Fix CVE-2016-2841, CVE-2016-2857, CVE-2016-2858

[pve-qemu-kvm.git] / debian / patches / internal-snapshot-async.patch

From 46fd4bb673a91d40352c95e9d3f62f63b5021053 Mon Sep 17 00:00:00 2001
From: Stefan Priebe <s.priebe@profihost.ag>
Date: Fri, 29 Nov 2013 22:17:03 +0100
Subject: [PATCH] internal-snapshot-async-qemu1.7.patch

---
 Makefile.objs           |    1 +
 block.c                 |    2 +-
 hmp-commands.hx         |   34 ++++
 hmp.c                   |   57 ++++++
 hmp.h                   |    5 +
 include/block/block.h   |    1 +
 include/sysemu/sysemu.h |    5 +-
 monitor.c               |    7 +
 qapi-schema.json        |   46 +++++
 qemu-options.hx         |   13 ++
 qmp-commands.hx         |   31 +++
 savevm-async.c          |  478 +++++++++++++++++++++++++++++++++++++++++++++++
 savevm.c                |   10 +-
 vl.c                    |    9 +
 14 files changed, 692 insertions(+), 7 deletions(-)
 create mode 100644 savevm-async.c

Index: new/Makefile.objs
===================================================================
--- new.orig/Makefile.objs	2014-11-20 09:13:01.000000000 +0100
+++ new/Makefile.objs	2014-11-20 09:16:47.000000000 +0100
@@ -56,6 +56,7 @@
 common-obj-y += qemu-char.o #aio.o
 common-obj-y += block-migration.o
 common-obj-y += page_cache.o xbzrle.o
+common-obj-y += savevm-async.o
 
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
 
Index: new/block.c
===================================================================
--- new.orig/block.c	2014-11-20 09:13:01.000000000 +0100
+++ new/block.c	2014-11-20 09:16:47.000000000 +0100
@@ -2119,7 +2119,7 @@
     bdrv_set_backing_hd(bs_top, bs_new);
 }
 
-static void bdrv_delete(BlockDriverState *bs)
+void bdrv_delete(BlockDriverState *bs)
 {
     assert(!bs->job);
     assert(bdrv_op_blocker_is_empty(bs));
Index: new/hmp-commands.hx
===================================================================
--- new.orig/hmp-commands.hx	2014-11-20 09:13:01.000000000 +0100
+++ new/hmp-commands.hx	2014-11-20 09:16:47.000000000 +0100
@@ -1799,6 +1799,8 @@
 show current migration capabilities
 @item info migrate_cache_size
 show current migration XBZRLE cache size
+@item info savevm
+show savevm status
 @item info balloon
 show balloon information
 @item info qtree
@@ -1822,3 +1824,35 @@
 STEXI
 @end table
 ETEXI
+
+    {
+        .name       = "savevm-start",
+        .args_type  = "statefile:s?",
+        .params     = "[statefile]",
+        .help       = "Prepare for snapshot and halt VM. Save VM state to statefile.",
+        .mhandler.cmd = hmp_savevm_start,
+    },
+
+    {
+        .name       = "snapshot-drive",
+        .args_type  = "device:s,name:s",
+        .params     = "device name",
+        .help       = "Create internal snapshot.",
+        .mhandler.cmd = hmp_snapshot_drive,
+    },
+
+    {
+        .name       = "delete-drive-snapshot",
+        .args_type  = "device:s,name:s",
+        .params     = "device name",
+        .help       = "Delete internal snapshot.",
+        .mhandler.cmd = hmp_delete_drive_snapshot,
+    },
+
+    {
+        .name       = "savevm-end",
+        .args_type  = "",
+        .params     = "",
+        .help       = "Resume VM after snaphot.",
+        .mhandler.cmd = hmp_savevm_end,
+    },
Index: new/hmp.c
===================================================================
--- new.orig/hmp.c	2014-11-20 09:13:01.000000000 +0100
+++ new/hmp.c	2014-11-20 09:16:47.000000000 +0100
@@ -1849,3 +1849,60 @@
 
