-RELEASE=4.4
-
# also update debian/changelog
-KVMVER=2.7.1
-KVMPKGREL=501
+KVMVER=2.9.0
+KVMTAG=$(KVMVER)-rc2
+KVMPKGREL=1~rc2
KVMPACKAGE=pve-qemu-kvm
KVMDIR=qemu-kvm
.PHONY: download
download:
- @echo "--- ---"
- @echo "--- TODO when updating to a new release: ---"
- @echo "--- Check if efi-roms-1182.tar.xz is still required. ---"
- @echo "--- ---"
- @false
rm -rf ${KVMDIR} ${KVMSRC}
- git clone --depth=1 git://git.qemu-project.org/qemu.git -b v${KVMVER} ${KVMDIR}
+ git clone --depth=1 git://git.qemu-project.org/qemu.git -b v${KVMTAG} ${KVMDIR}
tar czf ${KVMSRC} --exclude CVS --exclude .git --exclude .svn ${KVMDIR}
.PHONY: deb kvm
rm -f *.deb
rm -rf ${KVMDIR}
tar xf ${KVMSRC}
- tar -C ${KVMDIR} -xJf efi-roms-1182.tar.xz
cp -a debian ${KVMDIR}/debian
echo "git clone git://git.proxmox.com/git/pve-qemu-kvm.git\\ngit checkout ${GITVERSION}" > ${KVMDIR}/debian/SOURCE
# set package version
+pve-qemu-kvm (2.9.0-1~rc2) unstable; urgency=medium
+
+ * update to qemu 2.9.0-rc2
+
+ -- Proxmox Support Team <support@proxmox.com> Wed, 29 Mar 2017 13:33:48 +0200
+
pve-qemu-kvm (2.7.1-501) unstable; urgency=medium
* drop bridge-utils dependency
+++ /dev/null
-From 603c472d61c354c30bc898b0e9ff1914302cbca9 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Mon, 4 Jul 2016 15:02:26 +0200
-Subject: [PATCH 1/3] Revert "target-i386: disable LINT0 after reset"
-
-This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb.
----
- hw/intc/apic_common.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
-index 14ac43c..1ed0511 100644
---- a/hw/intc/apic_common.c
-+++ b/hw/intc/apic_common.c
-@@ -246,6 +246,15 @@ static void apic_reset_common(DeviceState *dev)
- info->vapic_base_update(s);
-
- apic_init_reset(dev);
-+
-+ if (bsp) {
-+ /*
-+ * LINT0 delivery mode on CPU #0 is set to ExtInt at initialization
-+ * time typically by BIOS, so PIC interrupt can be delivered to the
-+ * processor when local APIC is enabled.
-+ */
-+ s->lvt[APIC_LVT_LINT0] = 0x700;
-+ }
- }
-
- /* This function is only used for old state version 1 and 2 */
---
-2.1.4
-
+++ /dev/null
-From 391a9e6fd8c6cf615f2ffe44bb85245df52cc2b6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 9 Feb 2017 14:02:20 +0100
-Subject: [PATCH 1/2] cirrus: fix patterncopy checks
-
-The blit_region_is_unsafe checks don't work correctly for the
-patterncopy source. It's a fixed-sized region, which doesn't
-depend on cirrus_blt_{width,height}. So go do the check in
-cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
-it doesn't need to verify the source. Also handle the case where we
-blit from cirrus_bitbuf correctly.
-
-This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.
-
-Security impact: I think for the most part error on the safe side this
-time, refusing blits which should have been allowed.
-
-Only exception is placing the blit source at the end of the video ram,
-so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But
-even in that case I'm not fully sure this actually allows read access to
-host memory. To trick the commit 5858dd18 security checks one has to
-pick very small cirrus_blt_{width,height} values, which in turn implies
-only a fraction of the blit source will actually be used.
