2016-11-03 34b32196890e2c41b0aee042e600ba422f29db17
import qemu-kvm-1.5.3-126.el7
100 files added
13 files modified
1 files renamed
16563 ■■■■■ changed files
SOURCES/kvm-Add-skip_dump-flag-to-ignore-memory-region-during-du.patch 129 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-BlockLimits-introduce-max_transfer_length.patch 66 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-Fix-backport-of-target-i386-add-feature-flags-for-CP.patch 84 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-Make-qemu-io-commands-available-in-HMP.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-acpi-add-function-to-extract-oem_id-and-oem_table_id.patch 89 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-acpi-expose-oem_id-and-oem_table_id-in-build_rsdt.patch 92 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-acpi-fix-endian-ness-for-table-ids.patch 249 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-acpi-strip-compiler-info-in-built-in-DSDT.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-acpi-support-specified-oem-table-id-for-build_header.patch 154 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-acpi-take-oem_id-in-build_header-optionally.patch 157 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-blkdebug-Add-BLKDBG_FLUSH_TO_OS-DISK-events.patch 100 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-block-backend-expose-bs-bl.max_transfer_length.patch 66 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch 16 ●●●● patch | view | raw | blame | history
SOURCES/kvm-block-jobs-qemu-kvm-rhel-differentiation.patch 141 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-block-raw-posix-Open-file-descriptor-O_RDWR-to-work-.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-block-vmdk-fixed-sizeof-error.patch 50 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-block-vmdk-make-ret-variable-usage-clear.patch 86 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-block-vmdk-move-string-allocations-from-stack-to-the.patch 146 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-check-qjson-Add-test-for-JSON-nesting-depth-limit.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-cutils-Support-P-and-E-suffixes-in-strtosz.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-e1000-eliminate-infinite-loops-on-out-of-bounds-tran.patch 109 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-ehci-clear-suspend-bit-on-detach.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch 7 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-hw-input-hid.c-Fix-capslock-hid-code.patch 50 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-ide-test-fix-failure-for-test_flush.patch 113 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-json-parser-drop-superfluous-assignment-for-token-va.patch 97 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-json-streamer-Don-t-leak-tokens-on-incomplete-parse.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-json-streamer-fix-double-free-on-exiting-during-a-pa.patch 64 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-nbd-Always-call-close_fn-in-nbd_client_new.patch 112 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-nbd-client_close-on-error-in-nbd_co_client_start.patch 50 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-nbd-server-Coroutine-based-negotiation.patch 262 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-nbd-server-Set-O_NONBLOCK-on-client-fd.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-net-Make-qmp_query_rx_filter-with-name-argument-more.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-pc-set-the-OEM-fields-in-the-RSDT-and-the-FADT-from-.patch 133 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Check-for-trailing-chars.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Correct-error-messages.patch 218 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Don-t-use-global-bs-in-command-implementatio.patch 737 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Factor-out-qemuio_command.patch 163 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Handle-cvtnum-errors-in-alloc.patch 56 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Interface-cleanup.patch 240 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Make-cvtnum-a-wrapper-around-strtosz_suffix.patch 112 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Move-command_loop-and-friends.patch 369 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Move-functions-for-registering-and-running-c.patch 551 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Move-help-function.patch 223 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Move-qemu_strsep-to-cutils.c.patch 107 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Move-quit-function.patch 119 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Move-remaining-helpers-from-cmd.c.patch 330 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Remove-unused-args_command.patch 141 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Split-off-commands-to-qemu-io-cmds.c.patch 3789 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-Use-the-qemu-version-for-V.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-io-fix-cvtnum-lval-types.patch 360 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Apply-nesting-limit-more-sanely.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Convert-to-parser-to-recursive-descent.patch 328 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Don-t-crash-when-input-exceeds-nesting-limit.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Give-each-of-the-six-structural-chars-its-own-.patch 222 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Inline-token_is_escape-and-simplify.patch 97 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Inline-token_is_keyword-and-simplify.patch 81 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Limit-number-of-tokens-in-addition-to-total-si.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-Spell-out-some-silent-assumptions.patch 81 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-replace-QString-in-JSONLexer-with-GString.patch 195 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-store-tokens-in-a-GQueue.patch 332 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qjson-surprise-allocating-6-QObjects-per-token-is-ex.patch 412 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qxl-Fix-new-function-name-for-spice-server-library.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qxl-allow-to-specify-head-limit-to-qxl-driver.patch 120 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qxl-factor-out-qxl_get_check_slot_offset.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qxl-fix-qxl_set_dirty-call-in-qxl_dirty_one_surface.patch 79 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qxl-fix-surface-migration.patch 124 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qxl-store-memory-region-and-offset-instead-of-pointe.patch 109 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-raw-posix-Fetch-max-sectors-for-host-block-device.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch 12 ●●●● patch | view | raw | blame | history
SOURCES/kvm-rbd-fix-ceph-settings-precedence.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/kvm-rtl8139-Do-not-consume-the-packet-during-overflow-in.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-rtl8139-Fix-receive-buffer-overflow-check.patch 64 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-scsi-Advertise-limits-by-blocksize-not-512.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-scsi-generic-Merge-block-max-xfer-len-in-INQUIRY-res.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-seccomp-adding-sysinfo-system-call-to-whitelist.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-spice-do-not-require-TCP-ports.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-Add-more-Intel-AVX-512-instructions-supp.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-Add-support-for-FEAT_7_0_ECX.patch 147 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-add-Skylake-Client-cpu-model.patch 92 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-add-feature-flags-for-CPUID-EAX-0xd-ECX-.patch 168 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-get-put-MSR_TSC_AUX-across-reset-and-mig.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-trace-remove-malloc-tracing.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-util-Fix-MIN_NON_ZERO.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-util-introduce-MIN_NON_ZERO.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch 15 ●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-add-sr_vbe-register-set.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-add-vbe_enabled-helper.patch 14 ●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-factor-out-vga-register-setup.patch 14 ●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-fix-banked-access-bounds-checking-CVE-2016-xxxx.patch 15 ●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch 14 ●●●● patch | view | raw | blame | history
SOURCES/kvm-vga-update-vga-register-setup-on-vbe-changes.patch 14 ●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-error-out-if-guest-exceeds-virtqueue-size.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-recalculate-vq-inuse-after-migration.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-scsi-Prevent-assertion-on-missed-events.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-validate-the-existence-of-handle_output-befor.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Check-descriptor-file-length-when-reading-it.patch 56 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Clean-up-descriptor-file-reading.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Create-streamOptimized-as-version-3.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Fix-calculation-of-block-status-s-offset.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Fix-comment-to-match-code-of-extent-lines.patch 56 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Fix-converting-to-streamOptimized.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Fix-index_in_cluster-calculation-in-vmdk_co_get.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Fix-next_cluster_sector-for-compressed-write.patch 70 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Fix-next_cluster_sector-for-compressed-write2.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Leave-bdi-intact-if-ENOTSUP-in-vmdk_get_info.patch 74 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Remove-unnecessary-initialization.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Set-errp-on-failures-in-vmdk_open_vmdk4.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Use-g_random_int-to-generate-CID.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Use-vmdk_find_index_in_cluster-everywhere.patch 71 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmdk-Widen-before-shifting-32-bit-header-field.patch 47 ●●●●● patch | view | raw | blame | history
SPECS/qemu-kvm.spec 669 ●●●● patch | view | raw | blame | history
SOURCES/kvm-Add-skip_dump-flag-to-ignore-memory-region-during-du.patch
New file
@@ -0,0 +1,129 @@
From 0ae4c882404b4590c34bb9b03a86f9389413fd1c Mon Sep 17 00:00:00 2001
From: Alex Williamson <alex.williamson@redhat.com>
Date: Wed, 7 Sep 2016 14:09:52 +0200
Subject: [PATCH 2/2] Add skip_dump flag to ignore memory region during dump
RH-Author: Alex Williamson <alex.williamson@redhat.com>
Message-id: <20160907140817.21968.47551.stgit@gimli.home>
Patchwork-id: 72264
O-Subject: [RHEL7.3 qemu-kvm PATCH v2] Add skip_dump flag to ignore memory region during dump
Bugzilla: 1373088
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Auger Eric <eric.auger@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Bugzilla: 1373088
Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11713365
Upstream: e4dc3f5909ab90520bc1a27b381c3017ff65ed68
The PCI MMIO might be disabled or the device in the reset state.
Make sure we do not dump these memory regions.
Signed-off-by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/misc/vfio.c        |  1 +
 include/exec/memory.h | 19 +++++++++++++++++++
 memory.c              | 10 ++++++++++
 memory_mapping.c      |  3 ++-
 4 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 36b9832..4fdc09a 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -2596,6 +2596,7 @@ static int vfio_mmap_bar(VFIOBAR *bar, MemoryRegion *mem, MemoryRegion *submem,
         }
         memory_region_init_ram_ptr(submem, name, size, *map);
+        memory_region_set_skip_dump(submem);
     } else {
 empty_region:
         /* Create a zero sized sub-region to make cleanup easy. */
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 3bbe378..448d501 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -126,6 +126,7 @@ struct MemoryRegion {
     bool terminates;
     bool romd_mode;
     bool ram;
+    bool skip_dump;
     bool readonly; /* For RAM regions */
     bool enabled;
     bool rom_device;
@@ -353,6 +354,24 @@ uint64_t memory_region_size(MemoryRegion *mr);
 bool memory_region_is_ram(MemoryRegion *mr);
 /**
+ * memory_region_is_skip_dump: check whether a memory region should not be
+ *                             dumped
+ *
+ * Returns %true is a memory region should not be dumped(e.g. VFIO BAR MMAP).
+ *
+ * @mr: the memory region being queried
+ */
+bool memory_region_is_skip_dump(MemoryRegion *mr);
+
+/**
+ * memory_region_set_skip_dump: Set skip_dump flag, dump will ignore this memory
+ *                              region
+ *
+ * @mr: the memory region being queried
+ */
+void memory_region_set_skip_dump(MemoryRegion *mr);
+
+/**
  * memory_region_is_romd: check whether a memory region is in ROMD mode
  *
  * Returns %true if a memory region is a ROM device and currently set to allow
diff --git a/memory.c b/memory.c
index a71d096..7bd6e87 100644
--- a/memory.c
+++ b/memory.c
@@ -957,6 +957,11 @@ void memory_region_init_ram_ptr(MemoryRegion *mr,
     mr->ram_addr = qemu_ram_alloc_from_ptr(size, ptr, mr);
 }
+void memory_region_set_skip_dump(MemoryRegion *mr)
+{
+    mr->skip_dump = true;
+}
+
 void memory_region_init_alias(MemoryRegion *mr,
                               const char *name,
                               MemoryRegion *orig,
@@ -1047,6 +1052,11 @@ bool memory_region_is_ram(MemoryRegion *mr)
     return mr->ram;
 }
+bool memory_region_is_skip_dump(MemoryRegion *mr)
+{
+    return mr->skip_dump;
+}
+
 bool memory_region_is_logging(MemoryRegion *mr)
 {
     return mr->dirty_log_mask;
diff --git a/memory_mapping.c b/memory_mapping.c
index 65082d8..a4d59b7 100644
--- a/memory_mapping.c
+++ b/memory_mapping.c
@@ -203,7 +203,8 @@ static void guest_phys_blocks_region_add(MemoryListener *listener,
     GuestPhysBlock *predecessor;
     /* we only care about RAM */
-    if (!memory_region_is_ram(section->mr)) {
+    if (!memory_region_is_ram(section->mr) ||
+        memory_region_is_skip_dump(section->mr)) {
         return;
     }
--
1.8.3.1
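Review bot: The new `skip_dump` field added to struct MemoryRegion in the include/exec/memory.h hunk is never explicitly initialized; memory_region_init() is outside this patch, and if it assigns fields one by one instead of zeroing the struct (as the explicit bool neighbours `ram`, `readonly`, `enabled` suggest it may), a MemoryRegion embedded in non-zeroed storage could start with a stale `skip_dump` and silently drop RAM from guest dumps. Add `mr->skip_dump = false;` next to the other defaults in memory_region_init(), or confirm that every MemoryRegion is zero-allocated before this is relied on. Two doc nits in the same header hunk: `Returns %true is a memory region should not be dumped(e.g. VFIO BAR MMAP).` should read `Returns %true if a memory region should not be dumped (e.g. VFIO BAR MMAP).`, and the setter's `@mr: the memory region being queried` should say `@mr: the memory region to flag`.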
SOURCES/kvm-BlockLimits-introduce-max_transfer_length.patch
New file
@@ -0,0 +1,66 @@
From fea907b6897cb3e644dcee3c537ce6e64d7850ed Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Mon, 11 Jul 2016 05:33:35 +0200
Subject: [PATCH 2/7] BlockLimits: introduce max_transfer_length
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1468215219-30793-3-git-send-email-famz@redhat.com>
Patchwork-id: 71106
O-Subject: [RHEL-7.3 qemu-kvm PATCH 2/6] BlockLimits: introduce max_transfer_length
Bugzilla: 1318199
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
From: Peter Lieven <pl@kamp.de>
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2647fab57d5d5e38b36f8dbda367d688045e6a2d)
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block.c                   | 4 ++++
 include/block/block_int.h | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/block.c b/block.c
index ecb2b09..ae756aa 100644
--- a/block.c
+++ b/block.c
@@ -481,6 +481,7 @@ void bdrv_refresh_limits(BlockDriverState *bs, Error **errp)
             return;
         }
         bs->bl.opt_transfer_length = bs->file->bl.opt_transfer_length;
+        bs->bl.max_transfer_length = bs->file->bl.max_transfer_length;
         bs->bl.opt_mem_alignment = bs->file->bl.opt_mem_alignment;
     } else {
         bs->bl.opt_mem_alignment = 512;
@@ -495,6 +496,9 @@ void bdrv_refresh_limits(BlockDriverState *bs, Error **errp)
         bs->bl.opt_transfer_length =
             MAX(bs->bl.opt_transfer_length,
                 bs->backing_hd->bl.opt_transfer_length);
+        bs->bl.max_transfer_length =
+            MIN_NON_ZERO(bs->bl.max_transfer_length,
+                         bs->backing_hd->bl.max_transfer_length);
         bs->bl.opt_mem_alignment =
             MAX(bs->bl.opt_mem_alignment,
                 bs->backing_hd->bl.opt_mem_alignment);
diff --git a/include/block/block_int.h b/include/block/block_int.h
index 3f86649..28c34d8 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -240,6 +240,9 @@ typedef struct BlockLimits {
     /* optimal transfer length in sectors */
     int opt_transfer_length;
+    /* maximal transfer length in sectors */
+    int max_transfer_length;
+
     /* memory alignment so that no bounce buffer is needed */
     size_t opt_mem_alignment;
 } BlockLimits;
--
1.8.3.1
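Review bot: The block.c hunk relies on MIN_NON_ZERO(), which this patch does not define; the same import carries kvm-util-introduce-MIN_NON_ZERO.patch and kvm-util-Fix-MIN_NON_ZERO.patch, so the spec must apply both before this one or the build breaks, and the existence of a Fix patch suggests the first version of the macro was not correct, so ordering matters for the computed limit too. The block_int.h comment should also spell out the sentinel that the MIN_NON_ZERO merge depends on: `/* maximal transfer length in sectors, 0 means no limit */`. Whether bs->bl is zeroed at the top of bdrv_refresh_limits() (so a bs with neither file nor backing_hd ends up with 0 rather than a stale value) is outside the hunk and worth confirming.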
SOURCES/kvm-Fix-backport-of-target-i386-add-feature-flags-for-CP.patch
New file
@@ -0,0 +1,84 @@
From 7530a2f3975b76711467226f8b279baf36d92e46 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Tue, 6 Sep 2016 21:45:05 +0200
Subject: [PATCH 1/2] Fix backport of "target-i386: add feature flags for
 CPUID[EAX=0xd, ECX=1]"
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
Message-id: <1473198305-8442-1-git-send-email-ehabkost@redhat.com>
Patchwork-id: 72260
O-Subject: [RHEL-7.3 qemu-kvm PATCH] Fix backport of "target-i386: add feature flags for CPUID[EAX=0xd, ECX=1]"
Bugzilla: 1371619
RH-Acked-by: Bandan Das <bsd@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
Upstream status: commit 0bb0b2d2fe7f645ddaf1f0ff40ac669c9feb4aa1
commit 5fcaf5176d7545518c76f3aa8ea7ce6fb063c62d (the backport of
upstream commit 0bb0b2d2fe7f645ddaf1f0ff40ac669c9feb4aa1) had a
serious bug: as the qemu-kvm-1.5.3 code doesn't have
FeatureWordInfo and loops for assigning cpu->features,
cpu->features[FEAT_XSAVE] was always zero, so that commit
basically cleared all XSAVE feature bits in all CPU models.
Fix it by handling FEAT_XSAVE everywhere it matters: in the
plus_features/minus_features handling, in the loading of CPU
model definition, and kvm_cpu_fill_host().
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 target-i386/cpu.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 80106ba..1001c47 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -1201,6 +1201,8 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
     } else {
         x86_cpu_def->features[FEAT_7_0_EBX] = 0;
     }
+    x86_cpu_def->features[FEAT_XSAVE] =
+                kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);
     x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX);
     x86_cpu_def->features[FEAT_8000_0001_EDX] =
@@ -1281,6 +1283,9 @@ static int kvm_check_features_against_host(X86CPU *cpu)
         {&env->features[FEAT_7_0_EBX],
             &host_def.features[FEAT_7_0_EBX],
             FEAT_7_0_EBX },
+        {&env->features[FEAT_XSAVE],
+            &host_def.features[FEAT_XSAVE],
+            FEAT_XSAVE },
         {&env->features[FEAT_SVM],
             &host_def.features[FEAT_SVM],
             FEAT_SVM },
@@ -1819,6 +1824,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
     env->features[FEAT_KVM] |= plus_features[FEAT_KVM];
     env->features[FEAT_SVM] |= plus_features[FEAT_SVM];
     env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX];
+    env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE];
     env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX];
     env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX];
     env->features[FEAT_8000_0001_EDX] &= ~minus_features[FEAT_8000_0001_EDX];
@@ -1827,6 +1833,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp)
     env->features[FEAT_KVM] &= ~minus_features[FEAT_KVM];
     env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM];
     env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX];
+    env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE];
 out:
     return;
@@ -1962,6 +1969,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp)
     env->features[FEAT_SVM] = def->features[FEAT_SVM];
     env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX];
     env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX];
+    env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE];
     env->cpuid_xlevel2 = def->xlevel2;
     object_property_set_str(OBJECT(cpu), def->model_id, "model-id", errp);
--
1.8.3.1
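Review bot: In the kvm_cpu_fill_host() hunk the new CPUID leaf 0xd/1 read is unconditional, whereas the FEAT_7_0_EBX assignment directly above is guarded and zeroed in an else branch; the unguarded form is only safe if kvm_arch_get_supported_cpuid() returns 0 for leaves the host does not report, which the hunk does not show. Either mirror the guard used for FEAT_7_0_EBX or, once confirmed, annotate the assignment with `/* kvm_arch_get_supported_cpuid() yields 0 when leaf 0xd is absent */`. The continuation line `kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX);` is indented 16 spaces while the other continuation lines in these hunks use 4. kvm_cpu_fill_host(), kvm_check_features_against_host(), cpu_x86_parse_featurestr() and cpu_x86_register() all extend beyond the hunks shown.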
SOURCES/kvm-Make-qemu-io-commands-available-in-HMP.patch
New file
@@ -0,0 +1,132 @@
From 6b7e23d3e8ff46e638c9dcd769681b2e1b9da08e Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Mon, 23 Nov 2015 17:38:35 +0100
Subject: [PATCH 16/27] Make qemu-io commands available in HMP
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1448300320-7772-17-git-send-email-jsnow@redhat.com>
Patchwork-id: 68443
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 16/21] Make qemu-io commands available in HMP
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
It was decided to not make this command available in QMP in order to
make clear that this is not supposed to be a stable API and should be
used only for testing and debugging purposes.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 587da2c39c9ace168f4d01fa446a54ae998a2553)
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 Makefile        |  2 +-
 Makefile.objs   |  1 +
 hmp-commands.hx | 16 ++++++++++++++++
 hmp.c           | 18 ++++++++++++++++++
 hmp.h           |  1 +
 5 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index f403057..76eb694 100644
--- a/Makefile
+++ b/Makefile
@@ -205,7 +205,7 @@ qemu-img.o: qemu-img-cmds.h
 qemu-img$(EXESUF): qemu-img.o $(block-obj-y) libqemuutil.a libqemustub.a
 qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) libqemuutil.a libqemustub.a
-qemu-io$(EXESUF): qemu-io.o qemu-io-cmds.o $(block-obj-y) libqemuutil.a libqemustub.a
+qemu-io$(EXESUF): qemu-io.o $(block-obj-y) libqemuutil.a libqemustub.a
 qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o
diff --git a/Makefile.objs b/Makefile.objs
index f83a5b2..74f722e 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -13,6 +13,7 @@ block-obj-$(CONFIG_POSIX) += aio-posix.o
 block-obj-$(CONFIG_WIN32) += aio-win32.o
 block-obj-y += block/
 block-obj-y += qapi-types.o qapi-visit.o
+block-obj-y += qemu-io-cmds.o
 block-obj-y += qemu-coroutine.o qemu-coroutine-lock.o qemu-coroutine-io.o
 block-obj-y += qemu-coroutine-sleep.o
diff --git a/hmp-commands.hx b/hmp-commands.hx
index 58498f7..7e1855a 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1592,6 +1592,22 @@ Removes the chardev @var{id}.
 ETEXI
     {
+        .name       = "qemu-io",
+        .args_type  = "device:B,command:s",
+        .params     = "[device] \"[command]\"",
+        .help       = "run a qemu-io command on a block device",
+        .mhandler.cmd = hmp_qemu_io,
+    },
+
+STEXI
+@item qemu-io @var{device} @var{command}
+@findex qemu-io
+
+Executes a qemu-io command on the given block device.
+
+ETEXI
+
+    {
         .name       = "info",
         .args_type  = "item:s?",
         .params     = "[subcommand]",
diff --git a/hmp.c b/hmp.c
index 1805926..e1d92f4 100644
--- a/hmp.c
+++ b/hmp.c
@@ -22,6 +22,7 @@
 #include "qemu/sockets.h"
 #include "monitor/monitor.h"
 #include "ui/console.h"
+#include "qemu-io.h"
 static void hmp_handle_error(Monitor *mon, Error **errp)
 {
@@ -1448,3 +1449,20 @@ void hmp_chardev_remove(Monitor *mon, const QDict *qdict)
     qmp_chardev_remove(qdict_get_str(qdict, "id"), &local_err);
     hmp_handle_error(mon, &local_err);
 }
+
+void hmp_qemu_io(Monitor *mon, const QDict *qdict)
+{
+    BlockDriverState *bs;
+    const char* device = qdict_get_str(qdict, "device");
+    const char* command = qdict_get_str(qdict, "command");
+    Error *err = NULL;
+
+    bs = bdrv_find(device);
+    if (bs) {
+        qemuio_command(bs, command);
+    } else {
+        error_set(&err, QERR_DEVICE_NOT_FOUND, device);
+    }
+
+    hmp_handle_error(mon, &err);
+}
diff --git a/hmp.h b/hmp.h
index 9b2c9ce..b27ef3d 100644
--- a/hmp.h
+++ b/hmp.h
@@ -86,5 +86,6 @@ void hmp_nbd_server_add(Monitor *mon, const QDict *qdict);
 void hmp_nbd_server_stop(Monitor *mon, const QDict *qdict);
 void hmp_chardev_add(Monitor *mon, const QDict *qdict);
 void hmp_chardev_remove(Monitor *mon, const QDict *qdict);
+void hmp_qemu_io(Monitor *mon, const QDict *qdict);
 #endif
--
1.8.3.1
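Review bot: hmp_qemu_io() passes an arbitrary command string to qemuio_command() against any block device reachable by name, but neither the `.help` text nor the STEXI entry in the hmp-commands.hx hunk says what the commit message does: that this is a testing and debugging aid, not a stable interface, and that it can read and write guest disk contents. Extend the STEXI text to `Executes a qemu-io command on the given block device. Intended for testing and debugging only; this is not a stable interface.` The declarations `const char* device` and `const char* command` bind the `*` to the type, contrary to the `const char *` form used by the surrounding QEMU code. Whether qemuio_command() reports failures to its caller is not visible here; if it does, the result should be converted into an error handed to hmp_handle_error() rather than dropped.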
SOURCES/kvm-acpi-add-function-to-extract-oem_id-and-oem_table_id.patch
New file
@@ -0,0 +1,89 @@
From 5ccdcc1c49246cce9b1536e28a4977c65d72531c Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:47 +0200
Subject: [PATCH 08/10] acpi: add function to extract oem_id and oem_table_id
 from the user's SLIC
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-7-git-send-email-lersek@redhat.com>
Patchwork-id: 70383
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 6/7] acpi: add function to extract oem_id and oem_table_id from the user's SLIC
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
The acpi_get_slic_oem() function stores pointers to these fields in the
(first) SLIC table that the user passes in with the -acpitable switch.
Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Richard W.M. Jones <rjones@redhat.com>
Cc: Aleksei Kovura <alex3kov@zoho.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Cc: Steven Newbury <steve@snewbury.org.uk>
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758
LP: https://bugs.launchpad.net/qemu/+bug/1533848
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Steven Newbury <steve@snewbury.org.uk>
(cherry picked from commit 88594e4fd1e916b778968b2bdd8d7375ca2fe8d8)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 include/hw/acpi/acpi.h |  7 +++++++
 hw/acpi/core.c         | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/acpi/core.c         | 16 ++++++++++++++++
 include/hw/acpi/acpi.h |  7 +++++++
 2 files changed, 23 insertions(+)
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 88efba7..99c5918 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -349,6 +349,22 @@ uint8_t *acpi_table_next(uint8_t *current)
     }
 }
+int acpi_get_slic_oem(AcpiSlicOem *oem)
+{
+    uint8_t *u;
+
+    for (u = acpi_table_first(); u; u = acpi_table_next(u)) {
+        struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
+
+        if (memcmp(hdr->sig, "SLIC", 4) == 0) {
+            oem->id = hdr->oem_id;
+            oem->table_id = hdr->oem_table_id;
+            return 0;
+        }
+    }
+    return -1;
+}
+
 static void acpi_notify_wakeup(Notifier *notifier, void *data)
 {
     ACPIREGS *ar = container_of(notifier, ACPIREGS, wakeup);
diff --git a/include/hw/acpi/acpi.h b/include/hw/acpi/acpi.h
index bb7136d..1e59ec9 100644
--- a/include/hw/acpi/acpi.h
+++ b/include/hw/acpi/acpi.h
@@ -171,4 +171,11 @@ unsigned acpi_table_len(void *current);
 void acpi_table_add(const QemuOpts *opts, Error **errp);
 void acpi_table_add_builtin(const QemuOpts *opts, Error **errp);
+typedef struct AcpiSlicOem AcpiSlicOem;
+struct AcpiSlicOem {
+  char *id;
+  char *table_id;
+};
+int acpi_get_slic_oem(AcpiSlicOem *oem);
+
 #endif /* !QEMU_HW_ACPI_H */
--
1.8.3.1
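Review bot: acpi_get_slic_oem() stores raw pointers into the ACPI table header, and the OEMID and OEM Table ID fields are fixed-width (6 and 8 bytes in the ACPI table header) with no NUL terminator, yet AcpiSlicOem declares them as bare `char *` with no length, inviting callers to treat them as C strings. Document this in the include/hw/acpi/acpi.h hunk, e.g. `/* Pointers into the SLIC table header: id is 6 bytes, table_id 8 bytes, neither NUL-terminated; valid as long as the table storage lives. */`, or add explicit length fields. The initializer `struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));` uses hdr inside its own declaration; it is legal because sizeof is unevaluated, but `sizeof(((struct acpi_table_header *)0)->_length)` or a named constant for the length prefix would read more clearly. The struct body in acpi.h is indented with 2 spaces, unlike the 4-space style of the core.c hunk.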
SOURCES/kvm-acpi-expose-oem_id-and-oem_table_id-in-build_rsdt.patch
New file
@@ -0,0 +1,92 @@
From 39f2d80c57f648afd2eab27816e8f93cf48e718d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:46 +0200
Subject: [PATCH 07/10] acpi: expose oem_id and oem_table_id in build_rsdt()
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-6-git-send-email-lersek@redhat.com>
Patchwork-id: 70382
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 5/7] acpi: expose oem_id and oem_table_id in build_rsdt()
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
Since build_rsdt() is implemented as common utility code (in
"hw/acpi/aml-build.c"), it should expose -- and forward -- the oem_id and
oem_table_id parameters between board code and the generic build_header()
function.
Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Shannon Zhao <zhaoshenglong@huawei.com> (maintainer:ARM ACPI Subsystem)
Cc: Paolo Bonzini <pbonzini@redhat.com> (maintainer:X86)
Cc: Richard W.M. Jones <rjones@redhat.com>
Cc: Aleksei Kovura <alex3kov@zoho.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Cc: Steven Newbury <steve@snewbury.org.uk>
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758
LP: https://bugs.launchpad.net/qemu/+bug/1533848
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
(cherry picked from commit 5151355898699eb66fad0a710b8b6011690a0dfc)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    hw/acpi/aml-build.c
    hw/arm/virt-acpi-build.c
    hw/i386/acpi-build.c
    include/hw/acpi/aml-build.h
RHEL-7 backport note: this is actually a manual reimplementation of the
upstream patch, which is mostly mechanic. A clean cherry-pick would depend
on a lot of reorganizational upstream patches (e.g., 658c27181bf3
("hw/i386/acpi-build: move generic acpi building helpers into dedictated
file")), and many new features that overlap with ACPI generation (e.g.,
the "virt" machtype of the arm/aarch64 targets).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 hw/i386/acpi-build.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
---
 hw/i386/acpi-build.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 4839b0e..d9433e6 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -951,7 +951,8 @@ build_dsdt(GArray *table_data, GArray *linker, AcpiMiscInfo *misc)
 /* Build final rsdt table */
 static void
-build_rsdt(GArray *table_data, GArray *linker, GArray *table_offsets)
+build_rsdt(GArray *table_data, GArray *linker, GArray *table_offsets,
+           const char *oem_id, const char *oem_table_id)
 {
     AcpiRsdtDescriptorRev1 *rsdt;
     size_t rsdt_len;
@@ -970,7 +971,7 @@ build_rsdt(GArray *table_data, GArray *linker, GArray *table_offsets)
                                        sizeof(uint32_t));
     }
     build_header(linker, table_data,
-                 (void *)rsdt, "RSDT", rsdt_len, 1, NULL, NULL);
+                 (void *)rsdt, "RSDT", rsdt_len, 1, oem_id, oem_table_id);
 }
 static GArray *
@@ -1126,7 +1127,7 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     /* RSDT is pointed to by RSDP */
     rsdt = tables->table_data->len;
-    build_rsdt(tables->table_data, tables->linker, table_offsets);
+    build_rsdt(tables->table_data, tables->linker, table_offsets, NULL, NULL);
     /* RSDP is in FSEG memory, so allocate it separately */
     build_rsdp(tables->rsdp, tables->linker, rsdt);
--
1.8.3.1
SOURCES/kvm-acpi-fix-endian-ness-for-table-ids.patch
New file
@@ -0,0 +1,249 @@
From 87f01cd69488bf39e80c422b92717029fed0bef6 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:43 +0200
Subject: [PATCH 04/10] acpi: fix endian-ness for table ids
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-3-git-send-email-lersek@redhat.com>
Patchwork-id: 70379
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 2/7] acpi: fix endian-ness for table ids
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: "Michael S. Tsirkin" <mst@redhat.com>
when using signature for table ID, we forgot to byte-swap it.
signatures are really ASCII strings, let's treat them as such.
While at it, get rid of most of _SIGNATURE macros.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 821e3227863ea8db057190e578efa0f1f57ed9de)
RHEL-7 backport notes: this patch is being backported only to decrease the
number of conflicts in the upcoming patches; we only support x86_64 hosts,
which is unaffected by the endianness issue described in the upstream
commit message.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 hw/i386/acpi-defs.h  | 14 --------------
 hw/i386/acpi-build.c | 31 ++++++++++++++++---------------
 2 files changed, 16 insertions(+), 29 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/i386/acpi-build.c | 31 ++++++++++++++++---------------
 hw/i386/acpi-defs.h  | 14 --------------
 2 files changed, 16 insertions(+), 29 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a3a4c3b..be32bc3 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -243,14 +243,14 @@ static void acpi_get_pci_info(PcPciInfo *info)
 static void
 build_header(GArray *linker, GArray *table_data,
-             AcpiTableHeader *h, uint32_t sig, int len, uint8_t rev)
+             AcpiTableHeader *h, const char *sig, int len, uint8_t rev)
 {
-    h->signature = cpu_to_le32(sig);
+    memcpy(&h->signature, sig, 4);
     h->length = cpu_to_le32(len);
     h->revision = rev;
     memcpy(h->oem_id, ACPI_BUILD_APPNAME6, 6);
     memcpy(h->oem_table_id, ACPI_BUILD_APPNAME4, 4);
-    memcpy(h->oem_table_id + 4, (void *)&sig, 4);
+    memcpy(h->oem_table_id + 4, sig, 4);
     h->oem_revision = cpu_to_le32(1);
     memcpy(h->asl_compiler_id, ACPI_BUILD_APPNAME4, 4);
     h->asl_compiler_revision = cpu_to_le32(1);
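Review bot: build_header() now takes `const char *sig` and copies 4 bytes from it twice (`memcpy(&h->signature, sig, 4)` and `memcpy(h->oem_table_id + 4, sig, 4)`) without stating the contract; every caller in this patch passes a 4-character literal, but a shorter string from a future caller would be over-read. Document it on the function, `/* sig: exactly 4 ASCII bytes (not a general C string); copied verbatim into the signature and the tail of oem_table_id. */`, or pin it with `assert(strlen(sig) == 4);` at the top of the body. build_header()'s body continues outside this hunk.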
@@ -463,7 +463,7 @@ static void
 build_facs(GArray *table_data, GArray *linker, PcGuestInfo *guest_info)
 {
     AcpiFacsDescriptorRev1 *facs = acpi_data_push(table_data, sizeof *facs);
-    facs->signature = cpu_to_le32(ACPI_FACS_SIGNATURE);
+    memcpy(&facs->signature, "FACS", 4);
     facs->length = cpu_to_le32(sizeof(*facs));
 }
@@ -520,7 +520,7 @@ build_fadt(GArray *table_data, GArray *linker, AcpiPmInfo *pm,
     fadt_setup(fadt, pm);
     build_header(linker, table_data,
-                 (void *)fadt, ACPI_FACP_SIGNATURE, sizeof(*fadt), 1);
+                 (void *)fadt, "FACP", sizeof(*fadt), 1);
 }
 static void
@@ -589,7 +589,7 @@ build_madt(GArray *table_data, GArray *linker, AcpiCpuInfo *cpu,
     local_nmi->lint         = 1; /* ACPI_LINT1 */
     build_header(linker, table_data,
-                 (void *)(table_data->data + madt_start), ACPI_APIC_SIGNATURE,
+                 (void *)(table_data->data + madt_start), "APIC",
                  table_data->len - madt_start, 1);
 }
@@ -782,7 +782,7 @@ build_ssdt(GArray *table_data, GArray *linker,
     build_header(linker, table_data,
                  (void *)(table_data->data + ssdt_start),
-                 ACPI_SSDT_SIGNATURE, table_data->len - ssdt_start, 1);
+                 "SSDT", table_data->len - ssdt_start, 1);
 }
 static void
@@ -797,7 +797,7 @@ build_hpet(GArray *table_data, GArray *linker)
     hpet->timer_block_id = cpu_to_le32(0x8086a201);
     hpet->addr.address = cpu_to_le64(HPET_BASE);
     build_header(linker, table_data,
-                 (void *)hpet, ACPI_HPET_SIGNATURE, sizeof(*hpet), 1);
+                 (void *)hpet, "HPET", sizeof(*hpet), 1);
 }
 static void
@@ -889,7 +889,7 @@ build_srat(GArray *table_data, GArray *linker,
     build_header(linker, table_data,
                  (void *)(table_data->data + srat_start),
-                 ACPI_SRAT_SIGNATURE,
+                 "SRAT",
                  table_data->len - srat_start, 1);
 }
@@ -897,7 +897,7 @@ static void
 build_mcfg_q35(GArray *table_data, GArray *linker, AcpiMcfgInfo *info)
 {
     AcpiTableMcfg *mcfg;
-    uint32_t sig;
+    const char *sig;
     int len = sizeof(*mcfg) + 1 * sizeof(mcfg->allocation[0]);
     mcfg = acpi_data_push(table_data, len);
@@ -914,9 +914,10 @@ build_mcfg_q35(GArray *table_data, GArray *linker, AcpiMcfgInfo *info)
      * ACPI spec requires OSPMs to ignore such tables.
      */
     if (info->mcfg_base == PCIE_BASE_ADDR_UNMAPPED) {
-        sig = ACPI_RSRV_SIGNATURE;
+        /* Reserved signature: ignored by OSPM */
+        sig = "QEMU";
     } else {
-        sig = ACPI_MCFG_SIGNATURE;
+        sig = "MCFG";
     }
     build_header(linker, table_data, (void *)mcfg, sig, len, 1);
 }
@@ -932,7 +933,7 @@ build_dsdt(GArray *table_data, GArray *linker, AcpiMiscInfo *misc)
     memcpy(dsdt, misc->dsdt_code, misc->dsdt_size);
     memset(dsdt, 0, sizeof *dsdt);
-    build_header(linker, table_data, dsdt, ACPI_DSDT_SIGNATURE,
+    build_header(linker, table_data, dsdt, "DSDT",
                  misc->dsdt_size, 1);
 }
@@ -957,7 +958,7 @@ build_rsdt(GArray *table_data, GArray *linker, GArray *table_offsets)
                                        sizeof(uint32_t));
     }
     build_header(linker, table_data,
-                 (void *)rsdt, ACPI_RSDT_SIGNATURE, rsdt_len, 1);
+                 (void *)rsdt, "RSDT", rsdt_len, 1);
 }
 static GArray *
@@ -968,7 +969,7 @@ build_rsdp(GArray *rsdp_table, GArray *linker, unsigned rsdt)
     bios_linker_loader_alloc(linker, ACPI_BUILD_RSDP_FILE, 1,
                              true /* fseg memory */);
-    rsdp->signature = cpu_to_le64(ACPI_RSDP_SIGNATURE);
+    memcpy(&rsdp->signature, "RSD PTR ", 8);
     memcpy(rsdp->oem_id, ACPI_BUILD_APPNAME6, 6);
     rsdp->rsdt_physical_address = cpu_to_le32(rsdt);
     /* Address to be filled by Guest linker */
diff --git a/hw/i386/acpi-defs.h b/hw/i386/acpi-defs.h
index 78ca204..e93babb 100644
--- a/hw/i386/acpi-defs.h
+++ b/hw/i386/acpi-defs.h
@@ -52,8 +52,6 @@ struct Acpi20GenericAddress {
 } QEMU_PACKED;
 typedef struct Acpi20GenericAddress Acpi20GenericAddress;
-#define ACPI_RSDP_SIGNATURE 0x2052545020445352LL // "RSD PTR "
-
 struct AcpiRsdpDescriptor {        /* Root System Descriptor Pointer */
     uint64_t signature;              /* ACPI signature, contains "RSD PTR " */
     uint8_t  checksum;               /* To make sum of struct == 0 */
@@ -92,7 +90,6 @@ typedef struct AcpiTableHeader AcpiTableHeader;
 /*
  * ACPI 1.0 Fixed ACPI Description Table (FADT)
  */
-#define ACPI_FACP_SIGNATURE 0x50434146 // FACP
 struct AcpiFadtDescriptorRev1
 {
     ACPI_TABLE_HEADER_DEF     /* ACPI common table header */
@@ -141,7 +138,6 @@ typedef struct AcpiFadtDescriptorRev1 AcpiFadtDescriptorRev1;
 /*
  * ACPI 1.0 Root System Description Table (RSDT)
  */
-#define ACPI_RSDT_SIGNATURE 0x54445352 // RSDT
 struct AcpiRsdtDescriptorRev1
 {
     ACPI_TABLE_HEADER_DEF       /* ACPI common table header */
@@ -153,7 +149,6 @@ typedef struct AcpiRsdtDescriptorRev1 AcpiRsdtDescriptorRev1;
 /*
  * ACPI 1.0 Firmware ACPI Control Structure (FACS)
  */
-#define ACPI_FACS_SIGNATURE 0x53434146 // FACS
 struct AcpiFacsDescriptorRev1
 {
     uint32_t signature;           /* ACPI Signature */
@@ -169,7 +164,6 @@ typedef struct AcpiFacsDescriptorRev1 AcpiFacsDescriptorRev1;
 /*
  * Differentiated System Description Table (DSDT)
  */
-#define ACPI_DSDT_SIGNATURE 0x54445344 // DSDT
 /*
  * MADT values and structures
@@ -182,7 +176,6 @@ typedef struct AcpiFacsDescriptorRev1 AcpiFacsDescriptorRev1;
 /* Master MADT */
-#define ACPI_APIC_SIGNATURE 0x43495041 // APIC
 struct AcpiMultipleApicTable
 {
     ACPI_TABLE_HEADER_DEF     /* ACPI common table header */
@@ -253,7 +246,6 @@ typedef struct AcpiMadtLocalNmi AcpiMadtLocalNmi;
 /*
  * HPET Description Table
  */
-#define ACPI_HPET_SIGNATURE 0x54455048 // HPET
 struct Acpi20Hpet {
     ACPI_TABLE_HEADER_DEF                    /* ACPI common table header */
     uint32_t           timer_block_id;
@@ -268,7 +260,6 @@ typedef struct Acpi20Hpet Acpi20Hpet;
  * SRAT (NUMA topology description) table
  */
-#define ACPI_SRAT_SIGNATURE 0x54415253 // SRAT
 struct AcpiSystemResourceAffinityTable
 {
     ACPI_TABLE_HEADER_DEF
@@ -316,11 +307,6 @@ struct AcpiMcfgAllocation {
 } QEMU_PACKED;
 typedef struct AcpiMcfgAllocation AcpiMcfgAllocation;
-#define ACPI_MCFG_SIGNATURE 0x4746434d       // MCFG
-
-/* Reserved signature: ignored by OSPM */
-#define ACPI_RSRV_SIGNATURE 0x554d4551       // QEMU
-
 struct AcpiTableMcfg {
     ACPI_TABLE_HEADER_DEF;
     uint8_t reserved[8];
--
1.8.3.1
SOURCES/kvm-acpi-strip-compiler-info-in-built-in-DSDT.patch
New file
@@ -0,0 +1,61 @@
From 464ceecd1e9c070e613624fb896df54b7e4a3e38 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:42 +0200
Subject: [PATCH 03/10] acpi: strip compiler info in built-in DSDT
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-2-git-send-email-lersek@redhat.com>
Patchwork-id: 70378
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 1/7] acpi: strip compiler info in built-in DSDT
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: "Michael S. Tsirkin" <mst@redhat.com>
IASL stores its revision in each table header it generates.
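Review bot: The description says the built-in DSDT is now stamped with QEMU's own header fields, but it does not mention that build_header() also zeroes and then recomputes the table checksum via the linker, which is why a plain field overwrite (without the memset) would not be enough; a sentence saying so would help the next backporter. This is inferred from build_header() being used for the other tables, which is outside this hunk.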
That's not nice since guests will see a change each time they move
between hypervisors.  We generally fill our own info for tables, but we
(and seabios) forgot to do this for the built-in DSDT.
Modifications in DSDT table:
 OEM ID:            "BXPC" -> "BOCHS "
 OEM Table ID:      "BXDSDT" -> "BXPCDSDT"
 Compiler ID:       "INTL" -> "BXPC"
 Compiler Version:  0x20130823 -> 0x00000001
Tested-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 53db092ad1c81c30a617f44e83e8fb9e27c001ba)
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/i386/acpi-build.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 8be1286..a3a4c3b 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -924,10 +924,16 @@ build_mcfg_q35(GArray *table_data, GArray *linker, AcpiMcfgInfo *info)
 static void
 build_dsdt(GArray *table_data, GArray *linker, AcpiMiscInfo *misc)
 {
-    void *dsdt;
+    AcpiTableHeader *dsdt;
+
     assert(misc->dsdt_code && misc->dsdt_size);
+
     dsdt = acpi_data_push(table_data, misc->dsdt_size);
     memcpy(dsdt, misc->dsdt_code, misc->dsdt_size);
+
+    memset(dsdt, 0, sizeof *dsdt);
+    build_header(linker, table_data, dsdt, ACPI_DSDT_SIGNATURE,
+                 misc->dsdt_size, 1);
 }
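Review bot: `memset(dsdt, 0, sizeof *dsdt)` and build_header() write a full AcpiTableHeader into the region just pushed, but the assert on the line above only checks that dsdt_size is non-zero, so a DSDT blob shorter than the header would be overrun. Since the code now depends on the blob holding at least a header, strengthen the existing assertion: `assert(misc->dsdt_code && misc->dsdt_size >= sizeof *dsdt);`. The blob is the built-in DSDT per the commit message, so this is a defensive check rather than an exposure to guest input.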
 /* Build final rsdt table */
--
1.8.3.1
SOURCES/kvm-acpi-support-specified-oem-table-id-for-build_header.patch
New file
@@ -0,0 +1,154 @@
From b36e60614f9c4a6eb3f417422c3cb99402b82963 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:44 +0200
Subject: [PATCH 05/10] acpi: support specified oem table id for build_header
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-4-git-send-email-lersek@redhat.com>
Patchwork-id: 70380
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 3/7] acpi: support specified oem table id for build_header
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Let build_header() support specified OEM table id so that we can build
multiple SSDT later
If the oem table id is not specified (aka, NULL), we use the default id
instead as the previous behavior
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8870ca0e94f2524644812dd759863c0851ffb870)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    hw/acpi/aml-build.c
    hw/arm/virt-acpi-build.c
    hw/i386/acpi-build.c
    include/hw/acpi/aml-build.h
RHEL-7 backport note: this is actually a manual reimplementation of the
upstream patch, which is mostly mechanic. A clean cherry-pick would depend
on a lot of reorganizational upstream patches (e.g., 658c27181bf3
("hw/i386/acpi-build: move generic acpi building helpers into dedictated
file")), and many new features that overlap with ACPI generation (e.g.,
the "virt" machtype of the arm/aarch64 targets).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 hw/i386/acpi-build.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
---
 hw/i386/acpi-build.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index be32bc3..a9d9f97 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -243,14 +243,21 @@ static void acpi_get_pci_info(PcPciInfo *info)
 static void
 build_header(GArray *linker, GArray *table_data,
-             AcpiTableHeader *h, const char *sig, int len, uint8_t rev)
+             AcpiTableHeader *h, const char *sig, int len, uint8_t rev,
+             const char *oem_table_id)
 {
     memcpy(&h->signature, sig, 4);
     h->length = cpu_to_le32(len);
     h->revision = rev;
     memcpy(h->oem_id, ACPI_BUILD_APPNAME6, 6);
-    memcpy(h->oem_table_id, ACPI_BUILD_APPNAME4, 4);
-    memcpy(h->oem_table_id + 4, sig, 4);
+
+    if (oem_table_id) {
+        strncpy((char *)h->oem_table_id, oem_table_id, sizeof(h->oem_table_id));
+    } else {
+        memcpy(h->oem_table_id, ACPI_BUILD_APPNAME4, 4);
+        memcpy(h->oem_table_id + 4, sig, 4);
+    }
+
     h->oem_revision = cpu_to_le32(1);
     memcpy(h->asl_compiler_id, ACPI_BUILD_APPNAME4, 4);
     h->asl_compiler_revision = cpu_to_le32(1);
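Review bot: The `strncpy()` into h->oem_table_id is correct only because the destination is a fixed-width 8-byte ACPI field that is NUL-padded rather than a C string, which is precisely the case that reviewers and GCC's -Wstringop-truncation flag as a bug; a comment would stop the next reader from "fixing" it into snprintf: `/* Fixed-width ACPI field, not a C string: strncpy pads with NULs, no terminator needed. */`. The implicit contract on the source should be stated too: strncpy reads at most 8 bytes, so an unterminated 8-byte source is safe, but any shorter oem_table_id must be NUL-terminated.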
@@ -520,7 +527,7 @@ build_fadt(GArray *table_data, GArray *linker, AcpiPmInfo *pm,
     fadt_setup(fadt, pm);
     build_header(linker, table_data,
-                 (void *)fadt, "FACP", sizeof(*fadt), 1);
+                 (void *)fadt, "FACP", sizeof(*fadt), 1, NULL);
 }
 static void
@@ -590,7 +597,7 @@ build_madt(GArray *table_data, GArray *linker, AcpiCpuInfo *cpu,
     build_header(linker, table_data,
                  (void *)(table_data->data + madt_start), "APIC",
-                 table_data->len - madt_start, 1);
+                 table_data->len - madt_start, 1, NULL);
 }
 /* Encode a hex value */
@@ -782,7 +789,7 @@ build_ssdt(GArray *table_data, GArray *linker,
     build_header(linker, table_data,
                  (void *)(table_data->data + ssdt_start),
-                 "SSDT", table_data->len - ssdt_start, 1);
+                 "SSDT", table_data->len - ssdt_start, 1, NULL);
 }
 static void
@@ -797,7 +804,7 @@ build_hpet(GArray *table_data, GArray *linker)
     hpet->timer_block_id = cpu_to_le32(0x8086a201);
     hpet->addr.address = cpu_to_le64(HPET_BASE);
     build_header(linker, table_data,
-                 (void *)hpet, "HPET", sizeof(*hpet), 1);
+                 (void *)hpet, "HPET", sizeof(*hpet), 1, NULL);
 }
 static void
@@ -890,7 +897,7 @@ build_srat(GArray *table_data, GArray *linker,
     build_header(linker, table_data,
                  (void *)(table_data->data + srat_start),
                  "SRAT",
-                 table_data->len - srat_start, 1);
+                 table_data->len - srat_start, 1, NULL);
 }
 static void
@@ -919,7 +926,7 @@ build_mcfg_q35(GArray *table_data, GArray *linker, AcpiMcfgInfo *info)
     } else {
         sig = "MCFG";
     }
-    build_header(linker, table_data, (void *)mcfg, sig, len, 1);
+    build_header(linker, table_data, (void *)mcfg, sig, len, 1, NULL);
 }
 static void
@@ -934,7 +941,7 @@ build_dsdt(GArray *table_data, GArray *linker, AcpiMiscInfo *misc)
     memset(dsdt, 0, sizeof *dsdt);
     build_header(linker, table_data, dsdt, "DSDT",
-                 misc->dsdt_size, 1);
+                 misc->dsdt_size, 1, NULL);
 }
 /* Build final rsdt table */
@@ -958,7 +965,7 @@ build_rsdt(GArray *table_data, GArray *linker, GArray *table_offsets)
                                        sizeof(uint32_t));
     }
     build_header(linker, table_data,
-                 (void *)rsdt, "RSDT", rsdt_len, 1);
+                 (void *)rsdt, "RSDT", rsdt_len, 1, NULL);
 }
 static GArray *
--
1.8.3.1
SOURCES/kvm-acpi-take-oem_id-in-build_header-optionally.patch
New file
@@ -0,0 +1,157 @@
From 0decede8a51451da8f5913b0ad13c8e3bdcef582 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:45 +0200
Subject: [PATCH 06/10] acpi: take oem_id in build_header(), optionally
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-5-git-send-email-lersek@redhat.com>
Patchwork-id: 70381
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 4/7] acpi: take oem_id in build_header(), optionally
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
This patch is the continuation of commit 8870ca0e94f2 ("acpi: support
specified oem table id for build_header"). It will allow us to control the
OEM ID field too in the SDT header.
Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com> (maintainer:NVDIMM)
Cc: Shannon Zhao <zhaoshenglong@huawei.com> (maintainer:ARM ACPI Subsystem)
Cc: Paolo Bonzini <pbonzini@redhat.com> (maintainer:X86)
Cc: Richard W.M. Jones <rjones@redhat.com>
Cc: Aleksei Kovura <alex3kov@zoho.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Cc: Steven Newbury <steve@snewbury.org.uk>
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758
LP: https://bugs.launchpad.net/qemu/+bug/1533848
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
(cherry picked from commit 37ad223c515da2fe9f1c679768cb5ccaa42e57e1)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    hw/acpi/aml-build.c
    hw/acpi/nvdimm.c
    hw/arm/virt-acpi-build.c
    hw/i386/acpi-build.c
    include/hw/acpi/aml-build.h
RHEL-7 backport note: this is actually a manual reimplementation of the
upstream patch, which is mostly mechanic. A clean cherry-pick would depend
on a lot of reorganizational upstream patches (e.g., 658c27181bf3
("hw/i386/acpi-build: move generic acpi building helpers into dedictated
file")), and many new features that overlap with ACPI generation (e.g.,
the "virt" machtype of the arm/aarch64 targets).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 hw/i386/acpi-build.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
---
 hw/i386/acpi-build.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a9d9f97..4839b0e 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -244,12 +244,17 @@ static void acpi_get_pci_info(PcPciInfo *info)
 static void
 build_header(GArray *linker, GArray *table_data,
              AcpiTableHeader *h, const char *sig, int len, uint8_t rev,
-             const char *oem_table_id)
+             const char *oem_id, const char *oem_table_id)
 {
     memcpy(&h->signature, sig, 4);
     h->length = cpu_to_le32(len);
     h->revision = rev;
-    memcpy(h->oem_id, ACPI_BUILD_APPNAME6, 6);
+
+    if (oem_id) {
+        strncpy((char *)h->oem_id, oem_id, sizeof h->oem_id);
+    } else {
+        memcpy(h->oem_id, ACPI_BUILD_APPNAME6, 6);
+    }
     if (oem_table_id) {
         strncpy((char *)h->oem_table_id, oem_table_id, sizeof(h->oem_table_id));
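Review bot: Style: the new oem_id branch writes `sizeof h->oem_id` while the parallel oem_table_id branch two lines below uses `sizeof(h->oem_table_id)`; the two branches do the same thing and should read identically, `strncpy((char *)h->oem_id, oem_id, sizeof(h->oem_id));`. The bound of 6 also means a caller-supplied oem_id shorter than 6 bytes must be NUL-terminated while an unterminated 6-byte field is safe, which is worth saying in the function's comment since the parameter is a bare `const char *`. build_header()'s body continues outside this hunk.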
@@ -527,7 +532,7 @@ build_fadt(GArray *table_data, GArray *linker, AcpiPmInfo *pm,
     fadt_setup(fadt, pm);
     build_header(linker, table_data,
-                 (void *)fadt, "FACP", sizeof(*fadt), 1, NULL);
+                 (void *)fadt, "FACP", sizeof(*fadt), 1, NULL, NULL);
 }
 static void
@@ -597,7 +602,7 @@ build_madt(GArray *table_data, GArray *linker, AcpiCpuInfo *cpu,
     build_header(linker, table_data,
                  (void *)(table_data->data + madt_start), "APIC",
-                 table_data->len - madt_start, 1, NULL);
+                 table_data->len - madt_start, 1, NULL, NULL);
 }
 /* Encode a hex value */
@@ -789,7 +794,7 @@ build_ssdt(GArray *table_data, GArray *linker,
     build_header(linker, table_data,
                  (void *)(table_data->data + ssdt_start),
-                 "SSDT", table_data->len - ssdt_start, 1, NULL);
+                 "SSDT", table_data->len - ssdt_start, 1, NULL, NULL);
 }
 static void
@@ -804,7 +809,7 @@ build_hpet(GArray *table_data, GArray *linker)
     hpet->timer_block_id = cpu_to_le32(0x8086a201);
     hpet->addr.address = cpu_to_le64(HPET_BASE);
     build_header(linker, table_data,
-                 (void *)hpet, "HPET", sizeof(*hpet), 1, NULL);
+                 (void *)hpet, "HPET", sizeof(*hpet), 1, NULL, NULL);
 }
 static void
@@ -897,7 +902,7 @@ build_srat(GArray *table_data, GArray *linker,
     build_header(linker, table_data,
                  (void *)(table_data->data + srat_start),
                  "SRAT",
-                 table_data->len - srat_start, 1, NULL);
+                 table_data->len - srat_start, 1, NULL, NULL);
 }
 static void
@@ -926,7 +931,7 @@ build_mcfg_q35(GArray *table_data, GArray *linker, AcpiMcfgInfo *info)
     } else {
         sig = "MCFG";
     }
-    build_header(linker, table_data, (void *)mcfg, sig, len, 1, NULL);
+    build_header(linker, table_data, (void *)mcfg, sig, len, 1, NULL, NULL);
 }
 static void
@@ -941,7 +946,7 @@ build_dsdt(GArray *table_data, GArray *linker, AcpiMiscInfo *misc)
     memset(dsdt, 0, sizeof *dsdt);
     build_header(linker, table_data, dsdt, "DSDT",
-                 misc->dsdt_size, 1, NULL);
+                 misc->dsdt_size, 1, NULL, NULL);
 }
 /* Build final rsdt table */
@@ -965,7 +970,7 @@ build_rsdt(GArray *table_data, GArray *linker, GArray *table_offsets)
                                        sizeof(uint32_t));
     }
     build_header(linker, table_data,
-                 (void *)rsdt, "RSDT", rsdt_len, 1, NULL);
+                 (void *)rsdt, "RSDT", rsdt_len, 1, NULL, NULL);
 }
 static GArray *
--
1.8.3.1
SOURCES/kvm-blkdebug-Add-BLKDBG_FLUSH_TO_OS-DISK-events.patch
New file
@@ -0,0 +1,100 @@
From 89f3f5eafd6aed8a79b4570553af711dffc3a1d6 Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Mon, 23 Nov 2015 17:38:36 +0100
Subject: [PATCH 17/27] blkdebug: Add BLKDBG_FLUSH_TO_OS/DISK events
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1448300320-7772-18-git-send-email-jsnow@redhat.com>
Patchwork-id: 68448
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 17/21] blkdebug: Add BLKDBG_FLUSH_TO_OS/DISK events
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit bf736fe34caba0688c9095c31b9d097ea15c1296)
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
  block/blkdebug.c:      debug event ordering
  include/block/block.h: debug event ordering
Signed-off-by: John Snow <jsnow@redhat.com>
---
 block.c               | 8 ++++----
 block/blkdebug.c      | 3 +++
 include/block/block.h | 3 +++
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/block.c b/block.c
index bc6e75c..ecb2b09 100644
--- a/block.c
+++ b/block.c
@@ -4026,13 +4026,11 @@ int bdrv_load_vmstate(BlockDriverState *bs, uint8_t *buf,
 void bdrv_debug_event(BlockDriverState *bs, BlkDebugEvent event)
 {
-    BlockDriver *drv = bs->drv;
-
-    if (!drv || !drv->bdrv_debug_event) {
+    if (!bs || !bs->drv || !bs->drv->bdrv_debug_event) {
         return;
     }
-    drv->bdrv_debug_event(bs, event);
+    bs->drv->bdrv_debug_event(bs, event);
 }
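Review bot: The new `!bs` test widens bdrv_debug_event()'s contract to accept a NULL BlockDriverState, but nothing records why; presumably it exists for the BLKDBG_EVENT(bs->file, ...) call sites added later in this patch, where bs->file may be NULL for a driver without an underlying file, though that is inferred rather than visible here. A one-line comment would pin the reason so the check is not later "simplified" away: `/* bs may be NULL: callers pass bs->file, which some drivers leave unset */`.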
 int bdrv_debug_breakpoint(BlockDriverState *bs, const char *event,
@@ -4879,6 +4877,7 @@ int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
     }
     /* Write back cached data to the OS even with cache=unsafe */
+    BLKDBG_EVENT(bs->file, BLKDBG_FLUSH_TO_OS);
     if (bs->drv->bdrv_co_flush_to_os) {
         ret = bs->drv->bdrv_co_flush_to_os(bs);
         if (ret < 0) {
@@ -4891,6 +4890,7 @@ int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
         goto flush_parent;
     }
+    BLKDBG_EVENT(bs->file, BLKDBG_FLUSH_TO_DISK);
     if (bs->drv->bdrv_co_flush_to_disk) {
         ret = bs->drv->bdrv_co_flush_to_disk(bs);
     } else if (bs->drv->bdrv_aio_flush) {
diff --git a/block/blkdebug.c b/block/blkdebug.c
index c61ce52..8e468b2 100644
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@@ -184,6 +184,9 @@ static const char *event_names[BLKDBG_EVENT_MAX] = {
     [BLKDBG_CLUSTER_ALLOC_BYTES]            = "cluster_alloc_bytes",
     [BLKDBG_CLUSTER_FREE]                   = "cluster_free",
+    [BLKDBG_FLUSH_TO_OS]                    = "flush_to_os",
+    [BLKDBG_FLUSH_TO_DISK]                  = "flush_to_disk",
+
     [BLKDBG_PWRITEV_RMW_HEAD]               = "pwritev_rmw.head",
     [BLKDBG_PWRITEV_RMW_AFTER_HEAD]         = "pwritev_rmw.after_head",
     [BLKDBG_PWRITEV_RMW_TAIL]               = "pwritev_rmw.tail",
diff --git a/include/block/block.h b/include/block/block.h
index 8339cac..75147b2 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -508,6 +508,9 @@ typedef enum {
     BLKDBG_CLUSTER_ALLOC_BYTES,
     BLKDBG_CLUSTER_FREE,
+    BLKDBG_FLUSH_TO_OS,
+    BLKDBG_FLUSH_TO_DISK,
+
     BLKDBG_PWRITEV_RMW_HEAD,
     BLKDBG_PWRITEV_RMW_AFTER_HEAD,
     BLKDBG_PWRITEV_RMW_TAIL,
--
1.8.3.1
SOURCES/kvm-block-backend-expose-bs-bl.max_transfer_length.patch
New file
@@ -0,0 +1,66 @@
From b9d7b6bbaa64404eb9b4a65d0af841bfae5c9089 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Mon, 11 Jul 2016 05:33:36 +0200
Subject: [PATCH 3/7] block-backend: expose bs->bl.max_transfer_length
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1468215219-30793-4-git-send-email-famz@redhat.com>
Patchwork-id: 71107
O-Subject: [RHEL-7.3 qemu-kvm PATCH 3/6] block-backend: expose bs->bl.max_transfer_length
Bugzilla: 1318199
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
From: Peter Lieven <pl@kamp.de>
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 454057b7d9b9ad141bd5df8c4075745e56b4870f)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    block/block-backend.c
    include/sysemu/block-backend.h
Downstream doesn't have BlockBackend yet, so "blk_" -> "bdrv_" and put
the function in block.c.
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block.c               | 5 +++++
 include/block/block.h | 1 +
 2 files changed, 6 insertions(+)
diff --git a/block.c b/block.c
index ae756aa..bdcd741 100644
--- a/block.c
+++ b/block.c
@@ -3656,6 +3656,11 @@ int bdrv_get_flags(BlockDriverState *bs)
     return bs->open_flags;
 }
+int bdrv_get_max_transfer_length(BlockDriverState *bs)
+{
+    return bs->bl.max_transfer_length;
+}
+
 int bdrv_flush_all(void)
 {
     BlockDriverState *bs;
diff --git a/include/block/block.h b/include/block/block.h
index 75147b2..d29733a 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -379,6 +379,7 @@ void bdrv_iterate_format(void (*it)(void *opaque, const char *name),
                          void *opaque);
 const char *bdrv_get_device_name(BlockDriverState *bs);
 int bdrv_get_flags(BlockDriverState *bs);
+int bdrv_get_max_transfer_length(BlockDriverState *bs);
 int bdrv_write_compressed(BlockDriverState *bs, int64_t sector_num,
                           const uint8_t *buf, int nb_sectors);
 int bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi);
--
1.8.3.1
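Review bot: The new prototype of bdrv_get_max_transfer_length() in include/block/block.h carries no comment, so callers have to guess the unit and what a value of 0 means; the neighbouring getters are bare too, but this one will be used to cap request sizes, so document it at the declaration, e.g. `/* Largest single request the driver accepts, in sectors; 0 if the driver set no limit (confirm against BlockLimits) */`. The body in block.c simply returns bs->bl.max_transfer_length with no NULL check on bs, which matches bdrv_get_flags() directly above it.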
SOURCES/kvm-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
@@ -1,16 +1,16 @@
From f5596dffdad4014342239c7d3ec85e637969d2de Mon Sep 17 00:00:00 2001
From d2291657a3d6100be53008fe8206c9e72b37c584 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Fri, 29 Jul 2016 07:54:22 +0200
Date: Wed, 22 Jun 2016 01:06:15 +0200
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1469778862-32607-1-git-send-email-famz@redhat.com>
Patchwork-id: 71515
O-Subject: [RHEL-7.2.z qemu-kvm PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
Bugzilla: 1358996
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
Message-id: <20160622010615.10307-1-famz@redhat.com>
Patchwork-id: 70730
O-Subject: [RHEL-7.3 qemu-kvm PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
Bugzilla: 1340929
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Peter Lieven <pl@kamp.de>
SOURCES/kvm-block-jobs-qemu-kvm-rhel-differentiation.patch
New file
@@ -0,0 +1,141 @@
From bb8aca64535578520c4b7f5186f9ae5754626694 Mon Sep 17 00:00:00 2001
From: Jeffrey Cody <jcody@redhat.com>
Date: Thu, 5 May 2016 19:46:28 +0200
Subject: [PATCH 10/10] block jobs: qemu-kvm-rhel differentiation
RH-Author: Jeffrey Cody <jcody@redhat.com>
Message-id: <f2ce1dbde4055f710cb6f83e6edd9e93a498b366.1462477116.git.jcody@redhat.com>
Patchwork-id: 70344
O-Subject: [RHEL7.3 qemu-kvm-rhel 1/1] block jobs: qemu-kvm-rhel differentiation
Bugzilla: 1156635
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
The conditional block job disablement for RHEL left some QAPI / HMP
commands in place, that are vestigial without any actual block jobs to
control.
This patch envelopes those block-job related functions in the
conditional code that is disabled for RHEL:
block-job-set-speed
block-job-cancel
block-job-pause
block-job-resume
block-job-complete
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 blockdev.c       | 2 +-
 hmp-commands.hx  | 2 +-
 hmp.c            | 2 +-
 qapi-schema.json | 2 +-
 qmp-commands.hx  | 3 ---
 5 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/blockdev.c b/blockdev.c
index b5792a2..69e951f 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -1701,7 +1701,6 @@ void qmp_drive_mirror(const char *device, const char *target,
         return;
     }
 }
-#endif
 static BlockJob *find_block_job(const char *device)
 {
@@ -1786,6 +1785,7 @@ void qmp_block_job_complete(const char *device, Error **errp)
     trace_qmp_block_job_complete(job);
     block_job_complete(job, errp);
 }
+#endif
 void qmp___com_redhat_change_backing_file(const char *device,
                                           const char *image_node_name,
diff --git a/hmp-commands.hx b/hmp-commands.hx
index 7e1855a..dd528d2 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -81,7 +81,6 @@ ETEXI
         .help       = "copy data from a backing file into a block device",
         .mhandler.cmd = hmp_block_stream,
     },
-#endif
 STEXI
 @item block_stream
@@ -160,6 +159,7 @@ STEXI
 @findex block_job_resume
 Resume a paused block streaming operation.
 ETEXI
+#endif
     {
         .name       = "eject",
diff --git a/hmp.c b/hmp.c
index e1d92f4..fb9b445 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1053,7 +1053,6 @@ void hmp_block_stream(Monitor *mon, const QDict *qdict)
     hmp_handle_error(mon, &error);
 }
-#endif
 void hmp_block_job_set_speed(Monitor *mon, const QDict *qdict)
 {
@@ -1106,6 +1105,7 @@ void hmp_block_job_complete(Monitor *mon, const QDict *qdict)
     hmp_handle_error(mon, &error);
 }
+#endif
 typedef struct MigrationStatus
 {
diff --git a/qapi-schema.json b/qapi-schema.json
index c8732c1..5138ed9 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -2326,7 +2326,6 @@
 { 'command': 'block-stream',
   'data': { 'device': 'str', '*base': 'str', '*backing-file': 'str',
             '*speed': 'int', '*on-error': 'BlockdevOnError' } }
-#_end-rhev-only
 ##
 # @block-job-set-speed:
@@ -2448,6 +2447,7 @@
 # Since: 1.3
 ##
 { 'command': 'block-job-complete', 'data': { 'device': 'str' } }
+#_end-rhev-only
 ##
 # @ObjectTypeInfo:
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 22a09be..9522c44 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -1089,8 +1089,6 @@ Example:
 EQMP
-#endif
-
     {
         .name       = "block-job-set-speed",
         .args_type  = "device:B,speed:o",
@@ -1117,7 +1115,6 @@ EQMP
         .args_type  = "device:B",
         .mhandler.cmd_new = qmp_marshal_input_block_job_complete,
     },
-#ifdef CONFIG_LIVE_BLOCK_OPS
     {
         .name       = "transaction",
         .args_type  = "actions:q",
--
1.8.3.1
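Review bot: The qmp-commands.hx hunks remove both the `#endif` after the block-stream entry and the `#ifdef CONFIG_LIVE_BLOCK_OPS` before the transaction entry, merging two guarded regions into one; that is only correct if the guard opened before the first hunk is the same CONFIG_LIVE_BLOCK_OPS region, which the hunks do not show, and a mismatch would silently change which QMP commands a RHEL build registers. In blockdev.c, hmp.c and hmp-commands.hx the `#endif` is moved down past the block-job handlers with nothing saying what it closes; annotate each moved closer, e.g. `#endif /* CONFIG_LIVE_BLOCK_OPS */`, so the extent of the disabled region is visible where it ends. Every guarded region touched here begins outside the hunks.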
SOURCES/kvm-block-raw-posix-Open-file-descriptor-O_RDWR-to-work-.patch
New file
@@ -0,0 +1,68 @@
From 9452583824b50cb6f095c5ec1894b38df7b01175 Mon Sep 17 00:00:00 2001
Message-Id: <9452583824b50cb6f095c5ec1894b38df7b01175.1464449390.git.jen@redhat.com>
In-Reply-To: <c7936395ecf322b3de37662c7c6b772e36866cc7.1464449390.git.jen@redhat.com>
References: <c7936395ecf322b3de37662c7c6b772e36866cc7.1464449390.git.jen@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 23 May 2016 11:28:41 -0400
Subject: [CHANGE 3/3] block/raw-posix: Open file descriptor O_RDWR to work
 around glibc posix_fallocate emulation issue.
To: rhvirt-patches@redhat.com,
    jen@redhat.com
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1464002921-1079-2-git-send-email-kwolf@redhat.com>
Patchwork-id: 70425
O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/1] block/raw-posix: Open file descriptor O_RDWR to work around glibc posix_fallocate emulation issue.
Bugzilla: 1268345
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Richard Jones <rjones@redhat.com>
From: "Richard W.M. Jones" <rjones@redhat.com>
The following command fails on an NFS mountpoint:
  $ qemu-img create -f qcow2 -o preallocation=falloc disk.img 262144
  Formatting 'disk.img', fmt=qcow2 size=262144 encryption=off cluster_size=65536 preallocation='falloc' lazy_refcounts=off
  qemu-img: disk.img: Could not preallocate data for the new file: Bad file descriptor
The reason turns out to be because NFS doesn't support the
posix_fallocate call.  glibc emulates it instead.  However glibc's
emulation involves using the pread(2) syscall.  The pread syscall
fails with EBADF if the file descriptor is opened without the read
open-flag (ie. open (..., O_WRONLY)).
I contacted glibc upstream about this, and their response is here:
  https://bugzilla.redhat.com/show_bug.cgi?id=1265196#c9
There are two possible fixes: Use Linux fallocate directly, or (this
fix) work around the problem in qemu by opening the file with O_RDWR
instead of O_WRONLY.
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 73ba05d936e82fe01b2b2cf987bf3aecb4792af5)
Signed-off-by: Jeff E. Nelson <jen@redhat.com>
---
 block/raw-posix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/raw-posix.c b/block/raw-posix.c
index 1f5275f..92fcb6c 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1265,7 +1265,7 @@ static int raw_create(const char *filename, QEMUOptionParameter *options,
         options++;
     }
-    fd = qemu_open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY,
+    fd = qemu_open(filename, O_RDWR | O_CREAT | O_TRUNC | O_BINARY,
                    0644);
     if (fd < 0) {
         result = -errno;
--
2.5.5
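Review bot: The switch from O_WRONLY to O_RDWR in raw_create() has no in-code justification, so a later cleanup could revert it to the minimal open mode and reintroduce the failure; add a comment above the qemu_open() call, e.g. `/* O_RDWR, not O_WRONLY: on filesystems without native fallocate (e.g. NFS) glibc emulates posix_fallocate() with pread(), which fails with EBADF on a write-only fd */`. raw_create() begins and continues outside the hunk.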
SOURCES/kvm-block-vmdk-fixed-sizeof-error.patch
New file
@@ -0,0 +1,50 @@
From 37bf9db781d9507501649ee04d23b0dab103a126 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Mon, 15 Feb 2016 09:28:23 +0100
Subject: [PATCH 10/18] block: vmdk - fixed sizeof() error
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1455528511-9357-11-git-send-email-famz@redhat.com>
Patchwork-id: 69176
O-Subject: [RHEL-7.3 qemu-kvm PATCH 10/18] block: vmdk - fixed sizeof() error
Bugzilla: 1299250
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
From: Jeff Cody <jcody@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1299250
The size compared should be PATH_MAX, rather than sizeof(char *).
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 46d873261433f4527e88885582f96942d61758d6.1423592487.git.jcody@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a7be17bee855f26c317e99aa6582e1dc9b8ebd71)
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/vmdk.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 45ecf02..32b3d4c 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -838,8 +838,7 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
         }
         extent_path = g_malloc0(PATH_MAX);
-        path_combine(extent_path, sizeof(extent_path),
-                desc_file_path, fname);
+        path_combine(extent_path, PATH_MAX, desc_file_path, fname);
         extent_file = NULL;
         ret = bdrv_file_open(&extent_file, extent_path, NULL, bs->open_flags,
                              errp);
--
1.8.3.1
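Review bot: The corrected call passes PATH_MAX as a literal separate from the `g_malloc0(PATH_MAX)` two lines above, the same decoupling of allocation size and bound that produced the sizeof(extent_path) defect being fixed; tie them to one value, e.g. `const size_t extent_path_len = PATH_MAX;`, `extent_path = g_malloc0(extent_path_len);`, `path_combine(extent_path, extent_path_len, desc_file_path, fname);`. Before this fix the bound was sizeof(char *), so any extent path longer than the pointer width was truncated by path_combine() (assuming it honours its size argument). vmdk_parse_extents() starts and ends outside the hunk.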
SOURCES/kvm-block-vmdk-make-ret-variable-usage-clear.patch
New file
@@ -0,0 +1,86 @@
From 931d28d0c1c1015df16fbffb8422895497193a78 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Mon, 15 Feb 2016 09:28:21 +0100
Subject: [PATCH 08/18] block: vmdk - make ret variable usage clear
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1455528511-9357-9-git-send-email-famz@redhat.com>
Patchwork-id: 69174
O-Subject: [RHEL-7.3 qemu-kvm PATCH 08/18] block: vmdk - make ret variable usage clear
Bugzilla: 1299250
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
From: Jeff Cody <jcody@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1299250
Keep the variable 'ret' something that is returned by the function it is
defined in.  For the return value of 'sscanf', use a more meaningful
variable name.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 395a22fae064df64d987d703cf70ae0f57306be8)
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/vmdk.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 1247ea4..3351782 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -788,6 +788,7 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
                               const char *desc_file_path, Error **errp)
 {
     int ret;
+    int matches;
     char access[11];
     char type[11];
     char fname[512];
@@ -799,6 +800,7 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
     BDRVVmdkState *s = bs->opaque;
     VmdkExtent *extent;
+
     while (*p) {
         /* parse extent line in one of below formats:
          *
@@ -808,23 +810,23 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
          * RW [size in sectors] VMFSSPARSE "file-name.vmdk"
          */
         flat_offset = -1;
-        ret = sscanf(p, "%10s %" SCNd64 " %10s \"%511[^\n\r\"]\" %" SCNd64,
-                access, &sectors, type, fname, &flat_offset);
-        if (ret < 4 || strcmp(access, "RW")) {
+        matches = sscanf(p, "%10s %" SCNd64 " %10s \"%511[^\n\r\"]\" %" SCNd64,
+                         access, &sectors, type, fname, &flat_offset);
+        if (matches < 4 || strcmp(access, "RW")) {
             goto next_line;
         } else if (!strcmp(type, "FLAT")) {
-            if (ret != 5 || flat_offset < 0) {
+            if (matches != 5 || flat_offset < 0) {
                 error_setg(errp, "Invalid extent lines: \n%s", p);
                 return -EINVAL;
             }
         } else if (!strcmp(type, "VMFS")) {
-            if (ret == 4) {
+            if (matches == 4) {
                 flat_offset = 0;
             } else {
                 error_setg(errp, "Invalid extent lines:\n%s", p);
                 return -EINVAL;
             }
-        } else if (ret != 4) {
+        } else if (matches != 4) {
             error_setg(errp, "Invalid extent lines:\n%s", p);
             return -EINVAL;
         }
--
1.8.3.1
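Review bot: The renamed `matches` makes the sscanf() count explicit, but the `matches < 4 || strcmp(access, "RW")` branch still drops the line via goto next_line without a comment saying which input is expected to land there, while every other malformed case below reports with error_setg(); since the descriptor text comes from the image file, a reader should be able to tell deliberate skipping from a missing error path. Add a comment at that branch, e.g. `/* Not an extent line (presumably the descriptor's key=value lines): skip it */`. vmdk_parse_extents() continues outside the hunk.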
SOURCES/kvm-block-vmdk-move-string-allocations-from-stack-to-the.patch
New file
@@ -0,0 +1,146 @@
From a767838caf6c761d714a9466d008f8dddaf1a162 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Mon, 15 Feb 2016 09:28:22 +0100
Subject: [PATCH 09/18] block: vmdk - move string allocations from stack to the
 heap
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1455528511-9357-10-git-send-email-famz@redhat.com>
Patchwork-id: 69175
O-Subject: [RHEL-7.3 qemu-kvm PATCH 09/18] block: vmdk - move string allocations from stack to the heap
Bugzilla: 1299250
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
From: Jeff Cody <jcody@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1299250
Functions 'vmdk_parse_extents' and 'vmdk_create' allocate several
PATH_MAX sized arrays on the stack.  Make these dynamically allocated.
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit fe2065629a9c256f836770ca54449ae77b22d188)
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/vmdk.c | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)
diff --git a/block/vmdk.c b/block/vmdk.c
index 3351782..45ecf02 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -795,12 +795,11 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
     const char *p = desc;
     int64_t sectors = 0;
     int64_t flat_offset;
-    char extent_path[PATH_MAX];
+    char *extent_path;
     BlockDriverState *extent_file;
     BDRVVmdkState *s = bs->opaque;
     VmdkExtent *extent;
-
     while (*p) {
         /* parse extent line in one of below formats:
          *
@@ -838,10 +837,13 @@ static int vmdk_parse_extents(const char *desc, BlockDriverState *bs,
             goto next_line;
         }
+        extent_path = g_malloc0(PATH_MAX);
         path_combine(extent_path, sizeof(extent_path),
                 desc_file_path, fname);
+        extent_file = NULL;
         ret = bdrv_file_open(&extent_file, extent_path, NULL, bs->open_flags,
                              errp);
+        g_free(extent_path);
         if (ret) {
             return ret;
         }
@@ -1790,10 +1792,15 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options,
     int ret = 0;
     bool flat, split, compress;
     GString *ext_desc_lines;
-    char path[PATH_MAX], prefix[PATH_MAX], postfix[PATH_MAX];
+    char *path = g_malloc0(PATH_MAX);
+    char *prefix = g_malloc0(PATH_MAX);
+    char *postfix = g_malloc0(PATH_MAX);
+    char *desc_line = g_malloc0(BUF_SIZE);
+    char *ext_filename = g_malloc0(PATH_MAX);
+    char *desc_filename = g_malloc0(PATH_MAX);
     const int64_t split_size = 0x80000000;  /* VMDK has constant split size */
     const char *desc_extent_line;
-    char parent_desc_line[BUF_SIZE] = "";
+    char *parent_desc_line = g_malloc0(BUF_SIZE);
     uint32_t parent_cid = 0xffffffff;
     uint32_t number_heads = 16;
     bool zeroed_grain = false;
@@ -1902,33 +1909,27 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options,
         }
         parent_cid = vmdk_read_cid(bs, 0);
         bdrv_unref(bs);
-        snprintf(parent_desc_line, sizeof(parent_desc_line),
+        snprintf(parent_desc_line, BUF_SIZE,
                 "parentFileNameHint=\"%s\"", backing_file);
     }
     /* Create extents */
     filesize = total_size;
     while (filesize > 0) {
-        char desc_line[BUF_SIZE];
-        char ext_filename[PATH_MAX];
-        char desc_filename[PATH_MAX];
         int64_t size = filesize;
         if (split && size > split_size) {
             size = split_size;
         }
         if (split) {
-            snprintf(desc_filename, sizeof(desc_filename), "%s-%c%03d%s",
+            snprintf(desc_filename, PATH_MAX, "%s-%c%03d%s",
                     prefix, flat ? 'f' : 's', ++idx, postfix);
         } else if (flat) {
-            snprintf(desc_filename, sizeof(desc_filename), "%s-flat%s",
-                    prefix, postfix);
+            snprintf(desc_filename, PATH_MAX, "%s-flat%s", prefix, postfix);
         } else {
-            snprintf(desc_filename, sizeof(desc_filename), "%s%s",
-                    prefix, postfix);
+            snprintf(desc_filename, PATH_MAX, "%s%s", prefix, postfix);
         }
-        snprintf(ext_filename, sizeof(ext_filename), "%s%s",
-                path, desc_filename);
+        snprintf(ext_filename, PATH_MAX, "%s%s", path, desc_filename);
         if (vmdk_create_extent(ext_filename, size,
                                flat, compress, zeroed_grain, errp)) {
@@ -1938,7 +1939,7 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options,
         filesize -= size;
         /* Format description line */
-        snprintf(desc_line, sizeof(desc_line),
+        snprintf(desc_line, BUF_SIZE,
                     desc_extent_line, size / BDRV_SECTOR_SIZE, desc_filename);
         g_string_append(ext_desc_lines, desc_line);
     }
@@ -1988,6 +1989,13 @@ exit:
         bdrv_unref(new_bs);
     }
     g_free(desc);
+    g_free(path);
+    g_free(prefix);
+    g_free(postfix);
+    g_free(desc_line);
+    g_free(ext_filename);
+    g_free(desc_filename);
+    g_free(parent_desc_line);
     g_string_free(ext_desc_lines, true);
     return ret;
 }
--
1.8.3.1
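Review bot: In the vmdk_parse_extents() hunk extent_path is now a `char *`, so the unchanged `path_combine(extent_path, sizeof(extent_path), desc_file_path, fname);` passes the size of a pointer as the buffer bound instead of PATH_MAX and truncates every extent path; the fix is `path_combine(extent_path, PATH_MAX, desc_file_path, fname);`, which the later kvm-block-vmdk-fixed-sizeof-error.patch on this page applies. In vmdk_create() all seven buffers are now allocated at declaration and released only at the `exit:` label, so any early `return` between the declarations and that label (most of the body is outside the hunks) would now leak them; confirm every failure path reaches `exit:`. vmdk_parse_extents() and vmdk_create() both start and end outside the hunks.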
SOURCES/kvm-check-qjson-Add-test-for-JSON-nesting-depth-limit.patch
New file
@@ -0,0 +1,73 @@
From 38d4fe12ad2e3bc18842201f437c480120eace2b Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Jul 2016 07:35:02 +0200
Subject: [PATCH 04/16] check-qjson: Add test for JSON nesting depth limit
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <1469604913-12442-6-git-send-email-armbru@redhat.com>
Patchwork-id: 71481
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 04/15] check-qjson: Add test for JSON nesting depth limit
Bugzilla: 1276036
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
This would have prevented the regression mentioned in the previous
commit.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1448486613-17634-4-git-send-email-armbru@redhat.com>
(cherry picked from commit f0ae0304c7a41a42b7d4a6cde450da938d3c2cc7)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 tests/check-qjson.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/tests/check-qjson.c b/tests/check-qjson.c
index 4e74548..c5dd74d 100644
--- a/tests/check-qjson.c
+++ b/tests/check-qjson.c
@@ -1465,6 +1465,30 @@ static void unterminated_literal(void)
     g_assert(obj == NULL);
 }
+static char *make_nest(char *buf, size_t cnt)
+{
+    memset(buf, '[', cnt - 1);
+    buf[cnt - 1] = '{';
+    buf[cnt] = '}';
+    memset(buf + cnt + 1, ']', cnt - 1);
+    buf[2 * cnt] = 0;
+    return buf;
+}
+
+static void limits_nesting(void)
+{
+    enum { max_nesting = 1024 }; /* see qobject/json-streamer.c */
+    char buf[2 * (max_nesting + 1) + 1];
+    QObject *obj;
+
+    obj = qobject_from_json(make_nest(buf, max_nesting));
+    g_assert(obj != NULL);
+    qobject_decref(obj);
+
+    obj = qobject_from_json(make_nest(buf, max_nesting + 1));
+    g_assert(obj == NULL);
+}
+
 int main(int argc, char **argv)
 {
     g_test_init(&argc, &argv, NULL);
@@ -1500,6 +1524,7 @@ int main(int argc, char **argv)
     g_test_add_func("/errors/invalid_array_comma", invalid_array_comma);
     g_test_add_func("/errors/invalid_dict_comma", invalid_dict_comma);
     g_test_add_func("/errors/unterminated/literal", unterminated_literal);
+    g_test_add_func("/errors/limits/nesting", limits_nesting);
     return g_test_run();
 }
--
1.8.3.1
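Review bot: make_nest() writes 2 * cnt + 1 bytes and computes `cnt - 1` on a size_t, so it relies on the caller sizing buf correctly and passing cnt >= 1, and neither precondition is stated at the definition. Document it above the function, e.g. `/* Writes cnt-1 '[', '{', '}', cnt-1 ']' and a NUL; buf must hold 2 * cnt + 1 bytes and cnt must be >= 1 */`, optionally with `g_assert(cnt > 0);` as the first statement. In limits_nesting() the buffer size `2 * (max_nesting + 1) + 1` matches the larger call exactly, which deserves a comment tying the two sizes together.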
SOURCES/kvm-cutils-Support-P-and-E-suffixes-in-strtosz.patch
New file
@@ -0,0 +1,132 @@
From b7cea737b24456765a21ed43ebd9b68ebbbf3537 Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Mon, 23 Nov 2015 17:38:21 +0100
Subject: [PATCH 02/27] cutils: Support 'P' and 'E' suffixes in strtosz()
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1448300320-7772-3-git-send-email-jsnow@redhat.com>
Patchwork-id: 68430
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 02/21] cutils: Support 'P' and 'E' suffixes in strtosz()
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 5e00984aef7c1c317e27c0e8acf66526513c770f)
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 include/qemu-common.h      |  2 ++
 monitor.c                  |  8 ++++----
 qemu-img.c                 | 10 ++++++----
 tests/qemu-iotests/049.out |  8 ++++----
 util/cutils.c              |  4 ++++
 5 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/include/qemu-common.h b/include/qemu-common.h
index aee85e3..67f57c9 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -178,6 +178,8 @@ int parse_uint_full(const char *s, unsigned long long *value, int base);
  * A-Z, as strtosz() will use qemu_toupper() on the given argument
  * prior to comparison.
  */
+#define STRTOSZ_DEFSUFFIX_EB    'E'
+#define STRTOSZ_DEFSUFFIX_PB    'P'
 #define STRTOSZ_DEFSUFFIX_TB    'T'
 #define STRTOSZ_DEFSUFFIX_GB    'G'
 #define STRTOSZ_DEFSUFFIX_MB    'M'
diff --git a/monitor.c b/monitor.c
index 6a1d06e..33c5bc8 100644
--- a/monitor.c
+++ b/monitor.c
@@ -94,10 +94,10 @@
  * 'M'          Non-negative target long (32 or 64 bit), in user mode the
  *              value is multiplied by 2^20 (think Mebibyte)
  * 'o'          octets (aka bytes)
- *              user mode accepts an optional T, t, G, g, M, m, K, k
- *              suffix, which multiplies the value by 2^40 for
- *              suffixes T and t, 2^30 for suffixes G and g, 2^20 for
- *              M and m, 2^10 for K and k
+ *              user mode accepts an optional E, e, P, p, T, t, G, g, M, m,
+ *              K, k suffix, which multiplies the value by 2^60 for suffixes E
+ *              and e, 2^50 for suffixes P and p, 2^40 for suffixes T and t,
+ *              2^30 for suffixes G and g, 2^20 for M and m, 2^10 for K and k
  * 'T'          double
  *              user mode accepts an optional ms, us, ns suffix,
  *              which divides the value by 1e3, 1e6, 1e9, respectively
diff --git a/qemu-img.c b/qemu-img.c
index 9c021e7..eb2d4cb 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -87,8 +87,9 @@ static void help(void)
            "  'src_cache' is the cache mode used to read input disk images, the valid\n"
            "    options are the same as for the 'cache' option\n"
            "  'size' is the disk image size in bytes. Optional suffixes\n"
-           "    'k' or 'K' (kilobyte, 1024), 'M' (megabyte, 1024k), 'G' (gigabyte, 1024M)\n"
-           "    and T (terabyte, 1024G) are supported. 'b' is ignored.\n"
+           "    'k' or 'K' (kilobyte, 1024), 'M' (megabyte, 1024k), 'G' (gigabyte, 1024M),\n"
+           "    'T' (terabyte, 1024G), 'P' (petabyte, 1024T) and 'E' (exabyte, 1024P)  are\n"
+           "    supported. 'b' is ignored.\n"
            "  'output_filename' is the destination disk image filename\n"
            "  'output_fmt' is the destination format\n"
            "  'options' is a comma separated list of format specific options in a\n"
@@ -417,8 +418,9 @@ static int img_create(int argc, char **argv)
                 error_report("Image size must be less than 8 EiB!");
             } else {
                 error_report("Invalid image size specified! You may use k, M, "
-                      "G or T suffixes for ");
-                error_report("kilobytes, megabytes, gigabytes and terabytes.");
+                      "G, T, P or E suffixes for ");
+                error_report("kilobytes, megabytes, gigabytes, terabytes, "
+                             "petabytes and exabytes.");
             }
             goto fail;
         }
diff --git a/tests/qemu-iotests/049.out b/tests/qemu-iotests/049.out
index b2fcf0b..3e56772 100644
--- a/tests/qemu-iotests/049.out
+++ b/tests/qemu-iotests/049.out
@@ -108,15 +108,15 @@ qemu-img: TEST_DIR/t.qcow2: Could not resize image: Operation not supported
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=-1024 encryption=off cluster_size=65536 lazy_refcounts=off
 qemu-img create -f qcow2 TEST_DIR/t.qcow2 -- 1kilobyte
-qemu-img: Invalid image size specified! You may use k, M, G or T suffixes for
-qemu-img: kilobytes, megabytes, gigabytes and terabytes.
+qemu-img: Invalid image size specified! You may use k, M, G, T, P or E suffixes for
+qemu-img: kilobytes, megabytes, gigabytes, terabytes, petabytes and exabytes.
 qemu-img create -f qcow2 -o size=1kilobyte TEST_DIR/t.qcow2
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=1024 encryption=off cluster_size=65536 lazy_refcounts=off
 qemu-img create -f qcow2 TEST_DIR/t.qcow2 -- foobar
-qemu-img: Invalid image size specified! You may use k, M, G or T suffixes for
-qemu-img: kilobytes, megabytes, gigabytes and terabytes.
+qemu-img: Invalid image size specified! You may use k, M, G, T, P or E suffixes for
+qemu-img: kilobytes, megabytes, gigabytes, terabytes, petabytes and exabytes.
 qemu-img create -f qcow2 -o size=foobar TEST_DIR/t.qcow2
 qemu-img: Parameter 'size' expects a size
diff --git a/util/cutils.c b/util/cutils.c
index a165819..8f28896 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -267,6 +267,10 @@ static int64_t suffix_mul(char suffix, int64_t unit)
         return unit * unit * unit;
     case STRTOSZ_DEFSUFFIX_TB:
         return unit * unit * unit * unit;
+    case STRTOSZ_DEFSUFFIX_PB:
+        return unit * unit * unit * unit * unit;
+    case STRTOSZ_DEFSUFFIX_EB:
+        return unit * unit * unit * unit * unit * unit;
     }
     return -1;
 }
--
1.8.3.1
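Review bot: The new qemu-img help line `'T' (terabyte, 1024G), 'P' (petabyte, 1024T) and 'E' (exabyte, 1024P)  are` has a doubled space before `are`; it is user-visible output, so change it to `... and 'E' (exabyte, 1024P) are\n"`. In suffix_mul() the new STRTOSZ_DEFSUFFIX_EB case computes unit to the sixth power in int64_t, which fits for unit = 1000 or 1024 but is signed overflow, hence undefined behaviour, for any unit above 1448; the callers outside the hunk presumably pass only those two values, so state that precondition on suffix_mul(), e.g. `/* unit must be 1000 or 1024: unit^6 has to fit in int64_t */`. suffix_mul() begins outside the hunk.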
SOURCES/kvm-e1000-eliminate-infinite-loops-on-out-of-bounds-tran.patch
New file
@@ -0,0 +1,109 @@
From 4fef3479339001ef3ea529fb0552533fae422240 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 5 Feb 2016 14:26:18 +0100
Subject: [PATCH 1/5] e1000: eliminate infinite loops on out-of-bounds transfer
 start
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1454682378-29144-2-git-send-email-lersek@redhat.com>
Patchwork-id: 69116
O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/1] e1000: eliminate infinite loops on out-of-bounds transfer start
Bugzilla: 1296044
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: P J P <ppandit@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:
- the TDLEN and RDLEN registers store the total size of the descriptor
  area,
- while the TDH and RDH registers store the offset (in whole tx / rx
  descriptors) into the area where the transfer is supposed to start.
Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).
QEMU already contains logic to deal with bogus transfers submitted by the
guest:
- Normally, the transmit case wants to increase TDH from its initial value
  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
  that QEMU currently has here is a check against reaching the original
  TDH value again -- a complete wraparound, which should never happen.
- In the receive case RDH is increased from its initial value until
  "total_size" bytes have been received; preferably in a single step, or
  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
  RX descriptors are skipped without receiving data, while RDH is
  incremented just the same. QEMU tries to prevent an infinite loop
  (processing only null RX descriptors) by detecting whether RDH assumes
  its original value during the loop. (Again, wrapping from RDLEN to 0 is
  normal.)
What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.
The condition that expresses this is:
  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.
This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.
This is CVE-2016-1981.
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Prasad Pandit <ppandit@redhat.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: qemu-stable@nongnu.org
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit dd793a74882477ca38d49e191110c17dfee51dcc)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/net/e1000.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 87a84a7..2cd38bc 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -697,7 +697,8 @@ start_xmit(E1000State *s)
          * bogus values to TDT/TDLEN.
          * there's nothing too intelligent we could do about this.
          */
-        if (s->mac_reg[TDH] == tdh_start) {
+        if (s->mac_reg[TDH] == tdh_start ||
+            tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
             DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
                    tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
             break;
@@ -902,7 +903,8 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
         if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
             s->mac_reg[RDH] = 0;
         /* see comment in start_xmit; same here */
-        if (s->mac_reg[RDH] == rdh_start) {
+        if (s->mac_reg[RDH] == rdh_start ||
+            rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
             DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
                    rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
             set_ics(s, 0, E1000_ICS_RXO);
--
1.8.3.1
SOURCES/kvm-ehci-clear-suspend-bit-on-detach.patch
New file
@@ -0,0 +1,48 @@
From ad3f6b5b188c572bd07cc5929e844138c2d95915 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 13 Nov 2015 13:32:34 +0100
Subject: [PATCH 1/6] ehci: clear suspend bit on detach
Message-id: <1447421554-28366-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 68349
O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/1] ehci: clear suspend bit on detach
Bugzilla: 1268879
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
When a device is detached, clear the suspend bit (PORTSC_SUSPEND)
in the port status register.
The specs are not *that* clear what is supposed to happen in case
a suspended device is unplugged.  But the enable bit (PORTSC_PED)
is cleared, and the specs mention setting suspend with enable being
unset is undefined behavior.  So clearing them both looks reasonable,
and it actually fixes the reported bug.
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Message-id: 1445413462-18004-1-git-send-email-kraxel@redhat.com
(cherry picked from commit cbf82fa01e6fd4ecb234b235b10ffce548154a95)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/hcd-ehci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 02d2ab7..3429c77 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -802,7 +802,7 @@ static void ehci_detach(USBPort *port)
     ehci_queues_rip_device(s, port->dev, 0);
     ehci_queues_rip_device(s, port->dev, 1);
-    *portsc &= ~(PORTSC_CONNECT|PORTSC_PED);
+    *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND);
     *portsc |= PORTSC_CSC;
     ehci_raise_irq(s, USBSTS_PCD);
--
1.8.3.1
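Review bot: The rationale in the description (PED is cleared on detach and the spec leaves SUSPEND-set-with-PED-clear undefined) is not visible at the changed line, and ehci_detach starts and ends outside the hunk, so the next reader has to re-derive why PORTSC_SUSPEND joined the mask. A one-line comment above the statement would fix that: `/* spec: SUSPEND set while PED is clear is undefined, so drop both on detach */`. No further code change seems needed.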
SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
@@ -1,16 +1,17 @@
From 5d12c17191e042a57e02749cedc55104a8251ac3 Mon Sep 17 00:00:00 2001
From ba24567fd90702ea40ff320a79bc921b38510f22 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 21 Jan 2016 07:17:43 +0100
Subject: [PATCH] fw_cfg: add check to validate current entry value
Subject: [PATCH 2/2] fw_cfg: add check to validate current entry value
 (CVE-2016-1714)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
Message-id: <1453360663-5066-1-git-send-email-mrezanin@redhat.com>
Patchwork-id: 68834
O-Subject: [RHEL-7.2.z/RHEL-7.3 qemu-kvm PATCH] fw_cfg: add check to validate current entry value (CVE-2016-1714)
Bugzilla: 1298047
Bugzilla: 1298048
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
SOURCES/kvm-hw-input-hid.c-Fix-capslock-hid-code.patch
New file
@@ -0,0 +1,50 @@
From 61ecb3c995018bc9ec901d376004c1d092d166ff Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 1 Jun 2016 12:24:01 +0200
Subject: [PATCH 1/3] hw/input/hid.c Fix capslock hid code
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1464783841-27701-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 70522
O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/1] hw/input/hid.c Fix capslock hid code
Bugzilla: 1256741
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Dinar Valeev <dvaleev@suse.com>
When ever USB keyboard is used, e.g. '-usbdevice keyboard' pressing
caps lock key send 0x32 hid code, which is treated as backslash.
Instead it should be 0x39 code. This affects sending uppercase keys,
as they typed whith caps lock active.
While on x86 this can be workarounded by using ps/2 protocol. On
Power it is crusial as we don't have anything else than USB.
This is fixes guest automation tasts over vnc.
Signed-off-by: Dinar Valeev <dvaleev@suse.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0ee4de5840ccc1072459ec68062bfb63c888a94d)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/input/hid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/input/hid.c b/hw/input/hid.c
index 14b3125..db45c89 100644
--- a/hw/input/hid.c
+++ b/hw/input/hid.c
@@ -41,7 +41,7 @@ static const uint8_t hid_usage_keys[0x100] = {
     0x07, 0x09, 0x0a, 0x0b, 0x0d, 0x0e, 0x0f, 0x33,
     0x34, 0x35, 0xe1, 0x31, 0x1d, 0x1b, 0x06, 0x19,
     0x05, 0x11, 0x10, 0x36, 0x37, 0x38, 0xe5, 0x55,
-    0xe2, 0x2c, 0x32, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e,
+    0xe2, 0x2c, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e,
     0x3f, 0x40, 0x41, 0x42, 0x43, 0x53, 0x47, 0x5f,
     0x60, 0x61, 0x56, 0x5c, 0x5d, 0x5e, 0x57, 0x59,
     0x5a, 0x5b, 0x62, 0x63, 0x00, 0x00, 0x00, 0x44,
--
1.8.3.1
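Review bot: hid_usage_keys is indexed by PC scancode but carries no row annotations, which is exactly how one wrong slot went unnoticed; the changed entry follows 0xe2 (Left Alt) and 0x2c (Space), which puts it at scancode 0x3a (Caps Lock) if rows are eight entries wide from the array start — the start is outside the hunk, so worth confirming. A trailing comment on the changed row, `/* 0x38: LAlt, Space, CapsLock, F1-F5 */`, would make the mapping auditable at a glance. The new value 0x39 is the HID usage for Caps Lock; the old 0x32 is the non-US '#'/backslash usage the description mentions.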
SOURCES/kvm-ide-test-fix-failure-for-test_flush.patch
New file
@@ -0,0 +1,113 @@
From 31ce74359a069be69af0f6ba2f7867ed2083317a Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Tue, 8 Dec 2015 20:30:59 +0100
Subject: [PATCH 21/27] ide-test: fix failure for test_flush
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1449606659-23710-1-git-send-email-jsnow@redhat.com>
Patchwork-id: 68521
O-Subject: [RHEL-7.3 qemu-kvm PATCH v3 21/21] ide-test: fix failure for test_flush
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
This patch is a combination of two patches:
(1) Revert "qtest/ide-test: disable flush-test"
(2) ide-test: fix failure for test_flush
First, the downstream-only revert:
This reverts commit 228e49fabffa644ab7a6a03e98205f293115dc89.
Second, the backported fix:
bd07684aacfb61668ae2c25b7dd00b64f3d7c7f3 added a test to ensure BSY
flag is set when a flush request is in flight. It does this by setting
a blkdebug breakpoint on flush_to_os before issuing a CMD_FLUSH_CACHE.
It then resumes CMD_FLUSH_CACHE operation and checks that BSY is unset.
The actual unsetting of BSY does not occur until ide_flush_cb gets
called in a bh, however, so in some cases this check will race with
the actual completion.
Fix this by polling the ide status register until BSY flag gets unset
before we do our final sanity checks. According to
f68ec8379e88502b4841a110c070e9b118d3151c this is in line with how a guest
would determine whether or not the device is still busy.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 22bfa16ed3d4c9d534dcfe6f2381a654f32296b9)
Signed-off-by: John Snow <jsnow@redhat.com>
---
 tests/ide-test.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 tests/ide-test.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/tests/ide-test.c b/tests/ide-test.c
index 43b7fd6..92dd0e5 100644
--- a/tests/ide-test.c
+++ b/tests/ide-test.c
@@ -425,6 +425,46 @@ static void test_identify(void)
     ide_test_quit();
 }
+static void test_flush(void)
+{
+    uint8_t data;
+
+    ide_test_start(
+        "-vnc none "
+        "-drive file=blkdebug::%s,if=ide,cache=writeback",
+        tmp_path);
+
+    /* Delay the completion of the flush request until we explicitly do it */
+    qmp("{'execute':'human-monitor-command', 'arguments': { "
+        "'command-line': 'qemu-io ide0-hd0 \"break flush_to_os A\"'} }");
+
+    /* FLUSH CACHE command on device 0*/
+    outb(IDE_BASE + reg_device, 0);
+    outb(IDE_BASE + reg_command, CMD_FLUSH_CACHE);
+
+    /* Check status while request is in flight*/
+    data = inb(IDE_BASE + reg_status);
+    assert_bit_set(data, BSY | DRDY);
+    assert_bit_clear(data, DF | ERR | DRQ);
+
+    /* Complete the command */
+    qmp("{'execute':'human-monitor-command', 'arguments': { "
+        "'command-line': 'qemu-io ide0-hd0 \"resume A\"'} }");
+
+    /* Check registers */
+    data = inb(IDE_BASE + reg_device);
+    g_assert_cmpint(data & DEV, ==, 0);
+
+    do {
+        data = inb(IDE_BASE + reg_status);
+    } while (data & BSY);
+
+    assert_bit_set(data, DRDY);
+    assert_bit_clear(data, BSY | DF | ERR | DRQ);
+
+    ide_test_quit();
+}
+
 static void test_flush_nodev(void)
 {
     ide_test_start("");
@@ -468,6 +508,7 @@ int main(int argc, char **argv)
     qtest_add_func("/ide/bmdma/long_prdt", test_bmdma_long_prdt);
     qtest_add_func("/ide/bmdma/teardown", test_bmdma_teardown);
+    qtest_add_func("/ide/flush", test_flush);
     qtest_add_func("/ide/flush_nodev", test_flush_nodev);
     ret = g_test_run();
--
1.8.3.1
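Review bot: The `do { data = inb(IDE_BASE + reg_status); } while (data & BSY);` poll added in test_flush has no upper bound, so if the flush completion never lands (the race the description fixes, or a later regression) the test hangs the whole qtest run instead of failing. Bounding the loop with an iteration cap and asserting on it turns a hang into a diagnosable failure; the cap below is a placeholder to be sized for the harness. The blkdebug breakpoint and resume via human-monitor-command are otherwise fine.
```c
    /* Poll until BSY clears; bound the wait so a stuck flush fails instead of hanging the suite */
    int polls = 0;
    do {
        data = inb(IDE_BASE + reg_status);
        g_assert_cmpint(++polls, <, BSY_POLL_LIMIT /* placeholder: max status reads before failing */);
    } while (data & BSY);
    /* … unchanged: final DRDY/BSY assertions and ide_test_quit() … */
```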
SOURCES/kvm-json-parser-drop-superfluous-assignment-for-token-va.patch
New file
@@ -0,0 +1,97 @@
From 110f5902133db4e8a46c9cc18ed0d4ed2e99aec2 Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Jul 2016 07:34:59 +0200
Subject: [PATCH 01/16] json-parser: drop superfluous assignment for token
 variable
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <1469604913-12442-3-git-send-email-armbru@redhat.com>
Patchwork-id: 71470
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 01/15] json-parser: drop superfluous assignment for token variable
Bugzilla: 1276036
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
From: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit a491af471bf8f1188b2665f54d109065d4591e45)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 qobject/json-parser.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/qobject/json-parser.c b/qobject/json-parser.c
index e7947b3..fa09769 100644
--- a/qobject/json-parser.c
+++ b/qobject/json-parser.c
@@ -423,7 +423,6 @@ static QObject *parse_object(JSONParserContext *ctxt, va_list *ap)
     if (!token_is_operator(token, '{')) {
         goto out;
     }
-    token = NULL;
     dict = qdict_new();
@@ -449,7 +448,6 @@ static QObject *parse_object(JSONParserContext *ctxt, va_list *ap)
                 parse_error(ctxt, token, "expected separator in dict");
                 goto out;
             }
-            token = NULL;
             if (parse_pair(ctxt, dict, ap) == -1) {
                 goto out;
@@ -461,10 +459,8 @@ static QObject *parse_object(JSONParserContext *ctxt, va_list *ap)
                 goto out;
             }
         }
-        token = NULL;
     } else {
-        token = parser_context_pop_token(ctxt);
-        token = NULL;
+        (void)parser_context_pop_token(ctxt);
     }
     return QOBJECT(dict);
@@ -487,10 +483,8 @@ static QObject *parse_array(JSONParserContext *ctxt, va_list *ap)
     }
     if (!token_is_operator(token, '[')) {
-        token = NULL;
         goto out;
     }
-    token = NULL;
     list = qlist_new();
@@ -523,8 +517,6 @@ static QObject *parse_array(JSONParserContext *ctxt, va_list *ap)
                 goto out;
             }
-            token = NULL;
-
             obj = parse_value(ctxt, ap);
             if (obj == NULL) {
                 parse_error(ctxt, token, "expecting value");
@@ -539,11 +531,8 @@ static QObject *parse_array(JSONParserContext *ctxt, va_list *ap)
                 goto out;
             }
         }
-
-        token = NULL;
     } else {
-        token = parser_context_pop_token(ctxt);
-        token = NULL;
+        (void)parser_context_pop_token(ctxt);
     }
     return QOBJECT(list);
--
1.8.3.1
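Review bot: The new `(void)parser_context_pop_token(ctxt);` in parse_object and parse_array discards a token with no indication of who owns it, which reads like a leak to anyone who does not know the context retains it; a comment on both lines, `/* consume the closing bracket; ctxt owns the token, nothing to free here */`, would record the ownership the removed `token = NULL` lines used to hint at — assuming the context does keep ownership, which this hunk does not show. After the dropped reset in the second parse_array hunk, `parse_error(ctxt, token, "expecting value")` now reports the preceding token instead of NULL, which looks like an improvement but deserves a sentence in the description so it is not mistaken for an accident. Both functions start and end outside the hunks.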
SOURCES/kvm-json-streamer-Don-t-leak-tokens-on-incomplete-parse.patch
New file
@@ -0,0 +1,65 @@
From b3e87d63aec8631b853cb86a0736af41954769a4 Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Jul 2016 07:35:12 +0200
Subject: [PATCH 14/16] json-streamer: Don't leak tokens on incomplete parse
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <1469604913-12442-16-git-send-email-armbru@redhat.com>
Patchwork-id: 71477
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 14/15] json-streamer: Don't leak tokens on incomplete parse
Bugzilla: 1276036
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
From: Eric Blake <eblake@redhat.com>
Valgrind complained about a number of leaks in
tests/check-qobject-json:
==12657==    definitely lost: 17,247 bytes in 1,234 blocks
All of which had the same root cause: on an incomplete parse,
we were abandoning the token queue without cleaning up the
allocated data within each queue element.  Introduced in
commit 95385fe, when we switched from QList (which recursively
frees contents) to g_queue (which does not).
We don't yet require glib 2.32 with its g_queue_free_full(),
so open-code it instead.
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463608012-12760-1-git-send-email-eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit ba4dba54347d5062436a8553f527dbbed6dcf069)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 qobject/json-streamer.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index a4db4b8..3c7d6be 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -19,9 +19,15 @@
 #define MAX_TOKEN_COUNT (2ULL << 20)
 #define MAX_NESTING (1ULL << 10)
+static void json_message_free_token(void *token, void *opaque)
+{
+    g_free(token);
+}
+
 static void json_message_free_tokens(JSONMessageParser *parser)
 {
     if (parser->tokens) {
+        g_queue_foreach(parser->tokens, json_message_free_token, NULL);
         g_queue_free(parser->tokens);
         parser->tokens = NULL;
     }
--
1.8.3.1
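Review bot: json_message_free_token takes an unused `opaque` parameter purely to fit the GFunc signature g_queue_foreach expects, and nothing in the hunk says so; `/* GFunc adapter: frees one queued token; opaque is unused */` above it would stop a reader from "fixing" the signature. The description's reason for open-coding g_queue_free_full (glib 2.32 not yet required) belongs next to the foreach/free pair as well, `/* open-coded g_queue_free_full(): glib 2.32 is not required yet */`, so the pair can be collapsed once the minimum glib moves.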
SOURCES/kvm-json-streamer-fix-double-free-on-exiting-during-a-pa.patch
New file
@@ -0,0 +1,64 @@
From a781053c1b5084ba32b86229b98b9601c990722c Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Jul 2016 07:35:13 +0200
Subject: [PATCH 15/16] json-streamer: fix double-free on exiting during a
 parse
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <1469604913-12442-17-git-send-email-armbru@redhat.com>
Patchwork-id: 71484
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 15/15] json-streamer: fix double-free on exiting during a parse
Bugzilla: 1276036
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call.  To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.
Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 qobject/json-streamer.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 3c7d6be..7d041e1 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -38,6 +38,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input,
 {
     JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
     JSONToken *token;
+    GQueue *tokens;
     switch (type) {
     case JSON_LCURLY:
@@ -95,9 +96,12 @@ out_emit:
     /* send current list of tokens to parser and reset tokenizer */
     parser->brace_count = 0;
     parser->bracket_count = 0;
-    /* parser->emit takes ownership of parser->tokens.  */
-    parser->emit(parser, parser->tokens);
+    /* parser->emit takes ownership of parser->tokens.  Remove our own
+     * reference to parser->tokens before handing it out to parser->emit.
+     */
+    tokens = parser->tokens;
     parser->tokens = g_queue_new();
+    parser->emit(parser, tokens);
     parser->token_size = 0;
 }
--
1.8.3.1
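Review bot: `parser->token_size = 0;` still runs after `parser->emit(parser, tokens)`, yet the description says the emit callback may destroy the json-streamer object; if that destruction frees the JSONMessageParser itself rather than only its queue (not visible here), this store is a write to freed memory. Resetting the counter together with the queue swap, before the call, removes the question: move `parser->token_size = 0;` up to immediately after `parser->tokens = g_queue_new();`. The same reasoning already motivated the reordering the hunk makes for the queue.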
SOURCES/kvm-nbd-Always-call-close_fn-in-nbd_client_new.patch
New file
@@ -0,0 +1,112 @@
From 2efca7904a7a71d44bdf715208899e3bb29711df Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Thu, 10 Mar 2016 04:00:51 +0100
Subject: [PATCH 2/5] nbd: Always call "close_fn" in nbd_client_new
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1457582453-13835-2-git-send-email-famz@redhat.com>
Patchwork-id: 69757
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 1/3] nbd: Always call "close_fn" in nbd_client_new
Bugzilla: 1285453
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
Rename the parameter "close" to "close_fn" to disambiguous with
close(2).
This unifies error handling paths of NBDClient allocation:
nbd_client_new will shutdown the socket and call the "close_fn" callback
if negotiation failed, so the caller don't need a different path than
the normal close.
The returned pointer is never used, make it void in preparation for the
next patch.
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1452760863-25350-2-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ee7d7aabdaea4484e069cb99c9fc54e8cb24b56f)
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    include/block/nbd.h
    nbd.c
    qemu-nbd.c
* nbd_update_server_fd_handler not in downstream;
* Context around the changed line is different.
---
 include/block/nbd.h |  3 +--
 nbd.c               | 11 +++++------
 qemu-nbd.c          |  4 ++--
 3 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/include/block/nbd.h b/include/block/nbd.h
index c90f5e4..92e360e 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -92,8 +92,7 @@ NBDExport *nbd_export_find(const char *name);
 void nbd_export_set_name(NBDExport *exp, const char *name);
 void nbd_export_close_all(void);
-NBDClient *nbd_client_new(NBDExport *exp, int csock,
-                          void (*close)(NBDClient *));
+void nbd_client_new(NBDExport *exp, int csock, void (*close_fn)(NBDClient *));
 void nbd_client_close(NBDClient *client);
 void nbd_client_get(NBDClient *client);
 void nbd_client_put(NBDClient *client);
diff --git a/nbd.c b/nbd.c
index f258cdd..ba97270 100644
--- a/nbd.c
+++ b/nbd.c
@@ -1232,8 +1232,7 @@ static void nbd_restart_write(void *opaque)
     qemu_coroutine_enter(client->send_coroutine, NULL);
 }
-NBDClient *nbd_client_new(NBDExport *exp, int csock,
-                          void (*close)(NBDClient *))
+void nbd_client_new(NBDExport *exp, int csock, void (*close_fn)(NBDClient *))
 {
     NBDClient *client;
     client = g_malloc0(sizeof(NBDClient));
@@ -1241,10 +1240,11 @@ NBDClient *nbd_client_new(NBDExport *exp, int csock,
     client->exp = exp;
     client->sock = csock;
     if (nbd_send_negotiate(client) < 0) {
-        g_free(client);
-        return NULL;
+        shutdown(client->sock, 2);
+        close_fn(client);
+        return;
     }
-    client->close = close;
+    client->close = close_fn;
     qemu_co_mutex_init(&client->send_lock);
     qemu_set_fd_handler2(csock, nbd_can_read, nbd_read, NULL, client);
@@ -1252,5 +1252,4 @@ NBDClient *nbd_client_new(NBDExport *exp, int csock,
         QTAILQ_INSERT_TAIL(&exp->clients, client, next);
         nbd_export_get(exp);
     }
-    return client;
 }
diff --git a/qemu-nbd.c b/qemu-nbd.c
index ff792ef..047dd49 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -297,9 +297,9 @@ static void nbd_accept(void *opaque)
         close(fd);
         return;
     }
-
-    if (fd >= 0 && nbd_client_new(exp, fd, nbd_client_closed)) {
+    if (fd >= 0) {
         nb_fds++;
+        nbd_client_new(exp, fd, nbd_client_closed);
     }
 }
--
1.8.3.1
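Review bot: In the nbd.c hunk the failure branch calls `shutdown(client->sock, 2)` with a magic number; `shutdown(client->sock, SHUT_RDWR)` says what it does and is what the constant exists for. The qemu-nbd.c hunk now increments nb_fds before nbd_client_new, so a failed negotiation relies on close_fn (nbd_client_closed) to balance the counter; that contract is only stated in the description, and a comment on the call, `/* on negotiation failure nbd_client_new() invokes nbd_client_closed(), which balances nb_fds */`, keeps the two files from drifting — assuming nbd_client_closed does decrement it, which is outside the hunk. Note that client->close is still unset when close_fn is invoked on the failure path, so any teardown code that reads it sees NULL.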
SOURCES/kvm-nbd-client_close-on-error-in-nbd_co_client_start.patch
New file
@@ -0,0 +1,50 @@
From c62e0877b191e5fba9b678bbd518a57c8fdf7099 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Thu, 10 Mar 2016 04:00:53 +0100
Subject: [PATCH 4/5] nbd: client_close on error in nbd_co_client_start
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1457582453-13835-4-git-send-email-famz@redhat.com>
Patchwork-id: 69759
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 3/3] nbd: client_close on error in nbd_co_client_start
Bugzilla: 1285453
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
From: Max Reitz <mreitz@redhat.com>
Use client_close() if an error in nbd_co_client_start() occurs instead
of manually inlining parts of it. This fixes an assertion error on the
server side if nbd_negotiate() fails.
Signed-off-by: Max Reitz <mreitz@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit d3780c2dce2c452759ee9d94f9d824cf14cc3ab8)
Signed-off-by: Fam Zheng <famz@redhat.com>
Downstream: client_close -> nbd_client_close.
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 nbd.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nbd.c b/nbd.c
index 97aeecb..c20e57e 100644
--- a/nbd.c
+++ b/nbd.c
@@ -1282,8 +1282,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
         nbd_export_get(exp);
     }
     if (nbd_negotiate(data)) {
-        shutdown(client->sock, 2);
-        client->close(client);
+        nbd_client_close(client);
         goto out;
     }
     qemu_co_mutex_init(&client->send_lock);
--
1.8.3.1
SOURCES/kvm-nbd-server-Coroutine-based-negotiation.patch
New file
@@ -0,0 +1,262 @@
From 2a68d801c63137c3d1fe9fa96f0193eb2d1576f5 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Thu, 10 Mar 2016 04:00:52 +0100
Subject: [PATCH 3/5] nbd-server: Coroutine based negotiation
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1457582453-13835-3-git-send-email-famz@redhat.com>
Patchwork-id: 69758
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 2/3] nbd-server: Coroutine based negotiation
Bugzilla: 1285453
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
Create a coroutine in nbd_client_new, so that nbd_send_negotiate doesn't
need qemu_set_block().
Handlers need to be set temporarily for csock fd in case the coroutine
yields during I/O.
With this, if the other end disappears in the middle of the negotiation,
we don't block the whole event loop.
To make the code clearer, unify all function names that belong to
negotiate, so they are less likely to be misused. This is important
because we rely on negotiation staying in main loop, as commented in
nbd_negotiate_read/write().
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1452760863-25350-4-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1a6245a5b0b4e8d822c739b403fc67c8a7bc8d12)
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    nbd.c
Downstream doesn't have new style protocol, and the code is not split.
The patch is redone.
---
 nbd.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 82 insertions(+), 24 deletions(-)
diff --git a/nbd.c b/nbd.c
index ba97270..97aeecb 100644
--- a/nbd.c
+++ b/nbd.c
@@ -167,6 +167,41 @@ ssize_t nbd_wr_sync(int fd, void *buffer, size_t size, bool do_read)
     return offset;
 }
+static void nbd_negotiate_continue(void *opaque)
+{
+    qemu_coroutine_enter(opaque, NULL);
+}
+
+static ssize_t read_sync(int fd, void *buffer, size_t size);
+static ssize_t write_sync(int fd, void *buffer, size_t size);
+
+static ssize_t nbd_negotiate_read(int fd, void *buffer, size_t size)
+{
+    ssize_t ret;
+
+    assert(qemu_in_coroutine());
+    /* Negotiation are always in main loop. */
+    qemu_set_fd_handler(fd, nbd_negotiate_continue, NULL,
+                        qemu_coroutine_self());
+    ret = read_sync(fd, buffer, size);
+    qemu_set_fd_handler(fd, NULL, NULL, NULL);
+    return ret;
+
+}
+
+static ssize_t nbd_negotiate_write(int fd, void *buffer, size_t size)
+{
+    ssize_t ret;
+
+    assert(qemu_in_coroutine());
+    /* Negotiation are always in main loop. */
+    qemu_set_fd_handler(fd, NULL, nbd_negotiate_continue,
+                        qemu_coroutine_self());
+    ret = write_sync(fd, buffer, size);
+    qemu_set_fd_handler(fd, NULL, NULL, NULL);
+    return ret;
+}
+
 static ssize_t read_sync(int fd, void *buffer, size_t size)
 {
     /* Sockets are kept in blocking mode in the negotiation phase.  After
@@ -280,7 +315,7 @@ int unix_socket_outgoing(const char *path)
 */
-static int nbd_receive_options(NBDClient *client)
+static coroutine_fn int nbd_negotiate_receive_options(NBDClient *client)
 {
     int csock = client->sock;
     char name[256];
@@ -297,7 +332,7 @@ static int nbd_receive_options(NBDClient *client)
      */
     rc = -EINVAL;
-    if (read_sync(csock, &tmp, sizeof(tmp)) != sizeof(tmp)) {
+    if (nbd_negotiate_read(csock, &tmp, sizeof(tmp)) != sizeof(tmp)) {
         LOG("read failed");
         goto fail;
     }
@@ -307,7 +342,7 @@ static int nbd_receive_options(NBDClient *client)
         goto fail;
     }
-    if (read_sync(csock, &magic, sizeof(magic)) != sizeof(magic)) {
+    if (nbd_negotiate_read(csock, &magic, sizeof(magic)) != sizeof(magic)) {
         LOG("read failed");
         goto fail;
     }
@@ -317,7 +352,7 @@ static int nbd_receive_options(NBDClient *client)
         goto fail;
     }
-    if (read_sync(csock, &tmp, sizeof(tmp)) != sizeof(tmp)) {
+    if (nbd_negotiate_read(csock, &tmp, sizeof(tmp)) != sizeof(tmp)) {
         LOG("read failed");
         goto fail;
     }
@@ -327,7 +362,7 @@ static int nbd_receive_options(NBDClient *client)
         goto fail;
     }
-    if (read_sync(csock, &length, sizeof(length)) != sizeof(length)) {
+    if (nbd_negotiate_read(csock, &length, sizeof(length)) != sizeof(length)) {
         LOG("read failed");
         goto fail;
     }
@@ -337,7 +372,7 @@ static int nbd_receive_options(NBDClient *client)
         LOG("Bad length received");
         goto fail;
     }
-    if (read_sync(csock, name, length) != length) {
+    if (nbd_negotiate_read(csock, name, length) != length) {
         LOG("read failed");
         goto fail;
     }
@@ -358,8 +393,14 @@ fail:
     return rc;
 }
-static int nbd_send_negotiate(NBDClient *client)
+typedef struct {
+    NBDClient *client;
+    Coroutine *co;
+} NBDClientNewData;
+
+static coroutine_fn int nbd_negotiate(NBDClientNewData *data)
 {
+    NBDClient *client = data->client;
     int csock = client->sock;
     char buf[8 + 8 + 8 + 128];
     int rc;
@@ -385,7 +426,6 @@ static int nbd_send_negotiate(NBDClient *client)
         [28 .. 151]   reserved     (0)
      */
-    qemu_set_block(csock);
     rc = -EINVAL;
     TRACE("Beginning negotiation.");
@@ -401,16 +441,16 @@ static int nbd_send_negotiate(NBDClient *client)
     }
     if (client->exp) {
-        if (write_sync(csock, buf, sizeof(buf)) != sizeof(buf)) {
+        if (nbd_negotiate_write(csock, buf, sizeof(buf)) != sizeof(buf)) {
             LOG("write failed");
             goto fail;
         }
     } else {
-        if (write_sync(csock, buf, 18) != 18) {
+        if (nbd_negotiate_write(csock, buf, 18) != 18) {
             LOG("write failed");
             goto fail;
         }
-        rc = nbd_receive_options(client);
+        rc = nbd_negotiate_receive_options(client);
         if (rc < 0) {
             LOG("option negotiation failed");
             goto fail;
@@ -419,7 +459,8 @@ static int nbd_send_negotiate(NBDClient *client)
         assert ((client->exp->nbdflags & ~65535) == 0);
         cpu_to_be64w((uint64_t*)(buf + 18), client->exp->size);
         cpu_to_be16w((uint16_t*)(buf + 26), client->exp->nbdflags | myflags);
-        if (write_sync(csock, buf + 18, sizeof(buf) - 18) != sizeof(buf) - 18) {
+        if (nbd_negotiate_write(csock, buf + 18,
+                                sizeof(buf) - 18) != sizeof(buf) - 18) {
             LOG("write failed");
             goto fail;
         }
@@ -428,7 +469,6 @@ static int nbd_send_negotiate(NBDClient *client)
     TRACE("Negotiation succeeded.");
     rc = 0;
 fail:
-    qemu_set_nonblock(csock);
     return rc;
 }
@@ -1232,24 +1272,42 @@ static void nbd_restart_write(void *opaque)
     qemu_coroutine_enter(client->send_coroutine, NULL);
 }
+static coroutine_fn void nbd_co_client_start(void *opaque)
+{
+    NBDClientNewData *data = opaque;
+    NBDClient *client = data->client;
+    NBDExport *exp = client->exp;
+
+    if (exp) {
+        nbd_export_get(exp);
+    }
+    if (nbd_negotiate(data)) {
+        shutdown(client->sock, 2);
+        client->close(client);
+        goto out;
+    }
+    qemu_co_mutex_init(&client->send_lock);
+    qemu_set_fd_handler2(client->sock, nbd_can_read, nbd_read, NULL, client);
+
+    if (exp) {
+        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
+    }
+out:
+    g_free(data);
+}
+
 void nbd_client_new(NBDExport *exp, int csock, void (*close_fn)(NBDClient *))
 {
     NBDClient *client;
+    NBDClientNewData *data = g_new(NBDClientNewData, 1);
+
     client = g_malloc0(sizeof(NBDClient));
     client->refcount = 1;
     client->exp = exp;
     client->sock = csock;
-    if (nbd_send_negotiate(client) < 0) {
-        shutdown(client->sock, 2);
-        close_fn(client);
-        return;
-    }
     client->close = close_fn;
-    qemu_co_mutex_init(&client->send_lock);
-    qemu_set_fd_handler2(csock, nbd_can_read, nbd_read, NULL, client);
-    if (exp) {
-        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
-        nbd_export_get(exp);
-    }
+    data->client = client;
+    data->co = qemu_coroutine_create(nbd_co_client_start);
+    qemu_coroutine_enter(data->co, data);
 }
--
1.8.3.1
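Review bot: nbd_co_client_start takes `nbd_export_get(exp)` before negotiation but only does `QTAILQ_INSERT_TAIL(&exp->clients, client, next)` after it succeeds, so on the failure branch the client holds an export reference while not being on exp->clients; whatever `client->close(client)` tears down (outside this hunk) must then put the export without removing the client from the list, or the get should sit next to the insert as the replaced code had it. The comment kept at the top of read_sync, `Sockets are kept in blocking mode in the negotiation phase`, is now stale because this hunk removes the qemu_set_block()/qemu_set_nonblock() pair around negotiation; with a still-blocking fd the handlers installed by nbd_negotiate_read/write never get to run, which the later nbd-server-Set-O_NONBLOCK patch in this import addresses, so the comment should say that negotiation runs in a coroutine that yields through those handlers. A stray blank line also precedes the closing brace of nbd_negotiate_read.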
SOURCES/kvm-nbd-server-Set-O_NONBLOCK-on-client-fd.patch
New file
@@ -0,0 +1,44 @@
From e36a5a8613df42339773ebf48e07d063ad7484e8 Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Mon, 5 Sep 2016 01:18:15 +0200
Subject: [PATCH] nbd-server: Set O_NONBLOCK on client fd
RH-Author: Fam Zheng <famz@redhat.com>
Message-id: <1473038295-7193-1-git-send-email-famz@redhat.com>
Patchwork-id: 72141
O-Subject: [RHEL-7.3 qemu-kvm PATCH] nbd-server: Set O_NONBLOCK on client fd
Bugzilla: 1285453
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
Upstream: upstream uses IO channels that is not present in downstream.
Backporting that deserves a separate and deliberate justification BZ,
for 7.4.
Even with 2a68d80 (nbd-server: Coroutine based negotiation), QEMU still
hangs when the client hangs, because recvmsg() on the socket fd blocks. Set
O_NONBLOCK on the fd to fix this.
Analyzed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 nbd.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nbd.c b/nbd.c
index c20e57e..8a32e18 100644
--- a/nbd.c
+++ b/nbd.c
@@ -1281,6 +1281,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
     if (exp) {
         nbd_export_get(exp);
     }
+    qemu_set_nonblock(client->sock);
     if (nbd_negotiate(data)) {
         nbd_client_close(client);
         goto out;
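Review bot: The new `qemu_set_nonblock(client->sock)` carries no comment explaining why the mode must be set here, and a later reader could move or drop it without noticing that the coroutine-based negotiation depends on it. I would add `/* Negotiation runs in a coroutine; a blocking fd would stall the main loop in recvmsg. */` above the call, and consider placing it in nbd_client_new before the coroutine is entered so every path that touches the fd sees the same mode. nbd_co_client_start starts before and ends after this hunk.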
--
1.8.3.1
SOURCES/kvm-net-Make-qmp_query_rx_filter-with-name-argument-more.patch
New file
@@ -0,0 +1,47 @@
From 9c2a6798c053cec989e02935e810a0d239fb493c Mon Sep 17 00:00:00 2001
From: Vlad Yasevich <vyasevic@redhat.com>
Date: Wed, 16 Dec 2015 02:59:35 +0100
Subject: [PATCH 1/2] net: Make qmp_query_rx_filter() with name argument more
 obvious
RH-Author: Vlad Yasevich <vyasevic@redhat.com>
Message-id: <1450234776-7779-2-git-send-email-vyasevic@redhat.com>
Patchwork-id: 68620
O-Subject: [RHEL7.3 qemu-kvm PATCH 1/2] net: Make qmp_query_rx_filter() with name argument more obvious
Bugzilla: 1269738
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: Markus Armbruster <armbru@redhat.com>
With a client name, the QMP command is specified to return a list of
one element.  This isn't locally obvious in the code.  Make it so.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 638fb14169ad96cf9bc0dd5f61460daaecee5bb1)
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 net/net.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/net.c b/net/net.c
index a8c49fc..0be50a0 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1000,6 +1000,10 @@ RxFilterInfoList *qmp_query_rx_filter(bool has_name, const char *name,
                        " rx-filter querying", name);
             break;
         }
+
+        if (has_name) {
+            break;
+        }
     }
     if (filter_list == NULL && !error_is_set(errp) && has_name) {
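Review bot: The added `if (has_name) { break; }` sits at the end of the loop body, so it only yields the intended "list of one element" because a name mismatch is skipped by an earlier `continue` that is outside this hunk; the dependency is not obvious at the break itself. A one-line comment would make the intent local, e.g. `/* A named query returns at most one entry; stop after the match. */`. qmp_query_rx_filter's body starts and ends outside the hunk.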
--
1.8.3.1
SOURCES/kvm-pc-set-the-OEM-fields-in-the-RSDT-and-the-FADT-from-.patch
New file
@@ -0,0 +1,133 @@
From 607904cf94b1dee91c74522aedebda308ffba93d Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 11 May 2016 12:33:48 +0200
Subject: [PATCH 09/10] pc: set the OEM fields in the RSDT and the FADT from
 the SLIC
RH-Author: Laszlo Ersek <lersek@redhat.com>
Message-id: <1462970028-10959-8-git-send-email-lersek@redhat.com>
Patchwork-id: 70384
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 7/7] pc: set the OEM fields in the RSDT and the FADT from the SLIC
Bugzilla: 1330969
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
The Microsoft spec about the SLIC and MSDM ACPI tables at
<http://go.microsoft.com/fwlink/p/?LinkId=234834> requires the OEM ID and
OEM Table ID fields to be consistent between the SLIC and the RSDT/XSDT.
That further affects the FADT, because a similar match between the FADT
and the RSDT/XSDT is required by the ACPI spec in general.
This patch wires up the previous three patches.
Cc: "Michael S. Tsirkin" <mst@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Igor Mammedov <imammedo@redhat.com> (supporter:ACPI/SMBIOS)
Cc: Paolo Bonzini <pbonzini@redhat.com> (maintainer:X86)
Cc: Richard W.M. Jones <rjones@redhat.com>
Cc: Aleksei Kovura <alex3kov@zoho.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Cc: Steven Newbury <steve@snewbury.org.uk>
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1248758
LP: https://bugs.launchpad.net/qemu/+bug/1533848
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Steven Newbury <steve@snewbury.org.uk>
(cherry picked from commit ae12374951f07157f7a52c8d848b90f8eec722fb)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
    hw/i386/acpi-build.c
RHEL-7 backport note: conflict due to downstream lacking 7c2c1fa5f428
("pc: acpi: use local var for accessing ACPI tables blob in
acpi_build()").
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 hw/i386/acpi-build.c | 13 +++++++++----
 qemu-options.hx      |  4 ++++
 2 files changed, 13 insertions(+), 4 deletions(-)
---
 hw/i386/acpi-build.c | 13 +++++++++----
 qemu-options.hx      |  4 ++++
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index d9433e6..85291f5 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -511,7 +511,8 @@ static void fadt_setup(AcpiFadtDescriptorRev1 *fadt, AcpiPmInfo *pm)
 /* FADT */
 static void
 build_fadt(GArray *table_data, GArray *linker, AcpiPmInfo *pm,
-           unsigned facs, unsigned dsdt)
+           unsigned facs, unsigned dsdt,
+           const char *oem_id, const char *oem_table_id)
 {
     AcpiFadtDescriptorRev1 *fadt = acpi_data_push(table_data, sizeof(*fadt));
@@ -532,7 +533,7 @@ build_fadt(GArray *table_data, GArray *linker, AcpiPmInfo *pm,
     fadt_setup(fadt, pm);
     build_header(linker, table_data,
-                 (void *)fadt, "FACP", sizeof(*fadt), 1, NULL, NULL);
+                 (void *)fadt, "FACP", sizeof(*fadt), 1, oem_id, oem_table_id);
 }
 static void
@@ -1065,6 +1066,7 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     AcpiMcfgInfo mcfg;
     PcPciInfo pci;
     uint8_t *u;
+    AcpiSlicOem slic_oem = { .id = NULL, .table_id = NULL };
     acpi_get_cpu_info(&cpu);
     acpi_get_pm_info(&pm);
@@ -1072,6 +1074,7 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     acpi_get_hotplug_info(&misc);
     acpi_get_misc_info(&misc);
     acpi_get_pci_info(&pci);
+    acpi_get_slic_oem(&slic_oem);
     table_offsets = g_array_new(false, true /* clear */,
                                         sizeof(uint32_t));
@@ -1095,7 +1098,8 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     /* ACPI tables pointed to by RSDT */
     acpi_add_table(table_offsets, tables->table_data);
-    build_fadt(tables->table_data, tables->linker, &pm, facs, dsdt);
+    build_fadt(tables->table_data, tables->linker, &pm, facs, dsdt,
+               slic_oem.id, slic_oem.table_id);
     acpi_add_table(table_offsets, tables->table_data);
     build_ssdt(tables->table_data, tables->linker, &cpu, &pm, &misc, &pci,
@@ -1127,7 +1131,8 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     /* RSDT is pointed to by RSDP */
     rsdt = tables->table_data->len;
-    build_rsdt(tables->table_data, tables->linker, table_offsets, NULL, NULL);
+    build_rsdt(tables->table_data, tables->linker, table_offsets,
+               slic_oem.id, slic_oem.table_id);
     /* RSDP is in FSEG memory, so allocate it separately */
     build_rsdp(tables->rsdp, tables->linker, rsdt);
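Review bot: The OEM strings forwarded here to build_rsdt (and to build_fadt in the earlier hunk) originate from a user-supplied SLIC table according to the qemu-options.hx text, and the ACPI header fields they populate are fixed-width (6 and 8 bytes) with no terminator; build_header is outside this patch, so confirm that it bounds the copy to the field width and tolerates a short or unterminated id rather than assuming NUL-terminated input. `acpi_get_slic_oem(&slic_oem)` is called without checking a result, so if it can fail, the `{ .id = NULL, .table_id = NULL }` initializer is presumably what keeps the later calls on the same path the old `NULL, NULL` arguments took; a comment at the initializer would record that, e.g. `/* NULL ids keep the previous default OEM fields when no SLIC is supplied. */`. acpi_build's body starts and ends outside this hunk.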
diff --git a/qemu-options.hx b/qemu-options.hx
index 62c3e06..24ffab6 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1295,6 +1295,10 @@ ACPI headers (possible overridden by other options).
 For data=, only data
 portion of the table is used, all header information is specified in the
 command line.
+If a SLIC table is supplied to QEMU, then the SLIC's oem_id and oem_table_id
+fields will override the same in the RSDT and the FADT (a.k.a. FACP), in order
+to ensure the field matches required by the Microsoft SLIC spec and the ACPI
+spec.
 ETEXI
 DEF("smbios", HAS_ARG, QEMU_OPTION_smbios,
--
1.8.3.1
SOURCES/kvm-qemu-io-Check-for-trailing-chars.patch
New file
@@ -0,0 +1,59 @@
From 362faad8e8f4c2c2c875df12f6bbae7964c0146d Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Mon, 23 Nov 2015 17:38:38 +0100
Subject: [PATCH 19/27] qemu-io: Check for trailing chars
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1448300320-7772-20-git-send-email-jsnow@redhat.com>
Patchwork-id: 68449
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 19/21] qemu-io: Check for trailing chars
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
Make sure there's no trailing garbage, e.g.
"64k-whatever-i-want-here"
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit ef5a788527b2038d742b057a415ab4d0e735e98f)
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
  qemu-io-cmds.c:
    - Downstream still uses strtosz_suffix, not
      qemu_strtosz_suffix.
Signed-off-by: John Snow <jsnow@redhat.com>
---
 qemu-io-cmds.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
index 95345fe..6ea027d 100644
--- a/qemu-io-cmds.c
+++ b/qemu-io-cmds.c
@@ -124,7 +124,14 @@ static char **breakline(char *input, int *count)
 static int64_t cvtnum(const char *s)
 {
     char *end;
-    return strtosz_suffix(s, &end, STRTOSZ_DEFSUFFIX_B);
+    int64_t ret;
+
+    ret = strtosz_suffix(s, &end, STRTOSZ_DEFSUFFIX_B);
+    if (*end != '\0') {
+        /* Detritus at the end of the string */
+        return -EINVAL;
+    }
+    return ret;
 }
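Review bot: The trailing-character test runs even when strtosz_suffix has already reported an error, so a negative `ret` such as -ERANGE is replaced by -EINVAL whenever `end` stops before the terminator; since the following patch on this page (print_cvtnum_err) distinguishes the two codes, it is worth preserving the original one by returning early, `if (ret < 0) { return ret; }`, before the `*end` check. A header comment would also help callers, e.g. `/* Parse a size with optional suffix; any trailing characters yield -EINVAL. */`.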
 #define EXABYTES(x)     ((long long)(x) << 60)
--
1.8.3.1
SOURCES/kvm-qemu-io-Correct-error-messages.patch
New file
@@ -0,0 +1,218 @@
From 8adbd2914ccd44e0b1766690b514bda213b88740 Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Mon, 23 Nov 2015 17:38:39 +0100
Subject: [PATCH 20/27] qemu-io: Correct error messages
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1448300320-7772-21-git-send-email-jsnow@redhat.com>
Patchwork-id: 68446
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 20/21] qemu-io: Correct error messages
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a9ecfa004f2dd83df612daac4a87dfc3a0feba28)
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
  qemu-io-cmds.c:
    - Fixes to sigraise are not backported.
Signed-off-by: John Snow <jsnow@redhat.com>
---
 qemu-io-cmds.c | 51 +++++++++++++++++++++++++++++++++------------------
 1 file changed, 33 insertions(+), 18 deletions(-)
diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
index 6ea027d..b41d6ee 100644
--- a/qemu-io-cmds.c
+++ b/qemu-io-cmds.c
@@ -134,6 +134,21 @@ static int64_t cvtnum(const char *s)
     return ret;
 }
+static void print_cvtnum_err(int64_t rc, const char *arg)
+{
+    switch (rc) {
+    case -EINVAL:
+        printf("Parsing error: non-numeric argument,"
+               " or extraneous/unrecognized suffix -- %s\n", arg);
+        break;
+    case -ERANGE:
+        printf("Parsing error: argument too large -- %s\n", arg);
+        break;
+    default:
+        printf("Parsing error: %s\n", arg);
+    }
+}
+
 #define EXABYTES(x)     ((long long)(x) << 60)
 #define PETABYTES(x)    ((long long)(x) << 50)
 #define TERABYTES(x)    ((long long)(x) << 40)
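Review bot: print_cvtnum_err lacks a comment stating that `rc` is the negative errno returned by cvtnum, and its `default:` branch drops the code entirely, so an unexpected error prints only the argument with no cause. Consider `printf("Parsing error: %s -- %s\n", strerror(-rc), arg);` in the default case so the errno text is kept, and a header comment such as `/* Report a cvtnum() failure for argument arg; rc is the negative errno it returned. */`. Printing to stdout matches the rest of the file, so that part is consistent.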
@@ -355,13 +370,13 @@ create_iovec(BlockDriverState *bs, QEMUIOVector *qiov, char **argv, int nr_iov,
         len = cvtnum(arg);
         if (len < 0) {
-            printf("non-numeric length argument -- %s\n", arg);
+            print_cvtnum_err(len, arg);
             goto fail;
         }
         /* should be SIZE_T_MAX, but that doesn't exist */
         if (len > INT_MAX) {
-            printf("too large length argument -- %s\n", arg);
+            printf("Argument '%s' exceeds maximum size %d\n", arg, INT_MAX);
             goto fail;
         }
@@ -688,7 +703,7 @@ static int read_f(BlockDriverState *bs, int argc, char **argv)
             lflag = 1;
             pattern_count = cvtnum(optarg);
             if (pattern_count < 0) {
-                printf("non-numeric length argument -- %s\n", optarg);
+                print_cvtnum_err(pattern_count, optarg);
                 return 0;
             }
             break;
@@ -709,7 +724,7 @@ static int read_f(BlockDriverState *bs, int argc, char **argv)
             sflag = 1;
             pattern_offset = cvtnum(optarg);
             if (pattern_offset < 0) {
-                printf("non-numeric length argument -- %s\n", optarg);
+                print_cvtnum_err(pattern_offset, optarg);
                 return 0;
             }
             break;
@@ -732,14 +747,14 @@ static int read_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[optind]);
     if (offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(offset, argv[optind]);
         return 0;
     }
     optind++;
     count = cvtnum(argv[optind]);
     if (count < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(count, argv[optind]);
         return 0;
     } else if (count > SIZE_MAX) {
         printf("length cannot exceed %" PRIu64 ", given %s\n",
@@ -894,7 +909,7 @@ static int readv_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[optind]);
     if (offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(offset, argv[optind]);
         return 0;
     }
     optind++;
@@ -1043,14 +1058,14 @@ static int write_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[optind]);
     if (offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(offset, argv[optind]);
         return 0;
     }
     optind++;
     count = cvtnum(argv[optind]);
     if (count < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(count, argv[optind]);
         return 0;
     } else if (count > SIZE_MAX) {
         printf("length cannot exceed %" PRIu64 ", given %s\n",
@@ -1179,7 +1194,7 @@ static int writev_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[optind]);
     if (offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(offset, argv[optind]);
         return 0;
     }
     optind++;
@@ -1306,7 +1321,7 @@ static int multiwrite_f(BlockDriverState *bs, int argc, char **argv)
         /* Read the offset of the request */
         offset = cvtnum(argv[optind]);
         if (offset < 0) {
-            printf("non-numeric offset argument -- %s\n", argv[optind]);
+            print_cvtnum_err(offset, argv[optind]);
             goto out;
         }
         optind++;
@@ -1526,7 +1541,7 @@ static int aio_read_f(BlockDriverState *bs, int argc, char **argv)
     ctx->offset = cvtnum(argv[optind]);
     if (ctx->offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(ctx->offset, argv[optind]);
         g_free(ctx);
         return 0;
     }
@@ -1618,7 +1633,7 @@ static int aio_write_f(BlockDriverState *bs, int argc, char **argv)
     ctx->offset = cvtnum(argv[optind]);
     if (ctx->offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(ctx->offset, argv[optind]);
         g_free(ctx);
         return 0;
     }
@@ -1676,7 +1691,7 @@ static int truncate_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[1]);
     if (offset < 0) {
-        printf("non-numeric truncate argument -- %s\n", argv[1]);
+        print_cvtnum_err(offset, argv[1]);
         return 0;
     }
@@ -1822,14 +1837,14 @@ static int discard_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[optind]);
     if (offset < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(offset, argv[optind]);
         return 0;
     }
     optind++;
     count = cvtnum(argv[optind]);
     if (count < 0) {
-        printf("non-numeric length argument -- %s\n", argv[optind]);
+        print_cvtnum_err(count, argv[optind]);
         return 0;
     } else if (count >> BDRV_SECTOR_BITS > INT_MAX) {
         printf("length cannot exceed %"PRIu64", given %s\n",
@@ -1867,7 +1882,7 @@ static int alloc_f(BlockDriverState *bs, int argc, char **argv)
     offset = cvtnum(argv[1]);
     if (offset < 0) {
-        printf("non-numeric offset argument -- %s\n", argv[1]);
+        print_cvtnum_err(offset, argv[1]);
         return 0;
     } else if (offset & 0x1ff) {
         printf("offset %" PRId64 " is not sector aligned\n",
@@ -1878,7 +1893,7 @@ static int alloc_f(BlockDriverState *bs, int argc, char **argv)
     if (argc == 3) {
         nb_sectors = cvtnum(argv[2]);
         if (nb_sectors < 0) {
-            printf("non-numeric length argument -- %s\n", argv[2]);
+            print_cvtnum_err(nb_sectors, argv[2]);
             return 0;
         } else if (nb_sectors > INT_MAX) {
             printf("length argument cannot exceed %d, given %s\n",
--
1.8.3.1
SOURCES/kvm-qemu-io-Don-t-use-global-bs-in-command-implementatio.patch
New file
@@ -0,0 +1,737 @@
From 2653e21a25d8fb99479337c785e81b07f755acda Mon Sep 17 00:00:00 2001
From: John Snow <jsnow@redhat.com>
Date: Mon, 23 Nov 2015 17:38:24 +0100
Subject: [PATCH 05/27] qemu-io: Don't use global bs in command implementations
RH-Author: John Snow <jsnow@redhat.com>
Message-id: <1448300320-7772-6-git-send-email-jsnow@redhat.com>
Patchwork-id: 68433
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 05/21] qemu-io: Don't use global bs in command implementations
Bugzilla: 1272523
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
Pass in the BlockDriverState to the command handlers instead of using
the global variable. This is an important step to make the commands
usable outside of qemu-io.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 734c3b85cb72d264ad2b38a87f30304e05de2cb1)
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Conflicts:
  qemu-io.c
    Number of arguments to bdrv_co_write_zeroes
    bdrv_unref used downstream instead of bdrv_delete
    downstream, local_err used for bdrv_open
    downstream, error_abort used for bdrv_new
    map_is_allocated was never backported from a00e81e98f71
    sleep_f was backported, adjust its signature
Signed-off-by: John Snow <jsnow@redhat.com>
---
 cmd.c     |   6 ++-
 cmd.h     |   8 ++-
 qemu-io.c | 164 ++++++++++++++++++++++++++++++++++----------------------------
 3 files changed, 99 insertions(+), 79 deletions(-)
diff --git a/cmd.c b/cmd.c
index 214c6f7..d501aab 100644
--- a/cmd.c
+++ b/cmd.c
@@ -57,7 +57,7 @@ check_command(
     const cmdinfo_t    *ci)
 {
     if (check_func)
-        return check_func(ci);
+        return check_func(qemuio_bs, ci);
     return 1;
 }
@@ -103,7 +103,7 @@ command(
         return 0;
     }
     optind = 0;
-    return ct->cfunc(argc, argv);
+    return ct->cfunc(qemuio_bs, argc, argv);
 }
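Review bot: command() still resolves the BlockDriverState from the global `qemuio_bs` when calling `ct->cfunc`, and check_command() does the same in the previous hunk, so while every handler now receives `bs` as a parameter the dispatch layer remains tied to the global; if the aim is to make the commands usable outside qemu-io as the description says, the caller should supply it, e.g. `int command(BlockDriverState *bs, const cmdinfo_t *ct, int argc, char **argv)`, after which `qemuio_bs` could return to being private to qemu-io.c. The bodies of both functions start outside their hunks, so I cannot see whether anything else in them still reaches for the global.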
 const cmdinfo_t *
@@ -452,6 +452,7 @@ static cmdinfo_t quit_cmd;
 /* ARGSUSED */
 static int
 quit_f(
+    BlockDriverState *bs,
     int    argc,
     char    **argv)
 {
@@ -490,6 +491,7 @@ help_all(void)
 static int
 help_f(
+    BlockDriverState *bs,
     int        argc,
     char        **argv)
 {
diff --git a/cmd.h b/cmd.h
index 4dcfe88..ccf6336 100644
--- a/cmd.h
+++ b/cmd.h
@@ -17,9 +17,13 @@
 #ifndef __COMMAND_H__
 #define __COMMAND_H__
+#include "qemu-common.h"
+
 #define CMD_FLAG_GLOBAL    ((int)0x80000000)    /* don't iterate "args" */
-typedef int (*cfunc_t)(int argc, char **argv);
+extern BlockDriverState *qemuio_bs;
+
+typedef int (*cfunc_t)(BlockDriverState *bs, int argc, char **argv);
 typedef void (*helpfunc_t)(void);
 typedef struct cmdinfo {
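Review bot: `#include "qemu-common.h"` is pulled into cmd.h only so the two function-pointer typedefs can spell BlockDriverState, which makes every includer of cmd.h pay for that header; a forward declaration of the struct would suffice unless the project's typedef header already provides the name, which I cannot see from here. The new `extern BlockDriverState *qemuio_bs;` also has no comment saying what it is and who sets it; something like `/* Image opened by qemu-io; check_command()/command() hand it to every handler. */` would keep the contract visible in the header.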
@@ -41,7 +45,7 @@ extern int        ncmds;
 void help_init(void);
 void quit_init(void);
-typedef int (*checkfunc_t)(const cmdinfo_t *ci);
+typedef int (*checkfunc_t)(BlockDriverState *bs, const cmdinfo_t *ci);
 void add_command(const cmdinfo_t *ci);
 void add_user_command(char *optarg);
diff --git a/qemu-io.c b/qemu-io.c
index e4fa2fc..c3cc4f3 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -29,8 +29,8 @@
 #define CMD_NOFILE_OK   0x01
 char *progname;
-static BlockDriverState *bs;
+BlockDriverState *qemuio_bs;
 static int misalign;
 static int64_t cvtnum(const char *s)
@@ -67,7 +67,7 @@ static int parse_pattern(const char *arg)
  */
 #define MISALIGN_OFFSET     16
-static void *qemu_io_alloc(size_t len, int pattern)
+static void *qemu_io_alloc(BlockDriverState *bs, size_t len, int pattern)
 {
     void *buf;
@@ -140,7 +140,8 @@ static void print_report(const char *op, struct timeval *t, int64_t offset,
  * vector matching it.
  */
 static void *
-create_iovec(QEMUIOVector *qiov, char **argv, int nr_iov, int pattern)
+create_iovec(BlockDriverState *bs, QEMUIOVector *qiov, char **argv, int nr_iov,
+             int pattern)
 {
     size_t *sizes = g_new0(size_t, nr_iov);
     size_t count = 0;
@@ -176,7 +177,7 @@ create_iovec(QEMUIOVector *qiov, char **argv, int nr_iov, int pattern)
     qemu_iovec_init(qiov, nr_iov);
-    buf = p = qemu_io_alloc(count, pattern);
+    buf = p = qemu_io_alloc(bs, count, pattern);
     for (i = 0; i < nr_iov; i++) {
         qemu_iovec_add(qiov, p, sizes[i]);
@@ -188,7 +189,8 @@ fail:
     return buf;
 }
-static int do_read(char *buf, int64_t offset, int count, int *total)
+static int do_read(BlockDriverState *bs, char *buf, int64_t offset, int count,
+                   int *total)
 {
     int ret;
@@ -200,7 +202,8 @@ static int do_read(char *buf, int64_t offset, int count, int *total)
     return 1;
 }
-static int do_write(char *buf, int64_t offset, int count, int *total)
+static int do_write(BlockDriverState *bs, char *buf, int64_t offset, int count,
+                    int *total)
 {
     int ret;
@@ -212,7 +215,8 @@ static int do_write(char *buf, int64_t offset, int count, int *total)
     return 1;
 }
-static int do_pread(char *buf, int64_t offset, int count, int *total)
+static int do_pread(BlockDriverState *bs, char *buf, int64_t offset, int count,
+                    int *total)
 {
     *total = bdrv_pread(bs, offset, (uint8_t *)buf, count);
     if (*total < 0) {
@@ -221,7 +225,8 @@ static int do_pread(char *buf, int64_t offset, int count, int *total)
     return 1;
 }
-static int do_pwrite(char *buf, int64_t offset, int count, int *total)
+static int do_pwrite(BlockDriverState *bs, char *buf, int64_t offset, int count,
+                     int *total)
 {
     *total = bdrv_pwrite(bs, offset, (uint8_t *)buf, count);
     if (*total < 0) {
@@ -231,6 +236,7 @@ static int do_pwrite(char *buf, int64_t offset, int count, int *total)
 }
 typedef struct {
+    BlockDriverState *bs;
     int64_t offset;
     int count;
     int *total;
@@ -242,7 +248,7 @@ static void coroutine_fn co_write_zeroes_entry(void *opaque)
 {
     CoWriteZeroes *data = opaque;
-    data->ret = bdrv_co_write_zeroes(bs, data->offset / BDRV_SECTOR_SIZE,
+    data->ret = bdrv_co_write_zeroes(data->bs, data->offset / BDRV_SECTOR_SIZE,
                                      data->count / BDRV_SECTOR_SIZE, 0);
     data->done = true;
     if (data->ret < 0) {
@@ -253,10 +259,12 @@ static void coroutine_fn co_write_zeroes_entry(void *opaque)
     *data->total = data->count;
 }
-static int do_co_write_zeroes(int64_t offset, int count, int *total)
+static int do_co_write_zeroes(BlockDriverState *bs, int64_t offset, int count,
+                              int *total)
 {
     Coroutine *co;
     CoWriteZeroes data = {
+        .bs     = bs,
         .offset = offset,
         .count  = count,
         .total  = total,
@@ -275,7 +283,8 @@ static int do_co_write_zeroes(int64_t offset, int count, int *total)
     }
 }
-static int do_write_compressed(char *buf, int64_t offset, int count, int *total)
+static int do_write_compressed(BlockDriverState *bs, char *buf, int64_t offset,
+                               int count, int *total)
 {
     int ret;
@@ -287,7 +296,8 @@ static int do_write_compressed(char *buf, int64_t offset, int count, int *total)
     return 1;
 }
-static int do_load_vmstate(char *buf, int64_t offset, int count, int *total)
+static int do_load_vmstate(BlockDriverState *bs, char *buf, int64_t offset,
+                           int count, int *total)
 {
     *total = bdrv_load_vmstate(bs, (uint8_t *)buf, offset, count);
     if (*total < 0) {
@@ -296,7 +306,8 @@ static int do_load_vmstate(char *buf, int64_t offset, int count, int *total)
     return 1;
 }
-static int do_save_vmstate(char *buf, int64_t offset, int count, int *total)
+static int do_save_vmstate(BlockDriverState *bs, char *buf, int64_t offset,
+                           int count, int *total)
 {
     *total = bdrv_save_vmstate(bs, (uint8_t *)buf, offset, count);
     if (*total < 0) {
@@ -311,7 +322,8 @@ static void aio_rw_done(void *opaque, int ret)
     *(int *)opaque = ret;
 }
-static int do_aio_readv(QEMUIOVector *qiov, int64_t offset, int *total)
+static int do_aio_readv(BlockDriverState *bs, QEMUIOVector *qiov,
+                        int64_t offset, int *total)
 {
     int async_ret = NOT_DONE;
@@ -325,7 +337,8 @@ static int do_aio_readv(QEMUIOVector *qiov, int64_t offset, int *total)
     return async_ret < 0 ? async_ret : 1;
 }
-static int do_aio_writev(QEMUIOVector *qiov, int64_t offset, int *total)
+static int do_aio_writev(BlockDriverState *bs, QEMUIOVector *qiov,
+                         int64_t offset, int *total)
 {
     int async_ret = NOT_DONE;
@@ -354,7 +367,8 @@ static void multiwrite_cb(void *opaque, int ret)
     }
 }
-static int do_aio_multiwrite(BlockRequest* reqs, int num_reqs, int *total)
+static int do_aio_multiwrite(BlockDriverState *bs, BlockRequest* reqs,
+                             int num_reqs, int *total)
 {
     int i, ret;
     struct multiwrite_async_ret async_ret = {
@@ -403,7 +417,7 @@ static void read_help(void)
 "\n");
 }
-static int read_f(int argc, char **argv);
+static int read_f(BlockDriverState *bs, int argc, char **argv);
 static const cmdinfo_t read_cmd = {
     .name       = "read",
@@ -416,7 +430,7 @@ static const cmdinfo_t read_cmd = {
     .help       = read_help,
 };
-static int read_f(int argc, char **argv)
+static int read_f(BlockDriverState *bs, int argc, char **argv)
 {
     struct timeval t1, t2;
     int Cflag = 0, pflag = 0, qflag = 0, vflag = 0;
@@ -522,15 +536,15 @@ static int read_f(int argc, char **argv)
         }
     }
-    buf = qemu_io_alloc(count, 0xab);
+    buf = qemu_io_alloc(bs, count, 0xab);
     gettimeofday(&t1, NULL);
     if (pflag) {
-        cnt = do_pread(buf, offset, count, &total);
+        cnt = do_pread(bs, buf, offset, count, &total);
     } else if (bflag) {
-        cnt = do_load_vmstate(buf, offset, count, &total);
+        cnt = do_load_vmstate(bs, buf, offset, count, &total);
     } else {
-        cnt = do_read(buf, offset, count, &total);
+        cnt = do_read(bs, buf, offset, count, &total);
     }
     gettimeofday(&t2, NULL);
@@ -587,7 +601,7 @@ static void readv_help(void)
 "\n");
 }
-static int readv_f(int argc, char **argv);
+static int readv_f(BlockDriverState *bs, int argc, char **argv);
 static const cmdinfo_t readv_cmd = {
     .name       = "readv",
@@ -599,7 +613,7 @@ static const cmdinfo_t readv_cmd = {
     .help       = readv_help,
 };
-static int readv_f(int argc, char **argv)
+static int readv_f(BlockDriverState *bs, int argc, char **argv)
 {
     struct timeval t1, t2;
     int Cflag = 0, qflag = 0, vflag = 0;
@@ -655,13 +669,13 @@ static int readv_f(int argc, char **argv)
     }
     nr_iov = argc - optind;
-    buf = create_iovec(&qiov, &argv[optind], nr_iov, 0xab);
+    buf = create_iovec(bs, &qiov, &argv[optind], nr_iov, 0xab);
     if (buf == NULL) {
         return 0;
     }
     gettimeofday(&t1, NULL);
-    cnt = do_aio_readv(&qiov, offset, &total);
+    cnt = do_aio_readv(bs, &qiov, offset, &total);
     gettimeofday(&t2, NULL);
     if (cnt < 0) {
@@ -718,7 +732,7 @@ static void write_help(void)
 "\n");
 }
-static int write_f(int argc, char **argv);
+static int write_f(BlockDriverState *bs, int argc, char **argv);
 static const cmdinfo_t write_cmd = {
     .name       = "write",
@@ -731,7 +745,7 @@ static const cmdinfo_t write_cmd = {
     .help       = write_help,
 };