     qapi_free_MemoryDeviceInfoList(info_list);
 }
+
+void hmp_savevm_start(Monitor *mon, const QDict *qdict)
+{
+    Error *errp = NULL;
+    const char *statefile = qdict_get_try_str(qdict, "statefile");
+
+    qmp_savevm_start(statefile != NULL, statefile, &errp);
+    hmp_handle_error(mon, &errp);
+}
+
+void hmp_snapshot_drive(Monitor *mon, const QDict *qdict)
+{
+    Error *errp = NULL;
+    const char *name = qdict_get_str(qdict, "name");
+    const char *device = qdict_get_str(qdict, "device");
+
+    qmp_snapshot_drive(device, name, &errp);
+    hmp_handle_error(mon, &errp);
+}
+
+void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict)
+{
+    Error *errp = NULL;
+    const char *name = qdict_get_str(qdict, "name");
+    const char *device = qdict_get_str(qdict, "device");
+
+    qmp_delete_drive_snapshot(device, name, &errp);
+    hmp_handle_error(mon, &errp);
+}
+
+void hmp_savevm_end(Monitor *mon, const QDict *qdict)
+{
+    Error *errp = NULL;
+
+    qmp_savevm_end(&errp);
+    hmp_handle_error(mon, &errp);
+}
+
+void hmp_info_savevm(Monitor *mon, const QDict *qdict)
+{
+    SaveVMInfo *info;
+    info = qmp_query_savevm(NULL);
+
+    if (info->has_status) {
+        monitor_printf(mon, "savevm status: %s\n", info->status);
+        monitor_printf(mon, "total time: %" PRIu64 " milliseconds\n",
+                       info->total_time);
+    } else {
+        monitor_printf(mon, "savevm status: not running\n");
+    }
+    if (info->has_bytes) {
+        monitor_printf(mon, "Bytes saved: %"PRIu64"\n", info->bytes);
+    }
+    if (info->has_error) {
+        monitor_printf(mon, "Error: %s\n", info->error);
+    }
+}
Index: new/hmp.h
===================================================================
--- new.orig/hmp.h	2014-11-20 09:13:01.000000000 +0100
+++ new/hmp.h	2014-11-20 09:16:47.000000000 +0100
@@ -26,6 +26,7 @@
 void hmp_info_uuid(Monitor *mon, const QDict *qdict);
 void hmp_info_chardev(Monitor *mon, const QDict *qdict);
 void hmp_info_mice(Monitor *mon, const QDict *qdict);
+void hmp_info_savevm(Monitor *mon, const QDict *qdict);
 void hmp_info_migrate(Monitor *mon, const QDict *qdict);
 void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
 void hmp_info_migrate_cache_size(Monitor *mon, const QDict *qdict);
@@ -85,6 +86,10 @@
 void hmp_netdev_del(Monitor *mon, const QDict *qdict);
 void hmp_getfd(Monitor *mon, const QDict *qdict);
 void hmp_closefd(Monitor *mon, const QDict *qdict);
+void hmp_savevm_start(Monitor *mon, const QDict *qdict);
+void hmp_snapshot_drive(Monitor *mon, const QDict *qdict);
+void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict);
+void hmp_savevm_end(Monitor *mon, const QDict *qdict);
 void hmp_send_key(Monitor *mon, const QDict *qdict);
 void hmp_screen_dump(Monitor *mon, const QDict *qdict);
 void hmp_nbd_server_start(Monitor *mon, const QDict *qdict);
Index: new/include/block/block.h
===================================================================
--- new.orig/include/block/block.h	2014-11-20 09:13:01.000000000 +0100
+++ new/include/block/block.h	2014-11-20 09:16:47.000000000 +0100
@@ -235,6 +235,7 @@
 int bdrv_get_backing_file_depth(BlockDriverState *bs);
 void bdrv_refresh_filename(BlockDriverState *bs);
 int bdrv_truncate(BlockDriverState *bs, int64_t offset);
+void bdrv_delete(BlockDriverState *bs);
 int64_t bdrv_nb_sectors(BlockDriverState *bs);
 int64_t bdrv_getlength(BlockDriverState *bs);
 int64_t bdrv_get_allocated_file_size(BlockDriverState *bs);
Index: new/include/sysemu/sysemu.h
===================================================================
--- new.orig/include/sysemu/sysemu.h	2014-11-20 09:13:01.000000000 +0100
+++ new/include/sysemu/sysemu.h	2014-11-20 09:16:47.000000000 +0100
@@ -76,16 +76,17 @@
 