-
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------
- 1 file changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 16f27e8..6bd13fc 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
- }
- }
-
--static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
-- const uint8_t * src)
-+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
- {
-+ uint32_t patternsize;
- uint8_t *dst;
-+ uint8_t *src;
-
- dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
-
-- if (blit_is_unsafe(s, false, true)) {
-+ if (videosrc) {
-+ switch (s->vga.get_bpp(&s->vga)) {
-+ case 8:
-+ patternsize = 64;
-+ break;
-+ case 15:
-+ case 16:
-+ patternsize = 128;
-+ break;
-+ case 24:
-+ case 32:
-+ default:
-+ patternsize = 256;
-+ break;
-+ }
-+ s->cirrus_blt_srcaddr &= ~(patternsize - 1);
-+ if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
-+ return 0;
-+ }
-+ src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
-+ } else {
-+ src = s->cirrus_bltbuf;
-+ }
-+
-+ if (blit_is_unsafe(s, true, true)) {
- return 0;
- }
-
-@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
-
- static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
- {
-- return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
-- (s->cirrus_blt_srcaddr & ~7));
-+ return cirrus_bitblt_common_patterncopy(s, true);
- }
-
- static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
-
- if (s->cirrus_srccounter > 0) {
- if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
-- cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
-+ cirrus_bitblt_common_patterncopy(s, false);
- the_end:
- s->cirrus_srccounter = 0;
- cirrus_bitblt_reset(s);
---
-2.1.4
-
+++ /dev/null
-From b3ce5aeaacdd0cec5bab1d83ee24bae73b0dd506 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 25 Jan 2017 14:48:57 +0100
-Subject: [PATCH 1/4] cirrus: handle negative pitch in
- cirrus_invalidate_region()
-
-cirrus_invalidate_region() calls memory_region_set_dirty()
-on a per-line basis, always ranging from off_begin to
-off_begin+bytesperline. With a negative pitch off_begin
-marks the top most used address and thus we need to do an
-initial shift backwards by a line for negative pitches of
-backward blits, otherwise the first iteration covers the
-line going from the start offset forwards instead of
-backwards.
-Additionally since the start address is inclusive, if we
-shift by a full `bytesperline` we move to the first address
-*not* included in the blit, so we only shift by one less
-than bytesperline.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
-
-[ kraxel: codestyle fixes ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 379910d..0f05e45 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
- int off_cur;
- int off_cur_end;
-
-+ if (off_pitch < 0) {
-+ off_begin -= bytesperline - 1;
-+ }
-+
- for (y = 0; y < lines; y++) {
- off_cur = off_begin;
- off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
-+ assert(off_cur_end >= off_cur);
- memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
- off_begin += off_pitch;
- }
---
-2.1.4
-
+++ /dev/null
-From f5dc8e6b503fda1ed87c0f4f53c6d2c76a584872 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 9 Jan 2017 13:35:20 -0700
-Subject: [PATCH 1/5] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092e..379910d 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- return false;
- }
-
--static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
- /* should be the case, see cirrus_bitblt_start */
- assert(s->cirrus_blt_width > 0);
-@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
- return true;
- }
-+ if (dst_only) {
-+ return false;
-+ }
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
- return true;
-@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
-
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- (*s->cirrus_rop) (s, dst, src,
-@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
- cirrus_fill_t rop_func;
-
-- if (blit_is_unsafe(s)) {
-+ if (blit_is_unsafe(s, true)) {
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
---
-2.1.4
-
+++ /dev/null
-From cba280fe94eaed53952e2997cac1ee2bed6cfdee Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 10 Feb 2017 08:34:03 +0100
-Subject: [PATCH 2/2] Revert "cirrus: allow zero source pitch in pattern fill
- rops"
-
-This reverts commit cf9c099a7694eb47ded529e1ed40ee8789f32d31.
