-qtest-i386-y += tests/qdev-monitor-test$(EXESUF)
+check-qtest-i386-y += tests/wdt_ib700-test$(EXESUF)
+gcov-files-i386-y += hw/watchdog/watchdog.c hw/watchdog/wdt_ib700.c
 check-qtest-i386-y += $(check-qtest-pci-y)
 gcov-files-i386-y += $(gcov-files-pci-y)
 check-qtest-i386-y += tests/vmxnet3-test$(EXESUF)
@@ -311,6 +313,7 @@ tests/pcnet-test$(EXESUF): tests/pcnet-test.o
 tests/eepro100-test$(EXESUF): tests/eepro100-test.o
 tests/vmxnet3-test$(EXESUF): tests/vmxnet3-test.o
 tests/ne2000-test$(EXESUF): tests/ne2000-test.o
+tests/wdt_ib700-test$(EXESUF): tests/wdt_ib700-test.o
 tests/virtio-balloon-test$(EXESUF): tests/virtio-balloon-test.o
 tests/virtio-blk-test$(EXESUF): tests/virtio-blk-test.o
 tests/virtio-net-test$(EXESUF): tests/virtio-net-test.o
diff --git a/tests/wdt_ib700-test.c b/tests/wdt_ib700-test.c
new file mode 100644
index 0000000..513a533
--- /dev/null
+++ b/tests/wdt_ib700-test.c
@@ -0,0 +1,134 @@
+/*
+ * QTest testcase for the IB700 watchdog
+ *
+ * Copyright (c) 2014 Red Hat, Inc.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <glib.h>
+#include <string.h>
+#include "libqtest.h"
+#include "qemu/osdep.h"
+
+#define NS_PER_SEC 1000000000ULL
+
+static void qmp_check_no_event(void)
+{
+    QDict *resp = qmp("{'execute':'query-status'}");
+    g_assert(qdict_haskey(resp, "return"));
+    QDECREF(resp);
+}
+
+static QDict *qmp_get_event(const char *name)
+{
+    QDict *event = qmp("");
+    QDict *data;
+    g_assert(qdict_haskey(event, "event"));
+    g_assert(!strcmp(qdict_get_str(event, "event"), name));
+
+    if (qdict_haskey(event, "data")) {
+        data = qdict_get_qdict(event, "data");
+        QINCREF(data);
+    } else {
+        data = NULL;
+    }
+
+    QDECREF(event);
+    return data;
+}
+
+static QDict *ib700_program_and_wait(QTestState *s)
+{
+    clock_step(NS_PER_SEC * 40);
+    qmp_check_no_event();
+
+    /* 2 second limit */
+    outb(0x443, 14);
+
+    /* Ping */
+    clock_step(NS_PER_SEC);
+    qmp_check_no_event();
+    outb(0x443, 14);
+
+    /* Disable */
+    clock_step(NS_PER_SEC);
+    qmp_check_no_event();
+    outb(0x441, 1);
+    clock_step(3 * NS_PER_SEC);
+    qmp_check_no_event();
+
+    /* Enable and let it fire */
+    outb(0x443, 13);
+    clock_step(3 * NS_PER_SEC);
+    qmp_check_no_event();
+    clock_step(2 * NS_PER_SEC);
+    return qmp_get_event("WATCHDOG");
+}
+
+
+static void ib700_pause(void)
+{
+    QDict *d;
+    QTestState *s = qtest_start("-watchdog-action pause -device ib700");
+    qtest_irq_intercept_in(s, "ioapic");
+    d = ib700_program_and_wait(s);
+    g_assert(!strcmp(qdict_get_str(d, "action"), "pause"));
+    QDECREF(d);
+    d = qmp_get_event("STOP");
+    QDECREF(d);
+    qtest_end();
+}
+
+static void ib700_reset(void)
+{
+    QDict *d;
+    QTestState *s = qtest_start("-watchdog-action reset -device ib700");
+    qtest_irq_intercept_in(s, "ioapic");
+    d = ib700_program_and_wait(s);
+    g_assert(!strcmp(qdict_get_str(d, "action"), "reset"));
+    QDECREF(d);
+    d = qmp_get_event("RESET");
+    QDECREF(d);
+    qtest_end();
+}
+
+static void ib700_shutdown(void)
+{
+    QDict *d;
+    QTestState *s = qtest_start("-watchdog-action reset -no-reboot -device ib700");
+    qtest_irq_intercept_in(s, "ioapic");
+    d = ib700_program_and_wait(s);
+    g_assert(!strcmp(qdict_get_str(d, "action"), "reset"));
+    QDECREF(d);
+    d = qmp_get_event("SHUTDOWN");
+    QDECREF(d);
+    qtest_end();
+}
+
+static void ib700_none(void)
+{
+    QDict *d;
+    QTestState *s = qtest_start("-watchdog-action none -device ib700");
+    qtest_irq_intercept_in(s, "ioapic");
+    d = ib700_program_and_wait(s);
+    g_assert(!strcmp(qdict_get_str(d, "action"), "none"));
+    QDECREF(d);
+    qtest_end();
+}
+
+int main(int argc, char **argv)
+{
+    int ret;
+
+    g_test_init(&argc, &argv, NULL);
+    qtest_add_func("/wdt_ib700/pause", ib700_pause);
+    qtest_add_func("/wdt_ib700/reset", ib700_reset);
+    qtest_add_func("/wdt_ib700/shutdown", ib700_shutdown);
+    qtest_add_func("/wdt_ib700/none", ib700_none);
+
+    ret = g_test_run();
+
+    return ret;
+}
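Review bot: qmp_get_event() returns NULL when the event carries no "data" member, and every caller of ib700_program_and_wait() passes that result straight to `qdict_get_str(d, "action")`; a `g_assert(d);` before each lookup would make a missing payload fail as a clear assertion instead of depending on how qdict_get_str treats a NULL dict. The `QTestState *s` parameter of ib700_program_and_wait() is never used in its body, so it could be dropped, or the helper could carry a comment saying it acts on the current global qtest instance (presumably what the unqualified `outb`/`clock_step`/`qmp` calls do). The port writes would read more easily with named constants for 0x441 and 0x443 in place of the bare numbers.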
commit e0097ea371a647651f6c89c3091c4962fdde26fd
Merge: 4d121a5 8283c5c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jul 18 13:47:22 2014 +0100

    Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
    
    Block pull request
    
    # gpg: Signature made Fri 18 Jul 2014 13:39:43 BST using RSA key ID 81AB73C8
    # gpg: Good signature from "Stefan Hajnoczi <stefanha at redhat.com>"
    # gpg:                 aka "Stefan Hajnoczi <stefanha at gmail.com>"
    
    * remotes/stefanha/tags/block-pull-request:
      qemu-iotests: fix 028 failure due to disk image path
      raw-posix: Fail gracefully if no working alignment is found
      block: Add Error argument to bdrv_refresh_limits()
      qcow2: Fix error path for unknown incompatible features
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 8283c5c316333fb9d2540167f3e22bd91404ecee
Author: Stefan Hajnoczi <stefanha at redhat.com>
Date:   Thu Jul 17 19:09:39 2014 +0100

    qemu-iotests: fix 028 failure due to disk image path
    
    The disk image path is echoed by QEMU's readline when the "drive_backup
    disk ${TEST_IMG}.copy" HMP command is issued.  Unfortunately it is very
    hard to filter out the path due to readline's character-by-character
    output (with terminal escape sequences).  Just redirect this command to
    /dev/null for now.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
    Reviewed-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/tests/qemu-iotests/028 b/tests/qemu-iotests/028
index d5718c5..9e701e1 100755
--- a/tests/qemu-iotests/028
+++ b/tests/qemu-iotests/028
@@ -110,7 +110,9 @@ _launch_qemu -drive file="${TEST_IMG}",cache=${CACHEMODE},id=disk
 h=$QEMU_HANDLE
 QEMU_COMM_TIMEOUT=1
 
-_send_qemu_cmd $h "drive_backup disk ${TEST_IMG}.copy" "(qemu)"
+# Silence output since it contains the disk image path and QEMU's readline
+# character echoing makes it very hard to filter the output
+_send_qemu_cmd $h "drive_backup disk ${TEST_IMG}.copy" "(qemu)" >/dev/null
 qemu_cmd_repeat=20 _send_qemu_cmd $h "info block-jobs" "No active jobs"
 _send_qemu_cmd $h 'quit' ""
 
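Review bot: Redirecting the whole `_send_qemu_cmd` call to /dev/null also discards any error text the monitor prints for drive_backup, so a failed backup would only be noticed indirectly by later steps. The following `info block-jobs` wait matches "No active jobs", which would presumably also hold if the job never started. Comparing the copy with the source afterwards, if the test does not already do so outside this hunk, would keep such a failure visible.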
diff --git a/tests/qemu-iotests/028.out b/tests/qemu-iotests/028.out
index 38099e4..0e1a5ae 100644
--- a/tests/qemu-iotests/028.out
+++ b/tests/qemu-iotests/028.out
@@ -468,8 +468,6 @@ No errors were found on the image.
 
 block-backup
 
-QEMU X.Y.Z monitor - type 'help' for more information
-(qemu) ddrdridrivdrivedrive_drive_bdrive_badrive_bacdrive_backdrive_backudrive_backupdrive_backup drive_backup ddrive_backup didrive_backup disdrive_backup diskdrive_backup disk drive_backup disk /drive_backup disk /hdrive_backup disk /hodri
 ve_backup disk /homdrive_backup disk /homedrive_backup disk /home/drive_backup disk /home/kdrive_backup disk /home/kwdrive_backup disk /home/kwodrive_backup disk /home/kwoldrive_backup disk /home/kwolfdrive_backup disk /home/kwolf/drive_backup disk /home/kwolf/s
 drive_backup disk /home/kwolf/sodrive_backup disk /home/kwolf/soudrive_backup disk /home/kwolf/sourdrive_backup disk /home/kwolf/sourcdrive_backup disk /home/kwolf/sourcedrive_backup disk /home/kwolf/source/drive_backup disk /home/kwolf/source/q[
 Ddrive_backup disk /home/kwolf/source/qedrive_backup disk /home/kwolf/source/qemdrive_backup disk /home/kwolf/source/qemudrive_backup disk /home/kwolf/source/qemu/drive_backup disk /home/kwolf/source/qemu/tdrive_backup disk /home/kwolf/source/qemu/te
 drive_backup disk /home/kwolf/source/qemu/tesdrive_backup disk /home/kwolf/source/qemu/testdrive_backup disk /home/kwolf/source/qemu/testsdrive_backup disk /home/kwolf/source/qemu/tests/drive_backup disk /home/kwolf/source/qemu/tests/q
 drive_backup disk /home/kwolf/source/qemu/tests/qedrive_backup disk /home/kwolf/source/qemu/tests/qemdrive_backup disk /home/kwolf/source/qemu/tests/qemudrive_backup disk /home/kwolf/source/qemu/tests/qemu-drive_backup disk /home/kwolf/source/qemu/tests/qemu-i[
 Ddrive_backup disk /home/kwolf/source/qemu/tests/qemu-iodrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotdrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotedrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotes[
 Ddrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotestdrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotestsdrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/drive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/s
 [Ddrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/scdrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/scrdrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/scradrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/scrat[
 Ddrive_backup disk /home/kwolf/source/qemu/tests/qemu-iotests/scratcdrive_backup disk TEST_DIRdrive_backup disk TEST_DIR/drive_backup disk TEST_DIR/t[
 Ddrive_backup disk TEST_DIR/t.drive_backup disk TEST_DIR/t.qdrive_backup disk TEST_DIR/t.qcdrive_backup disk TEST_DIR/t.qco
 [Ddrive_backup disk TEST_DIR/t.qcowdrive_backup disk TEST_DIR/t.qcow2drive_backup disk TEST_DIR/t.qcow2.drive_backup disk TEST_DIR/t.qcow2.c[
 Ddrive_backup disk TEST_DIR/t.qcow2.codrive_backup disk TEST_DIR/t.qcow2.copdrive_backup disk TEST_DIR/t.qcow2.copy
 Formatting 'TEST_DIR/t.qcow2.copy', fmt=qcow2 size=4294968832 backing_file='TEST_DIR/t.qcow2.base' backing_fmt='qcow2' encryption=off cluster_size=65536 lazy_refcounts=off
 (qemu) iininfinfoinfo info binfo blinfo bloinfo blocinfo blockinfo block-info block-jinfo block-joinfo block-jobinfo block-jobs
 Type backup, device disk: Completed 0 of 4294968832 bytes, speed limit 0 bytes/s
commit df26a35025427f34c1d4e5a8e51152371a5e231e
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Jul 16 17:48:17 2014 +0200

    raw-posix: Fail gracefully if no working alignment is found
    
    If qemu couldn't find out what O_DIRECT alignment to use with a given
    file, it would run into assert(bdrv_opt_mem_align(bs) != 0); in block.c
    and confuse users. This adds a more descriptive error message for such
    cases.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Eric Blake <eblake at redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/block/raw-posix.c b/block/raw-posix.c
index ef497b2..8e9758e 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -221,7 +221,7 @@ static int raw_normalize_devicepath(const char **filename)
 }
 #endif
 
-static void raw_probe_alignment(BlockDriverState *bs)
+static void raw_probe_alignment(BlockDriverState *bs, int fd, Error **errp)
 {
     BDRVRawState *s = bs->opaque;
     char *buf;
@@ -240,24 +240,24 @@ static void raw_probe_alignment(BlockDriverState *bs)
     s->buf_align = 0;
 
 #ifdef BLKSSZGET
-    if (ioctl(s->fd, BLKSSZGET, &sector_size) >= 0) {
+    if (ioctl(fd, BLKSSZGET, &sector_size) >= 0) {
         bs->request_alignment = sector_size;
     }
 #endif
 #ifdef DKIOCGETBLOCKSIZE
-    if (ioctl(s->fd, DKIOCGETBLOCKSIZE, &sector_size) >= 0) {
+    if (ioctl(fd, DKIOCGETBLOCKSIZE, &sector_size) >= 0) {
         bs->request_alignment = sector_size;
     }
 #endif
 #ifdef DIOCGSECTORSIZE
-    if (ioctl(s->fd, DIOCGSECTORSIZE, &sector_size) >= 0) {
+    if (ioctl(fd, DIOCGSECTORSIZE, &sector_size) >= 0) {
         bs->request_alignment = sector_size;
     }
 #endif
 #ifdef CONFIG_XFS
     if (s->is_xfs) {
         struct dioattr da;
-        if (xfsctl(NULL, s->fd, XFS_IOC_DIOINFO, &da) >= 0) {
+        if (xfsctl(NULL, fd, XFS_IOC_DIOINFO, &da) >= 0) {
             bs->request_alignment = da.d_miniosz;
             /* The kernel returns wrong information for d_mem */
             /* s->buf_align = da.d_mem; */
@@ -270,7 +270,7 @@ static void raw_probe_alignment(BlockDriverState *bs)
         size_t align;
         buf = qemu_memalign(MAX_BLOCKSIZE, 2 * MAX_BLOCKSIZE);
         for (align = 512; align <= MAX_BLOCKSIZE; align <<= 1) {
-            if (pread(s->fd, buf + align, MAX_BLOCKSIZE, 0) >= 0) {
+            if (pread(fd, buf + align, MAX_BLOCKSIZE, 0) >= 0) {
                 s->buf_align = align;
                 break;
             }
@@ -282,13 +282,18 @@ static void raw_probe_alignment(BlockDriverState *bs)
         size_t align;
         buf = qemu_memalign(s->buf_align, MAX_BLOCKSIZE);
         for (align = 512; align <= MAX_BLOCKSIZE; align <<= 1) {
-            if (pread(s->fd, buf, align, 0) >= 0) {
+            if (pread(fd, buf, align, 0) >= 0) {
                 bs->request_alignment = align;
                 break;
             }
         }
         qemu_vfree(buf);
     }
+
+    if (!s->buf_align || !bs->request_alignment) {
+        error_setg(errp, "Could not find working O_DIRECT alignment. "
+                         "Try cache.direct=off.");
+    }
 }
 
 static void raw_parse_flags(int bdrv_flags, int *open_flags)
@@ -505,6 +510,7 @@ static int raw_reopen_prepare(BDRVReopenState *state,
     BDRVRawState *s;
     BDRVRawReopenState *raw_s;
     int ret = 0;
+    Error *local_err = NULL;
 
     assert(state != NULL);
     assert(state->bs != NULL);
@@ -577,6 +583,19 @@ static int raw_reopen_prepare(BDRVReopenState *state,
             ret = -1;
         }
     }
+
+    /* Fail already reopen_prepare() if we can't get a working O_DIRECT
+     * alignment with the new fd. */
+    if (raw_s->fd != -1) {
+        raw_probe_alignment(state->bs, raw_s->fd, &local_err);
+        if (local_err) {
+            qemu_close(raw_s->fd);
+            raw_s->fd = -1;
+            error_propagate(errp, local_err);
+            ret = -EINVAL;
+        }
+    }
+
     return ret;
 }
 
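Review bot: The new probe in raw_reopen_prepare() is called with `state->bs`, so raw_probe_alignment() rewrites the live `s->buf_align` and `bs->request_alignment` while the old fd is still in use (it resets `s->buf_align = 0` first, as the earlier hunk shows). If the probe fails, or the reopen is aborted afterwards, the device appears to keep alignment values that were measured for, or zeroed because of, a descriptor it never switched to. Consider saving `s->buf_align` and `bs->request_alignment` before the call and writing them back inside `if (local_err)`, or probing into temporaries and storing them only at commit time. raw_reopen_prepare() begins outside this hunk, so its earlier error paths are not visible here.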
@@ -619,7 +638,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     BDRVRawState *s = bs->opaque;
 
-    raw_probe_alignment(bs);
+    raw_probe_alignment(bs, s->fd, errp);
     bs->bl.opt_mem_alignment = s->buf_align;
 }
 
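Review bot: `bs->bl.opt_mem_alignment = s->buf_align;` still runs after raw_probe_alignment() has reported an error, and in that case `s->buf_align` may be 0. Because `errp` is handed straight through, the function cannot tell that the probe failed, least of all when a caller passes NULL. Collect the error in a local `Error *` and return before the assignment, as sketched below. Whether the default left in `bs->bl` by the generic code is then acceptable is not visible from this hunk.

```c
    BDRVRawState *s = bs->opaque;
    Error *local_err = NULL;

    raw_probe_alignment(bs, s->fd, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        return;
    }
    bs->bl.opt_mem_alignment = s->buf_align;
```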
commit 3baca891391afba154e250f5a108c6bab6c92cf9
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Jul 16 17:48:16 2014 +0200

    block: Add Error argument to bdrv_refresh_limits()
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Eric Blake <eblake at redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/block.c b/block.c
index 3e252a2..8cf519b 100644
--- a/block.c
+++ b/block.c
@@ -508,19 +508,24 @@ int bdrv_create_file(const char *filename, QemuOpts *opts, Error **errp)
     return ret;
 }
 
-int bdrv_refresh_limits(BlockDriverState *bs)
+void bdrv_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     BlockDriver *drv = bs->drv;
+    Error *local_err = NULL;
 
     memset(&bs->bl, 0, sizeof(bs->bl));
 
     if (!drv) {
-        return 0;
+        return;
     }
 
     /* Take some limits from the children as a default */
     if (bs->file) {
-        bdrv_refresh_limits(bs->file);
+        bdrv_refresh_limits(bs->file, &local_err);
+        if (local_err) {
+            error_propagate(errp, local_err);
+            return;
+        }
         bs->bl.opt_transfer_length = bs->file->bl.opt_transfer_length;
         bs->bl.opt_mem_alignment = bs->file->bl.opt_mem_alignment;
     } else {
@@ -528,7 +533,11 @@ int bdrv_refresh_limits(BlockDriverState *bs)
     }
 
     if (bs->backing_hd) {
-        bdrv_refresh_limits(bs->backing_hd);
+        bdrv_refresh_limits(bs->backing_hd, &local_err);
+        if (local_err) {
+            error_propagate(errp, local_err);
+            return;
+        }
         bs->bl.opt_transfer_length =
             MAX(bs->bl.opt_transfer_length,
                 bs->backing_hd->bl.opt_transfer_length);
@@ -539,10 +548,8 @@ int bdrv_refresh_limits(BlockDriverState *bs)
 
     /* Then let the driver override it */
     if (drv->bdrv_refresh_limits) {
-        return drv->bdrv_refresh_limits(bs);
+        drv->bdrv_refresh_limits(bs, errp);
     }
-
-    return 0;
 }
 
 /*
@@ -993,7 +1000,13 @@ static int bdrv_open_common(BlockDriverState *bs, BlockDriverState *file,
         goto free_and_fail;
     }
 
-    bdrv_refresh_limits(bs);
+    bdrv_refresh_limits(bs, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        ret = -EINVAL;
+        goto free_and_fail;
+    }
+
     assert(bdrv_opt_mem_align(bs) != 0);
     assert((bs->request_alignment != 0) || bs->sg);
     return 0;
@@ -1154,7 +1167,7 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd)
     bdrv_op_unblock(bs->backing_hd, BLOCK_OP_TYPE_COMMIT,
                     bs->backing_blocker);
 out:
-    bdrv_refresh_limits(bs);
+    bdrv_refresh_limits(bs, NULL);
 }
 
 /*
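Review bot: `bdrv_refresh_limits(bs, NULL)` discards the failure that the new `Error **` argument was added to report. The same is done in the bdrv_reopen_commit() hunk below and in close_unused_images() in block/stream.c. bdrv_refresh_limits() begins with `memset(&bs->bl, 0, sizeof(bs->bl))` and now returns early when a child fails, so an ignored error leaves the node with zeroed limits, including `opt_mem_alignment`. Either collect the error and report it, or record at each site why it can be ignored, e.g. `/* FIXME: error ignored; bs->bl stays zeroed if a child fails */`. bdrv_set_backing_hd() begins outside this hunk.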
@@ -1778,7 +1791,7 @@ void bdrv_reopen_commit(BDRVReopenState *reopen_state)
                                               BDRV_O_CACHE_WB);
     reopen_state->bs->read_only = !(reopen_state->flags & BDRV_O_RDWR);
 
-    bdrv_refresh_limits(reopen_state->bs);
+    bdrv_refresh_limits(reopen_state->bs, NULL);
 }
 
 /*
diff --git a/block/iscsi.c b/block/iscsi.c
index f3e83e2..a7bb697 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -1450,7 +1450,7 @@ static void iscsi_close(BlockDriverState *bs)
     memset(iscsilun, 0, sizeof(IscsiLun));
 }
 
-static int iscsi_refresh_limits(BlockDriverState *bs)
+static void iscsi_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     IscsiLun *iscsilun = bs->opaque;
 
@@ -1475,7 +1475,6 @@ static int iscsi_refresh_limits(BlockDriverState *bs)
     }
     bs->bl.opt_transfer_length = sector_lun2qemu(iscsilun->bl.opt_xfer_len,
                                                  iscsilun);
-    return 0;
 }
 
 /* Since iscsi_open() ignores bdrv_flags, there is nothing to do here in
diff --git a/block/qcow2.c b/block/qcow2.c
index e1631d5..1e3ab6b 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -866,13 +866,11 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     return ret;
 }
 
-static int qcow2_refresh_limits(BlockDriverState *bs)
+static void qcow2_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     BDRVQcowState *s = bs->opaque;
 
     bs->bl.write_zeroes_alignment = s->cluster_sectors;
-
-    return 0;
 }
 
 static int qcow2_set_key(BlockDriverState *bs, const char *key)
diff --git a/block/qed.c b/block/qed.c
index cd4872b..7944832 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -528,13 +528,11 @@ out:
     return ret;
 }
 
-static int bdrv_qed_refresh_limits(BlockDriverState *bs)
+static void bdrv_qed_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     BDRVQEDState *s = bs->opaque;
 
     bs->bl.write_zeroes_alignment = s->header.cluster_size >> BDRV_SECTOR_BITS;
-
-    return 0;
 }
 
 /* We have nothing to do for QED reopen, stubs just return
diff --git a/block/raw-posix.c b/block/raw-posix.c
index 2bcc73d..ef497b2 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -615,14 +615,12 @@ static void raw_reopen_abort(BDRVReopenState *state)
     state->opaque = NULL;
 }
 
-static int raw_refresh_limits(BlockDriverState *bs)
+static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     BDRVRawState *s = bs->opaque;
 
     raw_probe_alignment(bs);
     bs->bl.opt_mem_alignment = s->buf_align;
-
-    return 0;
 }
 
 static ssize_t handle_aiocb_ioctl(RawPosixAIOData *aiocb)
diff --git a/block/raw_bsd.c b/block/raw_bsd.c
index 492f58d..f82f4c2 100644
--- a/block/raw_bsd.c
+++ b/block/raw_bsd.c
@@ -94,10 +94,9 @@ static int raw_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
     return bdrv_get_info(bs->file, bdi);
 }
 
-static int raw_refresh_limits(BlockDriverState *bs)
+static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     bs->bl = bs->file->bl;
-    return 0;
 }
 
 static int raw_truncate(BlockDriverState *bs, int64_t offset)
diff --git a/block/stream.c b/block/stream.c
index 34de8ba..cdea3e8 100644
--- a/block/stream.c
+++ b/block/stream.c
@@ -76,7 +76,7 @@ static void close_unused_images(BlockDriverState *top, BlockDriverState *base,
         bdrv_unref(unused);
     }
 
-    bdrv_refresh_limits(top);
+    bdrv_refresh_limits(top, NULL);
 }
 
 static void coroutine_fn stream_run(void *opaque)
diff --git a/block/vmdk.c b/block/vmdk.c
index 27a78da..0517bba 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -938,7 +938,7 @@ fail:
 }
 
 
-static int vmdk_refresh_limits(BlockDriverState *bs)
+static void vmdk_refresh_limits(BlockDriverState *bs, Error **errp)
 {
     BDRVVmdkState *s = bs->opaque;
     int i;
@@ -950,8 +950,6 @@ static int vmdk_refresh_limits(BlockDriverState *bs)
                     s->extents[i].cluster_sectors);
         }
     }
-
-    return 0;
 }
 
 static int get_whole_cluster(BlockDriverState *bs,
diff --git a/include/block/block.h b/include/block/block.h
index 32d3676..f08471d 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -278,7 +278,7 @@ int bdrv_truncate(BlockDriverState *bs, int64_t offset);
 int64_t bdrv_getlength(BlockDriverState *bs);
 int64_t bdrv_get_allocated_file_size(BlockDriverState *bs);
 void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr);
-int bdrv_refresh_limits(BlockDriverState *bs);
+void bdrv_refresh_limits(BlockDriverState *bs, Error **errp);
 int bdrv_commit(BlockDriverState *bs);
 int bdrv_commit_all(void);
 int bdrv_change_backing_file(BlockDriverState *bs,
diff --git a/include/block/block_int.h b/include/block/block_int.h
index f6c3bef..7b541a0 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -240,7 +240,7 @@ struct BlockDriver {
     int (*bdrv_debug_resume)(BlockDriverState *bs, const char *tag);
     bool (*bdrv_debug_is_suspended)(BlockDriverState *bs, const char *tag);
 
-    int (*bdrv_refresh_limits)(BlockDriverState *bs);
+    void (*bdrv_refresh_limits)(BlockDriverState *bs, Error **errp);
 
     /*
      * Returns 1 if newly created images are guaranteed to contain only
commit 12ac6d3db721a288c8953c5c253230aa0949a0e1
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Jul 17 11:41:53 2014 +0200

    qcow2: Fix error path for unknown incompatible features
    
    qcow2's report_unsupported_feature() had two bugs: A 32 bit truncation
    would prevent feature table entries for bits 32-63 from being used, and
    it could assign errp multiple times if there was more than one unknown
    feature, resulting in an error_set() assertion failure.
    
    Fix the truncation, make sure to set the error exactly once and add a
    qemu-iotests case for it.
    
    This fixes https://bugs.launchpad.net/qemu/+bug/1342704/
    
    Reported-by: Maria Kustova <maria.k at catit.be>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Eric Blake <eblake at redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index b0faa69..e1631d5 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -210,20 +210,31 @@ static void GCC_FMT_ATTR(3, 4) report_unsupported(BlockDriverState *bs,
 static void report_unsupported_feature(BlockDriverState *bs,
     Error **errp, Qcow2Feature *table, uint64_t mask)
 {
+    char *features = g_strdup("");
+    char *old;
+
     while (table && table->name[0] != '\0') {
         if (table->type == QCOW2_FEAT_TYPE_INCOMPATIBLE) {
-            if (mask & (1 << table->bit)) {
-                report_unsupported(bs, errp, "%.46s", table->name);
-                mask &= ~(1 << table->bit);
+            if (mask & (1ULL << table->bit)) {
+                old = features;
+                features = g_strdup_printf("%s%s%.46s", old, *old ? ", " : "",
+                                           table->name);
+                g_free(old);
+                mask &= ~(1ULL << table->bit);
             }
         }
         table++;
     }
 
     if (mask) {
-        report_unsupported(bs, errp, "Unknown incompatible feature: %" PRIx64,
-                           mask);
+        old = features;
+        features = g_strdup_printf("%s%sUnknown incompatible feature: %" PRIx64,
+                                   old, *old ? ", " : "", mask);
+        g_free(old);
     }
+
+    report_unsupported(bs, errp, "%s", features);
+    g_free(features);
 }
 
 /*
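Review bot: `1ULL << table->bit` fixes the 32-bit truncation, but the shift is still undefined when `table->bit` is 64 or larger. The feature table appears to come from the image itself (the new iotest 036 injects it with `add-header-ext-stdio`), so for an untrusted image that value is controlled by whoever produced the file. Bound it before shifting, e.g. `if (table->bit < 64 && (mask & (1ULL << table->bit))) {`, so that an out-of-range entry is skipped.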
diff --git a/tests/qemu-iotests/036 b/tests/qemu-iotests/036
index a773653..392f1ef 100755
--- a/tests/qemu-iotests/036
+++ b/tests/qemu-iotests/036
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Test that qcow2 unknown autoclear feature bits are cleared
+# Test qcow2 feature bits
 #
 # Copyright (C) 2011 Red Hat, Inc.
 # Copyright IBM, Corp. 2010
@@ -50,6 +50,56 @@ _supported_os Linux
 # Only qcow2v3 and later supports feature bits
 IMGOPTS="compat=1.1"
 
+echo
+echo === Image with unknown incompatible feature bit ===
+echo
+_make_test_img 64M
+$PYTHON qcow2.py "$TEST_IMG" set-feature-bit incompatible 63
+
+# Without feature table
+$PYTHON qcow2.py "$TEST_IMG" dump-header
+_img_info
+
+# With feature table containing bit 63
+printf "\x00\x3f%s" "Test feature" | $PYTHON qcow2.py "$TEST_IMG" add-header-ext-stdio 0x6803f857
+_img_info
+
+echo
+echo === Image with multiple incompatible feature bits ===
+echo
+_make_test_img 64M
+$PYTHON qcow2.py "$TEST_IMG" set-feature-bit incompatible 61
+$PYTHON qcow2.py "$TEST_IMG" set-feature-bit incompatible 62
+$PYTHON qcow2.py "$TEST_IMG" set-feature-bit incompatible 63
+
+# Without feature table
+_img_info
+
+# With feature table containing bit 63
+printf "\x00\x3f%s" "Test feature" | $PYTHON qcow2.py "$TEST_IMG" add-header-ext-stdio 0x6803f857
+_img_info
+
+# With feature table containing bit 61
+$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0x6803f857
+printf "\x00\x3d%s" "Test feature" | $PYTHON qcow2.py "$TEST_IMG" add-header-ext-stdio 0x6803f857
+_img_info
+
+# With feature table containing bits 61 and 62
+$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0x6803f857
+printf "\x00\x3d%s\x00%40s\x00\x3e%s\x00%40s" "test1" "" "test2" "" | $PYTHON qcow2.py "$TEST_IMG" add-header-ext-stdio 0x6803f857
+_img_info
+
+# With feature table containing all bits
+$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0x6803f857
+printf "\x00\x3d%s\x00%40s\x00\x3e%s\x00%40s\x00\x3f%s\x00%40s" "test1" "" "test2" "" "test3" "" | $PYTHON qcow2.py "$TEST_IMG" add-header-ext-stdio 0x6803f857
+_img_info
+
+# With feature table containing unrelated bits, including compatible/autoclear
+$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0x6803f857
+printf "\x01\x3d%s\x00%40s\x00\x3e%s\x00%40s\x02\x3f%s\x00%40s\x00\x3c%s\x00%40s" "test1" "" "test2" "" "test3" "" "test4" "" | $PYTHON qcow2.py "$TEST_IMG" add-header-ext-stdio 0x6803f857
+_img_info
+
+
 echo === Create image with unknown autoclear feature bit ===
 echo
 _make_test_img 64M
diff --git a/tests/qemu-iotests/036.out b/tests/qemu-iotests/036.out
index 55a3e6e..720bd89 100644
--- a/tests/qemu-iotests/036.out
+++ b/tests/qemu-iotests/036.out
@@ -1,4 +1,39 @@
 QA output created by 036
+
+=== Image with unknown incompatible feature bit ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+magic                     0x514649fb
+version                   3
+backing_file_offset       0x0
+backing_file_size         0x0
+cluster_bits              16
+size                      67108864
+crypt_method              0
+l1_size                   1
+l1_table_offset           0x30000
+refcount_table_offset     0x10000
+refcount_table_clusters   1
+nb_snapshots              0
+snapshot_offset           0x0
+incompatible_features     0x8000000000000000
+compatible_features       0x0
+autoclear_features        0x0
+refcount_order            4
+header_length             104
+
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: Unknown incompatible feature: 8000000000000000
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: Test feature
+
+=== Image with multiple incompatible feature bits ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: Unknown incompatible feature: e000000000000000
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: Test feature, Unknown incompatible feature: 6000000000000000
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: Test feature, Unknown incompatible feature: c000000000000000
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: test1, test2, Unknown incompatible feature: 8000000000000000
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: test1, test2, test3
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'image' uses a IMGFMT feature which is not supported by this qemu version: test2, Unknown incompatible feature: a000000000000000
 === Create image with unknown autoclear feature bit ===
 
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
diff --git a/tests/qemu-iotests/qcow2.py b/tests/qemu-iotests/qcow2.py
index 44a2b45..2058596 100755
--- a/tests/qemu-iotests/qcow2.py
+++ b/tests/qemu-iotests/qcow2.py
@@ -176,6 +176,10 @@ def cmd_add_header_ext(fd, magic, data):
     h.extensions.append(QcowHeaderExtension.create(magic, data))
     h.update(fd)
 
+def cmd_add_header_ext_stdio(fd, magic):
+    data = sys.stdin.read()
+    cmd_add_header_ext(fd, magic, data)
+
 def cmd_del_header_ext(fd, magic):
     try:
         magic = int(magic, 0)
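Review bot: `cmd_add_header_ext_stdio` reads the extension payload with `sys.stdin.read()`, which hands back raw bytes only where stdin is a byte stream (Python 2). Under Python 3 it returns `str`, so the binary feature-table data the tests pipe in would go through text decoding. If the script is meant to run under both, `data = getattr(sys.stdin, 'buffer', sys.stdin).read()` keeps the payload as bytes. A one-line docstring such as `"""Add a header extension whose data is read from stdin."""` would match the help text added to `cmds`.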
@@ -220,11 +224,12 @@ def cmd_set_feature_bit(fd, group, bit):
     h.update(fd)
 
 cmds = [
-    [ 'dump-header',    cmd_dump_header,    0, 'Dump image header and header extensions' ],
-    [ 'set-header',     cmd_set_header,     2, 'Set a field in the header'],
-    [ 'add-header-ext', cmd_add_header_ext, 2, 'Add a header extension' ],
-    [ 'del-header-ext', cmd_del_header_ext, 1, 'Delete a header extension' ],
-    [ 'set-feature-bit', cmd_set_feature_bit, 2, 'Set a feature bit'],
+    [ 'dump-header',          cmd_dump_header,          0, 'Dump image header and header extensions' ],
+    [ 'set-header',           cmd_set_header,           2, 'Set a field in the header'],
+    [ 'add-header-ext',       cmd_add_header_ext,       2, 'Add a header extension' ],
+    [ 'add-header-ext-stdio', cmd_add_header_ext_stdio, 1, 'Add a header extension, data from stdin' ],
+    [ 'del-header-ext',       cmd_del_header_ext,       1, 'Delete a header extension' ],
+    [ 'set-feature-bit',      cmd_set_feature_bit,      2, 'Set a feature bit'],
 ]
 
 def main(filename, cmd, args):
commit 4d121a549869b93475ccf8b9a0d3e693011d1abb
Merge: 5734d03 cd98639
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jul 18 09:35:51 2014 +0100

    Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
    
    pc,vhost,test fixes
    
    Minor bugfixes all over the place.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    
    # gpg: Signature made Fri 18 Jul 2014 00:43:04 BST using RSA key ID D28D5469
    # gpg: Good signature from "Michael S. Tsirkin <mst at kernel.org>"
    # gpg:                 aka "Michael S. Tsirkin <mst at redhat.com>"
    
    * remotes/mst/tags/for_upstream:
      vhost-user: minor cleanups
      qtest: Adapt vhost-user-test to latest vhost-user changes
      vhost-user: Fix VHOST_SET_MEM_TABLE processing
      qtest: fix vhost-user-test compilation with old GLib
      fix typo: apci -> acpi
      pc_piix: Reuse pc_compat_1_2() for pc-0.1[0123]
      pc: fix qemu exiting with error when -m X < 128 with old machines types
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit cd98639f673d92836b6b5fd60279b411748f2f1e
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Fri Jul 18 02:22:24 2014 +0300

    vhost-user: minor cleanups
    
    assert to verify cast does not discard information
    minor style fixup.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 3d23218..4e88d9c 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -217,7 +217,9 @@ static int vhost_user_call(struct vhost_dev *dev, unsigned long int request,
         for (i = 0; i < dev->mem->nregions; ++i) {
             struct vhost_memory_region *reg = dev->mem->regions + i;
             ram_addr_t ram_addr;
-            qemu_ram_addr_from_host((void *)reg->userspace_addr, &ram_addr);
+
+            assert((uintptr_t)reg->userspace_addr == reg->userspace_addr);
+            qemu_ram_addr_from_host((void *)(uintptr_t)reg->userspace_addr, &ram_addr);
             fd = qemu_get_ram_fd(ram_addr);
             if (fd > 0) {
                 msg.memory.regions[fd_num].userspace_addr = reg->userspace_addr;
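Review bot: The return value of `qemu_ram_addr_from_host()` is ignored, so if the lookup fails for a region, `ram_addr` is passed to `qemu_get_ram_fd()` uninitialised. The new assert only covers the pointer-width cast. Check the result before using `ram_addr`, e.g. `if (!qemu_ram_addr_from_host((void *)(uintptr_t)reg->userspace_addr, &ram_addr)) { continue; }`, or fail the call if a missing region should be fatal. The same unchecked call is introduced by the VHOST_SET_MEM_TABLE hunk in the following commit on this page. vhost_user_call() starts and ends outside both hunks.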
commit d6970e3b004a5b339abfe8adb0d70585dc8b7d6d
Author: Nikolay Nikolaev <n.nikolaev at virtualopensystems.com>
Date:   Sat Jul 12 04:43:19 2014 +0300

    qtest: Adapt vhost-user-test to latest vhost-user changes
    
    A new field mmap_offset was added in the vhost-user message, we need to reflect
    this change in the test too.
    
    Signed-off-by: Nikolay Nikolaev <n.nikolaev at virtualopensystems.com>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/tests/vhost-user-test.c b/tests/vhost-user-test.c
index 406ba70..75fedf0 100644
--- a/tests/vhost-user-test.c
+++ b/tests/vhost-user-test.c
@@ -76,6 +76,7 @@ typedef struct VhostUserMemoryRegion {
     uint64_t guest_phys_addr;
     uint64_t memory_size;
     uint64_t userspace_addr;
+    uint64_t mmap_offset;
 } VhostUserMemoryRegion;
 
 typedef struct VhostUserMemory {
@@ -205,6 +206,7 @@ static void read_guest_mem(void)
     uint32_t *guest_mem;
     gint64 end_time;
     int i, j;
+    size_t size;
 
     g_mutex_lock(data_mutex);
 
@@ -231,8 +233,13 @@ static void read_guest_mem(void)
 
         g_assert_cmpint(memory.regions[i].memory_size, >, 1024);
 
-        guest_mem = mmap(0, memory.regions[i].memory_size,
-        PROT_READ | PROT_WRITE, MAP_SHARED, fds[i], 0);
+        size =  memory.regions[i].memory_size + memory.regions[i].mmap_offset;
+
+        guest_mem = mmap(0, size, PROT_READ | PROT_WRITE,
+                         MAP_SHARED, fds[i], 0);
+
+        g_assert(guest_mem != MAP_FAILED);
+        guest_mem += (memory.regions[i].mmap_offset / sizeof(*guest_mem));
 
         for (j = 0; j < 256; j++) {
             uint32_t a = readl(memory.regions[i].guest_phys_addr + j*4);
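Review bot: `size` is a `size_t` but receives the sum of two `uint64_t` fields from the received memory table, so the addition can wrap, or truncate on a 32-bit host, before it reaches `mmap()`. The later `guest_mem += mmap_offset / sizeof(*guest_mem)` would then step outside the mapping. The peer here is QEMU under test, but an assertion turns a protocol bug into a clean failure instead of a wild read: `g_assert(size >= memory.regions[i].mmap_offset);` catches the wrap where `size_t` is 64 bits wide. read_guest_mem() continues outside this hunk, so whether the mapping is released is not visible here.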
commit f69a28051f856e906bd9c2f9f27b3106a47e18f6
Author: Nikolay Nikolaev <n.nikolaev at virtualopensystems.com>
Date:   Sat Jul 12 04:42:35 2014 +0300

    vhost-user: Fix VHOST_SET_MEM_TABLE processing
    
    qemu_get_ram_fd doesn't accept a guest physical address. ram_addr_t are
    opaque values that are assigned in qemu_ram_alloc.
    
    Find the ram_addr_t corresponding to the userspace_addr using qemu_ram_addr_from_host,
    and then call qemu_get_ram_fd on it.
    
    Thanks to Paolo Bonzini <pbonzini at redhat.com>
    
    Signed-off-by: Nikolay Nikolaev <n.nikolaev at virtualopensystems.com>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 38e5806..3d23218 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -216,7 +216,9 @@ static int vhost_user_call(struct vhost_dev *dev, unsigned long int request,
     case VHOST_SET_MEM_TABLE:
         for (i = 0; i < dev->mem->nregions; ++i) {
             struct vhost_memory_region *reg = dev->mem->regions + i;
-            fd = qemu_get_ram_fd(reg->guest_phys_addr);
+            ram_addr_t ram_addr;
+            qemu_ram_addr_from_host((void *)reg->userspace_addr, &ram_addr);
+            fd = qemu_get_ram_fd(ram_addr);
             if (fd > 0) {
                 msg.memory.regions[fd_num].userspace_addr = reg->userspace_addr;
                 msg.memory.regions[fd_num].memory_size  = reg->memory_size;
commit 5734d031aa2fdb442410ca958ca5382d54fd71ff
Author: Igor Mammedov <imammedo at redhat.com>
Date:   Tue Jul 8 15:29:46 2014 +0200

    pc: fix qemu exiting with error when -m X < 128 with old machine types
    
    If machine doesn't support memory hotplug then starting QEMU
    with initial memory less than default will make QEMU exit with
    following error message:
    
    $QEMU -m 16  -M isapc
    qemu-system-i386: "-memory 'slots|maxmem'" is not supported by: isapc
    
    Setting maxram_size to the initial memory value before parsing
    the 'maxmem' option keeps maxmem in sync with the initial
    memory size if no maxmem option was specified.
    
    Signed-off-by: Igor Mammedov <imammedo at redhat.com>
    CC: Bruce Rogers <brogers at suse.com>
    Reviewed-By: Bruce Rogers <brogers at suse.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/vl.c b/vl.c
index 6e084c2..6abedcf 100644
--- a/vl.c
+++ b/vl.c
@@ -3315,6 +3315,7 @@ int main(int argc, char **argv, char **envp)
                     error_report("ram size too large");
                     exit(EXIT_FAILURE);
                 }
+                maxram_size = ram_size;
 
                 maxmem_str = qemu_opt_get(opts, "maxmem");
                 slots_str = qemu_opt_get(opts, "slots");
commit af52fe862fba686713044efdf9158195f84535ab
Author: KONRAD Frederic <fred.konrad at greensocs.com>
Date:   Tue Jul 15 17:18:44 2014 +0200

    cadence_uart: check for serial backend before using it.
    
    This checks that s->chr is not NULL before using it.
    
    Signed-off-by: KONRAD Frederic <fred.konrad at greensocs.com>
    Reviewed-by: Peter Crosthwaite <peter.crosthwaite at xilinx.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index dbbc167..a5736cb 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -175,8 +175,10 @@ static void uart_send_breaks(UartState *s)
 {
     int break_enabled = 1;
 
-    qemu_chr_fe_ioctl(s->chr, CHR_IOCTL_SERIAL_SET_BREAK,
-                               &break_enabled);
+    if (s->chr) {
+        qemu_chr_fe_ioctl(s->chr, CHR_IOCTL_SERIAL_SET_BREAK,
+                                   &break_enabled);
+    }
 }
 
 static void uart_parameters_setup(UartState *s)
@@ -227,7 +229,9 @@ static void uart_parameters_setup(UartState *s)
 
     packet_size += ssp.data_bits + ssp.stop_bits;
     s->char_tx_time = (get_ticks_per_sec() / ssp.speed) * packet_size;
-    qemu_chr_fe_ioctl(s->chr, CHR_IOCTL_SERIAL_SET_PARAMS, &ssp);
+    if (s->chr) {
+        qemu_chr_fe_ioctl(s->chr, CHR_IOCTL_SERIAL_SET_PARAMS, &ssp);
+    }
 }
 
 static int uart_can_receive(void *opaque)
@@ -295,6 +299,7 @@ static gboolean cadence_uart_xmit(GIOChannel *chan, GIOCondition cond,
     /* instant drain the fifo when there's no back-end */
     if (!s->chr) {
         s->tx_count = 0;
+        return FALSE;
     }
 
     if (!s->tx_count) {
@@ -375,7 +380,9 @@ static void uart_read_rx_fifo(UartState *s, uint32_t *c)
         *c = s->rx_fifo[rx_rpos];
         s->rx_count--;
 
-        qemu_chr_accept_input(s->chr);
+        if (s->chr) {
+            qemu_chr_accept_input(s->chr);
+        }
     } else {
         *c = 0;
     }
commit 231f6927c813d2e4f49e5aeb20ebd236b391bce8
Merge: 104369c 79fe16c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jul 17 12:17:28 2014 +0100

    Merge remote-tracking branch 'remotes/amit-migration/for-2.1' into staging
    
    * remotes/amit-migration/for-2.1:
      vmstate static checker: detect section renames
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 104369c8c7c116e7656ee6344d66ac872fd86143
Merge: 5a73480 57d84cf
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jul 17 11:18:51 2014 +0100

    Merge remote-tracking branch 'remotes/amit/for-2.1' into staging
    
    * remotes/amit/for-2.1:
      virtio-serial-bus: keep port 0 reserved for virtconsole even on unplug
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 57d84cf35302fe51789c18354bf09a521bb603df
Author: Amit Shah <amit.shah at redhat.com>
Date:   Mon Jul 14 16:51:56 2014 +0530

    virtio-serial-bus: keep port 0 reserved for virtconsole even on unplug
    
    We keep port 0 reserved for compat with older guests, where only
    virtio-console was expected.  Even if a system is started without a
    virtio-console port, port #0 is kept aside.  However, after a
    virtconsole port is unplugged, port id 0 became available, and the next
    hotplug of a virtserialport caused failure due to it not being a console
    port.
    
    Steps to reproduce:
    
    $ ./x86_64-softmmu/qemu-system-x86_64 -m 512 -cpu host -enable-kvm -device virtio-serial-pci -monitor stdio  -vnc :1
    QEMU 2.0.91 monitor - type 'help' for more information
    (qemu) device_add virtconsole,id=p1
    (qemu) device_del p1
    (qemu) device_add virtserialport,id=p1
    Port number 0 on virtio-serial devices reserved for virtconsole devices for backward compatibility.
    Device 'virtserialport' could not be initialized
    (qemu) quit
    
    Reported-by: dengmin <mdeng at redhat.com>
    Reviewed-by: Amos Kong <akong at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index 07bebc0..23123b7 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -797,10 +797,18 @@ static void add_port(VirtIOSerial *vser, uint32_t port_id)
 static void remove_port(VirtIOSerial *vser, uint32_t port_id)
 {
     VirtIOSerialPort *port;
-    unsigned int i;
 
-    i = port_id / 32;
-    vser->ports_map[i] &= ~(1U << (port_id % 32));
+    /*
+     * Don't mark port 0 removed -- we explicitly reserve it for
+     * backward compat with older guests, ensure a virtconsole device
+     * unplug retains the reservation.
+     */
+    if (port_id) {
+        unsigned int i;
+
+        i = port_id / 32;
+        vser->ports_map[i] &= ~(1U << (port_id % 32));
+    }
 
     port = find_port_by_id(vser, port_id);
     /*
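Review bot: `port_id / 32` still indexes `vser->ports_map` without any range check in the lines shown; the patch only moves that statement inside the new `if (port_id)` block. Whether every caller passes an id that was validated when the port was added cannot be seen from this hunk, so the contract should be written down next to the index, for example `/* port_id was range-checked against the port limit when the port was added */`, or enforced with an assertion against the configured maximum. `remove_port` continues past the end of the hunk.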
commit 79fe16c0489ca658f53796206067a551fc915ba2
Author: Amit Shah <amit.shah at redhat.com>
Date:   Fri Jul 11 18:10:45 2014 +0530

    vmstate static checker: detect section renames
    
    Commit 292b1634 changed the section name of "ICH9 LPC" to "ICH9-LPC",
    and that causes the static checker to flag this:
    
    Section "ICH9 LPC" does not exist in dest
    
    This patch introduces a function that checks for section renames and
    also a dictionary that maps those renames.
    
    Reported-by: "Dr. David Alan Gilbert" <dgilbert at redhat.com>
    Signed-off-by: Amit Shah <amit.shah at redhat.com>
    
    ---
    This is a small patch to a script; doesn't break qemu and helps with the
    static checker, so it's a very low-risk patch for 2.1.

diff --git a/scripts/vmstate-static-checker.py b/scripts/vmstate-static-checker.py
index 1604e68..3bae769 100755
--- a/scripts/vmstate-static-checker.py
+++ b/scripts/vmstate-static-checker.py
@@ -79,6 +79,18 @@ def check_fields_match(name, s_field, d_field):
 
     return False
 
+def get_changed_sec_name(sec):
+    # Section names can change -- see commit 292b1634 for an example.
+    changes = {
+        "ICH9 LPC": "ICH9-LPC",
+    }
+
+    for item in changes:
+        if item == sec:
+            return changes[item]
+        if changes[item] == sec:
+            return item
+    return ""
 
 def exists_in_substruct(fields, item):
     # Some QEMU versions moved a few fields inside a substruct.  This
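Review bot: `get_changed_sec_name()` reports "no rename known" by returning `""`, and the caller in the `main()` hunk then tests `"" in dest_data`, which only works while no section has an empty name. Returning `None` and testing `dest_sec is None or dest_sec not in dest_data` in the caller states the intent directly. The loop over `changes` can be a plain lookup (`if sec in changes: return changes[sec]`) with the reverse direction handled separately. A one-line docstring saying that the table is searched in both directions (old name to new and new name to old) would help, since that is easy to miss when adding entries.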
@@ -314,13 +326,18 @@ def main():
         dest_data = temp
 
     for sec in src_data:
-        if not sec in dest_data:
-            print "Section \"" + sec + "\" does not exist in dest"
-            bump_taint()
-            continue
+        dest_sec = sec
+        if not dest_sec in dest_data:
+            # Either the section name got changed, or the section
+            # doesn't exist in dest.
+            dest_sec = get_changed_sec_name(sec)
+            if not dest_sec in dest_data:
+                print "Section \"" + sec + "\" does not exist in dest"
+                bump_taint()
+                continue
 
         s = src_data[sec]
-        d = dest_data[sec]
+        d = dest_data[dest_sec]
 
         if sec == "vmschkmachine":
             check_machine_type(s, d)
commit 5a7348045091a2bc15d85bb177e5956aa6114e5a
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 15 18:55:37 2014 +0100

    Update version for v2.1.0-rc2 release
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/VERSION b/VERSION
index a162201..0a7e4e5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0.91
+2.0.92
commit 82172b751929314a81337aa91deea82e8297af1f
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 15 18:30:41 2014 +0100

    tests/Makefile: Only run vhost-user-test on Linux
    
    vhost-user-test uses the linux/vhost.h header, so it must only be
    enabled if CONFIG_LINUX is defined. (Previously it was enabled
    for CONFIG_POSIX, which broke 'make check' on MacOSX.)
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/tests/Makefile b/tests/Makefile
index 1fcd633..fa25c70 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -158,7 +158,7 @@ gcov-files-i386-y += hw/usb/hcd-ehci.c
 gcov-files-i386-y += hw/usb/hcd-uhci.c
 gcov-files-i386-y += hw/usb/dev-hid.c
 gcov-files-i386-y += hw/usb/dev-storage.c
-check-qtest-i386-$(CONFIG_POSIX) += tests/vhost-user-test$(EXESUF)
+check-qtest-i386-$(CONFIG_LINUX) += tests/vhost-user-test$(EXESUF)
 check-qtest-x86_64-y = $(check-qtest-i386-y)
 gcov-files-i386-y += i386-softmmu/hw/timer/mc146818rtc.c
 gcov-files-x86_64-y = $(subst i386-softmmu/,x86_64-softmmu/,$(gcov-files-i386-y))
commit b4bda1ae57a20a7ce7cb0077946fc33d6d6fd6c5
Author: Ricky Zhou <ricky at rzhou.org>
Date:   Mon Jul 14 13:54:47 2014 -0700

    target-i386: Allow execute from user mode when SMEP is enabled.
    
    Previously, execute would be disabled for all pages with SMEP enabled,
    regardless of what mode the access took place in.
    
    Signed-off-by: Ricky Zhou <ricky at rzhou.org>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/target-i386/helper.c b/target-i386/helper.c
index 11ca864..47b982b 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -750,7 +750,8 @@ do_check_protect_pse36:
     /* the page can be put in the TLB */
     prot = PAGE_READ;
     if (!(ptep & PG_NX_MASK) &&
-        !((env->cr[4] & CR4_SMEP_MASK) && (ptep & PG_USER_MASK))) {
+        (mmu_idx == MMU_USER_IDX ||
+         !((env->cr[4] & CR4_SMEP_MASK) && (ptep & PG_USER_MASK)))) {
         prot |= PAGE_EXEC;
     }
     if (pte & PG_DIRTY_MASK) {
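Review bot: The execute condition that follows `if (!(ptep & PG_NX_MASK) &&` now combines the access mode, CR4.SMEP and the U/S bit with no comment, and this is the expression that enforces SMEP. I would add `/* SMEP blocks only supervisor-mode fetches from user pages; user-mode fetches are unaffected */` above it. Because `prot` is what ends up cached in the TLB, the result also depends on the value of CR4.SMEP at fill time; whether a guest write that toggles CR4.SMEP flushes the TLB is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.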
commit cbb46f5f49d4a9cc5ce1a2f43a749003c71bbeb4
Merge: 146ae00 b545f63
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 15 16:49:28 2014 +0100

    Merge remote-tracking branch 'remotes/riku/linux-user-for-upstream' into staging
    
    * remotes/riku/linux-user-for-upstream:
      linux-user: use TARGET_SA_ONSTACK in get_sigframe
      alloca one extra byte sockets
      linux-user: handle AF_PACKET sockaddrs in target_to_host_sockaddr
      qemu-user: Impl. setsockopt(SO_BINDTODEVICE)
      SIOCGIFINDEX: fix typo
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 146ae00192ffcbd78f6b11fa78c72d1b3d628d8a
Merge: 2c65ebe 27e2778
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jul 15 15:51:12 2014 +0100

    Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' into staging
    
    Patch queue for ppc - 2014-07-15
    
    Some more bug fixes during the RC phase:
    
      - Fix huge page mapping regressions
      - Fix Book3S thread number enumeration
      - Fix Book3S VFIO permission issue
    
    # gpg: Signature made Tue 15 Jul 2014 15:13:54 BST using RSA key ID 03FEDC60
    # gpg: Can't check signature: public key not found
    
    * remotes/agraf/tags/signed-ppc-for-upstream:
      sPAPR/IOMMU: Fix TCE entry permission
      spapr: Enable use of huge pages
      spapr: Move RMA memory region registration code
      ppc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
      target-ppc: Fix number of threads per core limit
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 27e27782f78212cbd97170b0854c35a0738cfd34
Author: Gavin Shan <gwshan at linux.vnet.ibm.com>
Date:   Mon Jul 14 22:09:43 2014 +1000

    sPAPR/IOMMU: Fix TCE entry permission
    
    The permission field of a TCE entry should exclude the physical base
    address. Otherwise, unmapping a TCE entry can be wrongly interpreted
    as mapping a TCE entry for VFIO devices.
    
    Signed-off-by: Gavin Shan <gwshan at linux.vnet.ibm.com>
    Acked-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index aef4c9c..0b9eba0 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -2489,7 +2489,7 @@ static void vfio_iommu_map_notify(Notifier *n, void *data)
         return;
     }
 
-    if (iotlb->perm != IOMMU_NONE) {
+    if ((iotlb->perm & IOMMU_RW) != IOMMU_NONE) {
         vaddr = memory_region_get_ram_ptr(mr) + xlat;
 
         ret = vfio_dma_map(container, iotlb->iova,
diff --git a/hw/ppc/spapr_iommu.c b/hw/ppc/spapr_iommu.c
index 698ae60..f6e32a4 100644
--- a/hw/ppc/spapr_iommu.c
+++ b/hw/ppc/spapr_iommu.c
@@ -81,7 +81,7 @@ static IOMMUTLBEntry spapr_tce_translate_iommu(MemoryRegion *iommu, hwaddr addr)
         ret.iova = addr & page_mask;
         ret.translated_addr = tce & page_mask;
         ret.addr_mask = ~page_mask;
-        ret.perm = tce;
+        ret.perm = tce & IOMMU_RW;
     }
     trace_spapr_iommu_xlate(tcet->liobn, addr, ret.iova, ret.perm,
                             ret.addr_mask);
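Review bot: `ret.perm = tce & IOMMU_RW;` here, and `entry.perm = tce & IOMMU_RW;` in the `put_tce_emu` hunk below, rely on the permission bits of a guest-supplied TCE having the same encoding as the IOMMU_RO/IOMMU_WO flags, and nothing in either hunk says so. A comment such as `/* the TCE permission bits share the IOMMU_RO/IOMMU_WO encoding */` would record that assumption, and a build-time check that the two encodings agree would keep them from drifting apart. Both functions extend beyond their hunks, so any validation of `tce` done earlier is not visible.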
@@ -223,7 +223,7 @@ static target_ulong put_tce_emu(sPAPRTCETable *tcet, target_ulong ioba,
     entry.iova = ioba & page_mask;
     entry.translated_addr = tce & page_mask;
     entry.addr_mask = ~page_mask;
-    entry.perm = tce;
+    entry.perm = tce & IOMMU_RW;
     memory_region_notify_iommu(&tcet->iommu, entry);
 
     return H_SUCCESS;
commit f92f5da108225fc7dcc5f357fdc473083890fe3f
Author: Alexey Kardashevskiy <aik at ozlabs.ru>
Date:   Fri Jul 11 01:03:42 2014 +1000

    spapr: Enable use of huge pages
    
    0b183fc87 "memory: move mem_path handling to
    memory_region_allocate_system_memory" disabled -mempath use for all
    machines that do not use memory_region_allocate_system_memory() to
    register RAM. Since SPAPR uses memory_region_init_ram(), the huge pages
    support was disabled for it.
    
    This replaces memory_region_init_ram()+vmstate_register_ram_global() with
    memory_region_allocate_system_memory() to get huge pages back.
    
    This changes RAM size from (ram_limit - rma_alloc_size) to ram_limit as
    the previous patch moved RMA memory region allocation after RAM allocation
    and therefore this change does not have immediate effect but simplifies
    the code.
    
    Signed-off-by: Alexey Kardashevskiy <aik at ozlabs.ru>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 4ae5dbf..d01978f 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1335,14 +1335,9 @@ static void ppc_spapr_init(MachineState *machine)
 
     /* allocate RAM */
     spapr->ram_limit = ram_size;
-    if (spapr->ram_limit > rma_alloc_size) {
-        ram_addr_t nonrma_base = rma_alloc_size;
-        ram_addr_t nonrma_size = spapr->ram_limit - rma_alloc_size;
-
-        memory_region_init_ram(ram, NULL, "ppc_spapr.ram", nonrma_size);
-        vmstate_register_ram_global(ram);
-        memory_region_add_subregion(sysmem, nonrma_base, ram);
-    }
+    memory_region_allocate_system_memory(ram, NULL, "ppc_spapr.ram",
+                                         spapr->ram_limit);
+    memory_region_add_subregion(sysmem, 0, ram);
 
     if (rma_alloc_size && rma) {
         rma_region = g_new(MemoryRegion, 1);
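Review bot: With `memory_region_add_subregion(sysmem, 0, ram);` the RAM region now starts at offset 0 of `sysmem`, and the RMA block that begins in the trailing context also places `rma_region` at offset 0 of `sysmem` (the `memory_region_add_subregion(sysmem, 0, rma_region);` line added by the previous patch in this series). Two RAM regions then overlap at the same offset with no explicit priority, so which one backs the first `rma_alloc_size` bytes is not stated in the code. If the RMA is meant to win, make that explicit with `memory_region_add_subregion_overlap(sysmem, 0, rma_region, 1);`, or add it as a subregion of `ram` as the series description suggests. `ppc_spapr_init` starts and ends outside the hunk.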
commit 658fa66b8192e4b755880609f2845aef9797d048
Author: Alexey Kardashevskiy <aik at ozlabs.ru>
Date:   Fri Jul 11 01:03:41 2014 +1000

    spapr: Move RMA memory region registration code
    
    PPC970 does not support VRMA (virtual RMA) so real memory required
    for SLOF to execute must be allocated by the KVM_ALLOCATE_RMA ioctl.
    Later this memory is used as a part of the guest RAM area.
    The RMA allocating code also registers a memory region for this piece
    of RAM.
    
    We are going to simplify memory regions layout: RMA memory region
    will be a subregion in the RAM memory region, both starting from zero.
    This way we will not have to take care of start address alignment for
    the piece of RAM next to the RMA.
    
    This moves memory region business closer to the RAM memory region
    creation/allocation code.
    
    As this is a mechanical patch, no change in behaviour is expected.
    
    Signed-off-by: Alexey Kardashevskiy <aik at ozlabs.ru>
    [agraf: fix compilation on non-kvm systems]
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a23c0f0..4ae5dbf 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1223,6 +1223,8 @@ static void ppc_spapr_init(MachineState *machine)
     int i;
     MemoryRegion *sysmem = get_system_memory();
     MemoryRegion *ram = g_new(MemoryRegion, 1);
+    MemoryRegion *rma_region;
+    void *rma = NULL;
     hwaddr rma_alloc_size;
     hwaddr node0_size = (nb_numa_nodes > 1) ? numa_info[0].node_mem : ram_size;
     uint32_t initrd_base = 0;
@@ -1239,7 +1241,7 @@ static void ppc_spapr_init(MachineState *machine)
     cpu_ppc_hypercall = emulate_spapr_hypercall;
 
     /* Allocate RMA if necessary */
-    rma_alloc_size = kvmppc_alloc_rma("ppc_spapr.rma", sysmem);
+    rma_alloc_size = kvmppc_alloc_rma(&rma);
 
     if (rma_alloc_size == -1) {
         hw_error("qemu: Unable to create RMA\n");
@@ -1342,6 +1344,14 @@ static void ppc_spapr_init(MachineState *machine)
         memory_region_add_subregion(sysmem, nonrma_base, ram);
     }
 
+    if (rma_alloc_size && rma) {
+        rma_region = g_new(MemoryRegion, 1);
+        memory_region_init_ram_ptr(rma_region, NULL, "ppc_spapr.rma",
+                                   rma_alloc_size, rma);
+        vmstate_register_ram_global(rma_region);
+        memory_region_add_subregion(sysmem, 0, rma_region);
+    }
+
     filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, "spapr-rtas.bin");
     spapr->rtas_size = load_image_targphys(filename, spapr->rtas_addr,
                                            rtas_limit - spapr->rtas_addr);
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 2d87108..42718f7 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -1580,13 +1580,11 @@ int kvmppc_smt_threads(void)
 }
 
 #ifdef TARGET_PPC64
-off_t kvmppc_alloc_rma(const char *name, MemoryRegion *sysmem)
+off_t kvmppc_alloc_rma(void **rma)
 {
-    void *rma;
     off_t size;
     int fd;
     struct kvm_allocate_rma ret;
-    MemoryRegion *rma_region;
 
     /* If cap_ppc_rma == 0, contiguous RMA allocation is not supported
      * if cap_ppc_rma == 1, contiguous RMA allocation is supported, but
@@ -1609,17 +1607,12 @@ off_t kvmppc_alloc_rma(const char *name, MemoryRegion *sysmem)
 
     size = MIN(ret.rma_size, 256ul << 20);
 
-    rma = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
-    if (rma == MAP_FAILED) {
+    *rma = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+    if (*rma == MAP_FAILED) {
         fprintf(stderr, "KVM: Error mapping RMA: %s\n", strerror(errno));
         return -1;
     };
 
-    rma_region = g_new(MemoryRegion, 1);
-    memory_region_init_ram_ptr(rma_region, NULL, name, size, rma);
-    vmstate_register_ram_global(rma_region);
-    memory_region_add_subregion(sysmem, 0, rma_region);
-
     return size;
 }
 
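Review bot: When `mmap()` fails, `*rma` is left holding `MAP_FAILED`, which is non-NULL, so a caller that tests the pointer (as `ppc_spapr_init` does with `if (rma_alloc_size && rma)`) stays correct only because it checks for `-1` first. Mapping into a local and storing to `*rma` only on success, or adding `*rma = NULL;` before `return -1;`, removes that dependency. The stray `;` after the closing brace of the `if` can be dropped at the same time. The function begins in the previous hunk, and the handling of `fd` lies outside the lines shown.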
diff --git a/target-ppc/kvm_ppc.h b/target-ppc/kvm_ppc.h
index 1118122..d9516e7 100644
--- a/target-ppc/kvm_ppc.h
+++ b/target-ppc/kvm_ppc.h
@@ -31,7 +31,7 @@ int kvmppc_or_tsr_bits(PowerPCCPU *cpu, uint32_t tsr_bits);
 int kvmppc_set_tcr(PowerPCCPU *cpu);
 int kvmppc_booke_watchdog_enable(PowerPCCPU *cpu);
 #ifndef CONFIG_USER_ONLY
-off_t kvmppc_alloc_rma(const char *name, MemoryRegion *sysmem);
+off_t kvmppc_alloc_rma(void **rma);
 bool kvmppc_spapr_use_multitce(void);
 void *kvmppc_create_spapr_tce(uint32_t liobn, uint32_t window_size, int *pfd,
                               bool vfio_accel);
@@ -134,7 +134,7 @@ static inline int kvmppc_booke_watchdog_enable(PowerPCCPU *cpu)
 }
 
 #ifndef CONFIG_USER_ONLY
-static inline off_t kvmppc_alloc_rma(const char *name, MemoryRegion *sysmem)
+static inline off_t kvmppc_alloc_rma(void **rma)
 {
     return 0;
 }
commit e938ba0c35b0a6732a380b712b0f19511375a6a4
Author: Shreyas B. Prabhu <shreyas at linux.vnet.ibm.com>
Date:   Thu Jul 10 17:31:03 2014 +0530

    ppc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
    
    Commit 0b183fc871:"memory: move mem_path handling to
    memory_region_allocate_system_memory" split memory_region_init_ram and
    memory_region_init_ram_from_file. Also it moved mem-path handling a step
    up from memory_region_init_ram to memory_region_allocate_system_memory.
    
    Therefore for any board that uses memory_region_init_ram directly,
    -mem-path is not supported.
    
    Fix this by replacing memory_region_init_ram with
    memory_region_allocate_system_memory.
    
    Signed-off-by: Shreyas B. Prabhu <shreyas at linux.vnet.ibm.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index bb2e75f..1a5b30d 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -701,8 +701,7 @@ void ppce500_init(MachineState *machine, PPCE500Params *params)
     machine->ram_size = ram_size;
 
     /* Register Memory */
-    memory_region_init_ram(ram, NULL, "mpc8544ds.ram", ram_size);
-    vmstate_register_ram_global(ram);
+    memory_region_allocate_system_memory(ram, NULL, "mpc8544ds.ram", ram_size);
     memory_region_add_subregion(address_space_mem, 0, ram);
 
     dev = qdev_create(NULL, "e500-ccsr");
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 89d3cad..7e97af4 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -200,13 +200,12 @@ static void ppc_core99_init(MachineState *machine)
     }
 
     /* allocate RAM */
-    memory_region_init_ram(ram, NULL, "ppc_core99.ram", ram_size);
-    vmstate_register_ram_global(ram);
+    memory_region_allocate_system_memory(ram, NULL, "ppc_core99.ram", ram_size);
     memory_region_add_subregion(get_system_memory(), 0, ram);
 
     /* allocate and load BIOS */
-    memory_region_init_ram(bios, NULL, "ppc_core99.bios", BIOS_SIZE);
-    vmstate_register_ram_global(bios);
+    memory_region_allocate_system_memory(bios, NULL, "ppc_core99.bios",
+                                         BIOS_SIZE);
     if (bios_name == NULL)
         bios_name = PROM_FILENAME;
     filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
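Review bot: The second replacement in this hunk moves the BIOS region (`"ppc_core99.bios"`) to `memory_region_allocate_system_memory()`, although the commit message motivates the change only by `-mem-path` support for board RAM. The same is done for the BIOS, SRAM and 4096-byte OCM regions in the mac_oldworld.c, ppc405_boards.c and ppc405_uc.c hunks. If that helper backs its allocation from the `-mem-path` file, small firmware regions would be taken from the huge-page backing too, which is probably not intended; the helper's behaviour cannot be confirmed from this page. Keeping `memory_region_init_ram(bios, NULL, "ppc_core99.bios", BIOS_SIZE);` and `vmstate_register_ram_global(bios);` for the non-RAM regions would limit the patch to what the message describes.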
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 4b5e905..afae825 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -130,13 +130,13 @@ static void ppc_heathrow_init(MachineState *machine)
         exit(1);
     }
 
-    memory_region_init_ram(ram, NULL, "ppc_heathrow.ram", ram_size);
-    vmstate_register_ram_global(ram);
+    memory_region_allocate_system_memory(ram, NULL, "ppc_heathrow.ram",
+                                         ram_size);
     memory_region_add_subregion(sysmem, 0, ram);
 
     /* allocate and load BIOS */
-    memory_region_init_ram(bios, NULL, "ppc_heathrow.bios", BIOS_SIZE);
-    vmstate_register_ram_global(bios);
+    memory_region_allocate_system_memory(bios, NULL, "ppc_heathrow.bios",
+                                         BIOS_SIZE);
     if (bios_name == NULL)
         bios_name = PROM_FILENAME;
     filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
index 98ad2d7..6b566cd 100644
--- a/hw/ppc/ppc405_boards.c
+++ b/hw/ppc/ppc405_boards.c
@@ -199,8 +199,8 @@ static void ref405ep_init(MachineState *machine)
     MemoryRegion *sysmem = get_system_memory();
 
     /* XXX: fix this */
-    memory_region_init_ram(&ram_memories[0], NULL, "ef405ep.ram", 0x08000000);
-    vmstate_register_ram_global(&ram_memories[0]);
+    memory_region_allocate_system_memory(&ram_memories[0], NULL, "ef405ep.ram",
+                                         0x08000000);
     ram_bases[0] = 0;
     ram_sizes[0] = 0x08000000;
     memory_region_init(&ram_memories[1], NULL, "ef405ep.ram1", 0);
@@ -214,8 +214,7 @@ static void ref405ep_init(MachineState *machine)
                         33333333, &pic, kernel_filename == NULL ? 0 : 1);
     /* allocate SRAM */
     sram_size = 512 * 1024;
-    memory_region_init_ram(sram, NULL, "ef405ep.sram", sram_size);
-    vmstate_register_ram_global(sram);
+    memory_region_allocate_system_memory(sram, NULL, "ef405ep.sram", sram_size);
     memory_region_add_subregion(sysmem, 0xFFF00000, sram);
     /* allocate and load BIOS */
 #ifdef DEBUG_BOARD_INIT
@@ -246,8 +245,8 @@ static void ref405ep_init(MachineState *machine)
         printf("Load BIOS from file\n");
 #endif
         bios = g_new(MemoryRegion, 1);
-        memory_region_init_ram(bios, NULL, "ef405ep.bios", BIOS_SIZE);
-        vmstate_register_ram_global(bios);
+        memory_region_allocate_system_memory(bios, NULL, "ef405ep.bios",
+                                             BIOS_SIZE);
         if (bios_name == NULL)
             bios_name = BIOS_FILENAME;
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
@@ -518,14 +517,12 @@ static void taihu_405ep_init(MachineState *machine)
     DriveInfo *dinfo;
 
     /* RAM is soldered to the board so the size cannot be changed */
-    memory_region_init_ram(&ram_memories[0], NULL,
+    memory_region_allocate_system_memory(&ram_memories[0], NULL,
                            "taihu_405ep.ram-0", 0x04000000);
-    vmstate_register_ram_global(&ram_memories[0]);
     ram_bases[0] = 0;
     ram_sizes[0] = 0x04000000;
-    memory_region_init_ram(&ram_memories[1], NULL,
+    memory_region_allocate_system_memory(&ram_memories[1], NULL,
                            "taihu_405ep.ram-1", 0x04000000);
-    vmstate_register_ram_global(&ram_memories[1]);
     ram_bases[1] = 0x04000000;
     ram_sizes[1] = 0x04000000;
     ram_size = 0x08000000;
@@ -567,8 +564,8 @@ static void taihu_405ep_init(MachineState *machine)
         if (bios_name == NULL)
             bios_name = BIOS_FILENAME;
         bios = g_new(MemoryRegion, 1);
-        memory_region_init_ram(bios, NULL, "taihu_405ep.bios", BIOS_SIZE);
-        vmstate_register_ram_global(bios);
+        memory_region_allocate_system_memory(bios, NULL, "taihu_405ep.bios",
+                                             BIOS_SIZE);
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
         if (filename) {
             bios_size = load_image(filename, memory_region_get_ram_ptr(bios));
diff --git a/hw/ppc/ppc405_uc.c b/hw/ppc/ppc405_uc.c
index 54ba59e..fcd5f2d 100644
--- a/hw/ppc/ppc405_uc.c
+++ b/hw/ppc/ppc405_uc.c
@@ -23,6 +23,7 @@
  */
 #include "hw/hw.h"
 #include "hw/ppc/ppc.h"
+#include "hw/boards.h"
 #include "ppc405.h"
 #include "hw/char/serial.h"
 #include "qemu/timer.h"
@@ -973,8 +974,8 @@ static void ppc405_ocm_init(CPUPPCState *env)
 
     ocm = g_malloc0(sizeof(ppc405_ocm_t));
     /* XXX: Size is 4096 or 0x04000000 */
-    memory_region_init_ram(&ocm->isarc_ram, NULL, "ppc405.ocm", 4096);
-    vmstate_register_ram_global(&ocm->isarc_ram);
+    memory_region_allocate_system_memory(&ocm->isarc_ram, NULL, "ppc405.ocm",
+                                         4096);
     memory_region_init_alias(&ocm->dsarc_ram, NULL, "ppc405.dsarc", &ocm->isarc_ram,
                              0, 4096);
     qemu_register_reset(&ocm_reset, ocm);
diff --git a/hw/ppc/ppc4xx_devs.c b/hw/ppc/ppc4xx_devs.c
index 8a43111..07f9d00 100644
--- a/hw/ppc/ppc4xx_devs.c
+++ b/hw/ppc/ppc4xx_devs.c
@@ -24,6 +24,7 @@
 #include "hw/hw.h"
 #include "hw/ppc/ppc.h"
 #include "hw/ppc/ppc4xx.h"
+#include "hw/boards.h"
 #include "qemu/log.h"
 #include "exec/address-spaces.h"
 
@@ -694,8 +695,8 @@ ram_addr_t ppc4xx_sdram_adjust(ram_addr_t ram_size, int nr_banks,
             if (bank_size <= size_left) {
                 char name[32];
                 snprintf(name, sizeof(name), "ppc4xx.sdram%d", i);
-                memory_region_init_ram(&ram_memories[i], NULL, name, bank_size);
-                vmstate_register_ram_global(&ram_memories[i]);
+                memory_region_allocate_system_memory(&ram_memories[i], NULL,
+                                                     name, bank_size);
                 ram_bases[i] = base;
                 ram_sizes[i] = bank_size;
                 base += bank_size;
diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
index aa8717d..f0ef1af 100644
--- a/hw/ppc/prep.c
+++ b/hw/ppc/prep.c
@@ -417,8 +417,7 @@ static void ppc_prep_init(MachineState *machine)
     }
 
     /* allocate RAM */
-    memory_region_init_ram(ram, NULL, "ppc_prep.ram", ram_size);
-    vmstate_register_ram_global(ram);
+    memory_region_allocate_system_memory(ram, NULL, "ppc_prep.ram", ram_size);
     memory_region_add_subregion(sysmem, 0, ram);
 
     if (linux_boot) {
diff --git a/hw/ppc/virtex_ml507.c b/hw/ppc/virtex_ml507.c
index 02b4f82..0de5148 100644
--- a/hw/ppc/virtex_ml507.c
+++ b/hw/ppc/virtex_ml507.c
@@ -222,8 +222,7 @@ static void virtex_init(MachineState *machine)
     env = &cpu->env;
     qemu_register_reset(main_cpu_reset, cpu);
 
-    memory_region_init_ram(phys_ram, NULL, "ram", ram_size);
-    vmstate_register_ram_global(phys_ram);
+    memory_region_allocate_system_memory(phys_ram, NULL, "ram", ram_size);
     memory_region_add_subregion(address_space_mem, ram_base, phys_ram);
 
     dinfo = drive_get(IF_PFLASH, 0, 0);
commit 063cac5326518abfcd4f3f0eaace3fa9b1a97424
Author: Alexey Kardashevskiy <aik at ozlabs.ru>
Date:   Thu Jul 10 00:40:56 2014 +1000

    target-ppc: Fix number of threads per core limit
    
    The number of threads per core is different for POWER6/7/8 CPUs.
    Guest systems do not expect to see more threads per core than
    a specific CPU supports so we need to limit this number.
    This limit is implemented by ppc_get_compat_smt_threads().
    
    However it has a problem as it checks for PCR (Processor Compatibility
    Register) mask, 2.05 means 2 threads per core, 2.06 - 4 threads.
    For POWER8 one would expect PCR_COMPAT_2_07 bit set and
    ppc_get_compat_smt_threads() checking for it to return 8 threads
    per core. But the latest PowerISA spec now is 2.07 and there is
    no 2.07 compatibility mode defined, QEMU does not define it either
    (will be in PowerISA 2.08).
    
    Instead of relying on a PCR mask, this uses kvmppc_smt_threads()
    which returns the maximum supported threads number for KVM or
    1 for TCG.
    
    Signed-off-by: Alexey Kardashevskiy <aik at ozlabs.ru>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 5eacd46..48177ed 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -9098,29 +9098,21 @@ static void ppc_cpu_unrealizefn(DeviceState *dev, Error **errp)
 
 int ppc_get_compat_smt_threads(PowerPCCPU *cpu)
 {
-    int ret = smp_threads;
-    PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
+    int ret = MIN(smp_threads, kvmppc_smt_threads());
 
     switch (cpu->cpu_version) {
     case CPU_POWERPC_LOGICAL_2_05:
-        ret = 2;
+        ret = MIN(ret, 2);
         break;
     case CPU_POWERPC_LOGICAL_2_06:
-        ret = 4;
+        ret = MIN(ret, 4);
         break;
     case CPU_POWERPC_LOGICAL_2_07:
-        ret = 8;
-        break;
-    default:
-        if (pcc->pcr_mask & PCR_COMPAT_2_06) {
-            ret = 4;
-        } else if (pcc->pcr_mask & PCR_COMPAT_2_05) {
-            ret = 2;
-        }
+        ret = MIN(ret, 8);
         break;
     }
 
-    return MIN(ret, smp_threads);
+    return ret;
 }
 
 int ppc_set_compat(PowerPCCPU *cpu, uint32_t cpu_version)
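Review bot: `ret` now starts at `MIN(smp_threads, kvmppc_smt_threads())`, and the commit message says `kvmppc_smt_threads()` returns 1 for TCG, so under TCG this function appears to return 1 whatever `smp_threads` and `cpu->cpu_version` are. If that is intended it deserves a comment above the initialiser, for example `/* capped by the host: KVM's SMT limit, or 1 under TCG */`. The `switch` also lost its `default:` label; adding `default: break;` keeps the case where no compatibility mode is set explicit.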
commit b545f63fa974ebffd55d70ca615572d497e543dc
Author: Riku Voipio <riku.voipio at linaro.org>
Date:   Tue Jul 15 17:01:55 2014 +0300

    linux-user: use TARGET_SA_ONSTACK in get_sigframe
    
    As reported by Laurent, we should use TARGET_SA_ONSTACK
    on arm, microblaze and openrisc targets like we do on all
    others. Practical matter is minimal as for almost all archs
    SA_ONSTACK is 0x08000000:
    
    http://lxr.free-electrons.com/ident?i=SA_ONSTACK
    
    Reported-by: Laurent Desnogues <laurent.desnogues at gmail.com>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index f3b4378..1141054 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1305,7 +1305,7 @@ static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
     /*
      * This is the X/Open sanctioned signal stack switching.
      */
-    if ((ka->sa_flags & SA_ONSTACK) && !sas_ss_flags(sp)) {
+    if ((ka->sa_flags & TARGET_SA_ONSTACK) && !sas_ss_flags(sp)) {
         sp = target_sigaltstack_used.ss_sp + target_sigaltstack_used.ss_size;
     }
 
@@ -3509,8 +3509,9 @@ static abi_ulong get_sigframe(struct target_sigaction *ka,
 {
     abi_ulong sp = env->regs[1];
 
-    if ((ka->sa_flags & SA_ONSTACK) != 0 && !on_sig_stack(sp))
+    if ((ka->sa_flags & TARGET_SA_ONSTACK) != 0 && !on_sig_stack(sp)) {
         sp = target_sigaltstack_used.ss_sp + target_sigaltstack_used.ss_size;
+    }
 
     return ((sp - frame_size) & -8UL);
 }
@@ -3891,7 +3892,7 @@ static inline abi_ulong get_sigframe(struct target_sigaction *ka,
 
     /* redzone */
     /* This is the X/Open sanctioned signal stack switching.  */
-    if ((ka->sa_flags & SA_ONSTACK) != 0 && !onsigstack) {
+    if ((ka->sa_flags & TARGET_SA_ONSTACK) != 0 && !onsigstack) {
         sp = target_sigaltstack_used.ss_sp + target_sigaltstack_used.ss_size;
     }
 
commit 2dd08dfd9a553af3d53c6508e436b0c2aa5a469b
Author: Joakim Tjernlund <joakim.tjernlund at transmode.se>
Date:   Fri Jul 11 17:18:03 2014 +0200

    alloca one extra byte sockets
    
    target_to_host_sockaddr() may increase the length by 1 byte
    for AF_UNIX sockets, so allocate 1 extra byte.
    
    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund at transmode.se>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7163ade..a50229d 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1984,7 +1984,7 @@ static abi_long do_connect(int sockfd, abi_ulong target_addr,
         return -TARGET_EINVAL;
     }
 
-    addr = alloca(addrlen);
+    addr = alloca(addrlen+1);
 
     ret = target_to_host_sockaddr(addr, target_addr, addrlen);
     if (ret)
@@ -2005,7 +2005,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct target_msghdr *msgp,
 
     if (msgp->msg_name) {
         msg.msg_namelen = tswap32(msgp->msg_namelen);
-        msg.msg_name = alloca(msg.msg_namelen);
+        msg.msg_name = alloca(msg.msg_namelen+1);
         ret = target_to_host_sockaddr(msg.msg_name, tswapal(msgp->msg_name),
                                 msg.msg_namelen);
         if (ret) {
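Review bot: In the do_sendrecvmsg_locked hunk, `msg.msg_namelen` is taken from the guest's msghdr and passed straight to `alloca(msg.msg_namelen+1)` with no bound in between, so the guest chooses how far the host stack pointer moves. If the field is a 32-bit unsigned value, 0xffffffff also wraps the `+1` to zero. The length should be range-checked before the allocation, for example `if (msg.msg_namelen > sizeof(struct sockaddr_storage))`, taking the function's existing error path with -TARGET_EINVAL. The do_connect and do_sendto hunks feed `addrlen` to alloca in the same way; do_connect shows an EINVAL return just above, but whether it caps the upper bound is outside the hunk. All three function bodies start and end outside their hunks.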
@@ -2268,7 +2268,7 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
     if (!host_msg)
         return -TARGET_EFAULT;
     if (target_addr) {
-        addr = alloca(addrlen);
+        addr = alloca(addrlen+1);
         ret = target_to_host_sockaddr(addr, target_addr, addrlen);
         if (ret) {
             unlock_user(host_msg, msg, 0);
commit 33a29b51c9fb56abd94d751dd3a51b84b82c8379
Author: Joakim Tjernlund <joakim.tjernlund at transmode.se>
Date:   Sat Jul 12 15:47:07 2014 +0200

    linux-user: handle AF_PACKET sockaddrs in target_to_host_sockaddr
    
    Implement conversion of the AF_PACKET sockaddr subtype
    in target_to_host_sockaddr.
    
    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund at transmode.se>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index dcf1323..7163ade 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1140,6 +1140,13 @@ static inline abi_long target_to_host_sockaddr(struct sockaddr *addr,
 
     memcpy(addr, target_saddr, len);
     addr->sa_family = sa_family;
+    if (sa_family == AF_PACKET) {
+	struct target_sockaddr_ll *lladdr;
+
+	lladdr = (struct target_sockaddr_ll *)addr;
+	lladdr->sll_ifindex = tswap32(lladdr->sll_ifindex);
+	lladdr->sll_hatype = tswap16(lladdr->sll_hatype);
+    }
     unlock_user(target_saddr, target_addr, 0);
 
     return 0;
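Review bot: The new AF_PACKET branch casts `addr` to `struct target_sockaddr_ll *` and byte-swaps `sll_ifindex` and `sll_hatype` in place without checking that `len` covers those fields. The callers shown on this page size the destination from the guest-supplied length (`alloca(addrlen+1)`), so a short AF_PACKET address would make the swaps read and write past the end of that stack buffer. Guard the branch on the length, e.g. `if (sa_family == AF_PACKET && len >= offsetof(struct target_sockaddr_ll, sll_pkttype)) {`. The function starts outside the hunk, so the type of `len` and any earlier validation are not visible here.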
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 8563027..c9e6323 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -121,6 +121,16 @@ struct target_sockaddr {
     uint8_t sa_data[14];
 };
 
+struct target_sockaddr_ll {
+    uint16_t sll_family;   /* Always AF_PACKET */
+    uint16_t sll_protocol; /* Physical layer protocol */
+    int      sll_ifindex;  /* Interface number */
+    uint16_t sll_hatype;   /* ARP hardware type */
+    uint8_t  sll_pkttype;  /* Packet type */
+    uint8_t  sll_halen;    /* Length of address */
+    uint8_t  sll_addr[8];  /* Physical layer address */
+};
+
 struct target_sock_filter {
     abi_ushort code;
     uint8_t jt;
commit 451aaf688c709c91a0d511c24624104677cc754e
Author: Joakim Tjernlund <joakim.tjernlund at transmode.se>
Date:   Sat Jul 12 15:47:06 2014 +0200

    qemu-user: Impl. setsockopt(SO_BINDTODEVICE)
    
    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund at transmode.se>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 5a272d3..dcf1323 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1497,6 +1497,25 @@ set_timeout:
                 unlock_user_struct(tfprog, optval_addr, 1);
                 return ret;
         }
+	case TARGET_SO_BINDTODEVICE:
+	{
+		char *dev_ifname, *addr_ifname;
+
+		if (optlen > IFNAMSIZ - 1) {
+		    optlen = IFNAMSIZ - 1;
+		}
+		dev_ifname = lock_user(VERIFY_READ, optval_addr, optlen, 1);
+		if (!dev_ifname) {
+		    return -TARGET_EFAULT;
+		}
+		optname = SO_BINDTODEVICE;
+		addr_ifname = alloca(IFNAMSIZ);
+		memcpy(addr_ifname, dev_ifname, optlen);
+		addr_ifname[optlen] = 0;
+		ret = get_errno(setsockopt(sockfd, level, optname, addr_ifname, optlen));
+		unlock_user (dev_ifname, optval_addr, 0);
+		return ret;
+	}
             /* Options with 'int' argument.  */
         case TARGET_SO_DEBUG:
 		optname = SO_DEBUG;
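Review bot: `addr_ifname = alloca(IFNAMSIZ)` allocates a compile-time-constant size, so a plain local `char addr_ifname[IFNAMSIZ];` in the case block does the same job without alloca. It also puts the buffer bound next to the `optlen > IFNAMSIZ - 1` clamp that keeps `addr_ifname[optlen] = 0` in range. A one-line comment above the clamp, such as `/* clamp so the copy and its terminator fit in IFNAMSIZ */`, would record why the guest's length is rewritten. The new case is indented with tabs while the context lines just above it use spaces, and `unlock_user (dev_ifname, ...)` has a stray space before the parenthesis. The enclosing function begins and ends outside the hunk.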
commit 27a07827c4a56b65744c061fff78f7ca76cd934e
Author: Joakim Tjernlund <joakim.tjernlund at transmode.se>
Date:   Fri Jul 11 03:02:02 2014 +0200

    SIOCGIFINDEX: fix typo
    
    Wrong type was used in ioctl definition.
    
    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund at transmode.se>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index 07a00da..609b27c 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -118,7 +118,7 @@
   IOCTL(SIOCSIFMEM, IOC_W, MK_PTR(MK_STRUCT(STRUCT_ptr_ifreq)))
   IOCTL(SIOCADDMULTI, IOC_W, MK_PTR(MK_STRUCT(STRUCT_sockaddr_ifreq)))
   IOCTL(SIOCDELMULTI, IOC_W, MK_PTR(MK_STRUCT(STRUCT_sockaddr_ifreq)))
-  IOCTL(SIOCGIFINDEX, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_sockaddr_ifreq)))
+  IOCTL(SIOCGIFINDEX, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_int_ifreq)))
   IOCTL(SIOCSIFLINK, 0, TYPE_NULL)
   IOCTL_SPECIAL(SIOCGIFCONF, IOC_W | IOC_R, do_ioctl_ifconf,
                 MK_PTR(MK_STRUCT(STRUCT_ifconf)))
commit 0e3cd8334aa800b947e2511720a8dcb792f68871
Author: Nikolay Nikolaev <n.nikolaev at virtualopensystems.com>
Date:   Wed Jul 9 18:06:32 2014 +0300

    qtest: fix vhost-user-test compilation with old GLib
    
    The missing G_TIME_SPAN_SECOND definition breaks compilation on RHEL6, as GLib
    versions before 2.26 do not have it. In that case, just define it.
    
    Reported-by: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Nikolay Nikolaev <n.nikolaev at virtualopensystems.com>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/tests/vhost-user-test.c b/tests/vhost-user-test.c
index 2af2381..406ba70 100644
--- a/tests/vhost-user-test.c
+++ b/tests/vhost-user-test.c
@@ -22,6 +22,10 @@
 #include <qemu/sockets.h>
 
 /* GLIB version compatibility flags */
+#if !GLIB_CHECK_VERSION(2, 26, 0)
+#define G_TIME_SPAN_SECOND              (G_GINT64_CONSTANT(1000000))
+#endif
+
 #if GLIB_CHECK_VERSION(2, 28, 0)
 #define HAVE_MONOTONIC_TIME
 #endif
commit 75902802c26267b7d1d6948d81c907e2432f0a94
Author: Hu Tao <hutao at cn.fujitsu.com>
Date:   Thu Jun 13 18:51:48 2013 +0800

    fix typo: apci -> acpi
    
    Signed-off-by: Hu Tao <hutao at cn.fujitsu.com>
    Reviewed-by: Andreas Färber <afaerber at suse.de>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    
    MST: rebase

diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
index e7d6c77..7b14bbb 100644
--- a/hw/acpi/ich9.c
+++ b/hw/acpi/ich9.c
@@ -232,11 +232,11 @@ void ich9_pm_init(PCIDevice *lpc_pci, ICH9LPCPMRegs *pm,
 
     acpi_gpe_init(&pm->acpi_regs, ICH9_PMIO_GPE0_LEN);
     memory_region_init_io(&pm->io_gpe, OBJECT(lpc_pci), &ich9_gpe_ops, pm,
-                          "apci-gpe0", ICH9_PMIO_GPE0_LEN);
+                          "acpi-gpe0", ICH9_PMIO_GPE0_LEN);
     memory_region_add_subregion(&pm->io, ICH9_PMIO_GPE0_STS, &pm->io_gpe);
 
     memory_region_init_io(&pm->io_smi, OBJECT(lpc_pci), &ich9_smi_ops, pm,
-                          "apci-smi", 8);
+                          "acpi-smi", 8);
     memory_region_add_subregion(&pm->io, ICH9_PMIO_SMI_EN, &pm->io_smi);
 
     pm->irq = sci_irq;
commit faab4597973573852bbddadef21c9e788ce732b3
Author: Eduardo Habkost <ehabkost at redhat.com>
Date:   Mon Jul 7 15:30:52 2014 -0300

    pc_piix: Reuse pc_compat_1_2() for pc-0.1[0123]
    
    pc-0.13 and older were missing some compat code that was present on
    newer machine-types:
    
    * x86_cpu_compat_disable_kvm_features(FEAT_1_ECX, CPUID_EXT_X2APIC);
      (pc-i440fx-1.7 and older)
      (added by commit ef02ef5f4536dba090b12360a6c862ef0e57e3bc)
    * x86_cpu_compat_set_features("n270", FEAT_1_ECX, 0, CPUID_EXT_MOVBE);
      (pc-i440fx-1.4 and older)
      (added by commit 4458c23672904fa131e69897007eeb7c953be7e5)
    * x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
      (pc-i440fx-1.4 and older)
      (added by commit 56383703c060777fd01aaf8d63d5f46d660e9fb9)
    
    Instead of duplicating the code from the previous pc_compat_*()
    functions, we can now reuse pc_compat_1_2() and fix those issues.
    
    Signed-off-by: Eduardo Habkost <ehabkost at redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 2dccb34..ec8ccdb 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -386,19 +386,10 @@ static void pc_init_pci_1_2(MachineState *machine)
     pc_init_pci(machine);
 }
 
-/* PC init function for pc-0.10 to pc-0.13, and reused by xenfv */
+/* PC init function for pc-0.10 to pc-0.13 */
 static void pc_init_pci_no_kvmclock(MachineState *machine)
 {
-    has_pci_info = false;
-    has_acpi_build = false;
-    smbios_defaults = false;
-    gigabyte_align = false;
-    smbios_legacy_mode = true;
-    has_reserved_memory = false;
-    option_rom_has_mr = true;
-    rom_file_has_mr = false;
-    x86_cpu_compat_disable_kvm_features(FEAT_KVM, KVM_FEATURE_PV_EOI);
-    enable_compat_apic_id_mode();
+    pc_compat_1_2(machine);
     pc_init1(machine, 1, 0);
 }
 
commit 4ec6ee5acef8092ec64e183694aba2a1cfce8d80
Author: Igor Mammedov <imammedo at redhat.com>
Date:   Tue Jul 8 15:29:46 2014 +0200

    pc: fix qemu exiting with error when -m X < 128 with old machines types
    
    If the machine doesn't support memory hotplug, then starting QEMU
    with initial memory less than the default makes QEMU exit with
    the following error message:
    
    $QEMU -m 16  -M isapc
    qemu-system-i386: "-memory 'slots|maxmem'" is not supported by: isapc
    
    Set maxram_size to initial memory value before parsing
    'maxmem' option allows to keep maxmem in sync with initial
    memory size if no maxmem option was specified.
    
    Signed-off-by: Igor Mammedov <imammedo at redhat.com>
    CC: Bruce Rogers <brogers at suse.com>
    Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/vl.c b/vl.c
index 6e084c2..6abedcf 100644
--- a/vl.c
+++ b/vl.c
@@ -3315,6 +3315,7 @@ int main(int argc, char **argv, char **envp)
                     error_report("ram size too large");
                     exit(EXIT_FAILURE);
                 }
+                maxram_size = ram_size;
 
                 maxmem_str = qemu_opt_get(opts, "maxmem");
                 slots_str = qemu_opt_get(opts, "slots");