 void do_savevm(Monitor *mon, const QDict *qdict);
 int load_vmstate(const char *name);
+int load_state_from_blockdev(const char *filename);
 void do_delvm(Monitor *mon, const QDict *qdict);
 void do_info_snapshots(Monitor *mon, const QDict *qdict);
 
 void qemu_announce_self(void);
 
 bool qemu_savevm_state_blocked(Error **errp);
-void qemu_savevm_state_begin(QEMUFile *f,
+int qemu_savevm_state_begin(QEMUFile *f,
                              const MigrationParams *params);
 int qemu_savevm_state_iterate(QEMUFile *f);
-void qemu_savevm_state_complete(QEMUFile *f);
+int qemu_savevm_state_complete(QEMUFile *f);
 void qemu_savevm_state_cancel(void);
 uint64_t qemu_savevm_state_pending(QEMUFile *f, uint64_t max_size);
 int qemu_loadvm_state(QEMUFile *f);
Index: new/monitor.c
===================================================================
--- new.orig/monitor.c	2014-11-20 09:13:01.000000000 +0100
+++ new/monitor.c	2014-11-20 09:16:47.000000000 +0100
@@ -2876,6 +2876,13 @@
         .mhandler.cmd = hmp_info_migrate_cache_size,
     },
     {
+        .name       = "savevm",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show savevm status",
+        .mhandler.cmd = hmp_info_savevm,
+    },
+    {
         .name       = "balloon",
         .args_type  = "",
         .params     = "",
Index: new/qapi-schema.json
===================================================================
--- new.orig/qapi-schema.json	2014-11-20 09:13:01.000000000 +0100
+++ new/qapi-schema.json	2014-11-20 09:16:47.000000000 +0100
@@ -550,6 +550,42 @@
            '*downtime': 'int',
            '*setup-time': 'int'} }
 
+
+# @SaveVMInfo
+#
+# Information about current migration process.
+#
+# @status: #optional string describing the current savevm status.
+#          This can be 'active', 'completed', 'failed'.
+#          If this field is not returned, no savevm process
+#          has been initiated
+#
+# @error: #optional string containing error message is status is failed.
+#
+# @total-time: #optional total amount of milliseconds since savevm started.
+#        If savevm has ended, it returns the total save time
+#
+# @bytes: #optional total amount of data transfered
+#
+# Since: 1.3
+##
+{ 'type': 'SaveVMInfo',
+  'data': {'*status': 'str', '*error': 'str',
+           '*total-time': 'int', '*bytes': 'int'} }
+
+##
+# @query-savevm
+#
+# Returns information about current savevm process.
+#
+# Returns: @SaveVMInfo
+#
+# Since: 1.3
+##
+{ 'command': 'query-savevm', 'returns': 'SaveVMInfo' }
+
+##
+
 ##
 # @query-migrate
 #
@@ -2649,8 +2685,18 @@
 #
 # Since: 1.2.0
 ##
+
 { 'command': 'query-target', 'returns': 'TargetInfo' }
 