-
-Conflicts:
- hw/display/cirrus_vga.c
----
- hw/display/cirrus_vga.c | 29 +++++++++--------------------
- 1 file changed, 9 insertions(+), 20 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 6bd13fc..92e7951 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- int32_t pitch, int32_t addr)
- {
-+ if (!pitch) {
-+ return true;
-+ }
- if (pitch < 0) {
- int64_t min = addr
- + ((int64_t)s->cirrus_blt_height - 1) * pitch
-@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- return false;
- }
-
--static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-- bool zero_src_pitch_ok)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
-- int32_t check_pitch;
--
- /* should be the case, see cirrus_bitblt_start */
- assert(s->cirrus_blt_width > 0);
- assert(s->cirrus_blt_height > 0);
-@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
- return true;
- }
-
-- if (!s->cirrus_blt_dstpitch) {
-- return true;
-- }
--
- if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
- s->cirrus_blt_dstaddr)) {
- return true;
-@@ -314,14 +310,8 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
- if (dst_only) {
- return false;
- }
--
-- check_pitch = s->cirrus_blt_srcpitch;
-- if (!zero_src_pitch_ok && !check_pitch) {
-- check_pitch = s->cirrus_blt_width;
-- }
--
-- if (blit_region_is_unsafe(s, check_pitch,
-- s->cirrus_blt_srcaddr)) {
-+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
- return true;
- }
-
-@@ -715,9 +705,8 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
- src = s->cirrus_bltbuf;
- }
-
-- if (blit_is_unsafe(s, true, true)) {
-+ if (blit_is_unsafe(s, true))
- return 0;
-- }
-
- (*s->cirrus_rop) (s, dst, src,
- s->cirrus_blt_dstpitch, 0,
-@@ -734,7 +723,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
- cirrus_fill_t rop_func;
-
-- if (blit_is_unsafe(s, true, true)) {
-+ if (blit_is_unsafe(s, true)) {
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -834,7 +823,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-- if (blit_is_unsafe(s, false, false))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
---
-2.1.4
-
+++ /dev/null
-From cf9c099a7694eb47ded529e1ed40ee8789f32d31 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 24 Jan 2017 16:35:38 +0100
-Subject: [PATCH 2/4] cirrus: allow zero source pitch in pattern fill rops
-
-The rops used by cirrus_bitblt_common_patterncopy only use
-the destination pitch, so the source pitch shoul allowed to
-be zero and the blit with used for the range check around the
-source address.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0f05e45..98f089e 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- int32_t pitch, int32_t addr)
- {
-- if (!pitch) {
-- return true;
-- }
- if (pitch < 0) {
- int64_t min = addr
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- return false;
- }
-
--static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
-+ bool zero_src_pitch_ok)
- {
-+ int32_t check_pitch;
-+
- /* should be the case, see cirrus_bitblt_start */
- assert(s->cirrus_blt_width > 0);
- assert(s->cirrus_blt_height > 0);
-@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- return true;
- }
-
-+ if (!s->cirrus_blt_dstpitch) {
-+ return true;
-+ }
-+
- if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
- return true;
-@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- if (dst_only) {
- return false;
- }
-- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-+
-+ check_pitch = s->cirrus_blt_srcpitch;
-+ if (!zero_src_pitch_ok && !check_pitch) {
-+ check_pitch = s->cirrus_blt_width;
-+ }
-+
-+ if (blit_region_is_unsafe(s, check_pitch,
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
- return true;
- }
-@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
-
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-
-- if (blit_is_unsafe(s, false))
-+ if (blit_is_unsafe(s, false, true)) {
- return 0;
-+ }
-
- (*s->cirrus_rop) (s, dst, src,
- s->cirrus_blt_dstpitch, 0,
-@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
- cirrus_fill_t rop_func;
-
-- if (blit_is_unsafe(s, true)) {
-+ if (blit_is_unsafe(s, true, true)) {
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-- if (blit_is_unsafe(s, false))
-+ if (blit_is_unsafe(s, false, false))
- return 0;
-
- return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
---
-2.1.4
-
+++ /dev/null
-From 1313d27fc347633d0cf6fc2ff8cbe17a740dd658 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Thu, 11 Aug 2016 00:42:20 +0530
-Subject: [PATCH 2/3] net: vmxnet: initialise local tx descriptor
-
-In Vmxnet3 device emulator while processing transmit(tx) queue,
-when it reaches end of packet, it calls vmxnet3_complete_packet.
