diff --git a/.gitignore b/.gitignore
index b5d4127..57c025a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ qemu-kvm-0.13.0-25fdf4a.tar.gz
 /qemu-kvm-0.15.0-0af4922.tar.gz
 /qemu-kvm-0.15.0.tar.gz
 /qemu-kvm-0.15.1.tar.gz
+/qemu-kvm-1.0.1.tar.gz
diff --git a/0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch b/0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch
deleted file mode 100644
index a57f4ec..0000000
--- a/0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 0b23c5d40ea933cfece3b4f69427f79c8a23256d Mon Sep 17 00:00:00 2001
-From: Stefan Weil <sw@weilnetz.de>
-Date: Tue, 29 Nov 2011 06:34:48 +0100
-Subject: [PATCH 01/25] malta: Fix regression (i8259 interrupts did not work)
-
-Commit 5632ae46d5bda798e971dae48ebb318ac2c3686a passes the address
-of i8259 to qemu_irq_proxy. i8259 is an auto variable with undefined
-value outside of mips_malta_init.
-
-This made the interrupt proxy unusable: either QEMU crashes, or
-the interrupt handler was not called.
-
-Ethernet for example no longer worked with MIPS Malta.
-
-v2:
-While v1 used a static variable for i8259, this patch introduces
-a qdev for the malta machine. i8259 is now part of the device status.
-This is a minimal qdev implementation to keep the patch small.
-
-Signed-off-by: Stefan Weil <sw@weilnetz.de>
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
-(cherry picked from commit e9b40fd34ceb23461083d505a444a389c094455b)
----
- hw/mips_malta.c |   39 +++++++++++++++++++++++++++++++++++----
- 1 files changed, 35 insertions(+), 4 deletions(-)
-
-diff --git a/hw/mips_malta.c b/hw/mips_malta.c
-index bb49749..941b9bd 100644
---- a/hw/mips_malta.c
-+++ b/hw/mips_malta.c
-@@ -47,6 +47,7 @@
- #include "mc146818rtc.h"
- #include "blockdev.h"
- #include "exec-memory.h"
-+#include "sysbus.h"             /* SysBusDevice */
-
- //#define DEBUG_BOARD_INIT
-
-@@ -72,6 +73,11 @@ typedef struct {
-     SerialState *uart;
- } MaltaFPGAState;
-
-+typedef struct {
-+    SysBusDevice busdev;
-+    qemu_irq *i8259;
-+} MaltaState;
-+
- static ISADevice *pit;
-
- static struct _loaderparams {
-@@ -775,7 +781,7 @@ void mips_malta_init (ram_addr_t ram_size,
-     int64_t kernel_entry;
-     PCIBus *pci_bus;
-     CPUState *env;
--    qemu_irq *i8259 = NULL, *isa_irq;
-+    qemu_irq *isa_irq;
-     qemu_irq *cpu_exit_irq;
-     int piix4_devfn;
-     i2c_bus *smbus;
-@@ -787,6 +793,11 @@ void mips_malta_init (ram_addr_t ram_size,
-     int fl_sectors = 0;
-     int be;
-
-+    DeviceState *dev = qdev_create(NULL, "mips-malta");
-+    MaltaState *s = DO_UPCAST(MaltaState, busdev.qdev, dev);
-+
-+    qdev_init_nofail(dev);
-+
-     /* Make sure the first 3 serial ports are associated with a device. */
-     for(i = 0; i < 3; i++) {
-         if (!serial_hds[i]) {
-@@ -932,7 +943,7 @@ void mips_malta_init (ram_addr_t ram_size,
-      * qemu_irq_proxy() adds an extra bit of indirection, allowing us
-      * to resolve the isa_irq -> i8259 dependency after i8259 is initialized.
-      */
--    isa_irq = qemu_irq_proxy(&i8259, 16);
-+    isa_irq = qemu_irq_proxy(&s->i8259, 16);
-
-     /* Northbridge */
-     pci_bus = gt64120_register(isa_irq);
-@@ -944,9 +955,9 @@ void mips_malta_init (ram_addr_t ram_size,
-
-     /* Interrupt controller */
-     /* The 8259 is attached to the MIPS CPU INT0 pin, ie interrupt 2 */
--    i8259 = i8259_init(env->irq[2]);
-+    s->i8259 = i8259_init(env->irq[2]);
-
--    isa_bus_irqs(i8259);
-+    isa_bus_irqs(s->i8259);
-     pci_piix4_ide_init(pci_bus, hd, piix4_devfn + 1);
-     usb_uhci_piix4_init(pci_bus, piix4_devfn + 2);
-     smbus = piix4_pm_init(pci_bus, piix4_devfn + 3, 0x1100, isa_get_irq(9),
-@@ -990,6 +1001,20 @@ void mips_malta_init (ram_addr_t ram_size,
-     }
- }
-
-+static int mips_malta_sysbus_device_init(SysBusDevice *sysbusdev)
-+{
-+    return 0;
-+}
-+
-+static SysBusDeviceInfo mips_malta_device = {
-+    .init = mips_malta_sysbus_device_init,
-+    .qdev.name  = "mips-malta",
-+    .qdev.size  = sizeof(MaltaState),
-+    .qdev.props = (Property[]) {
-+        DEFINE_PROP_END_OF_LIST(),
-+    }
-+};
-+
- static QEMUMachine mips_malta_machine = {
-     .name = "malta",
-     .desc = "MIPS Malta Core LV",
-@@ -998,9 +1023,15 @@ static QEMUMachine mips_malta_machine = {
-     .is_default = 1,
- };
-
-+static void mips_malta_device_init(void)
-+{
-+    sysbus_register_withprop(&mips_malta_device);
-+}
-+
- static void mips_malta_machine_init(void)
- {
-     qemu_register_machine(&mips_malta_machine);
- }
-
-+device_init(mips_malta_device_init);
- machine_init(mips_malta_machine_init);
--- 
-1.7.7.5
-
diff --git a/0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch b/0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch
deleted file mode 100644
index e49a049..0000000
--- a/0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 2061800b85ddcc9b34b5ccbfaa87f7e8b94626a6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
-Date: Wed, 30 Nov 2011 16:26:21 +0100
-Subject: [PATCH 02/25] exec.c: Fix subpage memory access to RAM MemoryRegion
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 95c318f5e1f88d7e5bcc6deac17330fd4806a2d3 (Fix segfault in mmio
-subpage handling code.) prevented a segfault by making all subpage
-registrations over an existing memory page perform an unassigned access.
-Symptoms were writes not taking effect and reads returning zero.
-
-Very small page sizes are not currently supported either,
-so subpage memory areas cannot fully be avoided.
-
-Therefore change the previous fix to use a new IO_MEM_SUBPAGE_RAM
-instead of IO_MEM_UNASSIGNED. Suggested by Avi.
-
-Reviewed-by: Avi Kivity <avi@redhat.com>
-Signed-off-by: Andreas Färber <afaerber@suse.de>
-Cc: Avi Kivity <avi@redhat.com>
-Cc: Gleb Natapov <gleb@redhat.com>
-Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
----
- cpu-common.h |    1 +
- exec.c       |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 64 insertions(+), 2 deletions(-)
-
-diff --git a/cpu-common.h b/cpu-common.h
-index c9878ba..3f45428 100644
---- a/cpu-common.h
-+++ b/cpu-common.h
-@@ -172,6 +172,7 @@ void cpu_physical_memory_write_rom(target_phys_addr_t addr,
- #define IO_MEM_ROM         (1 << IO_MEM_SHIFT) /* hardcoded offset */
- #define IO_MEM_UNASSIGNED  (2 << IO_MEM_SHIFT)
- #define IO_MEM_NOTDIRTY    (3 << IO_MEM_SHIFT)
-+#define IO_MEM_SUBPAGE_RAM (4 << IO_MEM_SHIFT)
-
- /* Acts like a ROM when read and like a device when written.  */
- #define IO_MEM_ROMD        (1)
-diff --git a/exec.c b/exec.c
-index 6b92198..6c206ff 100644
---- a/exec.c
-+++ b/exec.c
-@@ -3570,6 +3570,63 @@ static CPUWriteMemoryFunc * const subpage_write[] = {
-     &subpage_writel,
- };
-
-+static uint32_t subpage_ram_readb(void *opaque, target_phys_addr_t addr)
-+{
-+    ram_addr_t raddr = addr;
-+    void *ptr = qemu_get_ram_ptr(raddr);
-+    return ldub_p(ptr);
-+}
-+
-+static void subpage_ram_writeb(void *opaque, target_phys_addr_t addr,
-+                               uint32_t value)
-+{
-+    ram_addr_t raddr = addr;
-+    void *ptr = qemu_get_ram_ptr(raddr);
-+    stb_p(ptr, value);
-+}
-+
-+static uint32_t subpage_ram_readw(void *opaque, target_phys_addr_t addr)
-+{
-+    ram_addr_t raddr = addr;
-+    void *ptr = qemu_get_ram_ptr(raddr);
-+    return lduw_p(ptr);
-+}
-+
-+static void subpage_ram_writew(void *opaque, target_phys_addr_t addr,
-+                               uint32_t value)
-+{
-+    ram_addr_t raddr = addr;
-+    void *ptr = qemu_get_ram_ptr(raddr);
-+    stw_p(ptr, value);
-+}
-+
-+static uint32_t subpage_ram_readl(void *opaque, target_phys_addr_t addr)
-+{
-+    ram_addr_t raddr = addr;
-+    void *ptr = qemu_get_ram_ptr(raddr);
-+    return ldl_p(ptr);
-+}
-+
-+static void subpage_ram_writel(void *opaque, target_phys_addr_t addr,
-+                               uint32_t value)
-+{
-+    ram_addr_t raddr = addr;
-+    void *ptr = qemu_get_ram_ptr(raddr);
-+    stl_p(ptr, value);
-+}
-+
-+static CPUReadMemoryFunc * const subpage_ram_read[] = {
-+    &subpage_ram_readb,
-+    &subpage_ram_readw,
-+    &subpage_ram_readl,
-+};
-+
-+static CPUWriteMemoryFunc * const subpage_ram_write[] = {
-+    &subpage_ram_writeb,
-+    &subpage_ram_writew,
-+    &subpage_ram_writel,
-+};
-+
- static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
-                              ram_addr_t memory, ram_addr_t region_offset)
- {
-@@ -3583,8 +3640,9 @@ static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
-     printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__,
-            mmio, start, end, idx, eidx, memory);
- #endif
--    if ((memory & ~TARGET_PAGE_MASK) == IO_MEM_RAM)
--        memory = IO_MEM_UNASSIGNED;
-+    if ((memory & ~TARGET_PAGE_MASK) == IO_MEM_RAM) {
-+        memory = IO_MEM_SUBPAGE_RAM;
-+    }
-     memory = (memory >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
-     for (; idx <= eidx; idx++) {
-         mmio->sub_io_index[idx] = memory;
-@@ -3817,6 +3875,9 @@ static void io_mem_init(void)
-     cpu_register_io_memory_fixed(IO_MEM_NOTDIRTY, error_mem_read,
-                                  notdirty_mem_write, NULL,
-                                  DEVICE_NATIVE_ENDIAN);
-+    cpu_register_io_memory_fixed(IO_MEM_SUBPAGE_RAM, subpage_ram_read,
-+                                 subpage_ram_write, NULL,
-+                                 DEVICE_NATIVE_ENDIAN);
-     for (i=0; i<5; i++)
-         io_mem_used[i] = 1;
-
--- 
-1.7.7.5
-
diff --git a/0003-hw-9pfs-Improve-portability-to-older-systems.patch b/0003-hw-9pfs-Improve-portability-to-older-systems.patch
deleted file mode 100644
index 4e91a9f..0000000
--- a/0003-hw-9pfs-Improve-portability-to-older-systems.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From f03969b952bc2aaf9f4445b6da28aebb0a9abde5 Mon Sep 17 00:00:00 2001
-From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
-Date: Sun, 4 Dec 2011 22:35:27 +0530
-Subject: [PATCH 03/25] hw/9pfs: Improve portability to older systems
-
-handle fs driver require a set of newly added syscalls. Don't
-Compile handle FS driver if those syscalls are not available.
-Instead of adding #ifdef for all those syscalls we check for
-open by handle syscall. If that is available then rest of the
-syscalls used by the driver should be available.
-
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- Makefile.objs              |    4 ++--
- fsdev/qemu-fsdev.c         |    2 ++
- hw/9pfs/virtio-9p-handle.c |   33 ---------------------------------
- 3 files changed, 4 insertions(+), 35 deletions(-)
-
-diff --git a/Makefile.objs b/Makefile.objs
-index d7a6539..3a699ee 100644
---- a/Makefile.objs
-+++ b/Makefile.objs
-@@ -310,8 +310,8 @@ hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
- 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-local.o virtio-9p-xattr.o
- 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-xattr-user.o virtio-9p-posix-acl.o
- 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-coth.o cofs.o codir.o cofile.o
--9pfs-nested-$(CONFIG_VIRTFS) += coxattr.o virtio-9p-handle.o
--9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-synth.o
-+9pfs-nested-$(CONFIG_VIRTFS) += coxattr.o virtio-9p-synth.o
-+9pfs-nested-$(CONFIG_OPEN_BY_HANDLE) +=  virtio-9p-handle.o
-
- hw-obj-$(CONFIG_REALLY_VIRTFS) += $(addprefix 9pfs/, $(9pfs-nested-y))
- $(addprefix 9pfs/, $(9pfs-nested-y)): QEMU_CFLAGS+=$(GLIB_CFLAGS)
-diff --git a/fsdev/qemu-fsdev.c b/fsdev/qemu-fsdev.c
-index 7fd2aa7..6684f7e 100644
---- a/fsdev/qemu-fsdev.c
-+++ b/fsdev/qemu-fsdev.c
-@@ -23,7 +23,9 @@ static QTAILQ_HEAD(FsDriverEntry_head, FsDriverListEntry) fsdriver_entries =
-
- static FsDriverTable FsDrivers[] = {
-     { .name = "local", .ops = &local_ops},
-+#ifdef CONFIG_OPEN_BY_HANDLE
-     { .name = "handle", .ops = &handle_ops},
-+#endif
-     { .name = "synth", .ops = &synth_ops},
- };
-
-diff --git a/hw/9pfs/virtio-9p-handle.c b/hw/9pfs/virtio-9p-handle.c
-index 7644ae5..a62f690 100644
---- a/hw/9pfs/virtio-9p-handle.c
-+++ b/hw/9pfs/virtio-9p-handle.c
-@@ -45,7 +45,6 @@ struct handle_data {
-     int handle_bytes;
- };
-
--#ifdef CONFIG_OPEN_BY_HANDLE
- static inline int name_to_handle(int dirfd, const char *name,
-                                  struct file_handle *fh, int *mnt_id, int flags)
- {
-@@ -56,38 +55,6 @@ static inline int open_by_handle(int mountfd, const char *fh, int flags)
- {
-     return open_by_handle_at(mountfd, (struct file_handle *)fh, flags);
- }
--#else
--
--struct rpl_file_handle {
--    unsigned int handle_bytes;
--    int handle_type;
--    unsigned char handle[0];
--};
--#define file_handle rpl_file_handle
--
--#ifndef AT_REMOVEDIR
--#define AT_REMOVEDIR    0x200
--#endif
--#ifndef AT_EMPTY_PATH
--#define AT_EMPTY_PATH   0x1000  /* Allow empty relative pathname */
--#endif
--#ifndef O_PATH
--#define O_PATH    010000000
--#endif
--
--static inline int name_to_handle(int dirfd, const char *name,
--                                 struct file_handle *fh, int *mnt_id, int flags)
--{
--    errno = ENOSYS;
--    return -1;
--}
--
--static inline int open_by_handle(int mountfd, const char *fh, int flags)
--{
--    errno = ENOSYS;
--    return -1;
--}
--#endif
-
- static int handle_update_file_cred(int dirfd, const char *name, FsCred *credp)
- {
--- 
-1.7.7.5
-
diff --git a/0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch b/0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch
deleted file mode 100644
index a63b9e1..0000000
--- a/0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 77a02621812952acfde887244f6f480de1b51f95 Mon Sep 17 00:00:00 2001
-From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
-Date: Sun, 4 Dec 2011 22:35:28 +0530
-Subject: [PATCH 04/25] hw/9pfs: use migration blockers to prevent live
- migration when virtfs export path is mounted
-
-Now when you try to migrate with VirtFS export path mounted, you get a proper QMP error:
-
-(qemu) migrate tcp:localhost:4444
-Migration is disabled when VirtFS export path '/tmp/' is mounted in the guest using mount_tag 'v_tmp'
-(qemu)
-
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- hw/9pfs/virtio-9p-device.c |   22 +++++++++++-----------
- hw/9pfs/virtio-9p.c        |   19 +++++++++++++++++++
- hw/9pfs/virtio-9p.h        |    5 +++--
- qerror.c                   |    5 +++++
- qerror.h                   |    3 +++
- 5 files changed, 41 insertions(+), 13 deletions(-)
-
-diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c
-index bba4c54..c9bca8b 100644
---- a/hw/9pfs/virtio-9p-device.c
-+++ b/hw/9pfs/virtio-9p-device.c
-@@ -33,13 +33,15 @@ static V9fsState *to_virtio_9p(VirtIODevice *vdev)
-
- static void virtio_9p_get_config(VirtIODevice *vdev, uint8_t *config)
- {
-+    int len;
-     struct virtio_9p_config *cfg;
-     V9fsState *s = to_virtio_9p(vdev);
-
--    cfg = g_malloc0(sizeof(struct virtio_9p_config) +
--                        s->tag_len);
--    stw_raw(&cfg->tag_len, s->tag_len);
--    memcpy(cfg->tag, s->tag, s->tag_len);
-+    len = strlen(s->tag);
-+    cfg = g_malloc0(sizeof(struct virtio_9p_config) + len);
-+    stw_raw(&cfg->tag_len, len);
-+    /* We don't copy the terminating null to config space */
-+    memcpy(cfg->tag, s->tag, len);
-     memcpy(config, cfg, s->config_size);
-     g_free(cfg);
- }
-@@ -96,20 +98,18 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
-     }
-
-     len = strlen(conf->tag);
--    if (len > MAX_TAG_LEN) {
-+    if (len > MAX_TAG_LEN - 1) {
-         fprintf(stderr, "mount tag '%s' (%d bytes) is longer than "
--                "maximum (%d bytes)", conf->tag, len, MAX_TAG_LEN);
-+                "maximum (%d bytes)", conf->tag, len, MAX_TAG_LEN - 1);
-         exit(1);
-     }
--    /* s->tag is non-NULL terminated string */
--    s->tag = g_malloc(len);
--    memcpy(s->tag, conf->tag, len);
--    s->tag_len = len;
-+
-+    s->tag = strdup(conf->tag);
-     s->ctx.uid = -1;
-
-     s->ops = fse->ops;
-     s->vdev.get_features = virtio_9p_get_features;
--    s->config_size = sizeof(struct virtio_9p_config) + s->tag_len;
-+    s->config_size = sizeof(struct virtio_9p_config) + len;
-     s->vdev.get_config = virtio_9p_get_config;
-     s->fid_list = NULL;
-     qemu_co_rwlock_init(&s->rename_lock);
-diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
-index 1b2fc5d..32b98dd 100644
---- a/hw/9pfs/virtio-9p.c
-+++ b/hw/9pfs/virtio-9p.c
-@@ -23,6 +23,7 @@
- #include "virtio-9p-xattr.h"
- #include "virtio-9p-coth.h"
- #include "trace.h"
-+#include "migration.h"
-
- int open_fd_hw;
- int total_open_fd;
-@@ -373,6 +374,19 @@ static void put_fid(V9fsPDU *pdu, V9fsFidState *fidp)
-      * Don't free the fid if it is in reclaim list
-      */
-     if (!fidp->ref && fidp->clunked) {
-+        if (fidp->fid == pdu->s->root_fid) {
-+            /*
-+             * if the clunked fid is root fid then we
-+             * have unmounted the fs on the client side.
-+             * delete the migration blocker. Ideally, this
-+             * should be hooked to transport close notification
-+             */
-+            if (pdu->s->migration_blocker) {
-+                migrate_del_blocker(pdu->s->migration_blocker);
-+                error_free(pdu->s->migration_blocker);
-+                pdu->s->migration_blocker = NULL;
-+            }
-+        }
-         free_fid(pdu, fidp);
-     }
- }
-@@ -1235,6 +1249,11 @@ static void v9fs_attach(void *opaque)
-     err = offset;
-     trace_v9fs_attach_return(pdu->tag, pdu->id,
-                              qid.type, qid.version, qid.path);
-+    s->root_fid = fid;
-+    /* disable migration */
-+    error_set(&s->migration_blocker, QERR_VIRTFS_FEATURE_BLOCKS_MIGRATION,
-+              s->ctx.fs_root, s->tag);
-+    migrate_add_blocker(s->migration_blocker);
- out:
-     put_fid(pdu, fidp);
- out_nofid:
-diff --git a/hw/9pfs/virtio-9p.h b/hw/9pfs/virtio-9p.h
-index 7f88356..8b612da 100644
---- a/hw/9pfs/virtio-9p.h
-+++ b/hw/9pfs/virtio-9p.h
-@@ -246,8 +246,7 @@ typedef struct V9fsState
-     V9fsFidState *fid_list;
-     FileOperations *ops;
-     FsContext ctx;
--    uint16_t tag_len;
--    uint8_t *tag;
-+    char *tag;
-     size_t config_size;
-     enum p9_proto_version proto_version;
-     int32_t msize;
-@@ -256,6 +255,8 @@ typedef struct V9fsState
-      * on rename.
-      */
-     CoRwlock rename_lock;
-+    int32_t root_fid;
-+    Error *migration_blocker;
- } V9fsState;
-
- typedef struct V9fsStatState {
-diff --git a/qerror.c b/qerror.c
-index fdf62b9..25bc91e 100644
---- a/qerror.c
-+++ b/qerror.c
-@@ -235,6 +235,11 @@ static const QErrorStringTable qerror_table[] = {
-                      "supported by this qemu version: %(feature)",
-     },
-     {
-+        .error_fmt = QERR_VIRTFS_FEATURE_BLOCKS_MIGRATION,
-+        .desc      = "Migration is disabled when VirtFS export path '%(path)' "
-+                     "is mounted in the guest using mount_tag '%(tag)'",
-+    },
-+    {
-         .error_fmt = QERR_VNC_SERVER_FAILED,
-         .desc      = "Could not start VNC server on %(target)",
-     },
-diff --git a/qerror.h b/qerror.h
-index 2d3d43b..6414cd9 100644
---- a/qerror.h
-+++ b/qerror.h
-@@ -192,6 +192,9 @@ QError *qobject_to_qerror(const QObject *obj);
- #define QERR_UNKNOWN_BLOCK_FORMAT_FEATURE \
-     "{ 'class': 'UnknownBlockFormatFeature', 'data': { 'device': %s, 'format': %s, 'feature': %s } }"
-
-+#define QERR_VIRTFS_FEATURE_BLOCKS_MIGRATION \
-+    "{ 'class': 'VirtFSFeatureBlocksMigration', 'data': { 'path': %s, 'tag': %s } }"
-+
- #define QERR_VNC_SERVER_FAILED \
-     "{ 'class': 'VNCServerFailed', 'data': { 'target': %s } }"
-
--- 
-1.7.7.5
-
diff --git a/0005-hw-9pfs-Reset-server-state-during-TVERSION.patch b/0005-hw-9pfs-Reset-server-state-during-TVERSION.patch
deleted file mode 100644
index 585b7cc..0000000
--- a/0005-hw-9pfs-Reset-server-state-during-TVERSION.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From c554919f74e5a79f15360c4c2f417003477634cf Mon Sep 17 00:00:00 2001
-From: Deepak C Shetty <deepakcs@linux.vnet.ibm.com>
-Date: Sun, 4 Dec 2011 22:35:28 +0530
-Subject: [PATCH 05/25] hw/9pfs: Reset server state during TVERSION
-
-As per the 9p rfc, during TVERSION its necessary to clean all the active
-fids, so that we start the session from a clean state. Its also needed in
-scenarios where the guest is booting off 9p, and boot fails, and client
-restarts, without any knowledge of the past, it will issue a TVERSION again
-so this ensures that we always start from a clean state.
-
-Signed-off-by: Deepak C Shetty <deepakcs@linux.vnet.ibm.com>
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- hw/9pfs/virtio-9p.c |   26 ++++++++++++++++++++++++++
- 1 files changed, 26 insertions(+), 0 deletions(-)
-
-diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
-index 32b98dd..dd43209 100644
---- a/hw/9pfs/virtio-9p.c
-+++ b/hw/9pfs/virtio-9p.c
-@@ -523,6 +523,30 @@ static int v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
-     return 0;
- }
-
-+static void virtfs_reset(V9fsPDU *pdu)
-+{
-+    V9fsState *s = pdu->s;
-+    V9fsFidState *fidp = NULL;
-+
-+    /* Free all fids */
-+    while (s->fid_list) {
-+        fidp = s->fid_list;
-+        s->fid_list = fidp->next;
-+
-+        if (fidp->ref) {
-+            fidp->clunked = 1;
-+        } else {
-+            free_fid(pdu, fidp);
-+        }
-+    }
-+    if (fidp) {
-+        /* One or more unclunked fids found... */
-+        error_report("9pfs:%s: One or more uncluncked fids "
-+                     "found during reset", __func__);
-+    }
-+    return;
-+}
-+
- #define P9_QID_TYPE_DIR         0x80
- #define P9_QID_TYPE_SYMLINK     0x02
-
-@@ -1196,6 +1220,8 @@ static void v9fs_version(void *opaque)
-     pdu_unmarshal(pdu, offset, "ds", &s->msize, &version);
-     trace_v9fs_version(pdu->tag, pdu->id, s->msize, version.data);
-
-+    virtfs_reset(pdu);
-+
-     if (!strcmp(version.data, "9P2000.u")) {
-         s->proto_version = V9FS_PROTO_2000U;
-     } else if (!strcmp(version.data, "9P2000.L")) {
--- 
-1.7.7.5
-
diff --git a/0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch b/0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch
deleted file mode 100644
index aa49abb..0000000
--- a/0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 64dd41bc2de392fa018c5ce804cc451b83f18b94 Mon Sep 17 00:00:00 2001
-From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
-Date: Sun, 4 Dec 2011 22:35:28 +0530
-Subject: [PATCH 06/25] hw/9pfs: Add qdev.reset callback for virtio-9p-pci
- device
-
-Add the device reset callback
-
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- hw/9pfs/virtio-9p-device.c |    3 ++-
- hw/virtio-pci.c            |    2 +-
- hw/virtio-pci.h            |    1 +
- 3 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c
-index c9bca8b..cd343e1 100644
---- a/hw/9pfs/virtio-9p-device.c
-+++ b/hw/9pfs/virtio-9p-device.c
-@@ -176,7 +176,8 @@ static PCIDeviceInfo virtio_9p_info = {
-         DEFINE_PROP_STRING("mount_tag", VirtIOPCIProxy, fsconf.tag),
-         DEFINE_PROP_STRING("fsdev", VirtIOPCIProxy, fsconf.fsdev_id),
-         DEFINE_PROP_END_OF_LIST(),
--    }
-+    },
-+    .qdev.reset = virtio_pci_reset,
- };
-
- static void virtio_9p_register_devices(void)
-diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
-index 64c6a94..c665f5c 100644
---- a/hw/virtio-pci.c
-+++ b/hw/virtio-pci.c
-@@ -266,7 +266,7 @@ static void virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy)
-     proxy->ioeventfd_started = false;
- }
-
--static void virtio_pci_reset(DeviceState *d)
-+void virtio_pci_reset(DeviceState *d)
- {
-     VirtIOPCIProxy *proxy = container_of(d, VirtIOPCIProxy, pci_dev.qdev);
-     virtio_pci_stop_ioeventfd(proxy);
-diff --git a/hw/virtio-pci.h b/hw/virtio-pci.h
-index f8404de..344c22b 100644
---- a/hw/virtio-pci.h
-+++ b/hw/virtio-pci.h
-@@ -45,6 +45,7 @@ typedef struct {
- } VirtIOPCIProxy;
-
- void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev);
-+void virtio_pci_reset(DeviceState *d);
-
- /* Virtio ABI version, if we increment this, we break the guest driver. */
- #define VIRTIO_PCI_ABI_VERSION          0
--- 
-1.7.7.5
-
diff --git a/0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch b/0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch
deleted file mode 100644
index 446716c..0000000
--- a/0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From ed6857bf98e6c8b8080be208ffe15bb678591466 Mon Sep 17 00:00:00 2001
-From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
-Date: Sun, 4 Dec 2011 22:35:28 +0530
-Subject: [PATCH 07/25] hw/9pfs: Use the correct file descriptor in Fsdriver
- Callback
-
-Fsdriver callback that operate on file descriptor need to
-differentiate between directory fd and file fd.
-
-Based on the original patch from Sassan Panahinejad <sassan@sassan.me.uk>
-
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- fsdev/file-op-9p.h         |    4 ++--
- hw/9pfs/cofile.c           |    4 ++--
- hw/9pfs/virtio-9p-handle.c |   28 ++++++++++++++++++++++------
- hw/9pfs/virtio-9p-local.c  |   36 ++++++++++++++++++++++++++----------
- hw/9pfs/virtio-9p-synth.c  |    5 +++--
- 5 files changed, 55 insertions(+), 22 deletions(-)
-
-diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
-index 1928da2..a85ecd3 100644
---- a/fsdev/file-op-9p.h
-+++ b/fsdev/file-op-9p.h
-@@ -112,10 +112,10 @@ typedef struct FileOperations
-     ssize_t (*pwritev)(FsContext *, V9fsFidOpenState *,
-                        const struct iovec *, int, off_t);
-     int (*mkdir)(FsContext *, V9fsPath *, const char *, FsCred *);
--    int (*fstat)(FsContext *, V9fsFidOpenState *, struct stat *);
-+    int (*fstat)(FsContext *, int, V9fsFidOpenState *, struct stat *);
-     int (*rename)(FsContext *, const char *, const char *);
-     int (*truncate)(FsContext *, V9fsPath *, off_t);
--    int (*fsync)(FsContext *, V9fsFidOpenState *, int);
-+    int (*fsync)(FsContext *, int, V9fsFidOpenState *, int);
-     int (*statfs)(FsContext *s, V9fsPath *path, struct statfs *stbuf);
-     ssize_t (*lgetxattr)(FsContext *, V9fsPath *,
-                          const char *, void *, size_t);
-diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
-index 586b038..b15838c 100644
---- a/hw/9pfs/cofile.c
-+++ b/hw/9pfs/cofile.c
-@@ -71,7 +71,7 @@ int v9fs_co_fstat(V9fsPDU *pdu, V9fsFidState *fidp, struct stat *stbuf)
-     }
-     v9fs_co_run_in_worker(
-         {
--            err = s->ops->fstat(&s->ctx, &fidp->fs, stbuf);
-+            err = s->ops->fstat(&s->ctx, fidp->fid_type, &fidp->fs, stbuf);
-             if (err < 0) {
-                 err = -errno;
-             }
-@@ -192,7 +192,7 @@ int v9fs_co_fsync(V9fsPDU *pdu, V9fsFidState *fidp, int datasync)
-     }
-     v9fs_co_run_in_worker(
-         {
--            err = s->ops->fsync(&s->ctx, &fidp->fs, datasync);
-+            err = s->ops->fsync(&s->ctx, fidp->fid_type, &fidp->fs, datasync);
-             if (err < 0) {
-                 err = -errno;
-             }
-diff --git a/hw/9pfs/virtio-9p-handle.c b/hw/9pfs/virtio-9p-handle.c
-index a62f690..f97d898 100644
---- a/hw/9pfs/virtio-9p-handle.c
-+++ b/hw/9pfs/virtio-9p-handle.c
-@@ -255,10 +255,17 @@ static int handle_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
-     return ret;
- }
-
--static int handle_fstat(FsContext *fs_ctx, V9fsFidOpenState *fs,
--                        struct stat *stbuf)
-+static int handle_fstat(FsContext *fs_ctx, int fid_type,
-+                        V9fsFidOpenState *fs, struct stat *stbuf)
- {
--    return fstat(fs->fd, stbuf);
-+    int fd;
-+
-+    if (fid_type == P9_FID_DIR) {
-+        fd = dirfd(fs->dir);
-+    } else {
-+        fd = fs->fd;
-+    }
-+    return fstat(fd, stbuf);
- }
-
- static int handle_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
-@@ -395,12 +402,21 @@ static int handle_remove(FsContext *ctx, const char *path)
-     return -1;
- }
-
--static int handle_fsync(FsContext *ctx, V9fsFidOpenState *fs, int datasync)
-+static int handle_fsync(FsContext *ctx, int fid_type,
-+                        V9fsFidOpenState *fs, int datasync)
- {
-+    int fd;
-+
-+    if (fid_type == P9_FID_DIR) {
-+        fd = dirfd(fs->dir);
-+    } else {
-+        fd = fs->fd;
-+    }
-+
-     if (datasync) {
--        return qemu_fdatasync(fs->fd);
-+        return qemu_fdatasync(fd);
-     } else {
--        return fsync(fs->fd);
-+        return fsync(fd);
-     }
- }
-
-diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
-index 99ef0cd..371a94d 100644
---- a/hw/9pfs/virtio-9p-local.c
-+++ b/hw/9pfs/virtio-9p-local.c
-@@ -366,11 +366,18 @@ out:
-     return err;
- }
-
--static int local_fstat(FsContext *fs_ctx,
-+static int local_fstat(FsContext *fs_ctx, int fid_type,
-                        V9fsFidOpenState *fs, struct stat *stbuf)
- {
--    int err;
--    err = fstat(fs->fd, stbuf);
-+    int err, fd;
-+
-+    if (fid_type == P9_FID_DIR) {
-+        fd = dirfd(fs->dir);
-+    } else {
-+        fd = fs->fd;
-+    }
-+
-+    err = fstat(fd, stbuf);
-     if (err) {
-         return err;
-     }
-@@ -381,19 +388,19 @@ static int local_fstat(FsContext *fs_ctx,
-         mode_t tmp_mode;
-         dev_t tmp_dev;
-
--        if (fgetxattr(fs->fd, "user.virtfs.uid",
-+        if (fgetxattr(fd, "user.virtfs.uid",
-                       &tmp_uid, sizeof(uid_t)) > 0) {
-             stbuf->st_uid = tmp_uid;
-         }
--        if (fgetxattr(fs->fd, "user.virtfs.gid",
-+        if (fgetxattr(fd, "user.virtfs.gid",
-                       &tmp_gid, sizeof(gid_t)) > 0) {
-             stbuf->st_gid = tmp_gid;
-         }
--        if (fgetxattr(fs->fd, "user.virtfs.mode",
-+        if (fgetxattr(fd, "user.virtfs.mode",
-                       &tmp_mode, sizeof(mode_t)) > 0) {
-             stbuf->st_mode = tmp_mode;
-         }
--        if (fgetxattr(fs->fd, "user.virtfs.rdev",
-+        if (fgetxattr(fd, "user.virtfs.rdev",
-                       &tmp_dev, sizeof(dev_t)) > 0) {
-                 stbuf->st_rdev = tmp_dev;
-         }
-@@ -592,12 +599,21 @@ static int local_remove(FsContext *ctx, const char *path)
-     return remove(rpath(ctx, path, buffer));
- }
-
--static int local_fsync(FsContext *ctx, V9fsFidOpenState *fs, int datasync)
-+static int local_fsync(FsContext *ctx, int fid_type,
-+                       V9fsFidOpenState *fs, int datasync)
- {
-+    int fd;
-+
-+    if (fid_type == P9_FID_DIR) {
-+        fd = dirfd(fs->dir);
-+    } else {
-+        fd = fs->fd;
-+    }
-+
-     if (datasync) {
--        return qemu_fdatasync(fs->fd);
-+        return qemu_fdatasync(fd);
-     } else {
--        return fsync(fs->fd);
-+        return fsync(fd);
-     }
- }
-
-diff --git a/hw/9pfs/virtio-9p-synth.c b/hw/9pfs/virtio-9p-synth.c
-index f573616..92e0b09 100644
---- a/hw/9pfs/virtio-9p-synth.c
-+++ b/hw/9pfs/virtio-9p-synth.c
-@@ -166,7 +166,7 @@ static int v9fs_synth_lstat(FsContext *fs_ctx,
-     return 0;
- }
-
--static int v9fs_synth_fstat(FsContext *fs_ctx,
-+static int v9fs_synth_fstat(FsContext *fs_ctx, int fid_type,
-                             V9fsFidOpenState *fs, struct stat *stbuf)
- {
-     V9fsSynthOpenState *synth_open = fs->private;
-@@ -414,7 +414,8 @@ static int v9fs_synth_remove(FsContext *ctx, const char *path)
-     return -1;
- }
-
--static int v9fs_synth_fsync(FsContext *ctx, V9fsFidOpenState *fs, int datasync)
-+static int v9fs_synth_fsync(FsContext *ctx, int fid_type,
-+                            V9fsFidOpenState *fs, int datasync)
- {
-     errno = ENOSYS;
-     return 0;
--- 
-1.7.7.5
-
diff --git a/0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch b/0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch
deleted file mode 100644
index 95c3f05..0000000
--- a/0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch
+++ /dev/null
@@ -1,305 +0,0 @@
-From 45d6cdff48356dc8974497ec0524f971b646dd70 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
-Date: Wed, 21 Dec 2011 12:37:22 +0530
-Subject: [PATCH 08/25] hw/9pfs: replace iovec manipulation with QEMUIOVector
-
-The v9fs_read() and v9fs_write() functions rely on iovec[] manipulation
-code should be replaced with QEMUIOVector to avoid duplicating code.
-In the future it may be possible to make the code even more concise by
-using QEMUIOVector consistently across virtio and 9pfs.
-
-The "v" format specifier for pdu_marshal() and pdu_unmarshal() is
-dropped since it does not actually pack/unpack anything.  The specifier
-was also not implemented to update the offset variable and could only be
-used at the end of a format string, another sign that this shouldn't
-really be a format specifier.  Instead, see the new
-v9fs_init_qiov_from_pdu() function.
-
-This change avoids a possible iovec[] buffer overflow when indirect
-vrings are used since the number of vectors is now limited by the
-underlying VirtQueueElement and cannot be out-of-bounds.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- hw/9pfs/virtio-9p.c |  162 +++++++++++++++++++--------------------------------
- 1 files changed, 60 insertions(+), 102 deletions(-)
-
-diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
-index dd43209..c018916 100644
---- a/hw/9pfs/virtio-9p.c
-+++ b/hw/9pfs/virtio-9p.c
-@@ -674,40 +674,6 @@ static size_t pdu_pack(V9fsPDU *pdu, size_t offset, const void *src,
-                              offset, size, 1);
- }
-
--static int pdu_copy_sg(V9fsPDU *pdu, size_t offset, int rx, struct iovec *sg)
--{
--    size_t pos = 0;
--    int i, j;
--    struct iovec *src_sg;
--    unsigned int num;
--
--    if (rx) {
--        src_sg = pdu->elem.in_sg;
--        num = pdu->elem.in_num;
--    } else {
--        src_sg = pdu->elem.out_sg;
--        num = pdu->elem.out_num;
--    }
--
--    j = 0;
--    for (i = 0; i < num; i++) {
--        if (offset <= pos) {
--            sg[j].iov_base = src_sg[i].iov_base;
--            sg[j].iov_len = src_sg[i].iov_len;
--            j++;
--        } else if (offset < (src_sg[i].iov_len + pos)) {
--            sg[j].iov_base = src_sg[i].iov_base;
--            sg[j].iov_len = src_sg[i].iov_len;
--            sg[j].iov_base += (offset - pos);
--            sg[j].iov_len -= (offset - pos);
--            j++;
--        }
--        pos += src_sg[i].iov_len;
--    }
--
--    return j;
--}
--
- static size_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
- {
-     size_t old_offset = offset;
-@@ -743,12 +709,6 @@ static size_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
-             *valp = le64_to_cpu(val);
-             break;
-         }
--        case 'v': {
--            struct iovec *iov = va_arg(ap, struct iovec *);
--            int *iovcnt = va_arg(ap, int *);
--            *iovcnt = pdu_copy_sg(pdu, offset, 0, iov);
--            break;
--        }
-         case 's': {
-             V9fsString *str = va_arg(ap, V9fsString *);
-             offset += pdu_unmarshal(pdu, offset, "w", &str->size);
-@@ -827,12 +787,6 @@ static size_t pdu_marshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
-             offset += pdu_pack(pdu, offset, &val, sizeof(val));
-             break;
-         }
--        case 'v': {
--            struct iovec *iov = va_arg(ap, struct iovec *);
--            int *iovcnt = va_arg(ap, int *);
--            *iovcnt = pdu_copy_sg(pdu, offset, 1, iov);
--            break;
--        }
-         case 's': {
-             V9fsString *str = va_arg(ap, V9fsString *);
-             offset += pdu_marshal(pdu, offset, "w", str->size);
-@@ -1143,42 +1097,6 @@ static void stat_to_v9stat_dotl(V9fsState *s, const struct stat *stbuf,
-     stat_to_qid(stbuf, &v9lstat->qid);
- }
-
--static struct iovec *adjust_sg(struct iovec *sg, int len, int *iovcnt)
--{
--    while (len && *iovcnt) {
--        if (len < sg->iov_len) {
--            sg->iov_len -= len;
--            sg->iov_base += len;
--            len = 0;
--        } else {
--            len -= sg->iov_len;
--            sg++;
--            *iovcnt -= 1;
--        }
--    }
--
--    return sg;
--}
--
--static struct iovec *cap_sg(struct iovec *sg, int cap, int *cnt)
--{
--    int i;
--    int total = 0;
--
--    for (i = 0; i < *cnt; i++) {
--        if ((total + sg[i].iov_len) > cap) {
--            sg[i].iov_len -= ((total + sg[i].iov_len) - cap);
--            i++;
--            break;
--        }
--        total += sg[i].iov_len;
--    }
--
--    *cnt = i;
--
--    return sg;
--}
--
- static void print_sg(struct iovec *sg, int cnt)
- {
-     int i;
-@@ -1861,6 +1779,38 @@ out:
-     return count;
- }
-
-+/*
-+ * Create a QEMUIOVector for a sub-region of PDU iovecs
-+ *
-+ * @qiov:       uninitialized QEMUIOVector
-+ * @skip:       number of bytes to skip from beginning of PDU
-+ * @size:       number of bytes to include
-+ * @is_write:   true - write, false - read
-+ *
-+ * The resulting QEMUIOVector has heap-allocated iovecs and must be cleaned up
-+ * with qemu_iovec_destroy().
-+ */
-+static void v9fs_init_qiov_from_pdu(QEMUIOVector *qiov, V9fsPDU *pdu,
-+                                    uint64_t skip, size_t size,
-+                                    bool is_write)
-+{
-+    QEMUIOVector elem;
-+    struct iovec *iov;
-+    unsigned int niov;
-+
-+    if (is_write) {
-+        iov = pdu->elem.out_sg;
-+        niov = pdu->elem.out_num;
-+    } else {
-+        iov = pdu->elem.in_sg;
-+        niov = pdu->elem.in_num;
-+    }
-+
-+    qemu_iovec_init_external(&elem, iov, niov);
-+    qemu_iovec_init(qiov, niov);
-+    qemu_iovec_copy(qiov, &elem, skip, size);
-+}
-+
- static void v9fs_read(void *opaque)
- {
-     int32_t fid;
-@@ -1895,21 +1845,21 @@ static void v9fs_read(void *opaque)
-         err += pdu_marshal(pdu, offset, "d", count);
-         err += count;
-     } else if (fidp->fid_type == P9_FID_FILE) {
--        int32_t cnt;
-+        QEMUIOVector qiov_full;
-+        QEMUIOVector qiov;
-         int32_t len;
--        struct iovec *sg;
--        struct iovec iov[128]; /* FIXME: bad, bad, bad */
-
--        sg = iov;
--        pdu_marshal(pdu, offset + 4, "v", sg, &cnt);
--        sg = cap_sg(sg, max_count, &cnt);
-+        v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset + 4, max_count, false);
-+        qemu_iovec_init(&qiov, qiov_full.niov);
-         do {
-+            qemu_iovec_reset(&qiov);
-+            qemu_iovec_copy(&qiov, &qiov_full, count, qiov_full.size - count);
-             if (0) {
--                print_sg(sg, cnt);
-+                print_sg(qiov.iov, qiov.niov);
-             }
-             /* Loop in case of EINTR */
-             do {
--                len = v9fs_co_preadv(pdu, fidp, sg, cnt, off);
-+                len = v9fs_co_preadv(pdu, fidp, qiov.iov, qiov.niov, off);
-                 if (len >= 0) {
-                     off   += len;
-                     count += len;
-@@ -1920,11 +1870,12 @@ static void v9fs_read(void *opaque)
-                 err = len;
-                 goto out;
-             }
--            sg = adjust_sg(sg, len, &cnt);
-         } while (count < max_count && len > 0);
-         err = offset;
-         err += pdu_marshal(pdu, offset, "d", count);
-         err += count;
-+        qemu_iovec_destroy(&qiov);
-+        qemu_iovec_destroy(&qiov_full);
-     } else if (fidp->fid_type == P9_FID_XATTR) {
-         err = v9fs_xattr_read(s, pdu, fidp, off, max_count);
-     } else {
-@@ -2095,7 +2046,6 @@ out:
-
- static void v9fs_write(void *opaque)
- {
--    int cnt;
-     ssize_t err;
-     int32_t fid;
-     int64_t off;
-@@ -2104,13 +2054,14 @@ static void v9fs_write(void *opaque)
-     int32_t total = 0;
-     size_t offset = 7;
-     V9fsFidState *fidp;
--    struct iovec iov[128]; /* FIXME: bad, bad, bad */
--    struct iovec *sg = iov;
-     V9fsPDU *pdu = opaque;
-     V9fsState *s = pdu->s;
-+    QEMUIOVector qiov_full;
-+    QEMUIOVector qiov;
-
--    pdu_unmarshal(pdu, offset, "dqdv", &fid, &off, &count, sg, &cnt);
--    trace_v9fs_write(pdu->tag, pdu->id, fid, off, count, cnt);
-+    offset += pdu_unmarshal(pdu, offset, "dqd", &fid, &off, &count);
-+    v9fs_init_qiov_from_pdu(&qiov_full, pdu, offset, count, true);
-+    trace_v9fs_write(pdu->tag, pdu->id, fid, off, count, qiov_full.niov);
-
-     fidp = get_fid(pdu, fid);
-     if (fidp == NULL) {
-@@ -2126,20 +2077,23 @@ static void v9fs_write(void *opaque)
-         /*
-          * setxattr operation
-          */
--        err = v9fs_xattr_write(s, pdu, fidp, off, count, sg, cnt);
-+        err = v9fs_xattr_write(s, pdu, fidp, off, count,
-+                               qiov_full.iov, qiov_full.niov);
-         goto out;
-     } else {
-         err = -EINVAL;
-         goto out;
-     }
--    sg = cap_sg(sg, count, &cnt);
-+    qemu_iovec_init(&qiov, qiov_full.niov);
-     do {
-+        qemu_iovec_reset(&qiov);
-+        qemu_iovec_copy(&qiov, &qiov_full, total, qiov_full.size - total);
-         if (0) {
--            print_sg(sg, cnt);
-+            print_sg(qiov.iov, qiov.niov);
-         }
-         /* Loop in case of EINTR */
-         do {
--            len = v9fs_co_pwritev(pdu, fidp, sg, cnt, off);
-+            len = v9fs_co_pwritev(pdu, fidp, qiov.iov, qiov.niov, off);
-             if (len >= 0) {
-                 off   += len;
-                 total += len;
-@@ -2148,16 +2102,20 @@ static void v9fs_write(void *opaque)
-         if (len < 0) {
-             /* IO error return the error */
-             err = len;
--            goto out;
-+            goto out_qiov;
-         }
--        sg = adjust_sg(sg, len, &cnt);
-     } while (total < count && len > 0);
-+
-+    offset = 7;
-     offset += pdu_marshal(pdu, offset, "d", total);
-     err = offset;
-     trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
-+out_qiov:
-+    qemu_iovec_destroy(&qiov);
- out:
-     put_fid(pdu, fidp);
- out_nofid:
-+    qemu_iovec_destroy(&qiov_full);
-     complete_pdu(s, pdu, err);
- }
-
--- 
-1.7.7.5
-
diff --git a/0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch b/0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch
deleted file mode 100644
index c0b02f2..0000000
--- a/0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 3d3ec7b809b91f2a71fb78fc6b5b079963383243 Mon Sep 17 00:00:00 2001
-From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
-Date: Wed, 21 Dec 2011 12:37:23 +0530
-Subject: [PATCH 09/25] hw/9pfs: Use the correct signed type for different
- variables
-
-Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
----
- fsdev/file-op-9p.h  |    2 +-
- hw/9pfs/virtio-9p.c |   21 +++++++++++----------
- hw/9pfs/virtio-9p.h |    2 +-
- trace-events        |    8 ++++----
- 4 files changed, 17 insertions(+), 16 deletions(-)
-
-diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
-index a85ecd3..c823fe0 100644
---- a/fsdev/file-op-9p.h
-+++ b/fsdev/file-op-9p.h
-@@ -74,7 +74,7 @@ typedef struct FsContext
- } FsContext;
-
- typedef struct V9fsPath {
--    int16_t size;
-+    uint16_t size;
-     char *data;
- } V9fsPath;
-
-diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
-index c018916..b3fc3d0 100644
---- a/hw/9pfs/virtio-9p.c
-+++ b/hw/9pfs/virtio-9p.c
-@@ -1694,8 +1694,8 @@ out_nofid:
-     complete_pdu(s, pdu, err);
- }
-
--static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu,
--                           V9fsFidState *fidp, int64_t off, int32_t max_count)
-+static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
-+                           uint64_t off, uint32_t max_count)
- {
-     size_t offset = 7;
-     int read_count;
-@@ -1719,7 +1719,7 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu,
- }
-
- static int v9fs_do_readdir_with_stat(V9fsPDU *pdu,
--                                     V9fsFidState *fidp, int32_t max_count)
-+                                     V9fsFidState *fidp, uint32_t max_count)
- {
-     V9fsPath path;
-     V9fsStat v9stat;
-@@ -1814,11 +1814,11 @@ static void v9fs_init_qiov_from_pdu(QEMUIOVector *qiov, V9fsPDU *pdu,
- static void v9fs_read(void *opaque)
- {
-     int32_t fid;
--    int64_t off;
-+    uint64_t off;
-     ssize_t err = 0;
-     int32_t count = 0;
-     size_t offset = 7;
--    int32_t max_count;
-+    uint32_t max_count;
-     V9fsFidState *fidp;
-     V9fsPDU *pdu = opaque;
-     V9fsState *s = pdu->s;
-@@ -1962,8 +1962,9 @@ static void v9fs_readdir(void *opaque)
-     V9fsFidState *fidp;
-     ssize_t retval = 0;
-     size_t offset = 7;
--    int64_t initial_offset;
--    int32_t count, max_count;
-+    uint64_t initial_offset;
-+    int32_t count;
-+    uint32_t max_count;
-     V9fsPDU *pdu = opaque;
-     V9fsState *s = pdu->s;
-
-@@ -2001,7 +2002,7 @@ out_nofid:
- }
-
- static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
--                            int64_t off, int32_t count,
-+                            uint64_t off, uint32_t count,
-                             struct iovec *sg, int cnt)
- {
-     int i, to_copy;
-@@ -2048,8 +2049,8 @@ static void v9fs_write(void *opaque)
- {
-     ssize_t err;
-     int32_t fid;
--    int64_t off;
--    int32_t count;
-+    uint64_t off;
-+    uint32_t count;
-     int32_t len = 0;
-     int32_t total = 0;
-     size_t offset = 7;
-diff --git a/hw/9pfs/virtio-9p.h b/hw/9pfs/virtio-9p.h
-index 8b612da..19a797b 100644
---- a/hw/9pfs/virtio-9p.h
-+++ b/hw/9pfs/virtio-9p.h
-@@ -156,7 +156,7 @@ typedef struct V9fsFidState V9fsFidState;
-
- typedef struct V9fsString
- {
--    int16_t size;
-+    uint16_t size;
-     char *data;
- } V9fsString;
-
-diff --git a/trace-events b/trace-events
-index 962caca..e417897 100644
---- a/trace-events
-+++ b/trace-events
-@@ -579,11 +579,11 @@ v9fs_lcreate(uint16_t tag, uint8_t id, int32_t dfid, int32_t flags, int32_t mode
- v9fs_lcreate_return(uint16_t tag, uint8_t id, int8_t type, int32_t version, int64_t path, int32_t iounit) "tag %d id %d qid={type %d version %d path %"PRId64"} iounit %d"
- v9fs_fsync(uint16_t tag, uint8_t id, int32_t fid, int datasync) "tag %d id %d fid %d datasync %d"
- v9fs_clunk(uint16_t tag, uint8_t id, int32_t fid) "tag %d id %d fid %d"
--v9fs_read(uint16_t tag, uint8_t id, int32_t fid, int64_t off, int32_t max_count) "tag %d id %d fid %d off %"PRId64" max_count %d"
-+v9fs_read(uint16_t tag, uint8_t id, int32_t fid, uint64_t off, uint32_t max_count) "tag %d id %d fid %d off %"PRIu64" max_count %u"
- v9fs_read_return(uint16_t tag, uint8_t id, int32_t count, ssize_t err) "tag %d id %d count %d err %zd"
--v9fs_readdir(uint16_t tag, uint8_t id, int32_t fid, int64_t offset, int32_t max_count) "tag %d id %d fid %d offset %"PRId64" max_count %d"
--v9fs_readdir_return(uint16_t tag, uint8_t id, int32_t count, ssize_t retval) "tag %d id %d count %d retval %zd"
--v9fs_write(uint16_t tag, uint8_t id, int32_t fid, int64_t off, int32_t count, int cnt) "tag %d id %d fid %d off %"PRId64" count %d cnt %d"
-+v9fs_readdir(uint16_t tag, uint8_t id, int32_t fid, uint64_t offset, uint32_t max_count) "tag %d id %d fid %d offset %"PRIu64" max_count %u"
-+v9fs_readdir_return(uint16_t tag, uint8_t id, uint32_t count, ssize_t retval) "tag %d id %d count %u retval %zd"
-+v9fs_write(uint16_t tag, uint8_t id, int32_t fid, uint64_t off, uint32_t count, int cnt) "tag %d id %d fid %d off %"PRIu64" count %u cnt %d"
- v9fs_write_return(uint16_t tag, uint8_t id, int32_t total, ssize_t err) "tag %d id %d total %d err %zd"
- v9fs_create(uint16_t tag, uint8_t id, int32_t fid, char* name, int32_t perm, int8_t mode) "tag %d id %d fid %d name %s perm %d mode %d"
- v9fs_create_return(uint16_t tag, uint8_t id, int8_t type, int32_t version, int64_t path, int iounit) "tag %d id %d qid={type %d version %d path %"PRId64"} iounit %d"
--- 
-1.7.7.5
-
diff --git a/0010-target-i386-fix-cmpxchg-instruction-emulation.patch b/0010-target-i386-fix-cmpxchg-instruction-emulation.patch
deleted file mode 100644
index a7276e2..0000000
--- a/0010-target-i386-fix-cmpxchg-instruction-emulation.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From abf80f880410ebbdd01a289c41c87153802fe900 Mon Sep 17 00:00:00 2001
-From: Andreas Gustafsson <gson@gson.org>
-Date: Mon, 12 Dec 2011 00:46:32 +0400
-Subject: [PATCH 10/25] target-i386: fix cmpxchg instruction emulation
-
-When the i386 cmpxchg instruction is executed with a memory operand
-and the comparison result is "unequal", do the memory write before
-changing the accumulator instead of the other way around, because
-otherwise the new accumulator value will incorrectly be used in the
-comparison when the instruction is restarted after a page fault.
-
-This bug was originally reported on 2010-04-25 as
-https://bugs.launchpad.net/qemu/+bug/569760
-
-Signed-off-by: Andreas Gustafsson <gson@gson.org>
----
- target-i386/translate.c |   11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/target-i386/translate.c b/target-i386/translate.c
-index 1ef8d16..8321bf3 100644
---- a/target-i386/translate.c
-+++ b/target-i386/translate.c
-@@ -4870,20 +4870,23 @@ static target_ulong disas_insn(DisasContext *s, target_ulong pc_start)
-             tcg_gen_sub_tl(t2, cpu_regs[R_EAX], t0);
-             gen_extu(ot, t2);
-             tcg_gen_brcondi_tl(TCG_COND_EQ, t2, 0, label1);
-+            label2 = gen_new_label();
-             if (mod == 3) {
--                label2 = gen_new_label();
-                 gen_op_mov_reg_v(ot, R_EAX, t0);
-                 tcg_gen_br(label2);
-                 gen_set_label(label1);
-                 gen_op_mov_reg_v(ot, rm, t1);
--                gen_set_label(label2);
-             } else {
--                tcg_gen_mov_tl(t1, t0);
-+                /* perform no-op store cycle like physical cpu; must be
-+                   before changing accumulator to ensure idempotency if
-+                   the store faults and the instruction is restarted */
-+                gen_op_st_v(ot + s->mem_index, t0, a0);
-                 gen_op_mov_reg_v(ot, R_EAX, t0);
-+                tcg_gen_br(label2);
-                 gen_set_label(label1);
--                /* always store */
-                 gen_op_st_v(ot + s->mem_index, t1, a0);
-             }
-+            gen_set_label(label2);
-             tcg_gen_mov_tl(cpu_cc_src, t0);
-             tcg_gen_mov_tl(cpu_cc_dst, t2);
-             s->cc_op = CC_OP_SUBB + ot;
--- 
-1.7.7.5
-
diff --git a/0011-configure-Enable-build-by-default-PIE-read-only-relo.patch b/0011-configure-Enable-build-by-default-PIE-read-only-relo.patch
deleted file mode 100644
index bd592c7..0000000
--- a/0011-configure-Enable-build-by-default-PIE-read-only-relo.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 6d450bfbc862d0dab0e8da10ae15698612800726 Mon Sep 17 00:00:00 2001
-From: Brad <brad@comstyle.com>
-Date: Mon, 28 Nov 2011 19:53:49 -0500
-Subject: [PATCH 11/25] configure: Enable build by default PIE / read-only
- relocation sections on OpenBSD amd64/i386.
-
-Enable build by default PIE / read-only relocation sections for the QEMU
-binaries on OpenBSD amd64/i386.
-
-Signed-off-by: Brad Smith <brad@comstyle.com>
-Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
----
- configure |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/configure b/configure
-index ac4840d..b113f60 100755
---- a/configure
-+++ b/configure
-@@ -1116,7 +1116,7 @@ fi
-
- if test "$pie" = ""; then
-   case "$cpu-$targetos" in
--    i386-Linux|x86_64-Linux)
-+    i386-Linux|x86_64-Linux|i386-OpenBSD|x86_64-OpenBSD)
-       ;;
-     *)
-       pie="no"
--- 
-1.7.7.5
-
diff --git a/0012-cris-Handle-conditional-stores-on-CRISv10.patch b/0012-cris-Handle-conditional-stores-on-CRISv10.patch
deleted file mode 100644
index c824a09..0000000
--- a/0012-cris-Handle-conditional-stores-on-CRISv10.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 3e8088148bb56b84a739c2ef3c63d89188a1ad8f Mon Sep 17 00:00:00 2001
-From: Stefan Sandstrom <Stefan.Sandstrom@axis.com>
-Date: Mon, 12 Dec 2011 11:38:31 +0100
-Subject: [PATCH 12/25] cris: Handle conditional stores on CRISv10
-
-Signed-off-by: Stefan Sandstrom <Stefan.Sandstrom@axis.com>
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
----
- target-cris/cpu.h           |    2 +
- target-cris/helper.c        |    1 +
- target-cris/translate_v10.c |   72 +++++++++++++++++++++++++++++++++++++++---
- 3 files changed, 69 insertions(+), 6 deletions(-)
-
-diff --git a/target-cris/cpu.h b/target-cris/cpu.h
-index 8ae0ce3..453afbb 100644
---- a/target-cris/cpu.h
-+++ b/target-cris/cpu.h
-@@ -67,6 +67,8 @@
- #define Q_FLAG 0x80000000
- #define M_FLAG 0x40000000
- #define PFIX_FLAG 0x800      /* CRISv10 Only.  */
-+#define F_FLAG_V10 0x400
-+#define P_FLAG_V10 0x200
- #define S_FLAG 0x200
- #define R_FLAG 0x100
- #define P_FLAG 0x80
-diff --git a/target-cris/helper.c b/target-cris/helper.c
-index 75f0035..5bc6d81 100644
---- a/target-cris/helper.c
-+++ b/target-cris/helper.c
-@@ -157,6 +157,7 @@ static void do_interruptv10(CPUState *env)
- 	/* Now that we are in kernel mode, load the handlers address.  */
- 	env->pc = ldl_code(env->pregs[PR_EBP] + ex_vec * 4);
- 	env->locked_irq = 1;
-+	env->pregs[PR_CCS] |= F_FLAG_V10; /* set F.  */
-
- 	qemu_log_mask(CPU_LOG_INT, "%s isr=%x vec=%x ccs=%x pid=%d erp=%x\n", 
- 		      __func__, env->pc, ex_vec, 
-diff --git a/target-cris/translate_v10.c b/target-cris/translate_v10.c
-index 637ac20..95053b6 100644
---- a/target-cris/translate_v10.c
-+++ b/target-cris/translate_v10.c
-@@ -62,6 +62,65 @@ static inline void cris_illegal_insn(DisasContext *dc)
-     t_gen_raise_exception(EXCP_BREAK);
- }
-
-+static void gen_store_v10_conditional(DisasContext *dc, TCGv addr, TCGv val,
-+                       unsigned int size, int mem_index)
-+{
-+    int l1 = gen_new_label();
-+    TCGv taddr = tcg_temp_local_new();
-+    TCGv tval = tcg_temp_local_new();
-+    TCGv t1 = tcg_temp_local_new();
-+    dc->postinc = 0;
-+    cris_evaluate_flags(dc);
-+
-+    tcg_gen_mov_tl(taddr, addr);
-+    tcg_gen_mov_tl(tval, val);
-+
-+    /* Store only if F flag isn't set */
-+    tcg_gen_andi_tl(t1, cpu_PR[PR_CCS], F_FLAG_V10);
-+    tcg_gen_brcondi_tl(TCG_COND_NE, t1, 0, l1);
-+    if (size == 1) {
-+        tcg_gen_qemu_st8(tval, taddr, mem_index);
-+    } else if (size == 2) {
-+        tcg_gen_qemu_st16(tval, taddr, mem_index);
-+    } else {
-+        tcg_gen_qemu_st32(tval, taddr, mem_index);
-+    }
-+    gen_set_label(l1);
-+    tcg_gen_shri_tl(t1, t1, 1);  /* shift F to P position */
-+    tcg_gen_or_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], t1); /*P=F*/
-+    tcg_temp_free(t1);
-+    tcg_temp_free(tval);
-+    tcg_temp_free(taddr);
-+}
-+
-+static void gen_store_v10(DisasContext *dc, TCGv addr, TCGv val,
-+                       unsigned int size)
-+{
-+    int mem_index = cpu_mmu_index(dc->env);
-+
-+    /* If we get a fault on a delayslot we must keep the jmp state in
-+       the cpu-state to be able to re-execute the jmp.  */
-+    if (dc->delayed_branch == 1) {
-+        cris_store_direct_jmp(dc);
-+    }
-+
-+    /* Conditional writes. We only support the kind were X is known
-+       at translation time.  */
-+    if (dc->flagx_known && dc->flags_x) {
-+        gen_store_v10_conditional(dc, addr, val, size, mem_index);
-+        return;
-+    }
-+
-+    if (size == 1) {
-+        tcg_gen_qemu_st8(val, addr, mem_index);
-+    } else if (size == 2) {
-+        tcg_gen_qemu_st16(val, addr, mem_index);
-+    } else {
-+        tcg_gen_qemu_st32(val, addr, mem_index);
-+    }
-+}
-+
-+
- /* Prefix flag and register are used to handle the more complex
-    addressing modes.  */
- static void cris_set_prefix(DisasContext *dc)
-@@ -313,7 +372,8 @@ static unsigned int dec10_setclrf(DisasContext *dc)
-     if (set) {
-         tcg_gen_ori_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], flags);
-     } else {
--        tcg_gen_andi_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], ~flags);
-+        tcg_gen_andi_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS],
-+                        ~(flags|F_FLAG_V10|P_FLAG_V10));
-     }
-
-     dc->flags_uptodate = 1;
-@@ -723,7 +783,7 @@ static unsigned int dec10_ind_move_r_m(DisasContext *dc, unsigned int size)
-     LOG_DIS("move.%d $r%d, [$r%d]\n", dc->size, dc->src, dc->dst);
-     addr = tcg_temp_new();
-     crisv10_prepare_memaddr(dc, addr, size);
--    gen_store(dc, addr, cpu_R[dc->dst], size);
-+    gen_store_v10(dc, addr, cpu_R[dc->dst], size);
-     insn_len += crisv10_post_memaddr(dc, size);
-
-     return insn_len;
-@@ -767,10 +827,10 @@ static unsigned int dec10_ind_move_pr_m(DisasContext *dc)
-         t0 = tcg_temp_new();
-         cris_evaluate_flags(dc);
-         tcg_gen_andi_tl(t0, cpu_PR[PR_CCS], ~PFIX_FLAG);
--        gen_store(dc, addr, t0, size);
-+        gen_store_v10(dc, addr, t0, size);
-         tcg_temp_free(t0);
-     } else {
--        gen_store(dc, addr, cpu_PR[dc->dst], size);
-+        gen_store_v10(dc, addr, cpu_PR[dc->dst], size);
-     }
-     t0 = tcg_temp_new();
-     insn_len += crisv10_post_memaddr(dc, size);
-@@ -793,9 +853,9 @@ static void dec10_movem_r_m(DisasContext *dc)
-     tcg_gen_mov_tl(t0, addr);
-     for (i = dc->dst; i >= 0; i--) {
-         if ((pfix && dc->mode == CRISV10_MODE_AUTOINC) && dc->src == i) {
--            gen_store(dc, addr, t0, 4);
-+            gen_store_v10(dc, addr, t0, 4);
-         } else {
--            gen_store(dc, addr, cpu_R[i], 4);
-+            gen_store_v10(dc, addr, cpu_R[i], 4);
-         }
-         tcg_gen_addi_tl(addr, addr, 4);
-     }
--- 
-1.7.7.5
-
diff --git a/0013-pc-add-pc-0.15.patch b/0013-pc-add-pc-0.15.patch
deleted file mode 100644
index f85b065..0000000
--- a/0013-pc-add-pc-0.15.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a25808dc5baee83f36e0cdab998eb6c0024156fa Mon Sep 17 00:00:00 2001
-From: Anthony Liguori <aliguori@us.ibm.com>
-Date: Sun, 18 Dec 2011 12:59:12 -0600
-Subject: [PATCH 13/25] pc: add pc-0.15
-
-Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
----
- hw/pc_piix.c |    9 +++++++++
- 1 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/hw/pc_piix.c b/hw/pc_piix.c
-index 970f43c..9093a28 100644
---- a/hw/pc_piix.c
-+++ b/hw/pc_piix.c
-@@ -306,6 +306,14 @@ static QEMUMachine pc_machine_v1_0 = {
-     .is_default = 1,
- };
-
-+static QEMUMachine pc_machine_v0_15 = {
-+    .name = "pc-0.15",
-+    .desc = "Standard PC",
-+    .init = pc_init_pci,
-+    .max_cpus = 255,
-+    .is_default = 1,
-+};
-+
- static QEMUMachine pc_machine_v0_14 = {
-     .name = "pc-0.14",
-     .desc = "Standard PC",
-@@ -557,6 +565,7 @@ static QEMUMachine xenfv_machine = {
- static void pc_machine_init(void)
- {
-     qemu_register_machine(&pc_machine_v1_0);
-+    qemu_register_machine(&pc_machine_v0_15);
-     qemu_register_machine(&pc_machine_v0_14);
-     qemu_register_machine(&pc_machine_v0_13);
-     qemu_register_machine(&pc_machine_v0_12);
--- 
-1.7.7.5
-
diff --git a/0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch b/0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch
deleted file mode 100644
index 121ec6c..0000000
--- a/0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 7e2191ae9898cc957a3d1991aff0e40f2e0f44a4 Mon Sep 17 00:00:00 2001
-From: Anthony Liguori <aliguori@us.ibm.com>
-Date: Sun, 18 Dec 2011 13:07:03 -0600
-Subject: [PATCH 14/25] pc: fix event_idx compatibility for virtio devices
-
-event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
-(including virtio-balloon-pci).
-
-Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
----
- hw/pc_piix.c |   32 ++++++++++++++++++++++++++++++++
- 1 files changed, 32 insertions(+), 0 deletions(-)
-
-diff --git a/hw/pc_piix.c b/hw/pc_piix.c
-index 9093a28..05000e3 100644
---- a/hw/pc_piix.c
-+++ b/hw/pc_piix.c
-@@ -328,6 +328,22 @@ static QEMUMachine pc_machine_v0_14 = {
-             .driver   = "qxl-vga",
-             .property = "revision",
-             .value    = stringify(2),
-+        },{
-+            .driver   = "virtio-blk-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-+            .driver   = "virtio-serial-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-+            .driver   = "virtio-net-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-+            .driver   = "virtio-balloon-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-         },
-         { /* end of list */ }
-     },
-@@ -368,6 +384,10 @@ static QEMUMachine pc_machine_v0_13 = {
-             .property = "event_idx",
-             .value    = "off",
-         },{
-+            .driver   = "virtio-balloon-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-             .driver   = "AC97",
-             .property = "use_broken_id",
-             .value    = stringify(1),
-@@ -415,6 +435,10 @@ static QEMUMachine pc_machine_v0_12 = {
-             .property = "event_idx",
-             .value    = "off",
-         },{
-+            .driver   = "virtio-balloon-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-             .driver   = "AC97",
-             .property = "use_broken_id",
-             .value    = stringify(1),
-@@ -470,6 +494,10 @@ static QEMUMachine pc_machine_v0_11 = {
-             .property = "event_idx",
-             .value    = "off",
-         },{
-+            .driver   = "virtio-balloon-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-             .driver   = "AC97",
-             .property = "use_broken_id",
-             .value    = stringify(1),
-@@ -537,6 +565,10 @@ static QEMUMachine pc_machine_v0_10 = {
-             .property = "event_idx",
-             .value    = "off",
-         },{
-+            .driver   = "virtio-balloon-pci",
-+            .property = "event_idx",
-+            .value    = "off",
-+        },{
-             .driver   = "AC97",
-             .property = "use_broken_id",
-             .value    = stringify(1),
--- 
-1.7.7.5
-
diff --git a/0015-Fix-parse-of-usb-device-description-with-multiple-co.patch b/0015-Fix-parse-of-usb-device-description-with-multiple-co.patch
deleted file mode 100644
index efc5119..0000000
--- a/0015-Fix-parse-of-usb-device-description-with-multiple-co.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 9b81fbdbb0cc930aacec343c6ab37adfd60c9e76 Mon Sep 17 00:00:00 2001
-From: "Cao,Bing Bu" <mars@linux.vnet.ibm.com>
-Date: Tue, 13 Dec 2011 09:22:20 +0800
-Subject: [PATCH 15/25] Fix parse of usb device description with multiple
- configurations
-
-Changed From V1:
-Use DPRINTF instead of fprintf,because it is not an error.
-
-When testing ipod on QEMU by He Jie Xu<xuhj@linux.vnet.ibm.com>,qemu made a assertion.
-We found that the ipod with 2 configurations,and the usb-linux did not parse the descriptor correctly.
-The descr_len returned is the total length of the all configurations,not one configuration.
-The older version will through the other configurations instead of skip,continue parsing the descriptor of interfaces/endpoints in other configurations,then went wrong.
-
-This patch will put the configuration descriptor parse in loop outside and dispel the other configurations not requested.
-
-Signed-off-by: Cao,Bing Bu <mars@linux.vnet.ibm.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- usb-linux.c |   19 +++++++++++--------
- 1 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/usb-linux.c b/usb-linux.c
-index ab4c693..ed14bb1 100644
---- a/usb-linux.c
-+++ b/usb-linux.c
-@@ -1141,15 +1141,18 @@ static int usb_linux_update_endp_table(USBHostDevice *s)
-     length = s->descr_len - 18;
-     i = 0;
-
--    if (descriptors[i + 1] != USB_DT_CONFIG ||
--        descriptors[i + 5] != s->configuration) {
--        fprintf(stderr, "invalid descriptor data - configuration %d\n",
--                s->configuration);
--        return 1;
--    }
--    i += descriptors[i];
--
-     while (i < length) {
-+        if (descriptors[i + 1] != USB_DT_CONFIG) {
-+            fprintf(stderr, "invalid descriptor data\n");
-+            return 1;
-+        } else if (descriptors[i + 5] != s->configuration) {
-+            DPRINTF("not requested configuration %d\n", s->configuration);
-+            i += (descriptors[i + 3] << 8) + descriptors[i + 2];
-+            continue;
-+        }
-+
-+        i += descriptors[i];
-+
-         if (descriptors[i + 1] != USB_DT_INTERFACE ||
-             (descriptors[i + 1] == USB_DT_INTERFACE &&
-              descriptors[i + 4] == 0)) {
--- 
-1.7.7.5
-
diff --git a/0016-usb-storage-cancel-I-O-on-reset.patch b/0016-usb-storage-cancel-I-O-on-reset.patch
deleted file mode 100644
index 5fdd63d..0000000
--- a/0016-usb-storage-cancel-I-O-on-reset.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f63d074313c5df917535587b50802ece7beb6e45 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 4 Jan 2012 18:13:54 +0100
-Subject: [PATCH 16/25] usb-storage: cancel I/O on reset
-
-When resetting the usb-storage device we'll have to carefully cancel
-and clear any requests which might be in flight, otherwise we'll confuse
-the state machine.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb-msd.c |   12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
-
-diff --git a/hw/usb-msd.c b/hw/usb-msd.c
-index 4c06950..3147131 100644
---- a/hw/usb-msd.c
-+++ b/hw/usb-msd.c
-@@ -278,6 +278,18 @@ static void usb_msd_handle_reset(USBDevice *dev)
-     MSDState *s = (MSDState *)dev;
-
-     DPRINTF("Reset\n");
-+    if (s->req) {
-+        scsi_req_cancel(s->req);
-+    }
-+    assert(s->req == NULL);
-+
-+    if (s->packet) {
-+        USBPacket *p = s->packet;
-+        s->packet = NULL;
-+        p->result = USB_RET_STALL;
-+        usb_packet_complete(dev, p);
-+    }
-+
-     s->mode = USB_MSDM_CBW;
- }
-
--- 
-1.7.7.5
-
diff --git a/0017-usb-host-properly-release-port-on-unplug-exit.patch b/0017-usb-host-properly-release-port-on-unplug-exit.patch
deleted file mode 100644
index 5804510..0000000
--- a/0017-usb-host-properly-release-port-on-unplug-exit.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From c936f649d4a6b87cabe809170874f6b560cc0524 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 5 Jan 2012 15:49:18 +0100
-Subject: [PATCH 17/25] usb-host: properly release port on unplug & exit
-
-Factor out port release into a separate function.  Call release function
-in exit notifier too.  Add explicit call the USBDEVFS_RELEASE_PORT
-ioctl, just closing the hub file handle seems not to be enougth.  Make
-sure we release the port before resetting the device, otherwise host
-drivers will not re-attach.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- usb-linux.c |   28 ++++++++++++++++++++--------
- 1 files changed, 20 insertions(+), 8 deletions(-)
-
-diff --git a/usb-linux.c b/usb-linux.c
-index ed14bb1..749ce71 100644
---- a/usb-linux.c
-+++ b/usb-linux.c
-@@ -116,6 +116,7 @@ typedef struct USBHostDevice {
-     USBDevice dev;
-     int       fd;
-     int       hub_fd;
-+    int       hub_port;
-
-     uint8_t   descr[8192];
-     int       descr_len;
-@@ -434,7 +435,7 @@ static int usb_host_claim_port(USBHostDevice *s)
- {
- #ifdef USBDEVFS_CLAIM_PORT
-     char *h, hub_name[64], line[1024];
--    int hub_addr, portnr, ret;
-+    int hub_addr, ret;
-
-     snprintf(hub_name, sizeof(hub_name), "%d-%s",
-              s->match.bus_num, s->match.port);
-@@ -442,13 +443,13 @@ static int usb_host_claim_port(USBHostDevice *s)
-     /* try strip off last ".$portnr" to get hub */
-     h = strrchr(hub_name, '.');
-     if (h != NULL) {
--        portnr = atoi(h+1);
-+        s->hub_port = atoi(h+1);
-         *h = '\0';
-     } else {
-         /* no dot in there -> it is the root hub */
-         snprintf(hub_name, sizeof(hub_name), "usb%d",
-                  s->match.bus_num);
--        portnr = atoi(s->match.port);
-+        s->hub_port = atoi(s->match.port);
-     }
-
-     if (!usb_host_read_file(line, sizeof(line), "devnum",
-@@ -469,20 +470,32 @@ static int usb_host_claim_port(USBHostDevice *s)
-         return -1;
-     }
-
--    ret = ioctl(s->hub_fd, USBDEVFS_CLAIM_PORT, &portnr);
-+    ret = ioctl(s->hub_fd, USBDEVFS_CLAIM_PORT, &s->hub_port);
-     if (ret < 0) {
-         close(s->hub_fd);
-         s->hub_fd = -1;
-         return -1;
-     }
-
--    trace_usb_host_claim_port(s->match.bus_num, hub_addr, portnr);
-+    trace_usb_host_claim_port(s->match.bus_num, hub_addr, s->hub_port);
-     return 0;
- #else
-     return -1;
- #endif
- }
-
-+static void usb_host_release_port(USBHostDevice *s)
-+{
-+    if (s->hub_fd == -1) {
-+        return;
-+    }
-+#ifdef USBDEVFS_RELEASE_PORT
-+    ioctl(s->hub_fd, USBDEVFS_RELEASE_PORT, &s->hub_port);
-+#endif
-+    close(s->hub_fd);
-+    s->hub_fd = -1;
-+}
-+
- static int usb_host_disconnect_ifaces(USBHostDevice *dev, int nb_interfaces)
- {
-     /* earlier Linux 2.4 do not support that */
-@@ -635,10 +648,8 @@ static void usb_host_handle_destroy(USBDevice *dev)
- {
-     USBHostDevice *s = (USBHostDevice *)dev;
-
-+    usb_host_release_port(s);
-     usb_host_close(s);
--    if (s->hub_fd != -1) {
--        close(s->hub_fd);
--    }
-     QTAILQ_REMOVE(&hostdevs, s, next);
-     qemu_remove_exit_notifier(&s->exit);
- }
-@@ -1402,6 +1413,7 @@ static void usb_host_exit_notifier(struct Notifier *n, void *data)
- {
-     USBHostDevice *s = container_of(n, USBHostDevice, exit);
-
-+    usb_host_release_port(s);
-     if (s->fd != -1) {
-         usb_host_do_reset(s);;
-     }
--- 
-1.7.7.5
-
diff --git a/0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch b/0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch
deleted file mode 100644
index bba083e..0000000
--- a/0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 23201c64a789cf948fedcea221a4b6e197fcd628 Mon Sep 17 00:00:00 2001
-From: Andriy Gapon <avg@FreeBSD.org>
-Date: Thu, 22 Dec 2011 11:34:30 +0200
-Subject: [PATCH 18/25] usb-ohci: td.cbp incorrectly updated near page end
-
-The current code that updates the cbp value after a transfer looks like this:
-td.cbp += ret;
-if ((td.cbp & 0xfff) + ret > 0xfff) {
-	<handle page overflow>
-because the 'ret' value is effectively added twice the check may fire too early
-when the overflow hasn't happened yet.
-
-Below is one of the possible changes that correct the behavior:
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb-ohci.c |    6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
-index c2981c5..c27014a 100644
---- a/hw/usb-ohci.c
-+++ b/hw/usb-ohci.c
-@@ -1025,10 +1025,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
-         if (ret == len) {
-             td.cbp = 0;
-         } else {
--            td.cbp += ret;
-             if ((td.cbp & 0xfff) + ret > 0xfff) {
--                td.cbp &= 0xfff;
--                td.cbp |= td.be & ~0xfff;
-+                td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
-+            } else {
-+                td.cbp += ret;
-             }
-         }
-         td.flags |= OHCI_TD_T1;
--- 
-1.7.7.5
-
diff --git a/0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch b/0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch
deleted file mode 100644
index d3a4197..0000000
--- a/0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 37769d27270eff15d878a1c7df23407fc5f09b7f Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sat, 7 Jan 2012 15:20:12 +0100
-Subject: [PATCH 19/25] target-sh4: ignore ocbp and ocbwb instructions
-
-ocbp and ocbwb controls the writeback of a cache line to memory. They
-are supposed to do nothing in case of a cache miss. Given QEMU only
-partially emulate caches, it is safe to ignore these instructions.
-
-This fixes a kernel oops when trying to access an rtl8139 NIC with
-recent versions.
-
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
-(cherry picked from commit 0cdb95549fedc73e13c147ab9dcabcc303426a07)
----
- target-sh4/translate.c |   14 +++-----------
- 1 files changed, 3 insertions(+), 11 deletions(-)
-
-diff --git a/target-sh4/translate.c b/target-sh4/translate.c
-index bad3577..e04a6e0 100644
---- a/target-sh4/translate.c
-+++ b/target-sh4/translate.c
-@@ -1652,18 +1652,10 @@ static void _decode_opc(DisasContext * ctx)
- 	}
- 	return;
-     case 0x00a3:		/* ocbp @Rn */
--	{
--	    TCGv dummy = tcg_temp_new();
--	    tcg_gen_qemu_ld32s(dummy, REG(B11_8), ctx->memidx);
--	    tcg_temp_free(dummy);
--	}
--	return;
-     case 0x00b3:		/* ocbwb @Rn */
--	{
--	    TCGv dummy = tcg_temp_new();
--	    tcg_gen_qemu_ld32s(dummy, REG(B11_8), ctx->memidx);
--	    tcg_temp_free(dummy);
--	}
-+        /* These instructions are supposed to do nothing in case of
-+           a cache miss. Given that we only partially emulate caches
-+           it is safe to simply ignore them. */
- 	return;
-     case 0x0083:		/* pref @Rn */
- 	return;
--- 
-1.7.7.5
-
diff --git a/0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch b/0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch
deleted file mode 100644
index f6ce35a..0000000
--- a/0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From fbcf305e5adc310e6383d4ec5e844f3f8d072116 Mon Sep 17 00:00:00 2001
-From: Alexander Graf <agraf@suse.de>
-Date: Mon, 12 Dec 2011 22:36:01 +0100
-Subject: [PATCH 20/25] PPC: Fix linker scripts on ppc hosts
-
-When compiling qemu statically with multilib on PPC, we hit the
-same issue that commit 845f2c2812d9ed24b36c02a3d06ee83aeafe8b49
-is fixing. Do the same here.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
-(cherry picked from commit 665a04ae1cbfa8004a38cf0fe99ba799c978a1fe)
----
- ppc.ld   |   16 ++++++++++++++--
- ppc64.ld |   16 ++++++++++++++--
- 2 files changed, 28 insertions(+), 4 deletions(-)
-
-diff --git a/ppc.ld b/ppc.ld
-index 69aa3f2..2a0dcad 100644
---- a/ppc.ld
-+++ b/ppc.ld
-@@ -49,8 +49,20 @@ SECTIONS
-   .rela.sbss2     : { *(.rela.sbss2 .rela.sbss2.* .rela.gnu.linkonce.sb2.*) }
-   .rel.bss        : { *(.rel.bss .rel.bss.* .rel.gnu.linkonce.b.*) }
-   .rela.bss       : { *(.rela.bss .rela.bss.* .rela.gnu.linkonce.b.*) }
--  .rel.plt        : { *(.rel.plt) }
--  .rela.plt       : { *(.rela.plt) }
-+  .rel.plt      :
-+  {
-+    *(.rel.plt)
-+    PROVIDE (__rel_iplt_start = .);
-+    *(.rel.iplt)
-+    PROVIDE (__rel_iplt_end = .);
-+  }
-+  .rela.plt       :
-+  {
-+    *(.rela.plt)
-+    PROVIDE (__rela_iplt_start = .);
-+    *(.rela.iplt)
-+    PROVIDE (__rela_iplt_end = .);
-+  }
-   .init           :
-   {
-     KEEP (*(.init))
-diff --git a/ppc64.ld b/ppc64.ld
-index 0a7c0dd..e2dafa0 100644
---- a/ppc64.ld
-+++ b/ppc64.ld
-@@ -54,8 +54,20 @@ SECTIONS
-       *(.rela.sbss2 .rela.sbss2.* .rela.gnu.linkonce.sb2.*)
-       *(.rela.bss .rela.bss.* .rela.gnu.linkonce.b.*)
-     }
--  .rel.plt        : { *(.rel.plt) }
--  .rela.plt       : { *(.rela.plt) }
-+  .rel.plt      :
-+  {
-+    *(.rel.plt)
-+    PROVIDE (__rel_iplt_start = .);
-+    *(.rel.iplt)
-+    PROVIDE (__rel_iplt_end = .);
-+  }
-+  .rela.plt       :
-+  {
-+    *(.rela.plt)
-+    PROVIDE (__rela_iplt_start = .);
-+    *(.rela.iplt)
-+    PROVIDE (__rela_iplt_end = .);
-+  }
-   .rela.tocbss	  : { *(.rela.tocbss) }
-   .init           :
-   {
--- 
-1.7.7.5
-
diff --git a/0021-qiov-prevent-double-free-or-use-after-free.patch b/0021-qiov-prevent-double-free-or-use-after-free.patch
deleted file mode 100644
index 08e0e84..0000000
--- a/0021-qiov-prevent-double-free-or-use-after-free.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6061f16a8a119a46e61f2ddbabdb58f83e8857f7 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 25 Nov 2011 12:06:22 +0100
-Subject: [PATCH 21/25] qiov: prevent double free or use-after-free
-
-qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
-could thus be used after free or freed again.  While I do not know any
-example in the tree, I observed this using virtio-scsi (and SCSI
-scatter/gather) when canceling DMA requests.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- cutils.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/cutils.c b/cutils.c
-index 6db6304..24b3fe3 100644
---- a/cutils.c
-+++ b/cutils.c
-@@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov)
- {
-     assert(qiov->nalloc != -1);
-
-+    qemu_iovec_reset(qiov);
-     g_free(qiov->iov);
-+    qiov->nalloc = 0;
-+    qiov->iov = NULL;
- }
-
- void qemu_iovec_reset(QEMUIOVector *qiov)
--- 
-1.7.7.5
-
diff --git a/0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch b/0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
deleted file mode 100644
index eebdfaa..0000000
--- a/0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From fe5c13ebf1161d0f324229cfb36cb5fb87ec6248 Mon Sep 17 00:00:00 2001
-From: Avi Kivity <avi@redhat.com>
-Date: Mon, 5 Dec 2011 19:20:12 +0200
-Subject: [PATCH 22/25] coroutine: switch per-thread free pool to a global
- pool
-
-ucontext-based coroutines use a free pool to reduce allocations and
-deallocations of coroutine objects.  The pool is per-thread, presumably
-to improve locality.  However, as coroutines are usually allocated in
-a vcpu thread and freed in the I/O thread, the pool accounting gets
-screwed up and we end allocating and freeing a coroutine for every I/O
-request.  This is expensive since large objects are allocated via the
-kernel, and are not cached by the C runtime.
-
-Fix by switching to a global pool.  This is safe since we're protected
-by the global mutex.
-
-Signed-off-by: Avi Kivity <avi@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- coroutine-ucontext.c |   30 ++++++++++++++++--------------
- 1 files changed, 16 insertions(+), 14 deletions(-)
-
-diff --git a/coroutine-ucontext.c b/coroutine-ucontext.c
-index 2b8d3e9..3d01075 100644
---- a/coroutine-ucontext.c
-+++ b/coroutine-ucontext.c
-@@ -35,6 +35,10 @@ enum {
-     POOL_MAX_SIZE = 64,
- };
-
-+/** Free list to speed up creation */
-+static QLIST_HEAD(, Coroutine) pool = QLIST_HEAD_INITIALIZER(pool);
-+static unsigned int pool_size;
-+
- typedef struct {
-     Coroutine base;
-     void *stack;
-@@ -48,10 +52,6 @@ typedef struct {
-     /** Currently executing coroutine */
-     Coroutine *current;
-
--    /** Free list to speed up creation */
--    QLIST_HEAD(, Coroutine) pool;
--    unsigned int pool_size;
--
-     /** The default coroutine */
-     CoroutineUContext leader;
- } CoroutineThreadState;
-@@ -75,7 +75,6 @@ static CoroutineThreadState *coroutine_get_thread_state(void)
-     if (!s) {
-         s = g_malloc0(sizeof(*s));
-         s->current = &s->leader.base;
--        QLIST_INIT(&s->pool);
-         pthread_setspecific(thread_state_key, s);
-     }
-     return s;
-@@ -84,14 +83,19 @@ static CoroutineThreadState *coroutine_get_thread_state(void)
- static void qemu_coroutine_thread_cleanup(void *opaque)
- {
-     CoroutineThreadState *s = opaque;
-+
-+    g_free(s);
-+}
-+
-+static void __attribute__((destructor)) coroutine_cleanup(void)
-+{
-     Coroutine *co;
-     Coroutine *tmp;
-
--    QLIST_FOREACH_SAFE(co, &s->pool, pool_next, tmp) {
-+    QLIST_FOREACH_SAFE(co, &pool, pool_next, tmp) {
-         g_free(DO_UPCAST(CoroutineUContext, base, co)->stack);
-         g_free(co);
-     }
--    g_free(s);
- }
-
- static void __attribute__((constructor)) coroutine_init(void)
-@@ -169,13 +173,12 @@ static Coroutine *coroutine_new(void)
-
- Coroutine *qemu_coroutine_new(void)
- {
--    CoroutineThreadState *s = coroutine_get_thread_state();
-     Coroutine *co;
-
--    co = QLIST_FIRST(&s->pool);
-+    co = QLIST_FIRST(&pool);
-     if (co) {
-         QLIST_REMOVE(co, pool_next);
--        s->pool_size--;
-+        pool_size--;
-     } else {
-         co = coroutine_new();
-     }
-@@ -184,13 +187,12 @@ Coroutine *qemu_coroutine_new(void)
-
- void qemu_coroutine_delete(Coroutine *co_)
- {
--    CoroutineThreadState *s = coroutine_get_thread_state();
-     CoroutineUContext *co = DO_UPCAST(CoroutineUContext, base, co_);
-
--    if (s->pool_size < POOL_MAX_SIZE) {
--        QLIST_INSERT_HEAD(&s->pool, &co->base, pool_next);
-+    if (pool_size < POOL_MAX_SIZE) {
-+        QLIST_INSERT_HEAD(&pool, &co->base, pool_next);
-         co->base.caller = NULL;
--        s->pool_size++;
-+        pool_size++;
-         return;
-     }
-
--- 
-1.7.7.5
-
diff --git a/0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch b/0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
deleted file mode 100644
index 413ebd0..0000000
--- a/0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 5bb37d151b026759ee35f04212b11b4d625c7431 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 7 Dec 2011 12:42:10 +0100
-Subject: [PATCH 23/25] qemu-img rebase: Fix for undersized backing files
-
-Backing files may be smaller than the corresponding COW file. When
-reading directly from the backing file, qemu-img rebase must consider
-this and assume zero sectors after the end of backing files.
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
----
- qemu-img.c |   42 +++++++++++++++++++++++++++++++++---------
- 1 files changed, 33 insertions(+), 9 deletions(-)
-
-diff --git a/qemu-img.c b/qemu-img.c
-index 8bdae66..01cc0d3 100644
---- a/qemu-img.c
-+++ b/qemu-img.c
-@@ -1420,6 +1420,8 @@ static int img_rebase(int argc, char **argv)
-      */
-     if (!unsafe) {
-         uint64_t num_sectors;
-+        uint64_t old_backing_num_sectors;
-+        uint64_t new_backing_num_sectors;
-         uint64_t sector;
-         int n;
-         uint8_t * buf_old;
-@@ -1430,6 +1432,8 @@ static int img_rebase(int argc, char **argv)
-         buf_new = qemu_blockalign(bs, IO_BUF_SIZE);
-
-         bdrv_get_geometry(bs, &num_sectors);
-+        bdrv_get_geometry(bs_old_backing, &old_backing_num_sectors);
-+        bdrv_get_geometry(bs_new_backing, &new_backing_num_sectors);
-
-         local_progress = (float)100 /
-             (num_sectors / MIN(num_sectors, IO_BUF_SIZE / 512));
-@@ -1448,16 +1452,36 @@ static int img_rebase(int argc, char **argv)
-                 continue;
-             }
-
--            /* Read old and new backing file */
--            ret = bdrv_read(bs_old_backing, sector, buf_old, n);
--            if (ret < 0) {
--                error_report("error while reading from old backing file");
--                goto out;
-+            /*
-+             * Read old and new backing file and take into consideration that
-+             * backing files may be smaller than the COW image.
-+             */
-+            if (sector >= old_backing_num_sectors) {
-+                memset(buf_old, 0, n * BDRV_SECTOR_SIZE);
-+            } else {
-+                if (sector + n > old_backing_num_sectors) {
-+                    n = old_backing_num_sectors - sector;
-+                }
-+
-+                ret = bdrv_read(bs_old_backing, sector, buf_old, n);
-+                if (ret < 0) {
-+                    error_report("error while reading from old backing file");
-+                    goto out;
-+                }
-             }
--            ret = bdrv_read(bs_new_backing, sector, buf_new, n);
--            if (ret < 0) {
--                error_report("error while reading from new backing file");
--                goto out;
-+
-+            if (sector >= new_backing_num_sectors) {
-+                memset(buf_new, 0, n * BDRV_SECTOR_SIZE);
-+            } else {
-+                if (sector + n > new_backing_num_sectors) {
-+                    n = new_backing_num_sectors - sector;
-+                }
-+
-+                ret = bdrv_read(bs_new_backing, sector, buf_new, n);
-+                if (ret < 0) {
-+                    error_report("error while reading from new backing file");
-+                    goto out;
-+                }
-             }
-
-             /* If they differ, we need to write to the COW file */
--- 
-1.7.7.5
-
diff --git a/0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch b/0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
deleted file mode 100644
index 6df771d..0000000
--- a/0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 8afe984ef7aa25cb2f8af51da021fdc8a242884d Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 7 Dec 2011 13:57:13 +0100
-Subject: [PATCH 24/25] Documentation: Add qemu-img -t parameter in man page
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
----
- qemu-img-cmds.hx |    6 +++---
- qemu-img.texi    |   10 +++++++---
- 2 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
-index 4be00a5..49dce7c 100644
---- a/qemu-img-cmds.hx
-+++ b/qemu-img-cmds.hx
-@@ -24,13 +24,13 @@ ETEXI
- DEF("commit", img_commit,
-     "commit [-f fmt] [-t cache] filename")
- STEXI
--@item commit [-f @var{fmt}] @var{filename}
-+@item commit [-f @var{fmt}] [-t @var{cache}] @var{filename}
- ETEXI
-
- DEF("convert", img_convert,
-     "convert [-c] [-p] [-f fmt] [-t cache] [-O output_fmt] [-o options] [-s snapshot_name] [-S sparse_size] filename [filename2 [...]] output_filename")
- STEXI
--@item convert [-c] [-p] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var{filename} [@var{filename2} [...]] @var{output_filename}
-+@item convert [-c] [-p] [-f @var{fmt}] [-t @var{cache}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var{filename} [@var{filename2} [...]] @var{output_filename}
- ETEXI
-
- DEF("info", img_info,
-@@ -48,7 +48,7 @@ ETEXI
- DEF("rebase", img_rebase,
-     "rebase [-f fmt] [-t cache] [-p] [-u] -b backing_file [-F backing_fmt] filename")
- STEXI
--@item rebase [-f @var{fmt}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var{filename}
-+@item rebase [-f @var{fmt}] [-t @var{cache}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var{filename}
- ETEXI
-
- DEF("resize", img_resize,
-diff --git a/qemu-img.texi b/qemu-img.texi
-index 70fa321..b2ca3a5 100644
---- a/qemu-img.texi
-+++ b/qemu-img.texi
-@@ -45,6 +45,10 @@ indicates the consecutive number of bytes that must contain only zeros
- for qemu-img to create a sparse image during conversion. This value is rounded
- down to the nearest 512 bytes. You may use the common size suffixes like
- @code{k} for kilobytes.
-+@item -t @var{cache}
-+specifies the cache mode that should be used with the (destination) file. See
-+the documentation of the emulator's @code{-drive cache=...} option for allowed
-+values.
- @end table
-
- Parameters to snapshot subcommand:
-@@ -87,11 +91,11 @@ this case. @var{backing_file} will never be modified unless you use the
- The size can also be specified using the @var{size} option with @code{-o},
- it doesn't need to be specified separately in this case.
-
--@item commit [-f @var{fmt}] @var{filename}
-+@item commit [-f @var{fmt}] [-t @var{cache}] @var{filename}
-
- Commit the changes recorded in @var{filename} in its base image.
-
--@item convert [-c] [-p] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var{filename} [@var{filename2} [...]] @var{output_filename}
-+@item convert [-c] [-p] [-f @var{fmt}] [-t @var{cache}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] [-S @var{sparse_size}] @var{filename} [@var{filename2} [...]] @var{output_filename}
-
- Convert the disk image @var{filename} or a snapshot @var{snapshot_name} to disk image @var{output_filename}
- using format @var{output_fmt}. It can be optionally compressed (@code{-c}
-@@ -121,7 +125,7 @@ they are displayed too.
-
- List, apply, create or delete snapshots in image @var{filename}.
-
--@item rebase [-f @var{fmt}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var{filename}
-+@item rebase [-f @var{fmt}] [-t @var{cache}] [-p] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var{filename}
-
- Changes the backing file of an image. Only the formats @code{qcow2} and
- @code{qed} support changing the backing file.
--- 
-1.7.7.5
-
diff --git a/0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch b/0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
deleted file mode 100644
index fb7010d..0000000
--- a/0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e47c212cb5af148ab6d9dcf49bc0e054fe9c2e1d Mon Sep 17 00:00:00 2001
-From: Josh Durgin <josh.durgin@dreamhost.com>
-Date: Tue, 6 Dec 2011 17:05:10 -0800
-Subject: [PATCH 25/25] rbd: always set out parameter in qemu_rbd_snap_list
-
-The caller expects psn_tab to be NULL when there are no snapshots or
-an error occurs. This results in calling g_free on an invalid address.
-
-Reported-by: Oliver Francke <Oliver@filoo.de>
-Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- block/rbd.c |    3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/block/rbd.c b/block/rbd.c
-index 9088c52..54a6961 100644
---- a/block/rbd.c
-+++ b/block/rbd.c
-@@ -808,7 +808,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs,
-     } while (snap_count == -ERANGE);
-
-     if (snap_count <= 0) {
--        return snap_count;
-+        goto done;
-     }
-
-     sn_tab = g_malloc0(snap_count * sizeof(QEMUSnapshotInfo));
-@@ -827,6 +827,7 @@ static int qemu_rbd_snap_list(BlockDriverState *bs,
-     }
-     rbd_snap_list_end(snaps);
-
-+ done:
-     *psn_tab = sn_tab;
-     return snap_count;
- }
--- 
-1.7.7.5
-
diff --git a/0026-e1000-bounds-packet-size-against-buffer-size.patch b/0026-e1000-bounds-packet-size-against-buffer-size.patch
deleted file mode 100644
index bd2bdc7..0000000
--- a/0026-e1000-bounds-packet-size-against-buffer-size.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001
-From: Anthony Liguori <aliguori@us.ibm.com>
-Date: Mon, 23 Jan 2012 07:30:43 -0600
-Subject: [PATCH 26/26] e1000: bounds packet size against buffer size
-
-Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
-as CVE-2012-0029.
-
-Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
----
- hw/e1000.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/hw/e1000.c b/hw/e1000.c
-index 986ed9c..e164d79 100644
---- a/hw/e1000.c
-+++ b/hw/e1000.c
-@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
-             bytes = split_size;
-             if (tp->size + bytes > msh)
-                 bytes = msh - tp->size;
-+
-+            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
-             pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
-             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
-                 memmove(tp->header, tp->data, hdr);
-@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
-         // context descriptor TSE is not set, while data descriptor TSE is set
-         DBGOUT(TXERR, "TCP segmentaion Error\n");
-     } else {
-+        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
-         pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
-         tp->size += split_size;
-     }
--- 
-1.7.7.6
-
diff --git a/Fix_save-restore_of_in-kernel_i8259.patch b/Fix_save-restore_of_in-kernel_i8259.patch
deleted file mode 100644
index 15c772f..0000000
--- a/Fix_save-restore_of_in-kernel_i8259.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-As the qemu-kvm version of the i8259 contains KVM bits, it still has to
-be compiled per target. This unbreaks migration of the i8259.
-
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
----
-
-Not sure if anyone bothers (no one should actually use qemu-kvm for
-targets != x86), but let's avoid needless breakages of other targets
-requiring the i8259.
-
- Makefile.objs   |    2 +-
- Makefile.target |    8 ++++----
- hw/i8259.c      |    2 --
- 3 files changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/Makefile.objs b/Makefile.objs
-index 13afd19..77237e1 100644
---- a/Makefile.objs
-+++ b/Makefile.objs
-@@ -223,7 +223,7 @@ hw-obj-$(CONFIG_APPLESMC) += applesmc.o
- hw-obj-$(CONFIG_SMARTCARD) += usb-ccid.o ccid-card-passthru.o
- hw-obj-$(CONFIG_SMARTCARD_NSS) += ccid-card-emulated.o
- hw-obj-$(CONFIG_USB_REDIR) += usb-redir.o
--hw-obj-$(CONFIG_I8259) += i8259.o
-+# hw-obj-$(CONFIG_I8259) += i8259.o
- 
- # PPC devices
- hw-obj-$(CONFIG_PREP_PCI) += prep_pci.o
-diff --git a/Makefile.target b/Makefile.target
-index 0b610ad..29eaa68 100644
---- a/Makefile.target
-+++ b/Makefile.target
-@@ -236,7 +236,7 @@ obj-$(CONFIG_IVSHMEM) += ivshmem.o
- 
- # Hardware support
- obj-i386-y += vga.o
--obj-i386-y += mc146818rtc.o pc.o
-+obj-i386-y += mc146818rtc.o pc.o i8259.o
- obj-i386-y += cirrus_vga.o sga.o apic.o ioapic.o piix_pci.o
- obj-i386-y += vmport.o
- obj-i386-y += device-hotplug.o pci-hotplug.o smbios.o wdt_ib700.o
-@@ -255,7 +255,7 @@ obj-i386-$(CONFIG_KVM_DEVICE_ASSIGNMENT) += device-assignment.o
- obj-ppc-y = ppc.o ppc_booke.o
- obj-ppc-y += vga.o
- # PREP target
--obj-ppc-y += mc146818rtc.o
-+obj-ppc-y += mc146818rtc.o i8259.o
- obj-ppc-y += ppc_prep.o
- # OldWorld PowerMac
- obj-ppc-y += ppc_oldworld.o
-@@ -311,7 +311,7 @@ obj-mips-y += acpi.o acpi_piix4.o
- obj-mips-y += mips_addr.o mips_timer.o mips_int.o
- obj-mips-y += vga.o
- obj-mips-y += jazz_led.o
--obj-mips-y += gt64xxx.o mc146818rtc.o
-+obj-mips-y += gt64xxx.o mc146818rtc.o i8259.o
- obj-mips-y += cirrus_vga.o
- obj-mips-$(CONFIG_FULONG) += bonito.o vt82c686.o mips_fulong2e.o
- 
-@@ -392,7 +392,7 @@ obj-m68k-y += m68k-semi.o dummy_m68k.o
- 
- obj-s390x-y = s390-virtio-bus.o s390-virtio.o
- 
--obj-alpha-y = mc146818rtc.o
-+obj-alpha-y = mc146818rtc.o i8259.o
- obj-alpha-y += vga.o cirrus_vga.o
- obj-alpha-y += alpha_pci.o alpha_dp264.o alpha_typhoon.o
- 
-diff --git a/hw/i8259.c b/hw/i8259.c
-index fa63e83..a9ea9c9 100644
---- a/hw/i8259.c
-+++ b/hw/i8259.c
-@@ -697,8 +697,6 @@ static int kvm_kernel_pic_load_from_user(PicState *s)
-     return 0;
- }
- 
--extern void apic_set_irq_delivered(void);
--
- static void kvm_i8259_set_irq(void *opaque, int irq, int level)
- {
-     int pic_ret;
--- 
-1.7.3.4
---
-To unsubscribe from this list: send the line "unsubscribe kvm" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff --git a/qemu-Allow-to-leave-type-on-default-in-machine.patch b/qemu-Allow-to-leave-type-on-default-in-machine.patch
deleted file mode 100644
index e4a8e6d..0000000
--- a/qemu-Allow-to-leave-type-on-default-in-machine.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- qemu-kvm-0.15.0.old/vl.c	2011-08-09 13:40:29.000000000 +0100
-+++ qemu-kvm-0.15.0/vl.c	2011-08-18 16:38:51.487515037 +0100
-@@ -2718,7 +2718,10 @@
-                     fprintf(stderr, "parse error: %s\n", optarg);
-                     exit(1);
-                 }
--                machine = machine_parse(qemu_opt_get(opts, "type"));
-+                optarg = qemu_opt_get(opts, "type");
-+                if (optarg) {
-+                    machine = machine_parse(optarg);
-+                }
-                 break;
- 	    case QEMU_OPTION_no_kvm:
-                 olist = qemu_find_opts("machine");
diff --git a/qemu-fix-non-PCI-target-build.patch b/qemu-fix-non-PCI-target-build.patch
deleted file mode 100644
index b479efa..0000000
--- a/qemu-fix-non-PCI-target-build.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-commit 1a8364456c2f3946b4feb8fc78eaf00d974f4c03
-Author: Jan Kiszka <jan.kiszka@siemens.com>
-Date:   Wed Feb 23 09:28:53 2011 +0100
-
-    qemu-kvm: Fix non-PCI target build
-    
-    Replace obsolete qemu-kvm.h with kvm.h in pci.c and build that module
-    just like upstream does. This fixes non-x86 targets which have no PCI
-    support.
-    
-    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-    Signed-off-by: Avi Kivity <avi@redhat.com>
-
-diff --git a/Makefile.objs b/Makefile.objs
-index f5702eb..3ec7121 100644
---- a/Makefile.objs
-+++ b/Makefile.objs
-@@ -170,7 +170,7 @@ hw-obj-y =
- hw-obj-y += loader.o
- hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
- hw-obj-y += fw_cfg.o
--hw-obj-$(CONFIG_PCI) += pci_bridge.o
-+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o
- hw-obj-$(CONFIG_PCI) += msix.o msi.o
- hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
- hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
-diff --git a/Makefile.target b/Makefile.target
-index 6e9a024..23367eb 100644
---- a/Makefile.target
-+++ b/Makefile.target
-@@ -195,7 +195,7 @@ endif #CONFIG_BSD_USER
- # System emulator target
- ifdef CONFIG_SOFTMMU
-
--obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o
-+obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o vl.o balloon.o
- # virtio has to be here due to weird dependency between PCI and virtio-net.
- # need to fix this properly
- obj-$(CONFIG_NO_PCI) += pci-stub.o
-diff --git a/hw/pci.c b/hw/pci.c
-index 0c44939..1f6cebe 100644
---- a/hw/pci.c
-+++ b/hw/pci.c
-@@ -29,8 +29,8 @@
- #include "net.h"
- #include "sysemu.h"
- #include "loader.h"
--#include "qemu-kvm.h"
- #include "hw/pc.h"
-+#include "kvm.h"
- #include "device-assignment.h"
- #include "qemu-objects.h"
- #include "range.h"
diff --git a/qemu-fix-systemtap.patch b/qemu-fix-systemtap.patch
new file mode 100644
index 0000000..1ea1fc0
--- /dev/null
+++ b/qemu-fix-systemtap.patch
@@ -0,0 +1,16 @@
+diff -rup qemu-kvm-1.0.1/scripts/tracetool foo/scripts/tracetool
+--- qemu-kvm-1.0.1/scripts/tracetool	2012-04-16 22:15:17.000000000 -0400
++++ foo/scripts/tracetool	2012-07-29 20:46:52.628797169 -0400
+@@ -499,6 +499,12 @@ EOF
+         # 'limit' is a reserved keyword
+         if [ "$arg" = "limit" ]; then
+           arg="_limit"
++        if [ "$arg" = "in" ]; then
++          arg="_in"
++        if [ "$arg" = "next" ]; then
++          arg="_next"
++        if [ "$arg" = "self" ]; then
++          arg="_self"
+         fi
+         cat <<EOF
+   $arg = \$arg$i;
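Review bot: The three added tests for `in`, `next` and `self` each open a new `if` inside the existing `limit` branch, and the only `fi` in the hunk is the original one, so the script is left with three unterminated `if` blocks. Even with extra `fi` lines the new tests would sit in the branch where `$arg` has just been set to `_limit`, so they could never match. They read as alternatives to the `limit` test, which would be `elif [ "$arg" = "in" ]; then`, `elif [ "$arg" = "next" ]; then` and `elif [ "$arg" = "self" ]; then`, all closed by the existing `fi`. The comment above still names only `limit`; `# 'limit', 'in', 'next' and 'self' are reserved keywords` would match the new code. The enclosing loop and the here-document continue outside the hunk.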
diff --git a/qemu-fix-vnc-audio.patch b/qemu-fix-vnc-audio.patch
new file mode 100644
index 0000000..f7bc464
--- /dev/null
+++ b/qemu-fix-vnc-audio.patch
@@ -0,0 +1,20 @@
+commit 83617103984eb4d81cf46c94435f3da2c6f33b55
+Author: malc <av1474@comtv.ru>
+Date:   Mon Jul 16 18:08:36 2012 +0400
+
+    audio: Unbreak capturing in mixemu case
+    
+    Signed-off-by: malc <av1474@comtv.ru>
+
+diff --git a/audio/audio.c b/audio/audio.c
+index 583ee51..1c77389 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -818,6 +818,7 @@ static int audio_attach_capture (HWVoiceOut *hw)
+         sw->active = hw->enabled;
+         sw->conv = noop_conv;
+         sw->ratio = ((int64_t) hw_cap->info.freq << 32) / sw->info.freq;
++        sw->vol = nominal_volume;
+         sw->rate = st_rate_start (sw->info.freq, hw_cap->info.freq);
+         if (!sw->rate) {
+             dolog ("Could not start rate conversion for `%s'\n", SW_NAME (sw));
diff --git a/qemu-snapshot-symlink-attack.patch b/qemu-snapshot-symlink-attack.patch
new file mode 100644
index 0000000..198c010
--- /dev/null
+++ b/qemu-snapshot-symlink-attack.patch
@@ -0,0 +1,93 @@
+diff -rup qemu-kvm-1.0.1/block/vvfat.c foo/block/vvfat.c
+--- qemu-kvm-1.0.1/block/vvfat.c	2012-04-16 22:15:17.000000000 -0400
++++ foo/block/vvfat.c	2012-07-29 20:00:15.515321504 -0400
+@@ -2799,7 +2799,12 @@ static int enable_write_target(BDRVVVFAT
+     array_init(&(s->commits), sizeof(commit_t));
+ 
+     s->qcow_filename = g_malloc(1024);
+-    get_tmp_filename(s->qcow_filename, 1024);
++    ret = get_tmp_filename(s->qcow_filename, 1024);
++    if (ret < 0) {
++        g_free(s->qcow_filename);
++        s->qcow_filename = NULL;
++        return ret;
++    }
+ 
+     bdrv_qcow = bdrv_find_format("qcow");
+     options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
+diff -rup qemu-kvm-1.0.1/block.c foo/block.c
+--- qemu-kvm-1.0.1/block.c	2012-04-16 22:15:17.000000000 -0400
++++ foo/block.c	2012-07-29 20:00:15.513321760 -0400
+@@ -272,28 +272,36 @@ int bdrv_create_file(const char* filenam
+     return bdrv_create(drv, filename, options);
+ }
+ 
+-#ifdef _WIN32
+-void get_tmp_filename(char *filename, int size)
++/*
++ * Create a uniquely-named empty temporary file.
++ * Return 0 upon success, otherwise a negative errno value.
++ */
++int get_tmp_filename(char *filename, int size)
+ {
++#ifdef _WIN32
+     char temp_dir[MAX_PATH];
+-
+-    GetTempPath(MAX_PATH, temp_dir);
+-    GetTempFileName(temp_dir, "qem", 0, filename);
+-}
++    /* GetTempFileName requires that its output buffer (4th param)
++       have length MAX_PATH or greater.  */
++    assert(size >= MAX_PATH);
++    return (GetTempPath(MAX_PATH, temp_dir)
++            && GetTempFileName(temp_dir, "qem", 0, filename)
++            ? 0 : -GetLastError());
+ #else
+-void get_tmp_filename(char *filename, int size)
+-{
+     int fd;
+     const char *tmpdir;
+-    /* XXX: race condition possible */
+     tmpdir = getenv("TMPDIR");
+     if (!tmpdir)
+         tmpdir = "/tmp";
+-    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
++    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
++        return -EOVERFLOW;
++    }
+     fd = mkstemp(filename);
+-    close(fd);
+-}
++    if (fd < 0 || close(fd)) {
++        return -errno;
++    }
++    return 0;
+ #endif
++}
+ 
+ /*
+  * Detect host devices. By convention, /dev/cdrom[N] is always
+@@ -601,7 +609,10 @@ int bdrv_open(BlockDriverState *bs, cons
+ 
+         bdrv_delete(bs1);
+ 
+-        get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
++        if (ret < 0) {
++            return ret;
++        }
+ 
+         /* Real path is meaningless for protocols */
+         if (is_protocol)
+diff -rup qemu-kvm-1.0.1/block_int.h foo/block_int.h
+--- qemu-kvm-1.0.1/block_int.h	2012-04-16 22:15:17.000000000 -0400
++++ foo/block_int.h	2012-07-29 20:00:15.515321504 -0400
+@@ -238,7 +238,7 @@ struct BlockDriverAIOCB {
+     BlockDriverAIOCB *next;
+ };
+ 
+-void get_tmp_filename(char *filename, int size);
++int get_tmp_filename(char *filename, int size);
+ 
+ void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
+                    BlockDriverCompletionFunc *cb, void *opaque);
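Review bot: In the `_WIN32` branch of `get_tmp_filename()` in block.c the failure value is `-GetLastError()`, a negated Win32 error code rather than the negative errno the new header comment promises, and both `bdrv_open()` and `enable_write_target()` hand it straight back with `return ret;`. Either map it to an errno constant before returning, or word the comment as `Return 0 upon success, otherwise a negative errno value (on Windows, a negated GetLastError() code).` On the POSIX side the file is created exclusively by `mkstemp()` but then closed and returned by name, so callers reopen it by path. A comment such as `/* callers reopen by name: assumes $TMPDIR is not writable by other users without the sticky bit */` would keep that assumption visible now that the `XXX: race condition possible` marker is removed. `bdrv_open()` and `enable_write_target()` continue outside the hunk, so it cannot be checked from here whether `ret` is declared in both or whether the new early returns release everything acquired up to that point.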
diff --git a/qemu-vhost-fix-dirty-page-handling.patch b/qemu-vhost-fix-dirty-page-handling.patch
deleted file mode 100644
index e3fabb7..0000000
--- a/qemu-vhost-fix-dirty-page-handling.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-vhost was passing a physical address to cpu_physical_memory_set_dirty,
-which is wrong: we need to translate to ram address first.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
-Note: this lead to crashes during migration, so the patch
-is needed on the stable branch too.
-
----
- hw/vhost.c |    4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/hw/vhost.c b/hw/vhost.c
-index aaa34e4..97a1299 100644
---- a/hw/vhost.c
-+++ b/hw/vhost.c
-@@ -49,8 +49,10 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
-         log = __sync_fetch_and_and(from, 0);
-         while ((bit = sizeof(log) > sizeof(int) ?
-                 ffsll(log) : ffs(log))) {
-+            ram_addr_t ram_addr;
-             bit -= 1;
--            cpu_physical_memory_set_dirty(addr + bit * VHOST_LOG_PAGE);
-+            ram_addr = cpu_get_physical_page_desc(addr + bit * VHOST_LOG_PAGE);
-+            cpu_physical_memory_set_dirty(ram_addr);
-             log &= ~(0x1ull << bit);
-         }
-         addr += VHOST_LOG_CHUNK;
--- 
-1.7.3.2.91.g446ac
-
diff --git a/qemu.spec b/qemu.spec
index 5ac9289..963c14b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -37,9 +37,9 @@
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 1.0
-Release: 18%{?dist}
-# Epoch because we pushed a qemu-1.0 package
+Version: 1.0.1
+Release: 1%{?dist}
+# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -75,35 +75,6 @@ Source9: ksmtuned.conf
 Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
 
-# Patches queued for 1.0.1 stable
-Patch01: 0001-malta-Fix-regression-i8259-interrupts-did-not-work.patch
-Patch02: 0002-exec.c-Fix-subpage-memory-access-to-RAM-MemoryRegion.patch
-Patch03: 0003-hw-9pfs-Improve-portability-to-older-systems.patch
-Patch04: 0004-hw-9pfs-use-migration-blockers-to-prevent-live-migra.patch
-Patch05: 0005-hw-9pfs-Reset-server-state-during-TVERSION.patch
-Patch06: 0006-hw-9pfs-Add-qdev.reset-callback-for-virtio-9p-pci-de.patch
-Patch07: 0007-hw-9pfs-Use-the-correct-file-descriptor-in-Fsdriver-.patch
-Patch08: 0008-hw-9pfs-replace-iovec-manipulation-with-QEMUIOVector.patch
-Patch09: 0009-hw-9pfs-Use-the-correct-signed-type-for-different-va.patch
-Patch10: 0010-target-i386-fix-cmpxchg-instruction-emulation.patch
-Patch11: 0011-configure-Enable-build-by-default-PIE-read-only-relo.patch
-Patch12: 0012-cris-Handle-conditional-stores-on-CRISv10.patch
-Patch13: 0013-pc-add-pc-0.15.patch
-Patch14: 0014-pc-fix-event_idx-compatibility-for-virtio-devices.patch
-Patch15: 0015-Fix-parse-of-usb-device-description-with-multiple-co.patch
-Patch16: 0016-usb-storage-cancel-I-O-on-reset.patch
-Patch17: 0017-usb-host-properly-release-port-on-unplug-exit.patch
-Patch18: 0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch
-Patch19: 0019-target-sh4-ignore-ocbp-and-ocbwb-instructions.patch
-Patch20: 0020-PPC-Fix-linker-scripts-on-ppc-hosts.patch
-Patch21: 0021-qiov-prevent-double-free-or-use-after-free.patch
-Patch22: 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
-Patch23: 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
-Patch24: 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
-Patch25: 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
-Patch26: 0026-e1000-bounds-packet-size-against-buffer-size.patch
-Patch27: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
-
 # USB-redir patches all upstream for 1.1 except for the chardev flowcontrol set
 Patch101: 0101-usb-redir-Clear-iso-irq-error-when-stopping-the-stre.patch
 Patch102: 0102-usb-redir-Dynamically-adjust-iso-buffering-size-base.patch
@@ -154,7 +125,6 @@ Patch146: 0146-usb-redir-Not-finding-an-async-urb-id-is-not-an-erro.patch
 Patch147: 0147-usb-ehci-Ensure-frindex-writes-leave-a-valid-frindex.patch
 
 # General bug fixes
-Patch201: Fix_save-restore_of_in-kernel_i8259.patch
 Patch202: qemu-virtio-9p-noatime.patch
 
 # Feature patches, should be in 1.1 before release
@@ -209,6 +179,13 @@ Patch508: 0508-configure-pa_simple-is-not-needed-anymore.patch
 Patch509: 0509-Allow-controlling-volume-with-PulseAudio-backend.patch
 # Fix fedora guest hang with virtio console (bz 837925)
 Patch510: %{name}-virtio-console-unconnected-pty.patch
+# Fix VNC audio tunnelling (bz 840653)
+Patch511: %{name}-fix-vnc-audio.patch
+# CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+# 824919)
+Patch512: %{name}-snapshot-symlink-attack.patch
+# Fix systemtap tapsets (bz 831763)
+Patch513: %{name}-fix-systemtap.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
@@ -218,7 +195,7 @@ BuildRequires: pciutils-devel
 BuildRequires: pulseaudio-libs-devel
 BuildRequires: ncurses-devel
 BuildRequires: libattr-devel
-BuildRequires: usbredir-devel
+BuildRequires: usbredir-devel >= 0.4.1
 BuildRequires: texinfo
 %ifarch %{ix86} x86_64
 BuildRequires: spice-protocol >= 0.8.1
@@ -267,6 +244,13 @@ Requires: %{name}-img = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-system-ppc
 Obsoletes: %{name}-system-sparc
 
+# Needed for F14->F16+ upgrade
+# https://bugzilla.redhat.com/show_bug.cgi?id=694802
+Obsoletes: openbios-common
+Obsoletes: openbios-ppc
+Obsoletes: openbios-sparc32
+Obsoletes: openbios-sparc64
+
 %define qemudocdir %{_docdir}/%{name}-%{version}
 
 %description
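Review bot: The four added `Obsoletes: openbios-*` lines carry no version, so they would also obsolete any openbios package shipped later, not only the builds involved in the F14->F16+ upgrade the comment refers to. A versioned form such as `Obsoletes: openbios-ppc < <last-shipped-EVR>` (placeholder; take the value from the last openbios build) limits the effect to that upgrade path. The two existing `Obsoletes: %{name}-system-*` lines just above have the same unversioned shape.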
@@ -312,9 +296,9 @@ Group: Development/Tools
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/groupadd
 Requires(post): /usr/sbin/useradd
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
 %description common
 QEMU is a generic and open source processor emulator which achieves a good
 emulation speed by using dynamic translation.
@@ -362,9 +346,8 @@ fi
 Summary: QEMU user mode emulation of qemu targets
 Group: Development/Tools
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/service /sbin/chkconfig
-Requires(postun): /sbin/service
+Requires(post): systemd-units
+Requires(postun): systemd-units
 %description user
 QEMU is a generic and open source processor emulator which achieves a good
 emulation speed by using dynamic translation.
@@ -454,33 +437,6 @@ such as kvm_stat.
 
 %prep
 %setup -q -n qemu-kvm-%{version}
-%patch01 -p1
-%patch02 -p1
-%patch03 -p1
-%patch04 -p1
-%patch05 -p1
-%patch06 -p1
-%patch07 -p1
-%patch08 -p1
-%patch09 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
 
 %patch101 -p1
 %patch102 -p1
@@ -530,7 +486,6 @@ such as kvm_stat.
 %patch146 -p1
 %patch147 -p1
 
-%patch201 -p1
 %patch202 -p1
 
 %patch301 -p1
@@ -581,6 +536,9 @@ such as kvm_stat.
 %patch508 -p1
 %patch509 -p1
 %patch510 -p1
+%patch511 -p1
+%patch512 -p1
+%patch513 -p1
 
 
 %build
@@ -816,39 +774,47 @@ rm -rf $RPM_BUILD_ROOT
 %ifarch %{ix86} x86_64
 # load kvm modules now, so we can make sure no reboot is needed.
 # If there's already a kvm module installed, we don't mess with it
-sh %{_sysconfdir}/sysconfig/modules/kvm.modules
+sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
 %endif
 
 %post common
+if [ $1 -eq 1 ] ; then
+    # Initial installation
+    /bin/systemctl enable ksm.service >/dev/null 2>&1 || :
+    /bin/systemctl enable ksmtuned.service >/dev/null 2>&1 || :
+fi
+
 getent group kvm >/dev/null || groupadd -g 36 -r kvm
 getent group qemu >/dev/null || groupadd -g 107 -r qemu
 getent passwd qemu >/dev/null || \
   useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
     -c "qemu user" qemu
 
-/bin/systemctl enable ksm.service
-/bin/systemctl enable ksmtuned.service
-
 %preun common
-if [ $1 -eq 0 ]; then
-    /bin/systemctl --system stop ksmtuned.service &>/dev/null || :
-    /bin/systemctl --system stop ksm.service &>/dev/null || :
-    /bin/systemctl disable ksmtuned.service
-    /bin/systemctl disable ksm.service
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    /bin/systemctl --no-reload disable ksmtuned.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable ksm.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ksmtuned.service > /dev/null 2>&1 || :
+    /bin/systemctl stop ksm.service > /dev/null 2>&1 || :
 fi
 
 %postun common
-if [ $1 -ge 1 ]; then
-    /bin/systemctl --system try-restart ksm.service &>/dev/null || :
-    /bin/systemctl --system try-restart ksmtuned.service &>/dev/null || :
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    /bin/systemctl try-restart ksmtuned.service >/dev/null 2>&1 || :
+    /bin/systemctl try-restart ksm.service >/dev/null 2>&1 || :
 fi
 
+
 %post user
 /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
 
 %postun user
 /bin/systemctl --system try-restart systemd-binfmt.service &>/dev/null || :
 
+
 %files
 %defattr(-,root,root)
 
@@ -1012,6 +978,16 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Sun Jul 29 2012 Cole Robinson <crobinso@redhat.com> - 1.0.1-2
+- Fix VNC audio tunnelling (bz 840653)
+- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
+  824919)
+- Fix systemtap tapsets (bz 831763)
+- Don't renable ksm on update (bz 815156)
+- Bump usbredir dep (bz 812097)
+- Fix RPM install error on non-virt machines (bz 660629)
+- Obsolete openbios to fix upgrade dependency issues (bz 694802)
+
 * Wed Jul 18 2012 Cole Robinson <crobinso@redhat.com> - 1.0-18
 - Fix fedora guest hang with virtio console (bz 837925)
 
diff --git a/sources b/sources
index c8f2676..438e28c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-00a825db46a70ba8ef9fc95da9cc7c1e  qemu-kvm-1.0.tar.gz
+f23711fb9f3c70f802829b109ba9aa27  qemu-kvm-1.0.1.tar.gz
diff --git a/virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
deleted file mode 100644
index 277e740..0000000
--- a/virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org  Wed Jan 11 03:51:20 2012
-Return-Path: <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>
-Received: from citysiren.linuxtx.org (localhost [127.0.0.1])
-	by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454
-	for <jmfmail@localhost>; Wed, 11 Jan 2012 03:51:20 -0600
-Delivered-To: jmforbes@linuxtx.org
-Received: from gmail-pop.l.google.com [74.125.81.108]
-	by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20)
-	for <jmfmail@localhost> (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST)
-Received: by 10.180.102.100 with SMTP id fn4cs34060wib;
-        Wed, 11 Jan 2012 01:48:56 -0800 (PST)
-Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564;
-        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
-Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17])
-        by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54
-        (version=TLSv1/SSLv3 cipher=OTHER);
-        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
-Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17;
-Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
-Received: from localhost ([::1]:48473 helo=lists.gnu.org)
-	by lists.gnu.org with esmtp (Exim 4.71)
-	(envelope-from <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>)
-	id 1Rkund-0003iT-UQ
-	for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500
-Received: from eggs.gnu.org ([140.186.70.92]:40037)
-	by lists.gnu.org with esmtp (Exim 4.71)
-	(envelope-from <pbonzini@redhat.com>) id 1RkunV-0003fY-Vl
-	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500
-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
-	(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004zL-Nl
-	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500
-Received: from mx1.redhat.com ([209.132.183.28]:23781)
-	by eggs.gnu.org with esmtp (Exim 4.71)
-	(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004vY-3c
-	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500
-Received: from int-mx11.intmail.prod.int.phx2.redhat.com
-	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
-	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348
-	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
-	for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:38 -0500
-Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com
-	[10.36.112.23])
-	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
-	id q0B9magG031084
-	for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:37 -0500
-From: Paolo Bonzini <pbonzini@redhat.com>
-To: qemu-stable@nongnu.org
-Date: Wed, 11 Jan 2012 10:48:33 +0100
-Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com>
-X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
-X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
-X-Received-From: 209.132.183.28
-Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with
-	scsi=off
-X-BeenThere: qemu-stable@nongnu.org
-X-Mailman-Version: 2.1.14
-Precedence: list
-List-Id: <qemu-stable.nongnu.org>
-List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-stable>,
-	<mailto:qemu-stable-request@nongnu.org?subject=unsubscribe>
-List-Archive: <http://lists.nongnu.org/archive/html/qemu-stable>
-List-Post: <mailto:qemu-stable@nongnu.org>
-List-Help: <mailto:qemu-stable-request@nongnu.org?subject=help>
-List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-stable>,
-	<mailto:qemu-stable-request@nongnu.org?subject=subscribe>
-Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
-Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
-X-UID: 32                                                 
-Status: RO
-Content-Length: 1003
-Lines: 38
-
-QEMU does have a "scsi" option (to be used like -device
-virtio-blk-pci,drive=foo,scsi=off).  However, it only
-masks the feature bit, and does not reject the command
-if a malicious guest disregards the feature bits and
-issues a request.
-
-Without this patch, using scsi=off does not protect you
-from CVE-2011-4127.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/virtio-blk.c |    6 ++++++
- 1 files changed, 6 insertions(+), 0 deletions(-)
-
-diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
-index b70d116..6cd3164 100644
---- a/hw/virtio-blk.c
-+++ b/hw/virtio-blk.c
-@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
-     int status;
-     int i;
- 
-+    if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
-+        virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
-+        g_free(req);
-+        return;
-+    }
-+
-     /*
-      * We require at least one output segment each for the virtio_blk_outhdr
-      * and the SCSI command block.
--- 
-1.7.7.1
-
-
-
-
-
-