+{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } }
+
+{ 'command': 'snapshot-drive', 'data': { 'device': 'str', 'name': 'str' } }
+
+{ 'command': 'delete-drive-snapshot', 'data': { 'device': 'str', 'name': 'str' } }
+
+{ 'command': 'savevm-end' }
+
+
 ##
 # @QKeyCode:
 #
Index: new/qemu-options.hx
===================================================================
--- new.orig/qemu-options.hx	2014-11-20 09:13:01.000000000 +0100
+++ new/qemu-options.hx	2014-11-20 09:16:47.000000000 +0100
@@ -2975,6 +2975,19 @@
 Start right away with a saved state (@code{loadvm} in monitor)
 ETEXI
 
+DEF("loadstate", HAS_ARG, QEMU_OPTION_loadstate, \
+    "-loadstate file\n" \
+    "                start right away with a saved state\n",
+    QEMU_ARCH_ALL)
+STEXI
+@item -loadstate @var{file}
+@findex -loadstate
+Start right away with a saved state. This option does not rollback
+disk state like @code{loadvm}, so user must make sure that disk
+have correct state. @var{file} can be any valid device URL. See the section
+for "Device URL Syntax" for more information.
+ETEXI
+
 #ifndef _WIN32
 DEF("daemonize", 0, QEMU_OPTION_daemonize, \
     "-daemonize      daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
Index: new/qmp-commands.hx
===================================================================
--- new.orig/qmp-commands.hx	2014-11-20 09:13:01.000000000 +0100
+++ new/qmp-commands.hx	2014-11-20 09:16:47.000000000 +0100
@@ -3883,3 +3883,34 @@
 <- { "return": {} }
 