-In that local 'txcq_descr' object is not initialised, which could
-leak host memory bytes a guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/net/vmxnet3.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index 90f6943..92f6af9 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
-
- VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
-
-+ memset(&txcq_descr, 0, sizeof(txcq_descr));
- txcq_descr.txdIdx = tx_ridx;
- txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
-
---
-2.1.4
-
+++ /dev/null
-From a173829e6ebd8b2d7f29028f106173ba067c8b8c Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 25 Jan 2017 11:09:56 +0100
-Subject: [PATCH 3/4] cirrus: fix blit address mask handling
-
-Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
-right after assigning them, in cirrus_bitblt_start(), instead of having
-this all over the place in the cirrus code, and missing a few places.
-
-Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
----
- hw/display/cirrus_vga.c | 25 ++++++++++++-------------
- 1 file changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 98f089e..7db6409 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
- }
-
- if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
-- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
-+ s->cirrus_blt_dstaddr)) {
- return true;
- }
- if (dst_only) {
-@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
- }
-
- if (blit_region_is_unsafe(s, check_pitch,
-- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
-+ s->cirrus_blt_srcaddr)) {
- return true;
- }
-
-@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- {
- uint8_t *dst;
-
-- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-+ dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
-
- if (blit_is_unsafe(s, false, true)) {
- return 0;
-@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-- rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
-+ rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
- s->cirrus_blt_dstpitch,
- s->cirrus_blt_width, s->cirrus_blt_height);
- cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
-@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
-
- static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
- {
-- return cirrus_bitblt_common_patterncopy(s,
-- s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
-- s->cirrus_addr_mask));
-+ return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
-+ (s->cirrus_blt_srcaddr & ~7));
- }
-
- static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- if (notify)
- graphic_hw_update(s->vga.con);
-
-- (*s->cirrus_rop) (s, s->vga.vram_ptr +
-- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
-- s->vga.vram_ptr +
-- (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
-+ (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
-+ s->vga.vram_ptr + s->cirrus_blt_srcaddr,
- s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
- s->cirrus_blt_width, s->cirrus_blt_height);
-
-@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
- } else {
- /* at least one scan line */
- do {
-- (*s->cirrus_rop)(s, s->vga.vram_ptr +
-- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
-+ (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
- s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
- cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
- s->cirrus_blt_width, 1);
-@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
- s->cirrus_blt_modeext = s->vga.gr[0x33];
- blt_rop = s->vga.gr[0x32];
-
-+ s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
-+ s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
-+
- #ifdef DEBUG_BITBLT
- printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
- blt_rop,
---
-2.1.4
-
+++ /dev/null
-From 2705772316ff905f3ed08871c602fca1c636f332 Mon Sep 17 00:00:00 2001
-From: Peter Lieven <pl@kamp.de>
-Date: Thu, 30 Jun 2016 11:49:40 +0200
-Subject: [PATCH 3/3] net: limit allocation in nc_sendv_compat
-
-we only need to allocate enough memory to hold the packet. This might be
-less than NET_BUFSIZE. Additionally fail early if the packet is larger
-than NET_BUFSIZE.
