[Spice-commits] 61 commits - MAINTAINERS VERSION block.c block/vmdk.c configure coroutine-sigaltstack.c gdbstub.c hw/acpi hw/cpu hw/i386 hw/ide hw/intc hw/scsi hw/usb include/block include/hw include/sysemu linux-user/elfload.c linux-user/syscall.c linux-user/syscall_defs.h monitor.c net/slirp.c numa.c pc-bios/bios-256k.bin pc-bios/bios.bin pc-bios/petalogix-s3adsp1800.dtb pc-bios/vgabios-cirrus.bin pc-bios/vgabios-qxl.bin pc-bios/vgabios-stdvga.bin pc-bios/vgabios-vmware.bin pc-bios/vgabios.bin qapi-schema.json qemu-doc.texi qemu-seccomp.c qmp-commands.hx roms/seabios target-i386/cpu.c target-i386/cpu.h target-i386/seg_helper.c target-xtensa/cpu.h target-xtensa/op_helper.c tests/tcg ui/input.c xen-hvm.c

Gerd Hoffmann kraxel at kemper.freedesktop.org
Wed Nov 19 07:31:11 PST 2014


 MAINTAINERS                      |   20 ++
 VERSION                          |    2 
 block.c                          |   10 -
 block/vmdk.c                     |   20 +-
 configure                        |    3 
 coroutine-sigaltstack.c          |    2 
 gdbstub.c                        |    5 
 hw/acpi/core.c                   |    7 -
 hw/cpu/icc_bus.c                 |    4 
 hw/i386/kvm/apic.c               |    3 
 hw/i386/kvm/clock.c              |   14 ++
 hw/i386/smbios.c                 |   10 -
 hw/ide/ahci.c                    |  269 +++++++++++++++++++++------------------
 hw/ide/ahci.h                    |    3 
 hw/ide/core.c                    |   14 +-
 hw/ide/internal.h                |   13 +
 hw/ide/macio.c                   |    7 -
 hw/ide/pci.c                     |   27 +++
 hw/intc/apic_common.c            |   38 +++++
 hw/scsi/esp-pci.c                |    3 
 hw/scsi/esp.c                    |   11 +
 hw/scsi/virtio-scsi-dataplane.c  |    9 +
 hw/scsi/virtio-scsi.c            |   17 ++
 hw/usb/hcd-xhci.c                |    9 +
 hw/usb/host-libusb.c             |   12 +
 include/block/block.h            |    4 
 include/hw/scsi/esp.h            |    1 
 include/hw/sysbus.h              |    2 
 include/hw/virtio/virtio-scsi.h  |    3 
 include/sysemu/sysemu.h          |    1 
 linux-user/elfload.c             |    2 
 linux-user/syscall.c             |   54 +++++--
 linux-user/syscall_defs.h        |    5 
 monitor.c                        |    6 
 net/slirp.c                      |    9 +
 numa.c                           |   38 +++++
 pc-bios/bios-256k.bin            |binary
 pc-bios/bios.bin                 |binary
 pc-bios/petalogix-s3adsp1800.dtb |binary
 pc-bios/vgabios-cirrus.bin       |binary
 pc-bios/vgabios-qxl.bin          |binary
 pc-bios/vgabios-stdvga.bin       |binary
 pc-bios/vgabios-vmware.bin       |binary
 pc-bios/vgabios.bin              |binary
 qapi-schema.json                 |    9 +
 qemu-doc.texi                    |    4 
 qemu-seccomp.c                   |    6 
 qmp-commands.hx                  |    4 
 roms/seabios                     |    2 
 target-i386/cpu.c                |    6 
 target-i386/cpu.h                |    2 
 target-i386/seg_helper.c         |   17 --
 target-xtensa/cpu.h              |    6 
 target-xtensa/op_helper.c        |    6 
 tests/tcg/xtensa/test_windowed.S |   51 +++++++
 ui/input.c                       |   15 +-
 xen-hvm.c                        |    3 
 57 files changed, 562 insertions(+), 226 deletions(-)

New commits:
commit b87dcdd0746dc110fa5a3353cbc257818e618930
Merge: c52e679 5f58330
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Nov 14 11:12:40 2014 +0000

    Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
    
    # gpg: Signature made Fri 14 Nov 2014 11:05:54 GMT using RSA key ID 81AB73C8
    # gpg: Good signature from "Stefan Hajnoczi <stefanha at redhat.com>"
    # gpg:                 aka "Stefan Hajnoczi <stefanha at gmail.com>"
    
    * remotes/stefanha/tags/block-pull-request:
      vmdk: Leave bdi intact if -ENOTSUP in vmdk_get_info
      block: Fix max nb_sectors in bdrv_make_zero
      ahci: factor out FIS decomposition from handle_cmd
      ahci: Check cmd_fis[1] more explicitly
      ahci: Reorder error cases in handle_cmd
      ahci: Fix FIS decomposition
      ahci: add is_ncq predicate helper
      ide: Correct handling of malformed/short PRDTs
      ahci: unify sglist preparation
      ide: repair PIO transfers for cases where nsector > 1
      ahci: Fix byte count regression for ATAPI/PIO
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 5f58330790b72c4705b373ee0646fb3adf800b4e
Author: Fam Zheng <famz at redhat.com>
Date:   Fri Nov 14 12:09:21 2014 +0800

    vmdk: Leave bdi intact if -ENOTSUP in vmdk_get_info
    
    When extent types don't match, we return -ENOTSUP. In this case, be
    polite to the caller and don't modify bdi.
    
    Signed-off-by: Fam Zheng <famz at redhat.com>
    Reviewed-by: Max Reitz <mreitz at redhat.com>
    Message-id: 1415938161-16217-1-git-send-email-famz at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/block/vmdk.c b/block/vmdk.c
index 673d3f5..2cbfd3e 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -2137,23 +2137,29 @@ static ImageInfoSpecific *vmdk_get_specific_info(BlockDriverState *bs)
     return spec_info;
 }
 
+static bool vmdk_extents_type_eq(const VmdkExtent *a, const VmdkExtent *b)
+{
+    return a->flat == b->flat &&
+           a->compressed == b->compressed &&
+           (a->flat || a->cluster_sectors == b->cluster_sectors);
+}
+
 static int vmdk_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
 {
     int i;
     BDRVVmdkState *s = bs->opaque;
     assert(s->num_extents);
-    bdi->needs_compressed_writes = s->extents[0].compressed;
-    if (!s->extents[0].flat) {
-        bdi->cluster_size = s->extents[0].cluster_sectors << BDRV_SECTOR_BITS;
-    }
+
     /* See if we have multiple extents but they have different cases */
     for (i = 1; i < s->num_extents; i++) {
-        if (bdi->needs_compressed_writes != s->extents[i].compressed ||
-            (bdi->cluster_size && bdi->cluster_size !=
-                s->extents[i].cluster_sectors << BDRV_SECTOR_BITS)) {
+        if (!vmdk_extents_type_eq(&s->extents[0], &s->extents[i])) {
             return -ENOTSUP;
         }
     }
+    bdi->needs_compressed_writes = s->extents[0].compressed;
+    if (!s->extents[0].flat) {
+        bdi->cluster_size = s->extents[0].cluster_sectors << BDRV_SECTOR_BITS;
+    }
     return 0;
 }
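Review bot: On the flat path of the rewritten vmdk_get_info, `bdi->cluster_size` is still never written, so a successful return for a flat image leaves whatever the caller had in `bdi`; that is only correct if callers zero the struct first, which this hunk does not show. The helper's third clause deserves a one-line reason, e.g. `/* cluster_sectors is meaningless for flat extents, so only compare it when both are sparse */` above the return in vmdk_extents_type_eq. The loop comment `See if we have multiple extents but they have different cases` would read better as `... different types`, matching the helper's name.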
 
commit f3a9cfddaec127078ac1898de6b063db8ac3bb48
Author: Fam Zheng <famz at redhat.com>
Date:   Mon Nov 10 15:07:44 2014 +0800

    block: Fix max nb_sectors in bdrv_make_zero
    
    In bdrv_rw_co we report -EINVAL for nb_sectors > INT_MAX /
    BDRV_SECTOR_SIZE, so a caller shouldn't exceed it.
    
    Signed-off-by: Fam Zheng <famz at redhat.com>
    Reviewed-by: Markus Armbruster <armbru at redhat.com>
    Message-id: 1415603264-21497-1-git-send-email-famz at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/block.c b/block.c
index c612826..a612594 100644
--- a/block.c
+++ b/block.c
@@ -2790,8 +2790,8 @@ int bdrv_make_zero(BlockDriverState *bs, BdrvRequestFlags flags)
         if (nb_sectors <= 0) {
             return 0;
         }
-        if (nb_sectors > INT_MAX) {
-            nb_sectors = INT_MAX;
+        if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+            nb_sectors = INT_MAX / BDRV_SECTOR_SIZE;
         }
         ret = bdrv_get_block_status(bs, sector_num, nb_sectors, &n);
         if (ret < 0) {
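Review bot: The new clamp `INT_MAX / BDRV_SECTOR_SIZE` duplicates the limit that bdrv_rw_co enforces (per the commit message) with nothing tying the two together, so they can drift apart silently. A comment at the clamp, `/* bdrv_rw_co returns -EINVAL for nb_sectors > INT_MAX / BDRV_SECTOR_SIZE */`, or a single named constant used by both call sites, would keep the contract visible. bdrv_make_zero starts and ends outside the hunk.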
commit 107f0d4677e126b073d9b606788d2c126c520416
Author: John Snow <jsnow at redhat.com>
Date:   Mon Nov 3 18:56:19 2014 -0500

    ahci: factor out FIS decomposition from handle_cmd
    
    In order to make handle_cmd more readable at the macro level,
    the details of how to decompose particular types of FIS packets
    are left to helper functions.
    
    In our case, the only type of FIS packet we currently expect to
    see is a Register H2D FIS packet, but the gory details of its
    decomposition are of no particular interest in handle_cmd.
    
    This patch keeps the receipt of FIS packets and the decomposition
    thereof separated to two different functions.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1415058979-16604-6-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index d6b012c..94f28e6 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -946,10 +946,94 @@ static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
     }
 }
 
+static void handle_reg_h2d_fis(AHCIState *s, int port,
+                               int slot, uint8_t *cmd_fis)
+{
+    IDEState *ide_state = &s->dev[port].port.ifs[0];
+    AHCICmdHdr *cmd = s->dev[port].cur_cmd;
+    uint32_t opts = le32_to_cpu(cmd->opts);
+
+    if (cmd_fis[1] & 0x0F) {
+        DPRINTF(port, "Port Multiplier not supported."
+                " cmd_fis[0]=%02x cmd_fis[1]=%02x cmd_fis[2]=%02x\n",
+                cmd_fis[0], cmd_fis[1], cmd_fis[2]);
+        return;
+    }
+
+    if (cmd_fis[1] & 0x70) {
+        DPRINTF(port, "Reserved flags set in H2D Register FIS."
+                " cmd_fis[0]=%02x cmd_fis[1]=%02x cmd_fis[2]=%02x\n",
+                cmd_fis[0], cmd_fis[1], cmd_fis[2]);
+        return;
+    }
+
+    if (!(cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER)) {
+        switch (s->dev[port].port_state) {
+        case STATE_RUN:
+            if (cmd_fis[15] & ATA_SRST) {
+                s->dev[port].port_state = STATE_RESET;
+            }
+            break;
+        case STATE_RESET:
+            if (!(cmd_fis[15] & ATA_SRST)) {
+                ahci_reset_port(s, port);
+            }
+            break;
+        }
+        return;
+    }
+
+    /* Check for NCQ command */
+    if (is_ncq(cmd_fis[2])) {
+        process_ncq_command(s, port, cmd_fis, slot);
+        return;
+    }
+
+    /* Decompose the FIS:
+     * AHCI does not interpret FIS packets, it only forwards them.
+     * SATA 1.0 describes how to decode LBA28 and CHS FIS packets.
+     * Later specifications, e.g, SATA 3.2, describe LBA48 FIS packets.
+     *
+     * ATA4 describes sector number for LBA28/CHS commands.
+     * ATA6 describes sector number for LBA48 commands.
+     * ATA8 deprecates CHS fully, describing only LBA28/48.
+     *
+     * We dutifully convert the FIS into IDE registers, and allow the
+     * core layer to interpret them as needed. */
+    ide_state->feature = cmd_fis[3];
+    ide_state->sector = cmd_fis[4];      /* LBA 7:0 */
+    ide_state->lcyl = cmd_fis[5];        /* LBA 15:8  */
+    ide_state->hcyl = cmd_fis[6];        /* LBA 23:16 */
+    ide_state->select = cmd_fis[7];      /* LBA 27:24 (LBA28) */
+    ide_state->hob_sector = cmd_fis[8];  /* LBA 31:24 */
+    ide_state->hob_lcyl = cmd_fis[9];    /* LBA 39:32 */
+    ide_state->hob_hcyl = cmd_fis[10];   /* LBA 47:40 */
+    ide_state->hob_feature = cmd_fis[11];
+    ide_state->nsector = (int64_t)((cmd_fis[13] << 8) | cmd_fis[12]);
+    /* 14, 16, 17, 18, 19: Reserved (SATA 1.0) */
+    /* 15: Only valid when UPDATE_COMMAND not set. */
+
+    /* Copy the ACMD field (ATAPI packet, if any) from the AHCI command
+     * table to ide_state->io_buffer */
+    if (opts & AHCI_CMD_ATAPI) {
+        memcpy(ide_state->io_buffer, &cmd_fis[AHCI_COMMAND_TABLE_ACMD], 0x10);
+        debug_print_fis(ide_state->io_buffer, 0x10);
+        s->dev[port].done_atapi_packet = false;
+        /* XXX send PIO setup FIS */
+    }
+
+    ide_state->error = 0;
+
+    /* Reset transferred byte counter */
+    cmd->status = 0;
+
+    /* We're ready to process the command in FIS byte 2. */
+    ide_exec_cmd(&s->dev[port].port, cmd_fis[2]);
+}
+
 static int handle_cmd(AHCIState *s, int port, int slot)
 {
     IDEState *ide_state;
-    uint32_t opts;
     uint64_t tbl_addr;
     AHCICmdHdr *cmd;
     uint8_t *cmd_fis;
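Review bot: handle_reg_h2d_fis has no header comment, and its first two early returns test bare masks `0x0F` and `0x70` on cmd_fis[1] whose meaning the reader has to reconstruct from the DPRINTF strings; the same bare masks appear in the commit 102e5625 hunk further down this page. I would add a short header stating that the helper expects a command table that handle_cmd has mapped and length-checked (the `cmd_len != 0x80` check in the commit 36ab3c34 hunk below), and that it either updates the port's control state, routes NCQ commands to process_ncq_command, or loads the IDE registers and runs the command. The checks themselves could carry `/* bits 3:0: Port Multiplier Port */` and `/* bits 6:4: reserved */`. The `switch (s->dev[port].port_state)` has no `default:`; if port_state is an enum with more members than STATE_RUN and STATE_RESET, -Wswitch will flag it. Because the helper returns void, handle_cmd can no longer tell a rejected FIS from an executed one; that matches the old `goto out` behaviour but is worth stating in the header.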
@@ -976,7 +1060,6 @@ static int handle_cmd(AHCIState *s, int port, int slot)
         return -1;
     }
 
-    opts = le32_to_cpu(cmd->opts);
     tbl_addr = le64_to_cpu(cmd->tbl_addr);
     cmd_len = 0x80;
     cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len,
@@ -995,93 +1078,13 @@ static int handle_cmd(AHCIState *s, int port, int slot)
 
     switch (cmd_fis[0]) {
         case SATA_FIS_TYPE_REGISTER_H2D:
+            handle_reg_h2d_fis(s, port, slot, cmd_fis);
             break;
         default:
             DPRINTF(port, "unknown command cmd_fis[0]=%02x cmd_fis[1]=%02x "
                           "cmd_fis[2]=%02x\n", cmd_fis[0], cmd_fis[1],
                           cmd_fis[2]);
-            goto out;
-            break;
-    }
-
-    if (cmd_fis[1] & 0x0F) {
-        DPRINTF(port, "Port Multiplier not supported."
-                " cmd_fis[0]=%02x cmd_fis[1]=%02x cmd_fis[2]=%02x\n",
-                cmd_fis[0], cmd_fis[1], cmd_fis[2]);
-        goto out;
-    }
-
-    if (cmd_fis[1] & 0x70) {
-        DPRINTF(port, "Reserved flags set in H2D Register FIS."
-                " cmd_fis[0]=%02x cmd_fis[1]=%02x cmd_fis[2]=%02x\n",
-                cmd_fis[0], cmd_fis[1], cmd_fis[2]);
-        goto out;
-    }
-
-    if (!(cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER)) {
-        switch (s->dev[port].port_state) {
-        case STATE_RUN:
-            if (cmd_fis[15] & ATA_SRST) {
-                s->dev[port].port_state = STATE_RESET;
-            }
             break;
-        case STATE_RESET:
-            if (!(cmd_fis[15] & ATA_SRST)) {
-                ahci_reset_port(s, port);
-            }
-            break;
-        }
-    }
-
-    else if (cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER) {
-
-        /* Check for NCQ command */
-        if (is_ncq(cmd_fis[2])) {
-            process_ncq_command(s, port, cmd_fis, slot);
-            goto out;
-        }
-
-        /* Decompose the FIS:
-         * AHCI does not interpret FIS packets, it only forwards them.
-         * SATA 1.0 describes how to decode LBA28 and CHS FIS packets.
-         * Later specifications, e.g, SATA 3.2, describe LBA48 FIS packets.
-         *
-         * ATA4 describes sector number for LBA28/CHS commands.
-         * ATA6 describes sector number for LBA48 commands.
-         * ATA8 deprecates CHS fully, describing only LBA28/48.
-         *
-         * We dutifully convert the FIS into IDE registers, and allow the
-         * core layer to interpret them as needed. */
-        ide_state->feature = cmd_fis[3];
-        ide_state->sector = cmd_fis[4];     /* LBA 7:0 */
-        ide_state->lcyl = cmd_fis[5];       /* LBA 15:8  */
-        ide_state->hcyl = cmd_fis[6];       /* LBA 23:16 */
-        ide_state->select = cmd_fis[7];     /* LBA 27:24 (LBA28) */
-        ide_state->hob_sector = cmd_fis[8]; /* LBA 31:24 */
-        ide_state->hob_lcyl = cmd_fis[9];   /* LBA 39:32 */
-        ide_state->hob_hcyl = cmd_fis[10];  /* LBA 47:40 */
-        ide_state->hob_feature = cmd_fis[11];
-        ide_state->nsector = (int64_t)((cmd_fis[13] << 8) | cmd_fis[12]);
-        /* 14, 16, 17, 18, 19: Reserved (SATA 1.0) */
-        /* 15: Only valid when UPDATE_COMMAND not set. */
-
-        /* Copy the ACMD field (ATAPI packet, if any) from the AHCI command
-         * table to ide_state->io_buffer
-         */
-        if (opts & AHCI_CMD_ATAPI) {
-            memcpy(ide_state->io_buffer, &cmd_fis[AHCI_COMMAND_TABLE_ACMD], 0x10);
-            debug_print_fis(ide_state->io_buffer, 0x10);
-            s->dev[port].done_atapi_packet = false;
-            /* XXX send PIO setup FIS */
-        }
-
-        ide_state->error = 0;
-
-        /* Reset transferred byte counter */
-        cmd->status = 0;
-
-        /* We're ready to process the command in FIS byte 2. */
-        ide_exec_cmd(&s->dev[port].port, cmd_fis[2]);
     }
 
 out:
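Review bot: The remaining `switch (cmd_fis[0])` in handle_cmd indents its `case` labels one level deeper than the `switch`, while the new handle_reg_h2d_fis aligns `case` with `switch`; now that the two functions sit next to each other, one convention would be easier on the eye. The `break` after the `default:` DPRINTF is only reached because `out:` follows immediately, so a one-word comment such as `break; /* falls through to unmap at out: */` would spare the next reader a check. handle_cmd starts outside the hunk.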
commit 102e56254dbf5f789e43d7eb29023f296cb67536
Author: John Snow <jsnow at redhat.com>
Date:   Mon Nov 3 18:56:18 2014 -0500

    ahci: Check cmd_fis[1] more explicitly
    
    Instead of checking for a known byte, inspect the
    fields of this byte explicitly to produce more meaningful
    error messages and improve the readability of this section.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1415058979-16604-5-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 578a93b..d6b012c 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1004,17 +1004,18 @@ static int handle_cmd(AHCIState *s, int port, int slot)
             break;
     }
 
-    switch (cmd_fis[1]) {
-        case SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER:
-            break;
-        case 0:
-            break;
-        default:
-            DPRINTF(port, "unknown command cmd_fis[0]=%02x cmd_fis[1]=%02x "
-                          "cmd_fis[2]=%02x\n", cmd_fis[0], cmd_fis[1],
-                          cmd_fis[2]);
-            goto out;
-            break;
+    if (cmd_fis[1] & 0x0F) {
+        DPRINTF(port, "Port Multiplier not supported."
+                " cmd_fis[0]=%02x cmd_fis[1]=%02x cmd_fis[2]=%02x\n",
+                cmd_fis[0], cmd_fis[1], cmd_fis[2]);
+        goto out;
+    }
+
+    if (cmd_fis[1] & 0x70) {
+        DPRINTF(port, "Reserved flags set in H2D Register FIS."
+                " cmd_fis[0]=%02x cmd_fis[1]=%02x cmd_fis[2]=%02x\n",
+                cmd_fis[0], cmd_fis[1], cmd_fis[2]);
+        goto out;
     }
 
     if (!(cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER)) {
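Review bot: The rewrite is only behaviour-preserving if `0x0F`, `0x70` and SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER together cover all eight bits of cmd_fis[1] without overlap; the hunk does not show the flag's value, so that equivalence is an assumption at this point. A compile-time check next to the tests, `QEMU_BUILD_BUG_ON((0x0F | 0x70 | SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER) != 0xFF);`, would pin it, or at least a comment `/* 0x0F: PM port, 0x70: reserved, remaining bit: C (update command register) */`. handle_cmd continues outside the hunk on both sides.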
commit 36ab3c3400ac941e4d9afc044be08143ff9eea62
Author: John Snow <jsnow at redhat.com>
Date:   Mon Nov 3 18:56:17 2014 -0500

    ahci: Reorder error cases in handle_cmd
    
    Error checking in ahci's handle_cmd is re-ordered so that we
    initialize as few things as possible before we've done our
    sanity checking. This simplifies returning from this call
    in case of an error.
    
    A check to make sure the DMA memory map succeeds with the
    correct size is also added, and the debug print of the
    command fis is cleaned up with its size corrected.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1415058979-16604-4-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 43da363..578a93b 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -961,38 +961,37 @@ static int handle_cmd(AHCIState *s, int port, int slot)
         return -1;
     }
 
-    cmd = &((AHCICmdHdr *)s->dev[port].lst)[slot];
-
     if (!s->dev[port].lst) {
         DPRINTF(port, "error: lst not given but cmd handled");
         return -1;
     }
-
+    cmd = &((AHCICmdHdr *)s->dev[port].lst)[slot];
     /* remember current slot handle for later */
     s->dev[port].cur_cmd = cmd;
 
+    /* The device we are working for */
+    ide_state = &s->dev[port].port.ifs[0];
+    if (!ide_state->blk) {
+        DPRINTF(port, "error: guest accessed unused port");
+        return -1;
+    }
+
     opts = le32_to_cpu(cmd->opts);
     tbl_addr = le64_to_cpu(cmd->tbl_addr);
-
     cmd_len = 0x80;
     cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len,
                              DMA_DIRECTION_FROM_DEVICE);
-
     if (!cmd_fis) {
         DPRINTF(port, "error: guest passed us an invalid cmd fis\n");
         return -1;
-    }
-
-    /* The device we are working for */
-    ide_state = &s->dev[port].port.ifs[0];
-
-    if (!ide_state->blk) {
-        DPRINTF(port, "error: guest accessed unused port");
+    } else if (cmd_len != 0x80) {
+        ahci_trigger_irq(s, &s->dev[port], PORT_IRQ_HBUS_ERR);
+        DPRINTF(port, "error: dma_memory_map failed: "
+                "(len(%02"PRIx64") != 0x80)\n",
+                cmd_len);
         goto out;
     }
-
-    debug_print_fis(cmd_fis, 0x90);
-    //debug_print_fis(cmd_fis, (opts & AHCI_CMD_HDR_CMD_FIS_LEN) * 4);
+    debug_print_fis(cmd_fis, 0x80);
 
     switch (cmd_fis[0]) {
         case SATA_FIS_TYPE_REGISTER_H2D:
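Review bot: The short-mapping branch (`cmd_len != 0x80`) is the only failure in this block that signals the guest via PORT_IRQ_HBUS_ERR; the `!cmd_fis` branch directly above it, which is the same class of failure (a guest-supplied tbl_addr that cannot be mapped), still returns -1 silently. If the -1 path does not raise an error interrupt in the caller (not visible here), adding `ahci_trigger_irq(s, &s->dev[port], PORT_IRQ_HBUS_ERR);` before that `return -1;` would make the two paths consistent. Separately, `s->dev[port].cur_cmd` is now assigned before the `!ide_state->blk` check, so an access to an unused port leaves cur_cmd pointing at that slot on the -1 return; presumably harmless, but moving the assignment below the check or commenting on it would make that intent explicit. handle_cmd starts and ends outside the hunk.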
commit 1cbdd96813474de4191b0b37b859a5460373093b
Author: John Snow <jsnow at redhat.com>
Date:   Mon Nov 3 18:56:16 2014 -0500

    ahci: Fix FIS decomposition
    
    This patch introduces a few changes to how FIS packets are
    deciphered in the AHCI virtual device. The summary of
    changes can be grouped into two pieces:
    
    [A] Changes to how we apply a preliminary sieve to FISes,
    [B] Changes in how we internalize a decomposed FIS.
    
    == Changes to how we apply a preliminary sieve to FISes ==
    
    (1) Packets may now either update the Control register or
        the Command register, but not both. This is according
        to the SATA 3.2 specification which states:
        "...the device either initiates processing of the command
        indicated in the Command register or initiates processing
        of the control request indicated [...] depending on the
        state of the C bit in the FIS."
    
        See SATA 3.2 section 10.5.5.4, "Reception" in the 10.5.5
        "Register Host to Device FIS" section.
    
        This change accounts for the first two regions of change
        within the diff. All other changes belong to the following
        changes.
    
    == Changes in how we internalize a decomposed FIS ==
    
    (2) Instead of trying to extract the sector number out of the
        FIS from bytes 4-10 and setting it with ide_set_sector,
        we set the appropriate IDEState registers and trust that
        ide_get_sector can retrieve the correct sector later.
    
        By "constructing" the sector for use with ide_set_sector,
        we are duplicating the mechanisms of ide_get_sector.
        This change makes the FIS decomposition more obvious.
    
        SATA 3.2 as a specification does not make the legacy
        register mapping with respect to the D2H FIS obvious.
        However, SATA 3.2 section 10.5.5.1 "Register Host to
        Device FIS layout" describes all of the "cmd_fis"
        bytes:
    
        0 - FIS Type (0x27)
        1 - Port Multiplier Port and Command Update flag
        2 - ATA Command
        3 - Features_Low
        4 - LBA 7:0
        5 - LBA 15:8
        6 - LBA 23:16
        7 - Device, AKA "Drive Select."
        8 - LBA 31:24
        9 - LBA 39:32
        10 - LBA 47:40
        11 - Features_High
        12 - Count Low
        13 - Count High
        14 - ICC
        15 - Control
        16-19 - Auxiliary (for NCQ, defined per-command)
    
        Most of these registers map to existing IDEState registers
        in obvious ways, especially features, select, hob_features,
        and nsector (count). ICC is reserved in older specifications
        but is not supported in our implementation, and remains
        unused here. The Control register is not valid for a command
        that is trying to update the command register and is to be
        considered reserved at this point.
    
        What is not obvious is the LBA register mappings, but SATA 1.0
        can help inform of us legacy device support, see SATA 1.0 section
        8.5.2 "Register - Host to Device."
    
        LBA 7:0   - Sector Number    (sector)
        LBA 15:8  - Cyl Low          (lcyl)
        LBA 23:16 - Cyl High         (hcyl)
        LBA 31:24 - Sector Num Exp.  (hob_sector)
        LBA 39:32 - Cyl Low Exp.     (hob_lcyl)
        LBA 47:40 - Cyl High Exp.    (hob_hcyl)
    
        These mappings help guide which registers the FIS should be decomposed
        into/towards for CHS, LBA28 and LBA48 commands.
    
        As a note: The prior confusion that can be seen in the documentation
        arises from the fact that CHS and LBA28 commands use the low nybble
        of the drive select register to store LBA 27:24, whereas LBA48 commands
        use the hob_sector, hob_lcyl and hob_hcyl registers as explained above.
    
        The decomposition as it stands now will correctly decompose CHS, LBA28
        and LBA48 commands into their appropriate registers where the core
        IDE/ATAPI layers can deal with them correctly.
    
        See the below point for more information.
    
    (3) We save cmd_fis[7] as ide_state->select, which informs
        decisions about if we are using LBA or CHS.
        This corrects a bug in AHCI wherein we attempt to set and/or
        retrieve the sector number by using ide_set_sector and
        ide_get_sector, which depend on the select register to
        determine if we are using LBA or CHS.
    
        Without this adjustment, LBA48 read/writes are currently
        broken. Thanks to Eniac Zheng @ HP for pointing this out.
    
    (4) Save cmd_fis[11] as ide_state->hob_feature, as defined in SATA 3.2.
    
    (5) For several ATA commands, the sector count register set to 0
        is a magic number that means 256 sectors. For LBA48 commands,
        this means 65,536 sectors. We drop the magic sector correction
        here, and trust the ide core layer to handle the conversion
        appropriately, in ide_cmd_lba48_transform(). As it stands,
        the current AHCI code is only compliant with LBA28 commands.
        By simply removing the magic, it will work with LBA28 and LBA48.
    
    (6) We expand FIS decomposition to include both ATAPI and IDE devices.
        We leave the logic of determining if the fields are valid or not
        to the respective layers.
    
        This change intends to make it clearer that AHCI is only a
        composition mechanism for the FIS packets: the meanings of
        the registers is best left to the implementation layers for
        those devices.
    
    (7) Forcefully setting the feature, hcyl and lcyl registers for ATAPI
        commands is removed.
        - The hcyl and lcyl magic present here is valid at boot only,
          and should not be overridden for every PACKET command.
        - The feature register is defined as valid for the PACKET command,
          so we should not suppress it. The ATAPI layer does not even
          currently depend on or require 0x01 as mandatory.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1415058979-16604-3-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index f2acddb..43da363 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1018,7 +1018,8 @@ static int handle_cmd(AHCIState *s, int port, int slot)
             break;
     }
 
-    switch (s->dev[port].port_state) {
+    if (!(cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER)) {
+        switch (s->dev[port].port_state) {
         case STATE_RUN:
             if (cmd_fis[15] & ATA_SRST) {
                 s->dev[port].port_state = STATE_RESET;
@@ -1029,9 +1030,10 @@ static int handle_cmd(AHCIState *s, int port, int slot)
                 ahci_reset_port(s, port);
             }
             break;
+        }
     }
 
-    if (cmd_fis[1] == SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER) {
+    else if (cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER) {
 
         /* Check for NCQ command */
         if (is_ncq(cmd_fis[2])) {
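Review bot: `else if (cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER)` is the exact complement of the preceding `if (!(cmd_fis[1] & SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER))`, so a plain `else` (or the early-return shape this code takes once commit 107f0d46 higher on this page moves it into handle_reg_h2d_fis) would read clearer. The blank line between the closing `}` and `else if` is also unusual for this file. handle_cmd continues outside the hunk on both sides.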
@@ -1039,50 +1041,36 @@ static int handle_cmd(AHCIState *s, int port, int slot)
             goto out;
         }
 
-        /* Decompose the FIS  */
-        ide_state->nsector = (int64_t)((cmd_fis[13] << 8) | cmd_fis[12]);
+        /* Decompose the FIS:
+         * AHCI does not interpret FIS packets, it only forwards them.
+         * SATA 1.0 describes how to decode LBA28 and CHS FIS packets.
+         * Later specifications, e.g, SATA 3.2, describe LBA48 FIS packets.
+         *
+         * ATA4 describes sector number for LBA28/CHS commands.
+         * ATA6 describes sector number for LBA48 commands.
+         * ATA8 deprecates CHS fully, describing only LBA28/48.
+         *
+         * We dutifully convert the FIS into IDE registers, and allow the
+         * core layer to interpret them as needed. */
         ide_state->feature = cmd_fis[3];
-        if (!ide_state->nsector) {
-            ide_state->nsector = 256;
-        }
-
-        if (ide_state->drive_kind != IDE_CD) {
-            /*
-             * We set the sector depending on the sector defined in the FIS.
-             * Unfortunately, the spec isn't exactly obvious on this one.
-             *
-             * Apparently LBA48 commands set fis bytes 10,9,8,6,5,4 to the
-             * 48 bit sector number. ATA_CMD_READ_DMA_EXT is an example for
-             * such a command.
-             *
-             * Non-LBA48 commands however use 7[lower 4 bits],6,5,4 to define a
-             * 28-bit sector number. ATA_CMD_READ_DMA is an example for such
-             * a command.
-             *
-             * Since the spec doesn't explicitly state what each field should
-             * do, I simply assume non-used fields as reserved and OR everything
-             * together, independent of the command.
-             */
-            ide_set_sector(ide_state, ((uint64_t)cmd_fis[10] << 40)
-                                    | ((uint64_t)cmd_fis[9] << 32)
-                                    /* This is used for LBA48 commands */
-                                    | ((uint64_t)cmd_fis[8] << 24)
-                                    /* This is used for non-LBA48 commands */
-                                    | ((uint64_t)(cmd_fis[7] & 0xf) << 24)
-                                    | ((uint64_t)cmd_fis[6] << 16)
-                                    | ((uint64_t)cmd_fis[5] << 8)
-                                    | cmd_fis[4]);
-        }
+        ide_state->sector = cmd_fis[4];     /* LBA 7:0 */
+        ide_state->lcyl = cmd_fis[5];       /* LBA 15:8  */
+        ide_state->hcyl = cmd_fis[6];       /* LBA 23:16 */
+        ide_state->select = cmd_fis[7];     /* LBA 27:24 (LBA28) */
+        ide_state->hob_sector = cmd_fis[8]; /* LBA 31:24 */
+        ide_state->hob_lcyl = cmd_fis[9];   /* LBA 39:32 */
+        ide_state->hob_hcyl = cmd_fis[10];  /* LBA 47:40 */
+        ide_state->hob_feature = cmd_fis[11];
+        ide_state->nsector = (int64_t)((cmd_fis[13] << 8) | cmd_fis[12]);
+        /* 14, 16, 17, 18, 19: Reserved (SATA 1.0) */
+        /* 15: Only valid when UPDATE_COMMAND not set. */
 
         /* Copy the ACMD field (ATAPI packet, if any) from the AHCI command
          * table to ide_state->io_buffer
          */
         if (opts & AHCI_CMD_ATAPI) {
             memcpy(ide_state->io_buffer, &cmd_fis[AHCI_COMMAND_TABLE_ACMD], 0x10);
-            ide_state->lcyl = 0x14;
-            ide_state->hcyl = 0xeb;
             debug_print_fis(ide_state->io_buffer, 0x10);
-            ide_state->feature = IDE_FEATURE_DMA;
             s->dev[port].done_atapi_packet = false;
             /* XXX send PIO setup FIS */
         }
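Review bot: With the 0-means-256 correction dropped, `ide_state->nsector = (int64_t)((cmd_fis[13] << 8) | cmd_fis[12]);` now hands a zero count straight to the IDE core, and the reason that is safe lives only in the commit message. A comment at that line, `/* 0 means 256 (LBA28) or 65536 (LBA48); left to the ide core (ide_cmd_lba48_transform) */`, would keep the contract next to the code. The ATAPI branch still depends on `opts` and `ide_state`, both assigned earlier in handle_cmd outside this hunk.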
commit 72a065dbb13dd187040c61cdde79476720341cfa
Author: John Snow <jsnow at redhat.com>
Date:   Mon Nov 3 18:56:15 2014 -0500

    ahci: add is_ncq predicate helper
    
    A small helper to determine which S/ATA commands
    are destined to be routed to the NCQ pathways.
    
    This references SATA 3.2 section 13.6,
    Native Command Queueing. See sections 13.6.4,
    13.6.5, 13.6.6, 13.6.7 and 13.6.8 for all
    SATA commands considered to be part of the
    NCQ feature set. This is summarized in a small
    list in section 13.6.3.1 and again in 13.6.3.2.
    
    Not all of these NCQ commands are currently supported,
    so the error pathways are adjusted slightly to be more
    informative in the case they are encountered.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1415058979-16604-2-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 9647d94..f2acddb 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -854,6 +854,21 @@ static void ncq_cb(void *opaque, int ret)
     ncq_tfs->used = 0;
 }
 
+static int is_ncq(uint8_t ata_cmd)
+{
+    /* Based on SATA 3.2 section 13.6.3.2 */
+    switch (ata_cmd) {
+    case READ_FPDMA_QUEUED:
+    case WRITE_FPDMA_QUEUED:
+    case NCQ_NON_DATA:
+    case RECEIVE_FPDMA_QUEUED:
+    case SEND_FPDMA_QUEUED:
+        return 1;
+    default:
+        return 0;
+    }
+}
+
 static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
                                 int slot)
 {
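Review bot: is_ncq returns an int 0/1 where the file already uses bool for flags (`ad->done_atapi_packet = true;` in ahci_start_transfer further down this page), so `static bool is_ncq(uint8_t ata_cmd)` with `return true;` / `return false;` would make the predicate explicit to both compiler and reader. In the process_ncq_command default branch just below, the unsupported-NCQ and non-NCQ cases only DPRINTF and destroy the sglist; unless code outside the hunk releases that slot's ncq_tfs and reports a task-file error, the guest sees such a command silently vanish, which is worth confirming now that handle_cmd routes NCQ_NON_DATA / SEND / RECEIVE here and a guest can issue them at will.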
@@ -919,9 +934,15 @@ static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
                                            ncq_cb, ncq_tfs);
             break;
         default:
-            DPRINTF(port, "error: tried to process non-NCQ command as NCQ\n");
+            if (is_ncq(cmd_fis[2])) {
+                DPRINTF(port,
+                        "error: unsupported NCQ command (0x%02x) received\n",
+                        cmd_fis[2]);
+            } else {
+                DPRINTF(port,
+                        "error: tried to process non-NCQ command as NCQ\n");
+            }
             qemu_sglist_destroy(&ncq_tfs->sglist);
-            break;
     }
 }
 
@@ -1013,8 +1034,7 @@ static int handle_cmd(AHCIState *s, int port, int slot)
     if (cmd_fis[1] == SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER) {
 
         /* Check for NCQ command */
-        if ((cmd_fis[2] == READ_FPDMA_QUEUED) ||
-            (cmd_fis[2] == WRITE_FPDMA_QUEUED)) {
+        if (is_ncq(cmd_fis[2])) {
             process_ncq_command(s, port, cmd_fis, slot);
             goto out;
         }
diff --git a/hw/ide/ahci.h b/hw/ide/ahci.h
index b123237..e0d2eb8 100644
--- a/hw/ide/ahci.h
+++ b/hw/ide/ahci.h
@@ -186,6 +186,9 @@
 
 #define READ_FPDMA_QUEUED                  0x60
 #define WRITE_FPDMA_QUEUED                 0x61
+#define NCQ_NON_DATA                       0x63
+#define RECEIVE_FPDMA_QUEUED               0x65
+#define SEND_FPDMA_QUEUED                  0x64
 
 #define RES_FIS_DSFIS                      0x00
 #define RES_FIS_PSFIS                      0x20
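Review bot: The three new opcodes are not in numeric order: SEND_FPDMA_QUEUED (0x64) is listed after RECEIVE_FPDMA_QUEUED (0x65), while the neighbouring READ/WRITE_FPDMA_QUEUED definitions ascend. Swapping the two lines, `#define SEND_FPDMA_QUEUED 0x64` before `#define RECEIVE_FPDMA_QUEUED 0x65`, keeps the table scannable when further ATA opcodes are added.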
commit 3251bdcf1c67427d964517053c3d185b46e618e8
Author: John Snow <jsnow at redhat.com>
Date:   Fri Oct 31 16:03:39 2014 -0400

    ide: Correct handling of malformed/short PRDTs
    
    This impacts both BMDMA and AHCI HBA interfaces for IDE.
    Currently, we confuse the difference between a PRDT having
    "0 bytes" and a PRDT having "0 complete sectors."
    
    When we receive an incomplete sector, inconsistent error checking
    leads to an infinite loop wherein the call succeeds, but it
    didn't give us enough bytes -- leading us to re-call the
    DMA chain over and over again. This leads to, in the BMDMA case,
    leaked memory for short PRDTs, and infinite loops and resource
    usage in the AHCI case.
    
    The .prepare_buf() callback is reworked to return the number of
    bytes that it successfully prepared. 0 is a valid, non-error
    answer that means the table was empty and described no bytes.
    -1 indicates an error.
    
    Our current implementation uses the io_buffer in IDEState to
    ultimately describe the size of a prepared scatter-gather list.
    Even though the AHCI PRDT/SGList can be as large as 256GiB, the
    AHCI command header limits transactions to just 4GiB. ATA8-ACS3,
    however, defines the largest transaction to be an LBA48 command
    that transfers 65,536 sectors. With a 512 byte sector size, this
    is just 32MiB.
    
    Since our current state structures use the int type to describe
    the size of the buffer, and this state is migrated as int32, we
    are limited to describing 2GiB buffer sizes unless we change the
    migration protocol.
    
    For this reason, this patch begins to unify the assertions in the
    IDE pathways that the scatter-gather list provided by either the
    AHCI PRDT or the PCI BMDMA PRDs can only describe, at a maximum,
    2GiB. This should be resilient enough unless we need a sector
    size that exceeds 32KiB.
    
    Further, the likelihood of any guest operating system actually
    attempting to transfer this much data in a single operation is
    very slim.
    
    To this end, the IDEState variables have been updated to more
    explicitly clarify our maximum supported size. Callers to the
    prepare_buf callback have been reworked to understand the new
    return code, and all versions of the prepare_buf callback have
    been adjusted accordingly.
    
    Lastly, the ahci_populate_sglist helper, relied upon by the
    AHCI implementation of .prepare_buf() as well as the PCI
    implementation of the callback have had overflow assertions
    added to help make clear the reasonings behind the various
    type changes.
    
    [Added %d -> %"PRId64" fix John sent because off_pos changed from int to
    int64_t.
    --Stefan]
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1414785819-26209-4-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 28aa105..9647d94 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -730,7 +730,8 @@ static int prdt_tbl_entry_size(const AHCI_SG *tbl)
     return (le32_to_cpu(tbl->flags_size) & AHCI_PRDT_SIZE_MASK) + 1;
 }
 
-static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset)
+static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist,
+                                int32_t offset)
 {
     AHCICmdHdr *cmd = ad->cur_cmd;
     uint32_t opts = le32_to_cpu(cmd->opts);
@@ -741,13 +742,21 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset)
     uint8_t *prdt;
     int i;
     int r = 0;
-    int sum = 0;
+    uint64_t sum = 0;
     int off_idx = -1;
-    int off_pos = -1;
+    int64_t off_pos = -1;
     int tbl_entry_size;
     IDEBus *bus = &ad->port;
     BusState *qbus = BUS(bus);
 
+    /*
+     * Note: AHCI PRDT can describe up to 256GiB. SATA/ATA only support
+     * transactions of up to 32MiB as of ATA8-ACS3 rev 1b, assuming a
+     * 512 byte sector size. We limit the PRDT in this implementation to
+     * a reasonably large 2GiB, which can accommodate the maximum transfer
+     * request for sector sizes up to 32K.
+     */
+
     if (!sglist_alloc_hint) {
         DPRINTF(ad->port_no, "no sg list given by guest: 0x%08x\n", opts);
         return -1;
@@ -782,7 +791,7 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset)
         }
         if ((off_idx == -1) || (off_pos < 0) || (off_pos > tbl_entry_size)) {
             DPRINTF(ad->port_no, "%s: Incorrect offset! "
-                            "off_idx: %d, off_pos: %d\n",
+                            "off_idx: %d, off_pos: %"PRId64"\n",
                             __func__, off_idx, off_pos);
             r = -1;
             goto out;
@@ -797,6 +806,13 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, int offset)
             /* flags_size is zero-based */
             qemu_sglist_add(sglist, le64_to_cpu(tbl[i].addr),
                             prdt_tbl_entry_size(&tbl[i]));
+            if (sglist->size > INT32_MAX) {
+                error_report("AHCI Physical Region Descriptor Table describes "
+                             "more than 2 GiB.\n");
+                qemu_sglist_destroy(sglist);
+                r = -1;
+                goto out;
+            }
         }
     }
 
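Review bot: error_report() appends its own newline, so the literal "\n" at the end of the new message yields a blank line in the log; drop it. More importantly the PRDT is guest-supplied memory, so this path fires on guest action rather than host misconfiguration, and an unthrottled error_report gives a guest a way to flood the host's stderr or monitor; `qemu_log_mask(LOG_GUEST_ERROR, "AHCI: PRDT describes more than 2 GiB\n");` (with qemu/log.h included) keeps it out of the default output yet visible when guest-error logging is enabled. Destroying the sglist before returning -1 is right, since the offending entry was already added by qemu_sglist_add.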
@@ -1140,16 +1156,19 @@ static void ahci_start_dma(IDEDMA *dma, IDEState *s,
  * Not currently invoked by PIO R/W chains,
  * which invoke ahci_populate_sglist via ahci_start_transfer.
  */
-static int ahci_dma_prepare_buf(IDEDMA *dma, int is_write)
+static int32_t ahci_dma_prepare_buf(IDEDMA *dma, int is_write)
 {
     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
     IDEState *s = &ad->port.ifs[0];
 
-    ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset);
+    if (ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset) == -1) {
+        DPRINTF(ad->port_no, "ahci_dma_prepare_buf failed.\n");
+        return -1;
+    }
     s->io_buffer_size = s->sg.size;
 
     DPRINTF(ad->port_no, "len=%#x\n", s->io_buffer_size);
-    return s->io_buffer_size != 0;
+    return s->io_buffer_size;
 }
 
 /**
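Review bot: On the -1 path the function leaves s->io_buffer_size holding its previous value, whereas the BMDMA implementation in this same commit zeroes it before returning -1; add `s->io_buffer_size = 0;` before the `return -1;` so both backends report the same state after a failed prepare. The other caller of this function, ahci_start_transfer, still tests the result with plain truthiness (`if (ahci_dma_prepare_buf(dma, is_write))`, visible in the bef1301 hunk below) and so would set has_sglist on the new -1 return; that condition needs `> 0` now that the return is a byte count or an error. ahci_start_transfer is outside this hunk.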
diff --git a/hw/ide/core.c b/hw/ide/core.c
index dab21f0..00e21cf 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -731,10 +731,11 @@ void ide_dma_cb(void *opaque, int ret)
     n = s->nsector;
     s->io_buffer_index = 0;
     s->io_buffer_size = n * 512;
-    if (s->bus->dma->ops->prepare_buf(s->bus->dma, ide_cmd_is_read(s)) == 0) {
+    if (s->bus->dma->ops->prepare_buf(s->bus->dma, ide_cmd_is_read(s)) < 512) {
         /* The PRDs were too short. Reset the Active bit, but don't raise an
          * interrupt. */
         s->status = READY_STAT | SEEK_STAT;
+        dma_buf_commit(s, 0);
         goto eot;
     }
 
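Review bot: `< 512` folds the new -1 error return into the "PRDs too short" path, so a malformed table and an empty one are handled identically and neither is reported to the guest; if that is intended, capture the value in a local and say so, e.g. `int32_t prepared = s->bus->dma->ops->prepare_buf(s->bus->dma, ide_cmd_is_read(s));` followed by `if (prepared < BDRV_SECTOR_SIZE) { /* error or short PRDT: stop without raising an IRQ */`. Note that on the BMDMA error path s->sg has already been destroyed and io_buffer_size zeroed inside prepare_buf, so the added dma_buf_commit(s, 0) runs against an already-torn-down list; that is only safe if dma_buf_commit tolerates an empty sglist, which is outside this hunk. The literal 512 also duplicates the sector size hardcoded two lines above; the block layer's BDRV_SECTOR_SIZE is the named constant for it.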
@@ -2313,12 +2314,17 @@ static int ide_nop_int(IDEDMA *dma, int x)
     return 0;
 }
 
+static int32_t ide_nop_int32(IDEDMA *dma, int x)
+{
+    return 0;
+}
+
 static void ide_nop_restart(void *opaque, int x, RunState y)
 {
 }
 
 static const IDEDMAOps ide_dma_nop_ops = {
-    .prepare_buf    = ide_nop_int,
+    .prepare_buf    = ide_nop_int32,
     .rw_buf         = ide_nop_int,
     .set_unit       = ide_nop_int,
     .restart_cb     = ide_nop_restart,
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 907493d..8a3eca4 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -322,6 +322,7 @@ typedef void EndTransferFunc(IDEState *);
 typedef void DMAStartFunc(IDEDMA *, IDEState *, BlockCompletionFunc *);
 typedef void DMAVoidFunc(IDEDMA *);
 typedef int DMAIntFunc(IDEDMA *, int);
+typedef int32_t DMAInt32Func(IDEDMA *, int);
 typedef void DMAu32Func(IDEDMA *, uint32_t);
 typedef void DMAStopFunc(IDEDMA *, bool);
 typedef void DMARestartFunc(void *, int, RunState);
@@ -385,7 +386,7 @@ struct IDEState {
     uint8_t cdrom_changed;
     int packet_transfer_size;
     int elementary_transfer_size;
-    int io_buffer_index;
+    int32_t io_buffer_index;
     int lba;
     int cd_sector_size;
     int atapi_dma; /* true if dma is requested for the packet cmd */
@@ -394,8 +395,8 @@ struct IDEState {
     struct iovec iov;
     QEMUIOVector qiov;
     /* ATA DMA state */
-    int io_buffer_offset;
-    int io_buffer_size;
+    int32_t io_buffer_offset;
+    int32_t io_buffer_size;
     QEMUSGList sg;
     /* PIO transfer handling */
     int req_nb_sectors; /* number of sectors per interrupt */
@@ -405,8 +406,8 @@ struct IDEState {
     uint8_t *io_buffer;
     /* PIO save/restore */
     int32_t io_buffer_total_len;
-    int cur_io_buffer_offset;
-    int cur_io_buffer_len;
+    int32_t cur_io_buffer_offset;
+    int32_t cur_io_buffer_len;
     uint8_t end_transfer_fn_idx;
     QEMUTimer *sector_write_timer; /* only used for win2k install hack */
     uint32_t irq_count; /* counts IRQs when using win2k install hack */
@@ -430,7 +431,7 @@ struct IDEState {
 struct IDEDMAOps {
     DMAStartFunc *start_dma;
     DMAVoidFunc *start_transfer;
-    DMAIntFunc *prepare_buf;
+    DMAInt32Func *prepare_buf;
     DMAu32Func *commit_buf;
     DMAIntFunc *rw_buf;
     DMAIntFunc *set_unit;
diff --git a/hw/ide/macio.c b/hw/ide/macio.c
index 9a55407..f6074f2 100644
--- a/hw/ide/macio.c
+++ b/hw/ide/macio.c
@@ -553,6 +553,11 @@ static int ide_nop_int(IDEDMA *dma, int x)
     return 0;
 }
 
+static int32_t ide_nop_int32(IDEDMA *dma, int x)
+{
+    return 0;
+}
+
 static void ide_nop_restart(void *opaque, int x, RunState y)
 {
 }
@@ -569,7 +574,7 @@ static void ide_dbdma_start(IDEDMA *dma, IDEState *s,
 
 static const IDEDMAOps dbdma_ops = {
     .start_dma      = ide_dbdma_start,
-    .prepare_buf    = ide_nop_int,
+    .prepare_buf    = ide_nop_int32,
     .rw_buf         = ide_nop_int,
     .set_unit       = ide_nop_int,
     .restart_cb     = ide_nop_restart,
diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index 2dad50e..bee5ad3 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -28,7 +28,7 @@
 #include <hw/isa/isa.h>
 #include "sysemu/block-backend.h"
 #include "sysemu/dma.h"
-
+#include "qemu/error-report.h"
 #include <hw/ide/pci.h>
 
 #define BMDMA_PAGE_SIZE 4096
@@ -55,8 +55,11 @@ static void bmdma_start_dma(IDEDMA *dma, IDEState *s,
     }
 }
 
-/* return 0 if buffer completed */
-static int bmdma_prepare_buf(IDEDMA *dma, int is_write)
+/**
+ * Return the number of bytes successfully prepared.
+ * -1 on error.
+ */
+static int32_t bmdma_prepare_buf(IDEDMA *dma, int is_write)
 {
     BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
     IDEState *s = bmdma_active_if(bm);
@@ -74,8 +77,9 @@ static int bmdma_prepare_buf(IDEDMA *dma, int is_write)
         if (bm->cur_prd_len == 0) {
             /* end of table (with a fail safe of one page) */
             if (bm->cur_prd_last ||
-                (bm->cur_addr - bm->addr) >= BMDMA_PAGE_SIZE)
-                return s->io_buffer_size != 0;
+                (bm->cur_addr - bm->addr) >= BMDMA_PAGE_SIZE) {
+                return s->io_buffer_size;
+            }
             pci_dma_read(pci_dev, bm->cur_addr, &prd, 8);
             bm->cur_addr += 8;
             prd.addr = le32_to_cpu(prd.addr);
@@ -90,12 +94,23 @@ static int bmdma_prepare_buf(IDEDMA *dma, int is_write)
         l = bm->cur_prd_len;
         if (l > 0) {
             qemu_sglist_add(&s->sg, bm->cur_prd_addr, l);
+
+            /* Note: We limit the max transfer to be 2GiB.
+             * This should accommodate the largest ATA transaction
+             * for LBA48 (65,536 sectors) and 32K sector sizes. */
+            if (s->sg.size > INT32_MAX) {
+                error_report("IDE: sglist describes more than 2GiB.\n");
+                break;
+            }
             bm->cur_prd_addr += l;
             bm->cur_prd_len -= l;
             s->io_buffer_size += l;
         }
     }
-    return 1;
+
+    qemu_sglist_destroy(&s->sg);
+    s->io_buffer_size = 0;
+    return -1;
 }
 
 /* return 0 if buffer completed */
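Review bot: The 2GiB check trips only on guest-constructed PRD tables, yet it reports through error_report(), which also appends its own newline so the trailing "\n" in the string produces an extra blank line. A guest can therefore spam the host log at will by submitting oversized tables; `qemu_log_mask(LOG_GUEST_ERROR, "IDE: sglist describes more than 2GiB\n");` is the usual channel for guest-provoked conditions and would make the newly added qemu/error-report.h include unnecessary. The control flow itself is sound: `break` is the only exit from the loop other than the byte-count return, and the fall-through destroys the partially built sglist and resets io_buffer_size before returning -1.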
commit bef1301acb74d177b42890116e4eeaf26047b9e3
Author: John Snow <jsnow at redhat.com>
Date:   Fri Oct 31 16:03:38 2014 -0400

    ahci: unify sglist preparation
    
    The intent of this patch is to further unify the creation and
    deletion of the sglist used for all AHCI transfers, including
    emulated PIO, ATAPI R/W, and native DMA R/W.
    
    By replacing ahci_start_transfer's call to ahci_populate_sglist
    with ahci_dma_prepare_buf, we reduce the number of direct calls
    where we manipulate the scatter-gather list in the AHCI code.
    
    To make this switch, the constant "0" passed as an offset
    in ahci_dma_prepare_buf is adjusted to use io_buffer_offset.
    
    For DMA pathways, this has no effect: io_buffer_offset is always
    updated to 0 at the beginning of a DMA transfer loop regardless.
    DMA pathways through ide_dma_cb() update the io_buffer_offset
    accordingly, and for circumstances where we might make several
    trips through this loop, this may actually correct a design flaw.
    
    For PIO pathways, the newly updated ahci_dma_prepare_buf will
    now prepare the sglist at the correct offset. It will also set
    io_buffer_size, but this is not used in the cmd_read_pio or
    cmd_write_pio pathways.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1414785819-26209-3-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index dbd6773..28aa105 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1093,7 +1093,7 @@ static void ahci_start_transfer(IDEDMA *dma)
         goto out;
     }
 
-    if (!ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset)) {
+    if (ahci_dma_prepare_buf(dma, is_write)) {
         has_sglist = 1;
     }
 
@@ -1145,7 +1145,7 @@ static int ahci_dma_prepare_buf(IDEDMA *dma, int is_write)
     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
     IDEState *s = &ad->port.ifs[0];
 
-    ahci_populate_sglist(ad, &s->sg, 0);
+    ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset);
     s->io_buffer_size = s->sg.size;
 
     DPRINTF(ad->port_no, "len=%#x\n", s->io_buffer_size);
commit 36334faf35ccc48d61ca3431a5c0787b125dd306
Author: John Snow <jsnow at redhat.com>
Date:   Fri Oct 31 16:03:37 2014 -0400

    ide: repair PIO transfers for cases where nsector > 1
    
    Currently, for emulated PIO transfers through the AHCI device,
    any attempt made to request more than a single sector's worth
    of data will result in the same sector being transferred over
    and over.
    
    For example, if we request 8 sectors via PIO READ SECTORS, the
    AHCI device will give us the same sector eight times.
    
    This patch adds offset tracking into the PIO pathways so that
    we can fulfill these requests appropriately.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Message-id: 1414785819-26209-2-git-send-email-jsnow at redhat.com
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 1f3f951..dbd6773 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1093,7 +1093,7 @@ static void ahci_start_transfer(IDEDMA *dma)
         goto out;
     }
 
-    if (!ahci_populate_sglist(ad, &s->sg, 0)) {
+    if (!ahci_populate_sglist(ad, &s->sg, s->io_buffer_offset)) {
         has_sglist = 1;
     }
 
diff --git a/hw/ide/core.c b/hw/ide/core.c
index d316ccf..dab21f0 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -592,6 +592,7 @@ static void ide_sector_read_cb(void *opaque, int ret)
 
     ide_set_sector(s, ide_get_sector(s) + n);
     s->nsector -= n;
+    s->io_buffer_offset += 512 * n;
 }
 
 void ide_sector_read(IDEState *s)
@@ -832,6 +833,8 @@ static void ide_sector_write_cb(void *opaque, int ret)
         n = s->req_nb_sectors;
     }
     s->nsector -= n;
+    s->io_buffer_offset += 512 * n;
+
     if (s->nsector == 0) {
         /* no more sectors to write */
         ide_transfer_stop(s);
@@ -1824,6 +1827,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
 
     s->status = READY_STAT | BUSY_STAT;
     s->error = 0;
+    s->io_buffer_offset = 0;
 
     complete = ide_cmd_table[val].handler(s, val);
     if (complete) {
commit a395f3fa2f26c94dac03b37e3dfb1074bfe2ddea
Author: John Snow <jsnow at redhat.com>
Date:   Mon Nov 10 19:41:40 2014 -0500

    ahci: Fix byte count regression for ATAPI/PIO
    
    This patch fixes a regression caused by commit
    659142ecf71a0da240ab0ff7cf929ee25c32b9bc.
    The problem occurs when we wish to return early
    from the ahci_start_transfer function, but are now
    updating the transferred byte count in the AHCI
    command header via ahci_commit_buf.
    
    This will cause problems in the Windows 8 installer.
    
    Don't update the byte count in the command header
    for the transmission of ATAPI packets: These commands
    will distort the final byte count of the actual data
    payload.
    
    The call to ahci_commit_buf remains in the "out"
    portion of the call in order to clean up the sglist.
    The byte count is maintained by forcing size to be 0.
    
    Signed-off-by: John Snow <jsnow at redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 61dbed1..1f3f951 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1089,6 +1089,7 @@ static void ahci_start_transfer(IDEDMA *dma)
     if (is_atapi && !ad->done_atapi_packet) {
         /* already prepopulated iobuffer */
         ad->done_atapi_packet = true;
+        size = 0;
         goto out;
     }
 
commit c52e67924fbdadfa00668248f5c075542943c54c
Merge: b56cb28 3ef0eab
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Nov 13 15:44:16 2014 +0000

    Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
    
    x86 and SCSI fixes.  I left out the APIC device model
    patches, pending confirmation from the submitter that they really
    fix QNX.
    
    # gpg: Signature made Thu 13 Nov 2014 15:13:38 GMT using RSA key ID 78C7AE83
    # gpg: Good signature from "Paolo Bonzini <bonzini at gnu.org>"
    # gpg:                 aka "Paolo Bonzini <pbonzini at redhat.com>"
    # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
    # gpg:          It is not certain that the signature belongs to the owner.
    # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
    #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83
    
    * remotes/bonzini/tags/for-upstream:
      acpi: accurate overflow check
      smbios: change 'ram_addr_t' variables to 'uint64_t'
      kvmclock: Add comment explaining why we need cpu_clean_all_dirty()
      target-i386: fix Coverity complaints about overflows
      apic_common: migrate missing fields
      target-i386: eliminate dead code and hoist common code out of "if"
      virtio-scsi: Fix comment for VirtIOSCSIReq
      virtio-scsi: dataplane: suppress guest notification
      esp: Do not overwrite ESP_TCHI after reset
      virtio-scsi: dataplane: fix allocation for 'cmd_vrings'
      esp: fix coding standards
      virtio-scsi: work around bug in old BIOSes
      esp-pci: fixup deadlock with linux
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 3ef0eab178e5120a0e1c079d163d5c71689d9b71
Author: Pavel Dovgalyuk <Pavel.Dovgaluk at ispras.ru>
Date:   Fri Nov 7 13:31:33 2014 +0300

    acpi: accurate overflow check
    
    Compare clock in ns, because acpi_pm_tmr_update uses rounded
    to ns value instead of ticks.
    
    Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk at ispras.ru>
    [This lets Windows boot in icount mode. - Paolo]
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index a7368fb..51913d6 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -376,8 +376,11 @@ static void acpi_notify_wakeup(Notifier *notifier, void *data)
 /* ACPI PM1a EVT */
 uint16_t acpi_pm1_evt_get_sts(ACPIREGS *ar)
 {
-    int64_t d = acpi_pm_tmr_get_clock();
-    if (d >= ar->tmr.overflow_time) {
+    /* Compare ns-clock, not PM timer ticks, because
+       acpi_pm_tmr_update function uses ns for setting the timer. */
+    int64_t d = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+    if (d >= muldiv64(ar->tmr.overflow_time,
+                      get_ticks_per_sec(), PM_TIMER_FREQUENCY)) {
         ar->pm1.evt.sts |= ACPI_BITMASK_TIMER_STATUS;
     }
     return ar->pm1.evt.sts;
commit f4ec5cd29d1f0d3a265039767399d2cf3e75950b
Author: SeokYeon Hwang <syeon.hwang at samsung.com>
Date:   Wed Nov 5 15:19:54 2014 +0900

    smbios: change 'ram_addr_t' variables to 'uint64_t'
    
    ram_addr_t should not be used except when referring to a RAMBlock.
    Using 'uint64_t' avoids a -Wconstant-conversion warning, which
    clang >= 3.4 produces in "smbios_get_tables()".
    
    Signed-off-by: SeokYeon Hwang <syeon.hwang at samsung.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/i386/smbios.c b/hw/i386/smbios.c
index 8a7ad48..024e594 100644
--- a/hw/i386/smbios.c
+++ b/hw/i386/smbios.c
@@ -645,7 +645,7 @@ static void smbios_build_type_4_table(unsigned instance)
 
 static void smbios_build_type_16_table(unsigned dimm_cnt)
 {
-    ram_addr_t size_kb;
+    uint64_t size_kb;
 
     SMBIOS_BUILD_TABLE_PRE(16, 0x1000, true); /* required */
 
@@ -669,10 +669,10 @@ static void smbios_build_type_16_table(unsigned dimm_cnt)
 #define MAX_T17_STD_SZ 0x7FFF /* (32G - 1M), in Megabytes */
 #define MAX_T17_EXT_SZ 0x80000000 /* 2P, in Megabytes */
 
-static void smbios_build_type_17_table(unsigned instance, ram_addr_t size)
+static void smbios_build_type_17_table(unsigned instance, uint64_t size)
 {
     char loc_str[128];
-    ram_addr_t size_mb;
+    uint64_t size_mb;
 
     SMBIOS_BUILD_TABLE_PRE(17, 0x1100 + instance, true); /* required */
 
@@ -711,9 +711,9 @@ static void smbios_build_type_17_table(unsigned instance, ram_addr_t size)
 }
 
 static void smbios_build_type_19_table(unsigned instance,
-                                       ram_addr_t start, ram_addr_t size)
+                                       uint64_t start, uint64_t size)
 {
-    ram_addr_t end, start_kb, end_kb;
+    uint64_t end, start_kb, end_kb;
 
     SMBIOS_BUILD_TABLE_PRE(19, 0x1300 + instance, true); /* required */
 
commit 1154d84dcc5f46e83db94281d071775819dd8884
Author: Eduardo Habkost <ehabkost at redhat.com>
Date:   Mon Nov 3 15:45:34 2014 -0200

    kvmclock: Add comment explaining why we need cpu_clean_all_dirty()
    
    Try to explain why commit 317b0a6d8ba44e9bf8f9c3dbd776c4536843d82c
    needed a cpu_clean_all_dirty() call just after calling
    cpu_synchronize_all_states().
    
    Signed-off-by: Eduardo Habkost <ehabkost at redhat.com>
    Cc: Andrey Korolyov <andrey at xdel.ru>
    Cc: Marcin Gibuła <m.gibula at beyond.pl>
    Cc: Marcelo Tosatti <mtosatti at redhat.com>
    Cc: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index 1ac60d6..58be2bd 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -127,7 +127,21 @@ static void kvmclock_vm_state_change(void *opaque, int running,
         }
 
         cpu_synchronize_all_states();
+        /* In theory, the cpu_synchronize_all_states() call above wouldn't
+         * affect the rest of the code, as the VCPU state inside CPUState
+         * is supposed to always match the VCPU state on the kernel side.
+         *
+         * In practice, calling cpu_synchronize_state() too soon will load the
+         * kernel-side APIC state into X86CPU.apic_state too early, APIC state
+         * won't be reloaded later because CPUState.vcpu_dirty==true, and
+         * outdated APIC state may be migrated to another host.
+         *
+         * The real fix would be to make sure outdated APIC state is read
+         * from the kernel again when necessary. While this is not fixed, we
+         * need the cpu_clean_all_dirty() call below.
+         */
         cpu_clean_all_dirty();
+
         ret = kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, &data);
         if (ret < 0) {
             fprintf(stderr, "KVM_GET_CLOCK failed: %s\n", strerror(ret));
commit e6a33e45c270ea024929f4afb49283d610577af3
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Wed Nov 12 12:16:58 2014 +0100

    target-i386: fix Coverity complaints about overflows
    
    sipi_vector is an int; it is shifted by 12 and passed as a 64-bit value,
    which makes Coverity think that we wanted (uint64_t)sipi_vector << 12.
    
    But actually it must be between 0 and 255.  Make this explicit.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 1b2c12a..015f5b5 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -1104,7 +1104,7 @@ static inline void cpu_x86_load_seg_cache(CPUX86State *env,
 }
 
 static inline void cpu_x86_load_seg_cache_sipi(X86CPU *cpu,
-                                               int sipi_vector)
+                                               uint8_t sipi_vector)
 {
     CPUState *cs = CPU(cpu);
     CPUX86State *env = &cpu->env;
commit c2c00148ec54f77c9432fec16585834e1d677fda
Author: Pavel Dovgalyuk <Pavel.Dovgaluk at ispras.ru>
Date:   Thu Aug 28 15:18:57 2014 +0400

    apic_common: migrate missing fields
    
    This patch adds missed sipi_vector and wait_for_sipi fields to a new
    subsection of the vmstate of the apic_common module. Saving and loading
    of these fields makes migration of the apic state deterministic.
    
    Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk at ispras.ru>
    [Initialize the field in pre_load and kvm_apic_realize. - Paolo]
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
index e873b50..271e97f 100644
--- a/hw/i386/kvm/apic.c
+++ b/hw/i386/kvm/apic.c
@@ -175,6 +175,9 @@ static void kvm_apic_realize(DeviceState *dev, Error **errp)
 {
     APICCommonState *s = APIC_COMMON(dev);
 
+    /* Not used by KVM, which uses the CPU mp_state instead.  */
+    s->wait_for_sipi = 0;
+
     memory_region_init_io(&s->io_memory, NULL, &kvm_apic_io_ops, s, "kvm-apic-msi",
                           APIC_SPACE_SIZE);
 
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index ce3d903..4e62f25 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -324,6 +324,19 @@ static void apic_common_realize(DeviceState *dev, Error **errp)
 
 }
 
+static int apic_pre_load(void *opaque)
+{
+    APICCommonState *s = APIC_COMMON(opaque);
+
+    /* The default is !cpu_is_bsp(s->cpu), but the common value is 0
+     * so that's what apic_common_sipi_needed checks for.  Reset to
+     * the value that is assumed when the apic_sipi subsection is
+     * absent.
+     */
+    s->wait_for_sipi = 0;
+    return 0;
+}
+
 static void apic_dispatch_pre_save(void *opaque)
 {
     APICCommonState *s = APIC_COMMON(opaque);
@@ -345,12 +358,30 @@ static int apic_dispatch_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool apic_common_sipi_needed(void *opaque)
+{
+    APICCommonState *s = APIC_COMMON(opaque);
+    return s->wait_for_sipi != 0;
+}
+
+static const VMStateDescription vmstate_apic_common_sipi = {
+    .name = "apic_sipi",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_INT32(sipi_vector, APICCommonState),
+        VMSTATE_INT32(wait_for_sipi, APICCommonState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_apic_common = {
     .name = "apic",
     .version_id = 3,
     .minimum_version_id = 3,
     .minimum_version_id_old = 1,
     .load_state_old = apic_load_old,
+    .pre_load = apic_pre_load,
     .pre_save = apic_dispatch_pre_save,
     .post_load = apic_dispatch_post_load,
     .fields = (VMStateField[]) {
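Review bot: sipi_vector is loaded from the migration stream as an unchecked INT32, and nothing in the new pre_load/needed hooks or the existing post_load (a context line here) bounds it; this same series narrows cpu_x86_load_seg_cache_sipi to a uint8_t parameter, so if that is where the field is consumed, an out-of-range value from a corrupted or hostile stream is silently truncated rather than rejected — `if (s->sipi_vector < 0 || s->sipi_vector > 255) return -1;` in apic_dispatch_post_load would refuse it. Separately, apic_common_sipi_needed keys the whole subsection on wait_for_sipi, so sipi_vector is never transmitted while wait_for_sipi is 0 and apic_pre_load resets only wait_for_sipi; if the goal is a deterministic APIC state after migration, sipi_vector should be given a known value in apic_pre_load too. apic_dispatch_post_load's body is outside this hunk.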
@@ -375,6 +406,13 @@ static const VMStateDescription vmstate_apic_common = {
         VMSTATE_INT64(timer_expiry,
                       APICCommonState), /* open-coded timer state */
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (VMStateSubsection[]) {
+        {
+            .vmsd = &vmstate_apic_common_sipi,
+            .needed = apic_common_sipi_needed,
+        },
+        VMSTATE_END_OF_LIST()
     }
 };
 
commit b56cb288954d900dec79cc55128efa61bebf6178
Merge: e08d300 953ea14
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Nov 13 13:02:31 2014 +0000

    Merge remote-tracking branch 'remotes/kraxel/tags/pull-seabios-1.7.5.1-20141113-1' into staging
    
    update seabios to 1.7.5.1 stable release
    
    # gpg: Signature made Thu 13 Nov 2014 11:03:05 GMT using RSA key ID D3E87138
    # gpg: Good signature from "Gerd Hoffmann (work) <kraxel at redhat.com>"
    # gpg:                 aka "Gerd Hoffmann <gerd at kraxel.org>"
    # gpg:                 aka "Gerd Hoffmann (private) <kraxel at gmail.com>"
    
    * remotes/kraxel/tags/pull-seabios-1.7.5.1-20141113-1:
      update seabios to 1.7.5.1 stable release
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit e08d3004506e39cf25b3e1fa01f69bd1934d2846
Merge: 410bd78 51fc447
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Nov 13 11:52:11 2014 +0000

    Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20141113-1' into staging
    
    QMP/input-send-event: make console parameter optional
    
    # gpg: Signature made Thu 13 Nov 2014 10:07:26 GMT using RSA key ID D3E87138
    # gpg: Good signature from "Gerd Hoffmann (work) <kraxel at redhat.com>"
    # gpg:                 aka "Gerd Hoffmann <gerd at kraxel.org>"
    # gpg:                 aka "Gerd Hoffmann (private) <kraxel at gmail.com>"
    
    * remotes/kraxel/tags/pull-input-20141113-1:
      QMP/input-send-event: make console parameter optional
      QMP/input-send-event: update document of union InputEvent
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 953ea14d66371f239f80e5d14191467b00d82439
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 13 11:56:02 2014 +0100

    update seabios to 1.7.5.1 stable release
    
    git shortlog since 1.7.5:
    
    Hannes Reinecke (1):
          megasas: read addional PCI I/O bar
    
    Kevin O'Connor (5):
          boot: Change ":rom%d" boot order rom instance to ":rom%x"
          vgabios: Return from handle_1011() if handler found.
          Don't enable thread preemption during S3 resume vga option rom execution.
          build: Avoid absolute paths during "whole-program" compiling.
          ehci: Fix bug in hub port assignment
    
    Marcel Apfelbaum (1):
          hw/pci: reserve IO and mem for pci express downstream ports with no devices attached
    
    Markus Armbruster (1):
          boot: Fix boot order for SCSI target, lun > 9
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/pc-bios/bios-256k.bin b/pc-bios/bios-256k.bin
index 09686a3..fab9da2 100644
Binary files a/pc-bios/bios-256k.bin and b/pc-bios/bios-256k.bin differ
diff --git a/pc-bios/bios.bin b/pc-bios/bios.bin
index 2314027..8c718e1 100644
Binary files a/pc-bios/bios.bin and b/pc-bios/bios.bin differ
diff --git a/pc-bios/vgabios-cirrus.bin b/pc-bios/vgabios-cirrus.bin
index 57a5f95..0c4d253 100644
Binary files a/pc-bios/vgabios-cirrus.bin and b/pc-bios/vgabios-cirrus.bin differ
diff --git a/pc-bios/vgabios-qxl.bin b/pc-bios/vgabios-qxl.bin
index ed79993..4e08e13 100644
Binary files a/pc-bios/vgabios-qxl.bin and b/pc-bios/vgabios-qxl.bin differ
diff --git a/pc-bios/vgabios-stdvga.bin b/pc-bios/vgabios-stdvga.bin
index d3579b4..e5e5b14 100644
Binary files a/pc-bios/vgabios-stdvga.bin and b/pc-bios/vgabios-stdvga.bin differ
diff --git a/pc-bios/vgabios-vmware.bin b/pc-bios/vgabios-vmware.bin
index f89845e..cf2576d 100644
Binary files a/pc-bios/vgabios-vmware.bin and b/pc-bios/vgabios-vmware.bin differ
diff --git a/pc-bios/vgabios.bin b/pc-bios/vgabios.bin
index d3038f4..bad187d 100644
Binary files a/pc-bios/vgabios.bin and b/pc-bios/vgabios.bin differ
diff --git a/roms/seabios b/roms/seabios
index e51488c..8936dbb 160000
--- a/roms/seabios
+++ b/roms/seabios
@@ -1 +1 @@
-Subproject commit e51488c5f8800a52ac5c8da7a31b85cca5cc95d2
+Subproject commit 8936dbb2cd5403c9a8279c849f7f4b0ccc0796ac
commit 410bd787bf44ef95192507802967a0edce19955f
Merge: e0d0041 79ae25a
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Nov 13 10:54:05 2014 +0000

    Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20141112-1' into staging
    
    usb bugfixes for 2.2
    
    # gpg: Signature made Wed 12 Nov 2014 14:35:09 GMT using RSA key ID D3E87138
    # gpg: Good signature from "Gerd Hoffmann (work) <kraxel at redhat.com>"
    # gpg:                 aka "Gerd Hoffmann <gerd at kraxel.org>"
    # gpg:                 aka "Gerd Hoffmann (private) <kraxel at gmail.com>"
    
    * remotes/kraxel/tags/pull-usb-20141112-1:
      usb-host: fix usb_host_speed_compat tyops
      xhci: add sanity checks to xhci_lookup_uport
      Provide the missing LIBUSB_LOG_LEVEL_* for older libusb or FreeBSD. Providing just the needed value as a defined.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 51fc44768a5b71ad78fa40e609a58f71ed62775a
Author: Amos Kong <akong at redhat.com>
Date:   Fri Nov 7 12:41:25 2014 +0800

    QMP/input-send-event: make console parameter optional
    
    The 'QemuConsole' is the input source for handler, we share some
    input handlers to process the input events from different QemuConsole.
    
    Normally we only have one set of keyboard, mouse, usbtablet, etc.
    The devices have different masks; it's fine to just check the mask to
    ensure that the handler has the ability to process the event.
    
    I saw we try to bind console to handler in usb/dev-hid.c, but display
    always isn't available at that time.
    
    If we have multiseat setup (as Gerd said), we only have 'problem' in
    this case. Actually event from different devices have the same effect
    for system, it's fine to always use the first available handler
    without caring about the console.
    
    For send-key command, we just pass a NULL for console parameter in
    calling qemu_input_event_send_key(NULL, ..), but 'input-send-event'
    needs to care more devices.
    
    Conclusion:
    Generally assigning the special console is meanless, and we can't
    directly remove the QMP parameter for compatibility.
    
    So we can make the parameter optional. The parameter might be useful
    for some special condition: we have multiple devices without binding
    console and they all have the ability(mask) to process events, and
    we don't want to use the first one.
    
    Cc: Gerd Hoffmann <kraxel at redhat.com>
    Cc: Markus Armbruster <armbru at redhat.com>
    Cc: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Amos Kong <akong at redhat.com>
    Reviewed-by: Eric Blake <eblake at redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/qapi-schema.json b/qapi-schema.json
index 7e7468f..d0926d9 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3249,7 +3249,7 @@
 #
 # Send input event(s) to guest.
 #
-# @console: Which console to send event(s) to.
+# @console: #optional console to send event(s) to.
 #
 # @events: List of InputEvent union.
 #
@@ -3259,7 +3259,7 @@
 #
 ##
 { 'command': 'input-send-event',
-  'data': { 'console':'int', 'events': [ 'InputEvent' ] } }
+  'data': { '*console':'int', 'events': [ 'InputEvent' ] } }
 
 ##
 # @NumaOptions
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 1abd619..8812401 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -3792,7 +3792,7 @@ EQMP
 
     {
         .name       = "input-send-event",
-        .args_type  = "console:i,events:q",
+        .args_type  = "console:i?,events:q",
         .mhandler.cmd_new = qmp_marshal_input_input_send_event,
     },
 
@@ -3804,7 +3804,7 @@ Send input event to guest.
 
 Arguments:
 
-- "console": console index.
+- "console": console index. (json-int, optional)
 - "events": list of input events.
 
 The consoles are visible in the qom tree, under
diff --git a/ui/input.c b/ui/input.c
index 002831e..37ff46f 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -122,16 +122,19 @@ qemu_input_find_handler(uint32_t mask, QemuConsole *con)
     return NULL;
 }
 
-void qmp_input_send_event(int64_t console, InputEventList *events,
-                          Error **errp)
+void qmp_input_send_event(bool has_console, int64_t console,
+                          InputEventList *events, Error **errp)
 {
     InputEventList *e;
     QemuConsole *con;
 
-    con = qemu_console_lookup_by_index(console);
-    if (!con) {
-        error_setg(errp, "console %" PRId64 " not found", console);
-        return;
+    con = NULL;
+    if (has_console) {
+        con = qemu_console_lookup_by_index(console);
+        if (!con) {
+            error_setg(errp, "console %" PRId64 " not found", console);
+            return;
+        }
     }
 
     if (!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)) {
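Review bot: `con` is now assigned NULL in a separate statement and only conditionally overwritten; initialising it at its declaration, `QemuConsole *con = NULL;`, and dropping the standalone `con = NULL;` line reads more naturally and keeps the `if (has_console)` block as the single branch. The remainder of qmp_input_send_event lies outside the hunk, so I cannot confirm from here that every downstream use of `con` tolerates NULL; the commit message's note that qemu_input_event_send_key already receives NULL suggests it does.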
commit 935fb9152208fd98d99ffb91e719606b0c8e76b5
Author: Amos Kong <akong at redhat.com>
Date:   Fri Nov 7 12:41:24 2014 +0800

    QMP/input-send-event: update document of union InputEvent
    
    Signed-off-by: Amos Kong <akong at redhat.com>
    Reviewed-by: Eric Blake <eblake at redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/qapi-schema.json b/qapi-schema.json
index 24379ab..7e7468f 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3231,6 +3231,11 @@
 #
 # Input event union.
 #
+# @key: Input event of Keyboard
+# @btn: Input event of pointer buttons
+# @rel: Input event of relative pointer motion
+# @abs: Input event of absolute pointer motion
+#
 # Since: 2.0
 ##
 { 'union' : 'InputEvent',
commit 79ae25af1569a50a0ec799901a1bb280c088f121
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Nov 10 12:14:22 2014 +0100

    usb-host: fix usb_host_speed_compat tyops
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Reviewed-by: Gonglei <arei.gonglei at huawei.com>

diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
index 032a0e4..a5f9dab 100644
--- a/hw/usb/host-libusb.c
+++ b/hw/usb/host-libusb.c
@@ -749,13 +749,13 @@ static void usb_host_speed_compat(USBHostDevice *s)
 
     udev->speedmask = (1 << udev->speed);
     if (udev->speed == USB_SPEED_SUPER && compat_high) {
-        udev->speedmask |= USB_SPEED_HIGH;
+        udev->speedmask |= USB_SPEED_MASK_HIGH;
     }
     if (udev->speed == USB_SPEED_SUPER && compat_full) {
-        udev->speedmask |= USB_SPEED_FULL;
+        udev->speedmask |= USB_SPEED_MASK_FULL;
     }
     if (udev->speed == USB_SPEED_HIGH && compat_full) {
-        udev->speedmask |= USB_SPEED_FULL;
+        udev->speedmask |= USB_SPEED_MASK_FULL;
     }
 }
 
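Review bot: The fix replaces the raw USB_SPEED_* enum values with their USB_SPEED_MASK_* counterparts, but the line just above, `udev->speedmask = (1 << udev->speed);`, still derives the mask by shifting the enum by hand, which is the same value-versus-mask mixing that made the original typo easy to miss. Writing the initial assignment with the same named masks (or a small helper mapping speed to mask) would make the three compat branches and the base assignment use one vocabulary. usb_host_speed_compat begins before this hunk.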
commit ae67dc72e4f19238941894227d96b6201d71a70a
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Wed Nov 12 12:04:56 2014 +0100

    target-i386: eliminate dead code and hoist common code out of "if"
    
    ist != 0 is checked in the first "if", so it cannot be true in
    the "else if" part.  While at it, simplify the code and move
    the ESP alignment out of the conditionals.
    
    Reported by Coverity.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/target-i386/seg_helper.c b/target-i386/seg_helper.c
index af5c1c6..c98eeb4 100644
--- a/target-i386/seg_helper.c
+++ b/target-i386/seg_helper.c
@@ -883,32 +883,23 @@ static void do_interrupt64(CPUX86State *env, int intno, int is_int,
     }
     if ((!(e2 & DESC_C_MASK) && dpl < cpl) || ist != 0) {
         /* to inner privilege */
-        if (ist != 0) {
-            esp = get_rsp_from_tss(env, ist + 3);
-        } else {
-            esp = get_rsp_from_tss(env, dpl);
-        }
-        esp &= ~0xfLL; /* align stack */
-        ss = 0;
         new_stack = 1;
+        esp = get_rsp_from_tss(env, ist != 0 ? ist + 3 : dpl);
+        ss = 0;
     } else if ((e2 & DESC_C_MASK) || dpl == cpl) {
         /* to same privilege */
         if (env->eflags & VM_MASK) {
             raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
         }
         new_stack = 0;
-        if (ist != 0) {
-            esp = get_rsp_from_tss(env, ist + 3);
-        } else {
-            esp = env->regs[R_ESP];
-        }
-        esp &= ~0xfLL; /* align stack */
+        esp = env->regs[R_ESP];
         dpl = cpl;
     } else {
         raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
         new_stack = 0; /* avoid warning */
         esp = 0; /* avoid warning */
     }
+    esp &= ~0xfLL; /* align stack */
 
     PUSHQ(esp, env->segs[R_SS].selector);
     PUSHQ(esp, env->regs[R_ESP]);
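Review bot: The hoisted `esp &= ~0xfLL;` now also follows the final `else`, whose `new_stack = 0; esp = 0;` assignments are reachable only if raise_exception_err() returned, which the existing `/* avoid warning */` comments imply it does not. Replacing those two comments with one line, `/* raise_exception_err() does not return; these only silence uninitialised-variable warnings */`, would make it obvious why applying the alignment unconditionally is safe. do_interrupt64 starts before and continues after this hunk.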
commit f69c11158509e91c29f01e48ace8af227827411a
Author: Fam Zheng <famz at redhat.com>
Date:   Wed Nov 12 19:29:55 2014 +0800

    virtio-scsi: Fix comment for VirtIOSCSIReq
    
    The cdb is not zeroed by virtio_scsi_init_req, so fix the misleading
    comment.
    
    Suggested-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Fam Zheng <famz at redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
index 9e1a49c..bf17cc9 100644
--- a/include/hw/virtio/virtio-scsi.h
+++ b/include/hw/virtio/virtio-scsi.h
@@ -209,7 +209,8 @@ typedef struct VirtIOSCSIReq {
     /* Note:
      * - fields before elem are initialized by virtio_scsi_init_req;
      * - elem is uninitialized at the time of allocation.
-     * - fields after elem are zeroed by virtio_scsi_init_req.
+     * - fields after elem (except the ending cdb[]) are zeroed by
+     *   virtio_scsi_init_req.
      * */
 
     VirtQueueElement elem;
commit 6012ca8159a7f78e6fc5122a8e9f22d82e9723e9
Author: Ming Lei <ming.lei at canonical.com>
Date:   Wed Nov 12 11:24:35 2014 +0800

    virtio-scsi: dataplane: suppress guest notification
    
    This patch uses vring_should_notify() to suppress
    guest notification; in my test environment the notification
    frequency dropped from ~33K/sec to ~2K/sec.
    
    Suggested-by: Stefan Hajnoczi <stefanha at redhat.com>
    Signed-off-by: Ming Lei <ming.lei at canonical.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/scsi/virtio-scsi-dataplane.c b/hw/scsi/virtio-scsi-dataplane.c
index 969b931..03a1e8c 100644
--- a/hw/scsi/virtio-scsi-dataplane.c
+++ b/hw/scsi/virtio-scsi-dataplane.c
@@ -92,9 +92,14 @@ VirtIOSCSIReq *virtio_scsi_pop_req_vring(VirtIOSCSI *s,
 
 void virtio_scsi_vring_push_notify(VirtIOSCSIReq *req)
 {
+    VirtIODevice *vdev = VIRTIO_DEVICE(req->vring->parent);
+
     vring_push(&req->vring->vring, &req->elem,
                req->qsgl.size + req->resp_iov.size);
-    event_notifier_set(&req->vring->guest_notifier);
+
+    if (vring_should_notify(vdev, &req->vring->vring)) {
+        event_notifier_set(&req->vring->guest_notifier);
+    }
 }
 
 static void virtio_scsi_iothread_handle_ctrl(EventNotifier *notifier)
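Review bot: Gating event_notifier_set() on vring_should_notify() is only correct if the used-ring update made by vring_push() is visible to the guest before the used_event/flags are read, otherwise a notification can be lost. If vring_push() provides that ordering it is worth stating at the call site, e.g. `/* vring_push() publishes the used element before we consult should_notify */` above the `if`. I cannot confirm the barrier from this hunk, so treat this as a question rather than a defect.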
commit c9cf45c1a475e594c560862d9df35b16e3a42702
Author: Hannes Reinecke <hare at suse.de>
Date:   Mon Nov 10 16:52:55 2014 +0100

    esp: Do not overwrite ESP_TCHI after reset
    
    After a reset ESP_TCHI should contain the unique ID
    of the chip. This value will be overwritten with the
    current transfer count if the transfer count has
    previously been set.
    So we should always return the chip id if ESP_TCHI
    has never been written to.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 5ab44d8..272d13d 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -364,7 +364,7 @@ void esp_hard_reset(ESPState *s)
 {
     memset(s->rregs, 0, ESP_REGS);
     memset(s->wregs, 0, ESP_REGS);
-    s->rregs[ESP_TCHI] = s->chip_id;
+    s->tchi_written = 0;
     s->ti_size = 0;
     s->ti_rptr = 0;
     s->ti_wptr = 0;
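Review bot: `tchi_written` is declared `bool` yet is cleared here with `0` while the write path sets it with `true`; `s->tchi_written = false;` keeps the two sides consistent. More importantly, none of the hunks in this commit add the new field to the ESP migration state, so after a migration the destination's `tchi_written` starts from fresh state and a guest that had written ESP_TCHI may read the chip id back instead of its transfer count; if the vmstate is extended elsewhere, disregard this, otherwise the field needs an entry (with a version bump or subsection).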
@@ -422,6 +422,11 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr)
         esp_lower_irq(s);
 
         return old_val;
+    case ESP_TCHI:
+        /* Return the unique id if the value has never been written */
+        if (!s->tchi_written) {
+            return s->chip_id;
+        }
     default:
         break;
     }
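Review bot: The new `case ESP_TCHI:` falls into `default:` whenever tchi_written is set, and unlike the write side in the next hunk it carries no `/* fall through */` marker, so implicit-fallthrough warnings and readers alike will flag it; add `/* fall through */` after the closing brace of the `if`. The intent — once the guest has written the register, return the stored value via the common path — is otherwise clear.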
@@ -432,9 +437,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
 {
     trace_esp_mem_writeb(saddr, s->wregs[saddr], val);
     switch (saddr) {
+    case ESP_TCHI:
+        s->tchi_written = true;
+        /* fall through */
     case ESP_TCLO:
     case ESP_TCMID:
-    case ESP_TCHI:
         s->rregs[ESP_RSTAT] &= ~STAT_TC;
         break;
     case ESP_FIFO:
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
index e079fb8..6c79527 100644
--- a/include/hw/scsi/esp.h
+++ b/include/hw/scsi/esp.h
@@ -22,6 +22,7 @@ struct ESPState {
     uint8_t wregs[ESP_REGS];
     qemu_irq irq;
     uint8_t chip_id;
+    bool tchi_written;
     int32_t ti_size;
     uint32_t ti_rptr, ti_wptr;
     uint32_t status;
commit e0d0041ec6dce1b8bfb3f66e9e4b8b9cd7e34806
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Nov 11 17:25:11 2014 +0000

    Update version for v2.2.0-rc1 release
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/VERSION b/VERSION
index a323c9e..40e6c8e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.90
+2.1.91
commit 7f06a3b14df50d85118d8a7439dcd3229822e19c
Merge: 776346c 4cc47f8
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Nov 11 16:23:02 2014 +0000

    Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20141111' into staging
    
    seccomp branch queue
    
    # gpg: Signature made Tue 11 Nov 2014 16:12:48 GMT using RSA key ID 12F8BD2F
    # gpg: Can't check signature: public key not found
    
    * remotes/otubo/tags/pull-seccomp-20141111:
      seccomp: change configure to avoid arm 32 to break
      seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 4cc47f8b3cc4f32586ba2f7fce1dc267da774a69
Author: Eduardo Otubo <eduardo.otubo at profitbricks.com>
Date:   Fri Nov 7 10:05:44 2014 +0100

    seccomp: change configure to avoid arm 32 to break
    
    The current stable version of libseccomp (2.1.1) only supports the i386 and
    x86_64 archs correctly. This patch limits the usage of the syscall
    filter to those archs and updates the required libseccomp version
    accordingly.
    
    This patch also fixes the bug:
    https://bugs.launchpad.net/qemu/+bug/1363641
    
    Signed-off-by: Eduardo Otubo <eduardo.otubo at profitbricks.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Acked-by: Paul Moore <pmoore at redhat.com>

diff --git a/configure b/configure
index 2f17bf3..47048f0 100755
--- a/configure
+++ b/configure
@@ -1823,7 +1823,8 @@ fi
 # libseccomp check
 
 if test "$seccomp" != "no" ; then
-    if $pkg_config --atleast-version=2.1.0 libseccomp; then
+    if test "$cpu" = "i386" || test "$cpu" = "x86_64" &&
+        $pkg_config --atleast-version=2.1.1 libseccomp; then
         libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
         QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
 	seccomp="yes"
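Review bot: The new condition depends on `||` and `&&` having equal precedence and associating left-to-right in sh, so it parses as (i386 or x86_64) and pkg-config, which is the intended meaning, but many readers assume `&&` binds tighter and would read it as enabling seccomp on any i386 host regardless of the library check. Grouping makes the intent explicit: `if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } && \` followed by the unchanged pkg-config test on the next line.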
commit f73adec7097ebdbc7168453e638735391a6f7112
Author: Philipp Gesang <philipp.gesang at intra2net.com>
Date:   Fri Sep 5 18:29:31 2014 +0200

    seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
    
    fallocate() is needed for snapshotting. If it isn’t whitelisted
    
        $ qemu-img create -f qcow2 x.qcow 1G
        Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
        $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
        QEMU 2.1.50 monitor - type 'help' for more information
        (qemu) savevm foo
        (qemu) loadvm foo
    
    will fail, as will subsequent savevm commands on the same image.
    
    fadvise64(), inotify_init1(), inotify_add_watch() are needed by
    the SDL display. Without the whitelist entries,
    
        qemu-kvm -sandbox on
    
    fails immediately.
    
    In my tests fadvise64() is called 50--51 times per VM run. That
    number seems independent of the duration of the run. fallocate(),
    inotify_init1(), inotify_add_watch() are called once each.
    Accordingly, they are added to the whitelist at a very low
    priority.
    
    Signed-off-by: Philipp Gesang <philipp.gesang at intra2net.com>
    Signed-off-by: Eduardo Otubo <eduardo.otubo at profitbricks.com>

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 0503764..af6a375 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -231,7 +231,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(shmctl), 240 },
     { SCMP_SYS(mlock), 240 },
     { SCMP_SYS(munlock), 240 },
-    { SCMP_SYS(semctl), 240 }
+    { SCMP_SYS(semctl), 240 },
+    { SCMP_SYS(fallocate), 240 },
+    { SCMP_SYS(fadvise64), 240 },
+    { SCMP_SYS(inotify_init1), 240 },
+    { SCMP_SYS(inotify_add_watch), 240 }
 };
 
 int seccomp_start(void)
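Review bot: The four new allowlist entries carry no hint of which feature needs them, so the next person pruning the sandbox filter has to recover the rationale from history; a short trailing comment per group, e.g. `{ SCMP_SYS(fallocate), 240 }, /* savevm/loadvm snapshots */` and `/* SDL display */` on the fadvise64/inotify lines, keeps that context next to the code. The priority value 240 matches the neighbouring entries, which is consistent with the commit message's intent to add them at low priority.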
commit 776346cd63e5a1ceeeb4d81fa111d911abb73a69
Merge: 8447414 705be72
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Nov 11 14:50:10 2014 +0000

    Merge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2014-11-11' into staging
    
    trivial patches for 2014-11-11
    
    # gpg: Signature made Tue 11 Nov 2014 14:38:39 GMT using RSA key ID A4C3D7DB
    # gpg: Good signature from "Michael Tokarev <mjt at tls.msk.ru>"
    # gpg:                 aka "Michael Tokarev <mjt at corpit.ru>"
    # gpg:                 aka "Michael Tokarev <mjt at debian.org>"
    
    * remotes/mjt/tags/pull-trivial-patches-2014-11-11:
      block: Fix comment for bdrv_co_get_block_status
      sysbus: Correct SYSTEM_BUS(obj) defines
      target-i386: cpu: keeping function parameters alignment on new line
      xen-hvm: Remove redundant variable 'xstate'
      coroutine-sigaltstack: Change jmp_buf to sigjmp_buf
      pc-bios: petalogix-s3adsp1800.dtb: Use 'xlnx, xps-ethernetlite-2.00.a' instead of 'xlnx, xps-ethernetlite-2.00.b'
      gdbstub: Add a missing case of signal number translation in gdbstub
      numa: make 'info numa' take into account hotplugged memory
      slirp/smbd: modify/set several parameters in generated smbd.conf
      qemu-doc.texi: fix typos in x509 examples
      icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 705be728c0b5546da10d8ef4239a112d1616bb97
Author: Fam Zheng <famz at redhat.com>
Date:   Mon Nov 10 17:10:38 2014 +0800

    block: Fix comment for bdrv_co_get_block_status
    
    It returns more information than binary, fix the comment.
    
    Signed-off-by: Fam Zheng <famz at redhat.com>
    Reviewed-by: Max Reitz <mreitz at redhat.com>
    Reviewed-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/block.c b/block.c
index 88f6d9b..5f5b244 100644
--- a/block.c
+++ b/block.c
@@ -3877,9 +3877,9 @@ typedef struct BdrvCoGetBlockStatusData {
 } BdrvCoGetBlockStatusData;
 
 /*
- * Returns true iff the specified sector is present in the disk image. Drivers
- * not implementing the functionality are assumed to not support backing files,
- * hence all their sectors are reported as allocated.
+ * Returns the allocation status of the specified sectors.
+ * Drivers not implementing the functionality are assumed to not support
+ * backing files, hence all their sectors are reported as allocated.
  *
  * If 'sector_num' is beyond the end of the disk image the return value is 0
  * and 'pnum' is set to 0.
diff --git a/include/block/block.h b/include/block/block.h
index 341054d..603d4b4 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -83,7 +83,9 @@ typedef enum {
 #define BDRV_SECTOR_SIZE   (1ULL << BDRV_SECTOR_BITS)
 #define BDRV_SECTOR_MASK   ~(BDRV_SECTOR_SIZE - 1)
 
-/* BDRV_BLOCK_DATA: data is read from bs->file or another file
+/*
+ * Allocation status flags
+ * BDRV_BLOCK_DATA: data is read from bs->file or another file
  * BDRV_BLOCK_ZERO: sectors read as zero
  * BDRV_BLOCK_OFFSET_VALID: sector stored in bs->file as raw data
  * BDRV_BLOCK_ALLOCATED: the content of the block is determined by this
commit 00c2275c95edb3c355fce7e1128bdef845b9fe34
Author: Gonglei <arei.gonglei at huawei.com>
Date:   Tue Nov 11 17:37:59 2014 +0800

    sysbus: Correct SYSTEM_BUS(obj) defines
    
    Signed-off-by: Gonglei <arei.gonglei at huawei.com>
    Reviewed-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h
index 9fb1782..9bddfde 100644
--- a/include/hw/sysbus.h
+++ b/include/hw/sysbus.h
@@ -10,7 +10,7 @@
 #define QDEV_MAX_PIO 32
 
 #define TYPE_SYSTEM_BUS "System"
-#define SYSTEM_BUS(obj) OBJECT_CHECK(IDEBus, (obj), TYPE_IDE_BUS)
+#define SYSTEM_BUS(obj) OBJECT_CHECK(BusState, (obj), TYPE_SYSTEM_BUS)
 
 typedef struct SysBusDevice SysBusDevice;
 
commit 8f9d989cac7bd92fb976d65d0aada2d4c6d8ecf9
Author: Chen Fan <chen.fan.fnst at cn.fujitsu.com>
Date:   Wed Nov 5 16:40:33 2014 +0800

    target-i386: cpu: keeping function parameters alignment on new line
    
    Signed-off-by: Chen Fan <chen.fan.fnst at cn.fujitsu.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index e4ccee1..236bbee 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -533,8 +533,8 @@ void host_cpuid(uint32_t function, uint32_t count,
  * otherwise the string is assumed to sized by a terminating nul.
  * Return lexical ordering of *s1:*s2.
  */
-static int sstrcmp(const char *s1, const char *e1, const char *s2,
-    const char *e2)
+static int sstrcmp(const char *s1, const char *e1,
+                   const char *s2, const char *e2)
 {
     for (;;) {
         if (!*s1 || !*s2 || *s1 != *s2)
@@ -1845,7 +1845,7 @@ static void x86_cpu_parse_featurestr(CPUState *cs, char *features,
  * if flags, suppress names undefined in featureset.
  */
 static void listflags(char *buf, int bufsize, uint32_t fbits,
-    const char **featureset, uint32_t flags)
+                      const char **featureset, uint32_t flags)
 {
     const char **p = &featureset[31];
     char *q, *b, bit;
commit d208a85f1568ab8aec238cb91367581c61350008
Author: Chen Gang <gang.chen.5i5j at gmail.com>
Date:   Tue Nov 11 17:23:40 2014 +0800

    xen-hvm: Remove redundant variable 'xstate'
    
    In xen_hvm_change_state_handler(), we can pass 'opaque' with type cast
    to xen_main_loop_prepare() directly, there's no need to use additional
    variable for it.
    
    Signed-off-by: Chen Gang <gang.chen.5i5j at gmail.com>
    Acked-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/xen-hvm.c b/xen-hvm.c
index 21f1cbb..7548794 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -993,9 +993,8 @@ static void xen_main_loop_prepare(XenIOState *state)
 static void xen_hvm_change_state_handler(void *opaque, int running,
                                          RunState rstate)
 {
-    XenIOState *xstate = opaque;
     if (running) {
-        xen_main_loop_prepare(xstate);
+        xen_main_loop_prepare((XenIOState *)opaque);
     }
 }
 
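Review bot: The cast in `xen_main_loop_prepare((XenIOState *)opaque);` is redundant in C, where `void *` converts implicitly to any object pointer type, and an explicit cast of this kind can silence the compiler if the callee's parameter type ever changes. Plain `xen_main_loop_prepare(opaque);` is sufficient and keeps the type check.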
commit 844741451001cf1aadecde7e5c7b556b8fc4b70b
Merge: 59c4f2e c0787c8
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Nov 11 11:05:54 2014 +0000

    Merge remote-tracking branch 'remotes/armbru/tags/for-upstream' into staging
    
    Patches to MAINTAINERS that haven't been picked up
    
    # gpg: Signature made Tue 11 Nov 2014 08:46:55 GMT using RSA key ID EB918653
    # gpg: Good signature from "Markus Armbruster <armbru at redhat.com>"
    # gpg:                 aka "Markus Armbruster <armbru at pond.sub.org>"
    
    * remotes/armbru/tags/for-upstream:
      Add Migration maintainer
      MAINTAINERS: add section for QEMU Guest Agent
      MAINTAINERS: add myself as bootdevice.c maintainer
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit ed4b43265d4d0c7ecfbbcb4001f61700756f22b9
Author: Ming Lei <ming.lei at canonical.com>
Date:   Tue Nov 11 09:17:09 2014 +0800

    virtio-scsi: dataplane: fix allocation for 'cmd_vrings'
    
    The size of each element should be sizeof(VirtIOSCSIVring *).
    
    Signed-off-by: Ming Lei <ming.lei at canonical.com>
    Reviewed-by: Fam Zheng <famz at redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/scsi/virtio-scsi-dataplane.c b/hw/scsi/virtio-scsi-dataplane.c
index 9651e6f..969b931 100644
--- a/hw/scsi/virtio-scsi-dataplane.c
+++ b/hw/scsi/virtio-scsi-dataplane.c
@@ -230,7 +230,7 @@ void virtio_scsi_dataplane_start(VirtIOSCSI *s)
     if (!s->event_vring) {
         goto fail_vrings;
     }
-    s->cmd_vrings = g_malloc0(sizeof(VirtIOSCSIVring) * vs->conf.num_queues);
+    s->cmd_vrings = g_new(VirtIOSCSIVring *, vs->conf.num_queues);
     for (i = 0; i < vs->conf.num_queues; i++) {
         s->cmd_vrings[i] =
             virtio_scsi_vring_init(s, vs->cmd_vqs[i],
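Review bot: Switching from g_malloc0 to g_new fixes the element size but also drops the zero fill, so the cmd_vrings slots are indeterminate until the loop below assigns them; if virtio_scsi_vring_init() can fail part-way and the fail path walks cmd_vrings freeing entries, it would now free garbage pointers. `s->cmd_vrings = g_new0(VirtIOSCSIVring *, vs->conf.num_queues);` keeps both the size fix and the zero fill. The loop body and the fail_vrings label are outside this hunk, so I cannot confirm whether that cleanup path exists.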
commit 59c4f2ecefe33878bc23219a51d0bd913d46aa97
Merge: 9df9835 aecc886
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Nov 11 10:09:31 2014 +0000

    Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20141111' into staging
    
    linux-user pull for 2.2
    
    Two last minute fixes uncovered and fixed by Tom Musta
    and Alexander Graf, thanks
    
    # gpg: Signature made Tue 11 Nov 2014 06:36:02 GMT using RSA key ID DE3C9BC0
    # gpg: Good signature from "Riku Voipio <riku.voipio at iki.fi>"
    # gpg:                 aka "Riku Voipio <riku.voipio at linaro.org>"
    
    * remotes/riku/tags/pull-linux-user-20141111:
      linux-user: Fix up timer id handling
      linux-user: Do not subtract offset from end address
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit c0787c8dd1906522c9e760cde5e4f74438d0a911
Author: Juan Quintela <quintela at trasno.org>
Date:   Wed Oct 15 10:34:50 2014 +0200

    Add Migration maintainer
    
    Signed-off-by: Juan Quintela <quintela at trasno.org>
    Reviewed-by: Amit Shah <amit.shah at redhat.com>
    Signed-off-by: Markus Armbruster <armbru at redhat.com>

diff --git a/MAINTAINERS b/MAINTAINERS
index 1faf45f..bcb69e8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -926,6 +926,15 @@ M: Blue Swirl <blauwirbel at gmail.com>
 S: Odd Fixes
 F: scripts/checkpatch.pl
 
+Migration
+M: Juan Quintela <quintela at redhat.com>
+S: Maintained
+F: include/migration/
+F: migration*
+F: savevm.c
+F: arch_init.c
+F: vmstate.c
+
 Seccomp
 M: Eduardo Otubo <eduardo.otubo at profitbricks.com>
 S: Supported
commit f05d9999f42209a19c6bd82b09b47df8ca4f565c
Author: Michael Roth <mdroth at linux.vnet.ibm.com>
Date:   Wed Oct 22 07:05:36 2014 -0500

    MAINTAINERS: add section for QEMU Guest Agent
    
    Signed-off-by: Michael Roth <mdroth at linux.vnet.ibm.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
    Signed-off-by: Markus Armbruster <armbru at redhat.com>

diff --git a/MAINTAINERS b/MAINTAINERS
index 2287b18..1faf45f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -880,6 +880,12 @@ S: Maintained
 F: qobject/
 T: git git://repo.or.cz/qemu/qmp-unstable.git queue/qmp
 
+QEMU Guest Agent
+M: Michael Roth <mdroth at linux.vnet.ibm.com>
+S: Maintained
+F: qga/
+T: git git://github.com/mdroth/qemu.git qga
+
 QOM
 M: Anthony Liguori <aliguori at amazon.com>
 M: Andreas Färber <afaerber at suse.de>
commit b5e9476c0fb865864dd12a9132cb2ebdceed3476
Author: Gonglei <arei.gonglei at huawei.com>
Date:   Wed Oct 22 11:07:57 2014 +0800

    MAINTAINERS: add myself as bootdevice.c maintainer
    
    bootdevice.c was created by me, and I wrote most of
    the code in this file. And now I can maintain it,
    I'd hope nobody object this.
    
    Cc: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Gonglei <arei.gonglei at huawei.com>
    Signed-off-by: Markus Armbruster <armbru at redhat.com>

diff --git a/MAINTAINERS b/MAINTAINERS
index dd02d96..2287b18 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1078,3 +1078,8 @@ M: Chrysostomos Nanakos <cnanakos at grnet.gr>
 M: Chrysostomos Nanakos <chris at include.gr>
 S: Maintained
 F: block/archipelago.c
+
+Bootdevice
+M: Gonglei <arei.gonglei at huawei.com>
+S: Maintained
+F: bootdevice.c
commit 7f151e6f718f2edaf8661c4dedf6fcdb30b10e1b
Author: Willem Pinckaers <willem_qemu at lekkertech.net>
Date:   Fri Nov 7 19:51:59 2014 -0800

    coroutine-sigaltstack: Change jmp_buf to sigjmp_buf
    
    This is a simple patch to change the type of old_env from jmp_buf
    to sigjmp_buf.  old_env is used by sigsetjmp and as such should be
    a sigjmp_buf.
    
    This fixes a stack_chk failure in an OS X 32-bit build: at least on
    OS X, sigjmp_buf is four bytes larger than jmp_buf, so sigsetjmp()
    writes past the end of a jmp_buf. Due to variable reordering this
    overwrites the stack cookie.
    
    Signed-off-by: Willem Pinckaers <willem_qemu at lekkertech.net>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Peter: I think I must have missed this one when I converted
           all the jmp_buf to sigjmp_buf in commit 6ab7e546.
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/coroutine-sigaltstack.c b/coroutine-sigaltstack.c
index 3de0bb3..63519ff 100644
--- a/coroutine-sigaltstack.c
+++ b/coroutine-sigaltstack.c
@@ -155,7 +155,7 @@ Coroutine *qemu_coroutine_new(void)
     stack_t oss;
     sigset_t sigs;
     sigset_t osigs;
-    jmp_buf old_env;
+    sigjmp_buf old_env;
 
     /* The way to manipulate stack is with the sigaltstack function. We
      * prepare a stack, with it delivering a signal to ourselves and then
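Review bot: The type change on `old_env` carries no comment tying it to the sigsetjmp()/siglongjmp() pair that uses it, so the only record that a plain `jmp_buf` is too small on some platforms (the commit message cites OS X, where the overflow clobbers the stack cookie) lives in the git history. A short comment on the declaration, `sigjmp_buf old_env; /* used with sigsetjmp(); a jmp_buf is too small on OS X */`, would keep the next cleanup from reverting it. qemu_coroutine_new continues past the end of this hunk.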
commit f2ad97ff81da51c064b9e87720ff48a0874f45d4
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 7 10:41:25 2014 +0100

    xhci: add sanity checks to xhci_lookup_uport
    
    Also catch xhci_lookup_uport failures in post_load.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1074219
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 2930b72..9a942cf 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -2262,6 +2262,9 @@ static USBPort *xhci_lookup_uport(XHCIState *xhci, uint32_t *slot_ctx)
     int i, pos, port;
 
     port = (slot_ctx[1]>>16) & 0xFF;
+    if (port < 1 || port > xhci->numports) {
+        return NULL;
+    }
     port = xhci->ports[port-1].uport->index+1;
     pos = snprintf(path, sizeof(path), "%d", port);
     for (i = 0; i < 5; i++) {
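Review bot: The new range check on `port` rejects an out-of-range index from the guest-supplied slot context, but the next line still dereferences `xhci->ports[port-1].uport` unconditionally; if a root-hub port can exist without a uport bound to it (not visible in this hunk), an in-range value still reaches a NULL dereference. Either a guard, `if (!xhci->ports[port-1].uport) { return NULL; }`, or a one-line comment stating the invariant that every entry in `ports[]` has a uport would settle whether the check is sufficient. xhci_lookup_uport continues past the end of this hunk.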
@@ -3706,6 +3709,12 @@ static int usb_xhci_post_load(void *opaque, int version_id)
             xhci_mask64(ldq_le_pci_dma(pci_dev, dcbaap + 8 * slotid));
         xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
         slot->uport = xhci_lookup_uport(xhci, slot_ctx);
+        if (!slot->uport) {
+            /* should not happen, but may trigger on guest bugs */
+            slot->enabled = 0;
+            slot->addressed = 0;
+            continue;
+        }
         assert(slot->uport && slot->uport->dev);
 
         for (epid = 1; epid <= 31; epid++) {
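Review bot: The added `!slot->uport` guard makes the first half of the `assert(slot->uport && slot->uport->dev)` on the following line redundant, but the second half still aborts QEMU when the looked-up port has no device attached, a state a mismatched or crafted migration stream can produce just as easily as an invalid port number. Since post_load is consuming an untrusted stream, the same recovery should cover that case: `if (!slot->uport || !slot->uport->dev) {` with the assert dropped. The comment "should not happen, but may trigger on guest bugs" would then also name the migration-stream case. usb_xhci_post_load starts before this hunk.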
commit 1e03e407845c5d698f82a262312bca5aa2406d59
Author: Chris Johns <chrisj at rtems.org>
Date:   Wed Nov 5 19:35:22 2014 +1100

    Provide the missing LIBUSB_LOG_LEVEL_* for older libusb or FreeBSD. Providing just the needed value as a defined.
    
    Signed-off-by: Chris Johns <chrisj at rtems.org>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c
index d2d161b..032a0e4 100644
--- a/hw/usb/host-libusb.c
+++ b/hw/usb/host-libusb.c
@@ -143,6 +143,12 @@ static void usb_host_attach_kernel(USBHostDevice *s);
 
 /* ------------------------------------------------------------------------ */
 
+#ifndef LIBUSB_LOG_LEVEL_WARNING /* older libusb didn't define these */
+#define LIBUSB_LOG_LEVEL_WARNING 2
+#endif
+
+/* ------------------------------------------------------------------------ */
+
 #define CONTROL_TIMEOUT  10000        /* 10 sec    */
 #define BULK_TIMEOUT         0        /* unlimited */
 #define INTR_TIMEOUT         0        /* unlimited */
commit aecc88616a64a4e0a1ae0d6986de0054ea9f37d2
Author: Alexander Graf <agraf at suse.de>
Date:   Mon Nov 10 21:33:03 2014 +0100

    linux-user: Fix up timer id handling
    
    When creating a timer handle, we give the timer id a special magic offset
    of 0xcafe0000. However, we never mask that offset out of the timer id before
    we start using it to dereference our timer array. So we always end up aborting
    timer operations because the timer id is out of bounds.
    
    This was not an issue before my patch e52a99f756e ("linux-user: Simplify
    timerid checks on g_posix_timers range") because before we would blindly mask
    anything above the first 16 bits.
    
    This patch simplifies the code around timer id creation by introducing a proper
    target_timer_id typedef that is s32, just like Linux has it. It also changes the
    magic offset to a value that makes all timer ids be positive.
    
    Reported-by: Tom Musta <tommusta at gmail.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Tom Musta <tommusta at gmail.com>
    Tested-by: Tom Musta <tommusta at gmail.com>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index a175cc1..aaac6a2 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5473,6 +5473,27 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
     return get_errno(sys_openat(dirfd, path(pathname), flags, mode));
 }
 
+#define TIMER_MAGIC 0x0caf0000
+#define TIMER_MAGIC_MASK 0xffff0000
+
+/* Convert QEMU provided timer ID back to internal 16bit index format */
+static target_timer_t get_timer_id(abi_long arg)
+{
+    target_timer_t timerid = arg;
+
+    if ((timerid & TIMER_MAGIC_MASK) != TIMER_MAGIC) {
+        return -TARGET_EINVAL;
+    }
+
+    timerid &= 0xffff;
+
+    if (timerid >= ARRAY_SIZE(g_posix_timers)) {
+        return -TARGET_EINVAL;
+    }
+
+    return timerid;
+}
+
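Review bot: get_timer_id validates the magic and the 16-bit index against the size of g_posix_timers but not that the slot actually holds a live host timer; whether free slots are distinguishable (e.g. NULL) is not visible here, but if they are, returning `-TARGET_EINVAL` for an unallocated index would keep the callers from handing an empty or stale timer_t to timer_settime()/timer_delete(). Note also that `target_timer_t timerid = arg;` truncates a 64-bit abi_long, so any high bits a guest sets are silently ignored rather than rejected; that matches a 32-bit timer_t but deserves a one-line comment. The function comment could also state that the result is either a valid index or a negative -TARGET_E* code, since every caller relies on `timerid < 0` to tell the two apart.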
 /* do_syscall() should always have a single exit point at the end so
    that actions, such as logging of syscall results, can be performed.
    All errnos that do_syscall() returns must be -TARGET_<errcode>. */
@@ -9579,7 +9600,6 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
         /* args: clockid_t clockid, struct sigevent *sevp, timer_t *timerid */
 
         struct sigevent host_sevp = { {0}, }, *phost_sevp = NULL;
-        struct target_timer_t *ptarget_timer;
 
         int clkid = arg1;
         int timer_index = next_free_host_timer();
@@ -9601,11 +9621,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             if (ret) {
                 phtimer = NULL;
             } else {
-                if (!lock_user_struct(VERIFY_WRITE, ptarget_timer, arg3, 1)) {
+                if (put_user(TIMER_MAGIC | timer_index, arg3, target_timer_t)) {
                     goto efault;
                 }
-                ptarget_timer->ptr = tswap32(0xcafe0000 | timer_index);
-                unlock_user_struct(ptarget_timer, arg3, 1);
             }
         }
         break;
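Review bot: When `put_user(TIMER_MAGIC | timer_index, arg3, target_timer_t)` fails, the `goto efault` leaves the host timer that was just created (the timer_create call sits above this hunk) allocated and its g_posix_timers slot occupied, so a guest passing a bad `timerid` pointer can leak one host timer per call; the kernel releases the timer in the same situation. Before the `goto efault` the timer should be torn down, along the lines of `timer_delete(*phtimer); *phtimer = NULL;`, assuming phtimer points at the table slot as the surrounding code suggests. The timer_create case body starts before this hunk.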
@@ -9617,9 +9635,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     {
         /* args: timer_t timerid, int flags, const struct itimerspec *new_value,
          * struct itimerspec * old_value */
-        target_ulong timerid = arg1;
+        target_timer_t timerid = get_timer_id(arg1);
 
-        if (arg3 == 0 || timerid >= ARRAY_SIZE(g_posix_timers)) {
+        if (timerid < 0) {
+            ret = timerid;
+        } else if (arg3 == 0) {
             ret = -TARGET_EINVAL;
         } else {
             timer_t htimer = g_posix_timers[timerid];
@@ -9638,12 +9658,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     case TARGET_NR_timer_gettime:
     {
         /* args: timer_t timerid, struct itimerspec *curr_value */
-        target_ulong timerid = arg1;
+        target_timer_t timerid = get_timer_id(arg1);
 
-        if (!arg2) {
-            return -TARGET_EFAULT;
-        } else if (timerid >= ARRAY_SIZE(g_posix_timers)) {
-            ret = -TARGET_EINVAL;
+        if (timerid < 0) {
+            ret = timerid;
+        } else if (!arg2) {
+            ret = -TARGET_EFAULT;
         } else {
             timer_t htimer = g_posix_timers[timerid];
             struct itimerspec hspec;
@@ -9661,10 +9681,10 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     case TARGET_NR_timer_getoverrun:
     {
         /* args: timer_t timerid */
-        target_ulong timerid = arg1;
+        target_timer_t timerid = get_timer_id(arg1);
 
-        if (timerid >= ARRAY_SIZE(g_posix_timers)) {
-            ret = -TARGET_EINVAL;
+        if (timerid < 0) {
+            ret = timerid;
         } else {
             timer_t htimer = g_posix_timers[timerid];
             ret = get_errno(timer_getoverrun(htimer));
@@ -9677,10 +9697,10 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     case TARGET_NR_timer_delete:
     {
         /* args: timer_t timerid */
-        target_ulong timerid = arg1;
+        target_timer_t timerid = get_timer_id(arg1);
 
-        if (timerid >= ARRAY_SIZE(g_posix_timers)) {
-            ret = -TARGET_EINVAL;
+        if (timerid < 0) {
+            ret = timerid;
         } else {
             timer_t htimer = g_posix_timers[timerid];
             ret = get_errno(timer_delete(htimer));
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index c9e6323..ebb3be1 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2564,10 +2564,7 @@ struct target_ucred {
 
 #endif
 
-
-struct target_timer_t {
-    abi_ulong ptr;
-};
+typedef int32_t target_timer_t;
 
 #define TARGET_SIGEV_MAX_SIZE 64
 
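Review bot: The new `typedef int32_t target_timer_t;` replaces a struct without saying why a fixed 32-bit signed integer is the right width for every target; the commit message gives the reason (it mirrors the kernel's timer_t, an s32), but that belongs next to the definition. Suggested comment: `/* Guest timer_t: a signed 32-bit int as in the Linux ABI. The value holds TIMER_MAGIC in the high 16 bits and an index into g_posix_timers in the low 16 (see get_timer_id in syscall.c). */`.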
commit ccf661f827faf700b03a30076b5f944e8f787280
Author: Tom Musta <tommusta at gmail.com>
Date:   Thu Nov 6 13:43:13 2014 -0600

    linux-user: Do not subtract offset from end address
    
    When computing the upper address of a program segment, do not subtract the
    offset from the virtual address; instead compute the sum of the virtual address
    and the memory size.
    
    Signed-off-by: Tom Musta <tommusta at gmail.com>
    Signed-off-by: Riku Voipio <riku.voipio at linaro.org>

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 84123ba..e2596a4 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -1824,7 +1824,7 @@ static void load_elf_image(const char *image_name, int image_fd,
             if (a < loaddr) {
                 loaddr = a;
             }
-            a += phdr[i].p_memsz;
+            a = phdr[i].p_vaddr + phdr[i].p_memsz;
             if (a > hiaddr) {
                 hiaddr = a;
             }
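Review bot: `a = phdr[i].p_vaddr + phdr[i].p_memsz;` is computed from program-header fields read straight out of the ELF image, and the sum can wrap for a crafted header (p_memsz close to the address-space limit), which would leave `hiaddr` below `loaddr` and make whatever is later sized from the two bounds wrong; the corrected code still trusts the input. An explicit overflow check before the comparison, `if (phdr[i].p_memsz > (abi_ulong)-1 - phdr[i].p_vaddr) { goto exit_errmsg; }` or whatever error path load_elf_image uses, would reject such images. load_elf_image and its loop start before this hunk, so the type of `a` and the error path are not visible here.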
commit c21fd2c79e1fcaf45582f2dd4deb491c257aa9f2
Author: Chen Gang <gang.chen.5i5j at gmail.com>
Date:   Mon Nov 3 17:26:30 2014 +0800

    pc-bios: petalogix-s3adsp1800.dtb: Use 'xlnx, xps-ethernetlite-2.00.a' instead of 'xlnx, xps-ethernetlite-2.00.b'
    
    For Linux upstream kernel (e.g. 3.17-rc7), the related compatible string
    'xlnx,xps-ethernetlite-2.00.a' is supported, but 'b' is not supported,
    so change qemu dtb file to match kernel driver.
    
    The related operation for qemu (after this patch):
    
       yum install libvirt
       yum install tunctl
       tunctl -b
       ip link set tap0 up
       brctl addif virbr0 tap0
    
       ./configure
       make
       ./microblaze-softmmu/qemu-system-microblaze -M petalogix-s3adsp1800 \
         -kernel ../linux-stable.microblaze/arch/microblaze/boot/linux.bin \
         -no-reboot -append "console=ttyUL0,115200 doreboot" -nographic \
         -net nic,vlan=0,model=xlnx.xps-ethernetlite,macaddr=00:16:35:AF:94:00 \
         -net tap,vlan=0,ifname=tap0,script=no,downscript=no
    
       in microblaze qemu bash (guest machine):
    
         ifconfig eth0 add 192.168.122.2 netmask 255.255.255.0
         ifconfig eth0 up
    
       Then can telnet 192.168.122.2 directly without password from the host
       machine.
    
    The related operation for generating new dtb:
    
       build the Linux kernel first, then use the dtc tool "./scripts/dtc/dtc":
       "./scripts/dtc/dtc -I dtb -O dts  -o ../work.dts ../qemu/petalogix-s3adsp1800.dtb"
       edit work.dts (replace 'xlnx,xps-ethernetlite-2.00.b' with 'xlnx,xps-ethernetlite-2.00.a')
       "./scripts/dtc/dtc -I dts -O dtb  -o ../qemu/petalogix-s3adsp1800.dtb ../work.dts"
    
    (Since I am not quite sure whether can read this patch or not, I put the
    related dtb file in attachment, please check, thanks).
    
    Signed-off-by: Chen Gang <gang.chen.5i5j at gmail.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/pc-bios/petalogix-s3adsp1800.dtb b/pc-bios/petalogix-s3adsp1800.dtb
index 93c5973..8ac80f2 100644
Binary files a/pc-bios/petalogix-s3adsp1800.dtb and b/pc-bios/petalogix-s3adsp1800.dtb differ
commit f17b06901049e54dbfa8b01c278cdc2e3ae5d62d
Author: Martin Simmons <martin at lispworks.com>
Date:   Wed Nov 5 14:47:39 2014 +0000

    gdbstub: Add a missing case of signal number translation in gdbstub
    
    While using qemu with gdb "target remote" to debug an application that uses
    fork and exec, the qemu process receives SIGSTOP every time the forked process
    terminates (sending SIGCHLD).
    
    This is caused by a missing call to gdb_signal_to_target in gdbstub.c, which
    is fixed by this patch:
    
    Signed-off-by: Martin Simmons <martin at lispworks.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/gdbstub.c b/gdbstub.c
index d1b5afd..0faca56 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -823,7 +823,10 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
                 action = *p++;
                 signal = 0;
                 if (action == 'C' || action == 'S') {
-                    signal = strtoul(p, (char **)&p, 16);
+                    signal = gdb_signal_to_target(strtoul(p, (char **)&p, 16));
+                    if (signal == -1) {
+                        signal = 0;
+                    }
                 } else if (action != 'c' && action != 's') {
                     res = 0;
                     break;
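Review bot: Mapping an unknown GDB signal number to 0 with `if (signal == -1) { signal = 0; }` silently turns a `C`/`S` vCont action that asked for signal delivery into a plain continue/step, so the debugger's intent is dropped with nothing in the reply to show it. Rejecting the packet instead (`res = 0; break;`, as the unknown-action branch two lines down does) or at least a comment, `/* no target equivalent: resume without delivering a signal */`, would make the choice explicit. gdb_handle_packet starts before this hunk; the strtoul result is also not checked for trailing garbage, which predates this change.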
commit 5b009e400809523e71f1b72bdaa2b681e2a5b1c7
Author: zhanghailiang <zhang.zhanghailiang at huawei.com>
Date:   Tue Nov 4 19:49:30 2014 +0800

    numa: make 'info numa' take into account hotplugged memory
    
    When do memory hotplug, if there is numa node, we should add
    the memory size to the corresponding node memory size.
    
    It affects the result of hmp command "info numa".
    
    Reviewed-by: Igor Mammedov <imammedo at redhat.com>
    Signed-off-by: zhanghailiang <zhang.zhanghailiang at huawei.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index 0037a69..50de1d3 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -161,6 +161,7 @@ typedef struct node_info {
 extern NodeInfo numa_info[MAX_NODES];
 void set_numa_nodes(void);
 void set_numa_modes(void);
+void query_numa_node_mem(uint64_t node_mem[]);
 extern QemuOptsList qemu_numa_opts;
 int numa_init_func(QemuOpts *opts, void *opaque);
 
diff --git a/monitor.c b/monitor.c
index 1fc201a..32db7ee 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1948,7 +1948,10 @@ static void do_info_numa(Monitor *mon, const QDict *qdict)
 {
     int i;
     CPUState *cpu;
+    uint64_t *node_mem;
 
+    node_mem = g_new0(uint64_t, nb_numa_nodes);
+    query_numa_node_mem(node_mem);
     monitor_printf(mon, "%d nodes\n", nb_numa_nodes);
     for (i = 0; i < nb_numa_nodes; i++) {
         monitor_printf(mon, "node %d cpus:", i);
@@ -1959,8 +1962,9 @@ static void do_info_numa(Monitor *mon, const QDict *qdict)
         }
         monitor_printf(mon, "\n");
         monitor_printf(mon, "node %d size: %" PRId64 " MB\n", i,
-            numa_info[i].node_mem >> 20);
+                       node_mem[i] >> 20);
     }
+    g_free(node_mem);
 }
 
 #ifdef CONFIG_PROFILER
diff --git a/numa.c b/numa.c
index 3b98135..afd2866 100644
--- a/numa.c
+++ b/numa.c
@@ -35,6 +35,7 @@
 #include "hw/boards.h"
 #include "sysemu/hostmem.h"
 #include "qmp-commands.h"
+#include "hw/mem/pc-dimm.h"
 
 QemuOptsList qemu_numa_opts = {
     .name = "numa",
@@ -315,6 +316,43 @@ void memory_region_allocate_system_memory(MemoryRegion *mr, Object *owner,
     }
 }
 
+static void numa_stat_memory_devices(uint64_t node_mem[])
+{
+    MemoryDeviceInfoList *info_list = NULL;
+    MemoryDeviceInfoList **prev = &info_list;
+    MemoryDeviceInfoList *info;
+
+    qmp_pc_dimm_device_list(qdev_get_machine(), &prev);
+    for (info = info_list; info; info = info->next) {
+        MemoryDeviceInfo *value = info->value;
+
+        if (value) {
+            switch (value->kind) {
+            case MEMORY_DEVICE_INFO_KIND_DIMM:
+                node_mem[value->dimm->node] += value->dimm->size;
+                break;
+            default:
+                break;
+            }
+        }
+    }
+    qapi_free_MemoryDeviceInfoList(info_list);
+}
+
+void query_numa_node_mem(uint64_t node_mem[])
+{
+    int i;
+
+    if (nb_numa_nodes <= 0) {
+        return;
+    }
+
+    numa_stat_memory_devices(node_mem);
+    for (i = 0; i < nb_numa_nodes; i++) {
+        node_mem[i] += numa_info[i].node_mem;
+    }
+}
+
 static int query_memdev(Object *obj, void *opaque)
 {
     MemdevList **list = opaque;
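Review bot: `node_mem[value->dimm->node] += value->dimm->size;` indexes the caller-supplied array with a node number taken from each DIMM's property and never compares it with nb_numa_nodes; the one caller in this series (do_info_numa) allocates exactly nb_numa_nodes entries, so a DIMM whose node property was accepted with a value outside that range (whether the plug path validates it is not visible here) would write past the end of the array. Guarding the accumulation, `if (value->dimm->node < nb_numa_nodes) { node_mem[value->dimm->node] += value->dimm->size; }`, keeps the function safe regardless of what hotplug enforces. query_numa_node_mem should also document that `node_mem` must hold nb_numa_nodes entries and that sizes are added to it, so the caller has to zero it first.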
commit 7912d04be6322b16cfece6b698361ae6ed036ba9
Author: Peter Wu <peter at lekensteyn.nl>
Date:   Mon Nov 3 11:52:10 2014 +0100

    slirp/smbd: modify/set several parameters in generated smbd.conf
    
    The file sharing module should not handle printers, so disable it.
    The options 'load printers' and 'printing' have been available since the
    beginning (May 1996, commit 0e8fd3398771da2f016d72830179507f3edda51b).
    Option 'disable spoolss' is available since Samba 2.0.4, commit
    de5f42c9d9172592779fa2504d44544e3b6b1c0d).
    
    Next, "socket address" was reported as deprecated, use a combination of
    "interfaces" and "bind interfaces only" instead (available since October
    1997, commit 79f4fb52c1ed56fd843f81b4eb0cdd2991d4d0f4).
    
    Override cache directory to avoid writing to a global directory. Option
    available since Samba 3.4.0, Jan 2009, commit
    19a05bf2f485023b11b41dfae3f6459847d55ef7.
    
    Set "usershare max shared=0" to prevent a global directory from being
    used. Option available since Samba 3.0.23, February 2006, commit
    5831715049f2d460ce42299963a5defdc160891b.
    
    The last option was introduced with Samba 3.4.0, but previously
    "state directory" was already added which exists in Samba 3.4.0. As
    unknown parameters are ignored (while printing a warning), it should be
    safe to add another option.
    
    Signed-off-by: Peter Wu <peter at lekensteyn.nl>
    Cc: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/net/slirp.c b/net/slirp.c
index 920af30..dc89e6b 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -523,15 +523,21 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
     fprintf(f,
             "[global]\n"
             "private dir=%s\n"
-            "socket address=127.0.0.1\n"
+            "interfaces=127.0.0.1\n"
+            "bind interfaces only=yes\n"
             "pid directory=%s\n"
             "lock directory=%s\n"
             "state directory=%s\n"
+            "cache directory=%s\n"
             "ncalrpc dir=%s/ncalrpc\n"
             "log file=%s/log.smbd\n"
             "smb passwd file=%s/smbpasswd\n"
             "security = user\n"
             "map to guest = Bad User\n"
+            "load printers = no\n"
+            "printing = bsd\n"
+            "disable spoolss = yes\n"
+            "usershare max shares = 0\n"
             "[qemu]\n"
             "path=%s\n"
             "read only=no\n"
@@ -544,6 +550,7 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
             s->smb_dir,
             s->smb_dir,
             s->smb_dir,
+            s->smb_dir,
             exported_dir,
             passwd->pw_name
             );
commit 9df98352b700bdf31ee18cd956393a07f427d829
Merge: 558c2c8 09c7fbe
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Nov 10 20:50:36 2014 +0000

    Merge remote-tracking branch 'remotes/xtensa/tags/20141110-xtensa' into staging
    
    Xtensa fixes for 2.2:
    - fix entry opcode register window checking and add unit test.
    
    # gpg: Signature made Mon 10 Nov 2014 15:01:47 GMT using RSA key ID F83FA044
    # gpg: Good signature from "Max Filippov <max.filippov at cogentembedded.com>"
    # gpg:                 aka "Max Filippov <jcmvbkbc at gmail.com>"
    
    * remotes/xtensa/tags/20141110-xtensa:
      target-xtensa: add entry overflow test
      target-xtensa: add missing window check for entry
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

commit 09c7fbef766b43f6edb46b30546bd1b32ee12921
Author: Max Filippov <jcmvbkbc at gmail.com>
Date:   Fri Nov 7 22:55:53 2014 +0300

    target-xtensa: add entry overflow test
    
    Check that entry instruction raises window overflow exception when
    PS.CALLINC points to live registers.
    
    Signed-off-by: Max Filippov <jcmvbkbc at gmail.com>

diff --git a/tests/tcg/xtensa/test_windowed.S b/tests/tcg/xtensa/test_windowed.S
index 3de6d37..d851e8f 100644
--- a/tests/tcg/xtensa/test_windowed.S
+++ b/tests/tcg/xtensa/test_windowed.S
@@ -299,4 +299,55 @@ test entry
     entry_test 12
 test_end
 
+.macro entry_overflow_test window, free, next_window
+    set_vector window_overflow_4, 0
+    set_vector window_overflow_8, 0
+    set_vector window_overflow_12, 0
+    set_vector window_overflow_\next_window, 10f
+
+    movi    a2, \window
+    movi    a2, \free
+    movi    a2, \next_window
+    reset_window %(1 | ((1 | (1 << ((\next_window) / 4))) << ((\free) / 4)))
+    reset_ps
+    movi    a2, 0x4000f | ((\window) << 14)
+    wsr     a2, ps
+    isync
+    movi    a3, 0x12345678
+    j       1f
+    .align  4
+1:
+    entry   a3, 0x5678
+    test_fail
+    .align  4
+10:
+    rsr     a2, epc1
+    movi    a3, 1b
+    assert  eq, a2, a3
+    movi    a2, 2f
+    wsr     a2, epc1
+
+    rsr     a2, windowbase
+    movi    a3, (\free) / 4
+    assert  eq, a2, a3
+    rfwo
+2:
+.endm
+
+.macro all_entry_overflow_tests
+    .irp window, 4, 8, 12
+    .irp next_window, 4, 8, 12
+    .irp free, 4, 8, 12
+    .if \free <= \window
+    entry_overflow_test \window, \free, \next_window
+    .endif
+    .endr
+    .endr
+    .endr
+.endm
+
+test entry_overflow
+    all_entry_overflow_tests
+test_end
+
 test_suite_end
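Review bot: In entry_overflow_test the three consecutive `movi a2, \window`, `movi a2, \free` and `movi a2, \next_window` lines overwrite each other and a2 is reloaded before its first real use, so they have no effect on the test. If they are there to make the macro parameters visible in a trace or disassembly, a comment saying so (`/* parameters left in the trace for debugging */`) would keep them from being removed as dead code; otherwise they should go.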
commit 1b3e71f8ee17ced609213d9b41758110f3c026e9
Author: Max Filippov <jcmvbkbc at gmail.com>
Date:   Fri Nov 7 21:11:07 2014 +0300

    target-xtensa: add missing window check for entry
    
    Entry opcode needs to check if moving to new register frame would cause
    register window overflow. Entry used in function prologue never
    overflows because preceding windowed call* opcode writes return address
    to the target register window frame, causing overflow exceptions at the
    point of call. But when a sequence of entry opcodes is used for register
    window spilling there may not be a call or other opcode that would cause
    window check between entries and they would not raise overflow exception
    themselves resulting in data corruption.
    
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Max Filippov <jcmvbkbc at gmail.com>

diff --git a/target-xtensa/cpu.h b/target-xtensa/cpu.h
index beb5486..ac463f2 100644
--- a/target-xtensa/cpu.h
+++ b/target-xtensa/cpu.h
@@ -472,6 +472,12 @@ static inline xtensa_tlb_entry *xtensa_tlb_get_entry(CPUXtensaState *env,
         env->itlb[wi] + ei;
 }
 
+static inline uint32_t xtensa_replicate_windowstart(CPUXtensaState *env)
+{
+    return env->sregs[WINDOW_START] |
+        (env->sregs[WINDOW_START] << env->config->nareg / 4);
+}
+
 /* MMU modes definitions */
 #define MMU_MODE0_SUFFIX _ring0
 #define MMU_MODE1_SUFFIX _ring1
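Review bot: xtensa_replicate_windowstart has no comment explaining why WINDOW_START is OR'ed with a copy of itself shifted by `nareg / 4`, and the expression relies on `/` binding tighter than `<<`, which a reader has to work out. A header comment along the lines of `/* Return WINDOW_START with a second copy shifted up by the number of register frames (nareg / 4), so a shift by WINDOW_BASE + 1 in the caller sees the frames above the current one even when they wrap to the bottom of the window. */` would document both, assuming wrap-around handling is the intent as its use in HELPER(entry) suggests.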
diff --git a/target-xtensa/op_helper.c b/target-xtensa/op_helper.c
index dae1386..872e5a8 100644
--- a/target-xtensa/op_helper.c
+++ b/target-xtensa/op_helper.c
@@ -235,6 +235,12 @@ void HELPER(entry)(CPUXtensaState *env, uint32_t pc, uint32_t s, uint32_t imm)
                 pc, env->sregs[PS]);
         HELPER(exception_cause)(env, pc, ILLEGAL_INSTRUCTION_CAUSE);
     } else {
+        uint32_t windowstart = xtensa_replicate_windowstart(env) >>
+            (env->sregs[WINDOW_BASE] + 1);
+
+        if (windowstart & ((1 << callinc) - 1)) {
+            HELPER(window_check)(env, pc, callinc);
+        }
         env->regs[(callinc << 2) | (s & 3)] = env->regs[s] - (imm << 3);
         rotate_window(env, callinc);
         env->sregs[WINDOW_START] |=
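Review bot: The new check calls `HELPER(window_check)(env, pc, callinc)` and then falls straight through to the register write and rotate_window; that is only correct if window_check never returns (raising the overflow exception by unwinding out of the helper), which the surrounding code hints at but the hunk does not state. A comment on the call, `/* raises the window overflow exception; does not return */`, would record the assumption, or the write could be moved into an else branch as the ILLEGAL_INSTRUCTION path above does. HELPER(entry) starts before this hunk.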
commit 25aaa2c568a11bd79b7b83c857278232f6fa7be6
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Mon Nov 10 13:58:14 2014 +0100

    esp: fix coding standards
    
    Reported-by: Mark Cave-Ayland <mark.cave-ayland at ilande.co.uk>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index 77b8647..00b7297 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -268,8 +268,9 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len,
     /* update status registers */
     pci->dma_regs[DMA_WBC] -= len;
     pci->dma_regs[DMA_WAC] += len;
-    if (pci->dma_regs[DMA_WBC] == 0)
+    if (pci->dma_regs[DMA_WBC] == 0) {
         pci->dma_regs[DMA_STAT] |= DMA_STAT_DONE;
+    }
 }
 
 static void esp_pci_dma_memory_read(void *opaque, uint8_t *buf, int len)
commit 55783a5521a3b1f93ee6a072e414a27c6cfa15f0
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Nov 7 14:00:02 2014 +0100

    virtio-scsi: work around bug in old BIOSes
    
    Old BIOSes left some padding by mistake after the req_size/resp_size.
    New QEMU does not like it, thinking it is a bidirectional command.
    
    As a workaround, we can check if the ANY_LAYOUT bit is set; if not, we
    always consider the first buffer as the virtio-scsi request/response,
    because, back when QEMU did not support ANY_LAYOUT, it expected the
    payload to start at the second element of the iovec.
    
    This can show up during migration.
    
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index fdcacfd..ef48550 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -118,6 +118,7 @@ static size_t qemu_sgl_concat(VirtIOSCSIReq *req, struct iovec *iov,
 static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
                                  unsigned req_size, unsigned resp_size)
 {
+    VirtIODevice *vdev = (VirtIODevice *) req->dev;
     size_t in_size, out_size;
 
     if (iov_to_buf(req->elem.out_sg, req->elem.out_num, 0,
@@ -130,8 +131,24 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
                               resp_size) < resp_size) {
         return -EINVAL;
     }
+
     req->resp_size = resp_size;
 
+    /* Old BIOSes left some padding by mistake after the req_size/resp_size.
+     * As a workaround, always consider the first buffer as the virtio-scsi
+     * request/response, making the payload start at the second element
+     * of the iovec.
+     *
+     * The actual length of the response header, stored in req->resp_size,
+     * does not change.
+     *
+     * TODO: always disable this workaround for virtio 1.0 devices.
+     */
+    if ((vdev->guest_features & VIRTIO_F_ANY_LAYOUT) == 0) {
+        req_size = req->elem.out_sg[0].iov_len;
+        resp_size = req->elem.in_sg[0].iov_len;
+    }
+
     out_size = qemu_sgl_concat(req, req->elem.out_sg,
                                &req->elem.out_addr[0], req->elem.out_num,
                                req_size);
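Review bot: `(vdev->guest_features & VIRTIO_F_ANY_LAYOUT) == 0` treats VIRTIO_F_ANY_LAYOUT as a bit mask; if, like the other VIRTIO_F_* constants, it is a bit number, the expression masks a handful of low feature bits instead and the workaround is applied or skipped based on unrelated features. The test should go through the feature-bit helper the file uses elsewhere or be written as `(vdev->guest_features & (1u << VIRTIO_F_ANY_LAYOUT)) == 0`. Also, `req->elem.out_sg[0]` and `in_sg[0]` are read without checking out_num/in_num; the iov_to_buf checks above make that safe only when req_size and resp_size are non-zero, which is worth a comment. virtio_scsi_parse_req continues past the end of this hunk.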
commit c3543fb5fe4520f03dd4fef04fab7745eeca1c96
Author: Hannes Reinecke <hare at suse.de>
Date:   Fri Nov 7 13:22:32 2014 +0100

    esp-pci: fixup deadlock with linux
    
    A linux guest will be issuing messages:
    
    [   32.124042] DC390: Deadlock in DataIn_0: DMA aborted unfinished: 000000 bytes remain!!
    [   32.126348] DC390: DataIn_0: DMA State: 0
    
    and the HBA will fail to work properly.
    Reason is the emulation is not setting the 'DMA transfer done'
    status correctly.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Cc: qemu-stable at nongnu.org
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index 82795e6..77b8647 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -268,6 +268,8 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len,
     /* update status registers */
     pci->dma_regs[DMA_WBC] -= len;
     pci->dma_regs[DMA_WAC] += len;
+    if (pci->dma_regs[DMA_WBC] == 0)
+        pci->dma_regs[DMA_STAT] |= DMA_STAT_DONE;
 }
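Review bot: `if (pci->dma_regs[DMA_WBC] == 0)` only fires on an exact match, so if `len` can ever exceed the remaining byte count the subtraction just above it wraps the counter and DMA_STAT_DONE is never set, leaving the guest in the same stall this change is meant to cure; whether len is bounded by DMA_WBC earlier in the function is outside the hunk. An `assert(len <= pci->dma_regs[DMA_WBC]);` before the subtraction, or a check that clamps and flags the transfer done, would record the invariant the fix depends on. esp_pci_dma_memory_rw starts before this hunk.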
 
 static void esp_pci_dma_memory_read(void *opaque, uint8_t *buf, int len)
commit 63c693f8d0182fddc411572916e460144ac71689
Author: Gonglei <arei.gonglei at huawei.com>
Date:   Mon Nov 3 20:48:30 2014 +0800

    qemu-doc.texi: fix typos in x509 examples
    
    Signed-off-by: Gonglei <arei.gonglei at huawei.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 9973090..ad418f8 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -1631,7 +1631,7 @@ EOF
 # certtool --generate-certificate \
            --load-ca-certificate ca-cert.pem \
            --load-ca-privkey ca-key.pem \
-           --load-privkey server server-key.pem \
+           --load-privkey server-key.pem \
            --template server.info \
            --outfile server-cert.pem
 @end example
@@ -1654,7 +1654,7 @@ the secure CA private key:
 country = GB
 state = London
 locality = London
-organiazation = Name of your organization
+organization = Name of your organization
 cn = client.foo.example.com
 tls_www_client
 encryption_key
commit 3a0614c6c782cb760ec925f1662037c1c6038f0c
Author: Zhu Guihua <zhugh.fnst at cn.fujitsu.com>
Date:   Mon Nov 3 13:51:34 2014 +0800

    icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE
    
    Rename ICC_BRIGDE for better readability.
    
    Signed-off-by: Zhu Guihua <zhugh.fnst at cn.fujitsu.com>
    Reviewed-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

diff --git a/hw/cpu/icc_bus.c b/hw/cpu/icc_bus.c
index 9575fd6..6646ea2 100644
--- a/hw/cpu/icc_bus.c
+++ b/hw/cpu/icc_bus.c
@@ -73,11 +73,11 @@ typedef struct ICCBridgeState {
     MemoryRegion apic_container;
 } ICCBridgeState;
 
-#define ICC_BRIGDE(obj) OBJECT_CHECK(ICCBridgeState, (obj), TYPE_ICC_BRIDGE)
+#define ICC_BRIDGE(obj) OBJECT_CHECK(ICCBridgeState, (obj), TYPE_ICC_BRIDGE)
 
 static void icc_bridge_init(Object *obj)
 {
-    ICCBridgeState *s = ICC_BRIGDE(obj);
+    ICCBridgeState *s = ICC_BRIDGE(obj);
     SysBusDevice *sb = SYS_BUS_DEVICE(obj);
 
     qbus_create_inplace(&s->icc_bus, sizeof(s->icc_bus), TYPE_ICC_BUS,