 EQMP
+
+
+    {
+        .name       = "savevm-start",
+        .args_type  = "statefile:s?",
+        .mhandler.cmd_new = qmp_marshal_input_savevm_start,
+    },
+
+    {
+        .name       = "snapshot-drive",
+        .args_type  = "device:s,name:s",
+        .mhandler.cmd_new = qmp_marshal_input_snapshot_drive,
+    },
+
+    {
+        .name       = "delete-drive-snapshot",
+        .args_type  = "device:s,name:s",
+        .mhandler.cmd_new = qmp_marshal_input_delete_drive_snapshot,
+    },
+
+    {
+        .name       = "savevm-end",
+        .args_type  = "",
+        .mhandler.cmd_new = qmp_marshal_input_savevm_end,
+    },
+
+    {
+        .name       = "query-savevm",
+        .args_type  = "",
+        .mhandler.cmd_new = qmp_marshal_input_query_savevm,
+    },
Index: new/savevm-async.c
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ new/savevm-async.c	2014-11-20 09:17:48.000000000 +0100
@@ -0,0 +1,497 @@
+#include "qemu-common.h"
+#include "qapi/qmp/qerror.h"
+#include "sysemu/sysemu.h"
+#include "qmp-commands.h"
+#include "qemu-options.h"
+#include "migration/qemu-file.h"
+#include "qom/qom-qobject.h"
+#include "migration/migration.h"
+#include "block/snapshot.h"
+#include "block/qapi.h"
+#include "block/block.h"
+#include "qemu/timer.h"
+
+/* #define DEBUG_SAVEVM_STATE */
+
+#ifdef DEBUG_SAVEVM_STATE
+#define DPRINTF(fmt, ...) \
+    do { printf("savevm-async: " fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) \
+    do { } while (0)
+#endif
+
+enum {
+    SAVE_STATE_DONE,
+    SAVE_STATE_ERROR,
+    SAVE_STATE_ACTIVE,
+    SAVE_STATE_COMPLETED,
+    SAVE_STATE_CANCELLED
+};
+
+
+static struct SnapshotState {
+    BlockDriverState *bs;
+    size_t bs_pos;
+    int state;
+    Error *error;
+    Error *blocker;
+    int saved_vm_running;
+    QEMUFile *file;
+    int64_t total_time;
+} snap_state;
+
+SaveVMInfo *qmp_query_savevm(Error **errp)
+{
+    SaveVMInfo *info = g_malloc0(sizeof(*info));
+    struct SnapshotState *s = &snap_state;
+
+    if (s->state != SAVE_STATE_DONE) {
+        info->has_bytes = true;
+        info->bytes = s->bs_pos;
+        switch (s->state) {
+        case SAVE_STATE_ERROR:
+            info->has_status = true;
+            info->status = g_strdup("failed");
+            info->has_total_time = true;
+            info->total_time = s->total_time;
+            if (s->error) {
+                info->has_error = true;
+                info->error = g_strdup(error_get_pretty(s->error));
+            }
+            break;
+        case SAVE_STATE_ACTIVE:
+            info->has_status = true;
+            info->status = g_strdup("active");
+            info->has_total_time = true;
+            info->total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME)
+                - s->total_time;
+            break;
+        case SAVE_STATE_COMPLETED:
+            info->has_status = true;
+            info->status = g_strdup("completed");
+            info->has_total_time = true;
+            info->total_time = s->total_time;
+            break;
+        }
+    }
+
+    return info;
+}
+
+static int save_snapshot_cleanup(void)
+{
+    int ret = 0;
+
+    DPRINTF("save_snapshot_cleanup\n");
+
+    snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME) -
+        snap_state.total_time;
+
+    if (snap_state.file) {
+        ret = qemu_fclose(snap_state.file);
+    }
+
+    if (snap_state.bs) {
+        /* try to truncate, but ignore errors (will fail on block devices).
+         * note: bdrv_read() need whole blocks, so we round up
+         */
+        size_t size = (snap_state.bs_pos + BDRV_SECTOR_SIZE) & BDRV_SECTOR_MASK;
+        bdrv_truncate(snap_state.bs, size);
+        bdrv_op_unblock_all(snap_state.bs, snap_state.blocker);
+        error_free(snap_state.blocker);
+        snap_state.blocker = NULL;
+        bdrv_unref(snap_state.bs);
+        snap_state.bs = NULL;
+    }
+
+    return ret;
+}
+
+static void save_snapshot_error(const char *fmt, ...)
+{
+    va_list ap;
+    char *msg;
+
+    va_start(ap, fmt);
+    msg = g_strdup_vprintf(fmt, ap);
+    va_end(ap);
+
+    DPRINTF("save_snapshot_error: %s\n", msg);
+
+    if (!snap_state.error) {
+        error_set(&snap_state.error, ERROR_CLASS_GENERIC_ERROR, "%s", msg);
+    }
+
+    g_free (msg);
+
+    snap_state.state = SAVE_STATE_ERROR;
+
+    save_snapshot_cleanup();
+}
+
+static void save_snapshot_completed(void)
+{
+    DPRINTF("save_snapshot_completed\n");
+
+    if (save_snapshot_cleanup() < 0) {
+        snap_state.state = SAVE_STATE_ERROR;
+    } else {
+        snap_state.state = SAVE_STATE_COMPLETED;
+    }
+}
+
+static int block_state_close(void *opaque)
+{
+    snap_state.file = NULL;
+    return bdrv_flush(snap_state.bs);
+}
+
+static int block_state_put_buffer(void *opaque, const uint8_t *buf,
+                                  int64_t pos, int size)
+{
+    int ret;
+
+    assert(pos == snap_state.bs_pos);
+
+    if ((ret = bdrv_pwrite(snap_state.bs, snap_state.bs_pos, buf, size)) > 0) {
+        snap_state.bs_pos += ret;
+    }
+
+    return ret;
+}
+
+static void process_savevm_co(void *opaque)
+{
+    int ret;
+    int64_t maxlen;
+    MigrationParams params = {
+        .blk = 0,
+        .shared = 0
+    };
+
+    snap_state.state = SAVE_STATE_ACTIVE;
+
+    qemu_mutex_unlock_iothread();
+    ret = qemu_savevm_state_begin(snap_state.file, &params);
+    qemu_mutex_lock_iothread();
+
+    if (ret < 0) {
+        save_snapshot_error("qemu_savevm_state_begin failed");
+        return;
+    }
+
+    while (snap_state.state == SAVE_STATE_ACTIVE) {
+        uint64_t pending_size;
+
+        pending_size = qemu_savevm_state_pending(snap_state.file, 0);
+
+        if (pending_size) {
+                ret = qemu_savevm_state_iterate(snap_state.file);
+                if (ret < 0) {
+                    save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
+                    break;
+                }
+                DPRINTF("savevm inerate pending size %lu ret %d\n", pending_size, ret);
+        } else {
+            DPRINTF("done iterating\n");
+            if (runstate_is_running()) {
+                vm_stop(RUN_STATE_SAVE_VM);
+            }
+            DPRINTF("savevm inerate finished\n");
+            qemu_savevm_state_complete(snap_state.file);
+            DPRINTF("save complete\n");
+            save_snapshot_completed();
+            break;
+        }
+
+        /* stop the VM if we get to the end of available space,
+         * or if pending_size is just a few MB
+         */
+        maxlen = bdrv_getlength(snap_state.bs) - 30*1024*1024;
+        if ((pending_size < 100000) ||
+            ((snap_state.bs_pos + pending_size) >= maxlen)) {
+            if (runstate_is_running()) {
+                vm_stop(RUN_STATE_SAVE_VM);
+            }
+        }
+    }
+
+    if(snap_state.state == SAVE_STATE_CANCELLED) {
+        save_snapshot_completed();
+        Error *errp = NULL;
+        qmp_savevm_end(&errp);
+    }
+
+}
+
+static const QEMUFileOps block_file_ops = {
+    .put_buffer =     block_state_put_buffer,
+    .close =          block_state_close,
+};
+
+
+void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+{
+    BlockDriver *drv = NULL;
+    Error *local_err = NULL;
+
+    int bdrv_oflags = BDRV_O_CACHE_WB | BDRV_O_RDWR;
+    int ret;
+
+    if (snap_state.state != SAVE_STATE_DONE) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "VM snapshot already started\n");
+        return;
+    }
+
+    /* initialize snapshot info */
+    snap_state.saved_vm_running = runstate_is_running();
+    snap_state.bs_pos = 0;
+    snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
+    snap_state.blocker = NULL;
+
+    if (snap_state.error) {
+        error_free(snap_state.error);
+        snap_state.error = NULL;
+    }
+
+    if (!has_statefile) {
+        vm_stop(RUN_STATE_SAVE_VM);
+        snap_state.state = SAVE_STATE_COMPLETED;
+        return;
+    }
+
+    if (qemu_savevm_state_blocked(errp)) {
+        return;
+    }
+
+    /* Open the image */
+    snap_state.bs = bdrv_new();
+ 
+    ret = bdrv_open(&snap_state.bs, statefile, NULL, NULL, bdrv_oflags, drv, &local_err);
+    if (ret < 0) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
+        goto restart;
+    }
+
+    snap_state.file = qemu_fopen_ops(&snap_state, &block_file_ops);
+
+    if (!snap_state.file) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
+        goto restart;
+    }
+
+
+    error_setg(&snap_state.blocker, "block device is in use by savevm");
+    bdrv_op_block_all(snap_state.bs, snap_state.blocker);
+
+    Coroutine *co = qemu_coroutine_create(process_savevm_co);
+    qemu_coroutine_enter(co, NULL);
+
+    return;
+
+restart:
+
+    save_snapshot_error("setup failed");
+
+    if (snap_state.saved_vm_running) {
+        vm_start();
+    }
+}
+
+void qmp_savevm_end(Error **errp)
+{
+    if (snap_state.state == SAVE_STATE_DONE) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "VM snapshot not started\n");
+        return;
+    }
+
+    if (snap_state.state == SAVE_STATE_ACTIVE) {
+        snap_state.state = SAVE_STATE_CANCELLED;
+        return;
+    }
+
+    if (snap_state.saved_vm_running) {
+        vm_start();
+    }
+
+    snap_state.state = SAVE_STATE_DONE;
+}
+
+void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
+{
+    BlockDriverState *bs;
+    QEMUSnapshotInfo sn1, *sn = &sn1;
+    int ret;
+#ifdef _WIN32
+    struct _timeb tb;
+#else
+    struct timeval tv;
+#endif
+
+    if (snap_state.state != SAVE_STATE_COMPLETED) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "VM snapshot not ready/started\n");
+        return;
+    }
+
+    bs = bdrv_find(device);
+    if (!bs) {
+        error_set(errp, QERR_DEVICE_NOT_FOUND, device);
+        return;
+    }
+
+    if (!bdrv_is_inserted(bs)) {
+        error_set(errp, QERR_DEVICE_HAS_NO_MEDIUM, device);
+        return;
+    }
+
+    if (bdrv_is_read_only(bs)) {
+        error_set(errp, QERR_DEVICE_IS_READ_ONLY, device);
+        return;
+    }
+
+    if (!bdrv_can_snapshot(bs)) {
+        error_set(errp, QERR_UNSUPPORTED);
+        return;
+    }
+
+    if (bdrv_snapshot_find(bs, sn, name) >= 0) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "snapshot '%s' already exists", name);
+        return;
+    }
+
+    sn = &sn1;
+    memset(sn, 0, sizeof(*sn));
+
+#ifdef _WIN32
+    _ftime(&tb);
+    sn->date_sec = tb.time;
+    sn->date_nsec = tb.millitm * 1000000;
+#else
+    gettimeofday(&tv, NULL);
+    sn->date_sec = tv.tv_sec;
+    sn->date_nsec = tv.tv_usec * 1000;
+#endif
+    sn->vm_clock_nsec = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+
+    pstrcpy(sn->name, sizeof(sn->name), name);
+
+    sn->vm_state_size = 0; /* do not save state */
+
+    ret = bdrv_snapshot_create(bs, sn);
+    if (ret < 0) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "Error while creating snapshot on '%s'\n", device);
+        return;
+    }
+}
+
+void qmp_delete_drive_snapshot(const char *device, const char *name,
+                               Error **errp)
+{
+    BlockDriverState *bs;
+    QEMUSnapshotInfo sn1, *sn = &sn1;
+    Error *local_err = NULL;
+
+    int ret;
+
+    bs = bdrv_find(device);
+    if (!bs) {
+        error_set(errp, QERR_DEVICE_NOT_FOUND, device);
+        return;
+    }
+    if (bdrv_is_read_only(bs)) {
+        error_set(errp, QERR_DEVICE_IS_READ_ONLY, device);
+        return;
+    }
+
+    if (!bdrv_can_snapshot(bs)) {
+        error_set(errp, QERR_UNSUPPORTED);
+        return;
+    }
+
+    if (bdrv_snapshot_find(bs, sn, name) < 0) {
+        /* return success if snapshot does not exists */
+        return;
+    }
+
+    ret = bdrv_snapshot_delete(bs, NULL, name, &local_err);
+    if (ret < 0) {
+        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                  "Error while deleting snapshot on '%s'\n", device);
+        return;
+    }
+}
+
+static int loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
+                                int size)
+{
+    BlockDriverState *bs = (BlockDriverState *)opaque;
+    int64_t maxlen = bdrv_getlength(bs);
+    if (pos > maxlen) {
+        return -EIO;
+    }
+    if ((pos + size) > maxlen) {
+        size = maxlen - pos - 1;
+    }
+    if (size == 0) {
+        return 0;
+    }
+    return bdrv_pread(bs, pos, buf, size);
+}
+
+static const QEMUFileOps loadstate_file_ops = {
+    .get_buffer = loadstate_get_buffer,
+};
+
+int load_state_from_blockdev(const char *filename)
+{
+    BlockDriverState *bs = NULL;
+    BlockDriver *drv = NULL;
+    Error *local_err = NULL;
+    Error *blocker = NULL;
+
+    QEMUFile *f;
+    int ret = -1;
+
+    bs = bdrv_new();
+    ret = bdrv_open(&bs, filename, NULL, NULL, BDRV_O_CACHE_WB, drv, &local_err);
+    error_setg(&blocker, "block device is in use by load state");
+    bdrv_op_block_all(bs, blocker);
+
+    if (ret < 0) {
+        error_report("Could not open VM state file");
+        goto the_end;
+    }
+
+    /* restore the VM state */
+    f = qemu_fopen_ops(bs, &loadstate_file_ops);
+    if (!f) {
+        error_report("Could not open VM state file");
+        ret = -EINVAL;
+        goto the_end;
+    }
+
+    qemu_system_reset(VMRESET_SILENT);
+    ret = qemu_loadvm_state(f);
+
+    qemu_fclose(f);
+    if (ret < 0) {
+        error_report("Error %d while loading VM state", ret);
+        goto the_end;
+    }
+
+    ret = 0;
+
+ the_end:
+    if (bs) {
+        bdrv_op_unblock_all(bs, blocker);
+        error_free(blocker);
+        bdrv_unref(bs);
+    }
+    return ret;
+}
Index: new/savevm.c
===================================================================
--- new.orig/savevm.c	2014-11-20 09:13:01.000000000 +0100
+++ new/savevm.c	2014-11-20 09:16:47.000000000 +0100
@@ -596,11 +596,11 @@
     return false;
 }
 
-void qemu_savevm_state_begin(QEMUFile *f,
+int qemu_savevm_state_begin(QEMUFile *f,
                              const MigrationParams *params)
 {
     SaveStateEntry *se;
-    int ret;
+    int ret = 0;
 
     trace_savevm_state_begin();
     QTAILQ_FOREACH(se, &savevm_handlers, entry) {
@@ -642,6 +642,7 @@
             break;
         }
     }
+    return ret;
 }
 
 /*
@@ -690,7 +691,7 @@
     return ret;
 }
 
-void qemu_savevm_state_complete(QEMUFile *f)
+int qemu_savevm_state_complete(QEMUFile *f)
 {
     SaveStateEntry *se;
     int ret;
@@ -717,7 +718,7 @@
         trace_savevm_section_end(se->idstr, se->section_id);
         if (ret < 0) {
             qemu_file_set_error(f, ret);
-            return;
+            return ret;
         }
     }
 
@@ -746,6 +747,7 @@
 
     qemu_put_byte(f, QEMU_VM_EOF);
     qemu_fflush(f);
+    return qemu_file_get_error(f);
 }
 
 uint64_t qemu_savevm_state_pending(QEMUFile *f, uint64_t max_size)
Index: new/vl.c
===================================================================
--- new.orig/vl.c	2014-11-20 09:13:01.000000000 +0100
+++ new/vl.c	2014-11-20 09:16:47.000000000 +0100
@@ -2760,6 +2760,7 @@
     int optind;
     const char *optarg;
     const char *loadvm = NULL;
+    const char *loadstate = NULL;
     MachineClass *machine_class;
     const char *cpu_model;
     const char *vga_model = NULL;
@@ -3457,6 +3458,9 @@
 	    case QEMU_OPTION_loadvm:
 		loadvm = optarg;
 		break;
+            case QEMU_OPTION_loadstate:
+                loadstate = optarg;
+                break;
             case QEMU_OPTION_full_screen:
                 full_screen = 1;
                 break;
@@ -4428,6 +4432,10 @@
         if (load_vmstate(loadvm) < 0) {
             autostart = 0;
         }
+    } else if (loadstate) {
+        if (load_state_from_blockdev(loadstate) < 0) {
+            autostart = 0;
+        }
     }
 
     qdev_prop_check_globals();