-
-Signed-off-by: Peter Lieven <pl@kamp.de>
----
- net/net.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/net.c b/net/net.c
-index c94d93d..2ac46a6 100644
---- a/net/net.c
-+++ b/net/net.c
-@@ -690,9 +690,13 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov,
- buffer = iov[0].iov_base;
- offset = iov[0].iov_len;
- } else {
-- buf = g_new(uint8_t, NET_BUFSIZE);
-+ offset = iov_size(iov, iovcnt);
-+ if (offset > NET_BUFSIZE) {
-+ return -1;
-+ }
-+ buf = g_malloc(offset);
- buffer = buf;
-- offset = iov_to_buf(iov, iovcnt, 0, buf, NET_BUFSIZE);
-+ offset = iov_to_buf(iov, iovcnt, 0, buf, offset);
- }
-
- if (flags & QEMU_NET_PACKET_FLAG_RAW && nc->info->receive_raw) {
---
-2.1.4
-
+++ /dev/null
-From da4c6050712be98934918e348aa34a74be0e4e57 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 31 Jan 2017 17:54:15 +0530
-Subject: [PATCH 3/8] sd: sdhci: check transfer mode register in multi block
- transfer
-
-In SDHCI device emulation the transfer mode register value
-is used during multi block transfer to check if block count
-register is enabled and should be updated. Transfer mode
-register could be set such that, block count register would
-not be updated, thus leading to an infinite loop. Add check
-to avoid it.
-
-Reported-by: Wjjzhang <wjjzhang@tencent.com>
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/sd/sdhci.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf22..35f953a 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -486,6 +486,12 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
- uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
-
-+ if (!(s->trnmod & SDHC_TRNS_MULTI)
-+ || !(s->trnmod & SDHC_TRNS_BLK_CNT_EN)
-+ || !s->blkcnt) {
-+ return;
-+ }
-+
- /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
- * possible stop at page boundary if initial address is not page aligned,
- * allow them to work properly */
-@@ -797,11 +803,6 @@ static void sdhci_data_transfer(void *opaque)
- if (s->trnmod & SDHC_TRNS_DMA) {
- switch (SDHC_DMA_TYPE(s->hostctl)) {
- case SDHC_CTRL_SDMA:
-- if ((s->trnmod & SDHC_TRNS_MULTI) &&
-- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
-- break;
-- }
--
- if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
- sdhci_sdma_transfer_single_block(s);
- } else {
-@@ -1050,7 +1051,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
- if (!(s->capareg & SDHC_CAN_DO_DMA)) {
- value &= ~SDHC_TRNS_DMA;
- }
-- MASKED_WRITE(s->trnmod, mask, value);
-+ MASKED_WRITE(s->trnmod, mask, value & 0x0037);
- MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
-
- /* Writing to the upper byte of CMDREG triggers SD command generation */
---
-2.1.4
-
+++ /dev/null
-From e3ff618899e53791fdff5dbd3f8fa889a2ed7b1d Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH 4/4] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Message-id: 5887254f.863a240a.2c122.5500@mx.google.com
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
- address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409..16f27e8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
- if (pitch < 0) {
- int64_t min = addr
-- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-- int32_t max = addr
-- + s->cirrus_blt_width;
-- if (min < 0 || max > s->vga.vram_size) {
-+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+ - s->cirrus_blt_width;
-+ if (min < -1 || addr >= s->vga.vram_size) {
- return true;
- }
- } else {
---
-2.1.4
-
+++ /dev/null
-From b9bc05a3a687f9993c5c2a8890b53ab9e8dbc96c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 31 Jan 2017 17:54:16 +0530
-Subject: [PATCH 4/8] sd: sdhci: block count enable not relevant in single
- block transfer
-
-In SDHCI device emulation the 'Block count enable' bit
-of the Transfer Mode register is only relevant in multi block
-transfers. We need not check it in single block transfers.
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/sd/sdhci.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 35f953a..85cac42 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -570,7 +570,6 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- }
-
- /* single block SDMA transfer */
--
- static void sdhci_sdma_transfer_single_block(SDHCIState *s)
- {
- int n;
-@@ -589,10 +588,7 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
- sdbus_write_data(&s->sdbus, s->fifo_buffer[n]);
- }
- }
--
-- if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
-- s->blkcnt--;
-- }
-+ s->blkcnt--;
-
- sdhci_end_transfer(s);
- }
---
-2.1.4
-
+++ /dev/null
-From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 14 Dec 2016 12:31:56 +0530
-Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20161214070156.23368-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
-
-Notes:
- CVE-2016-10028
-
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index d98b140..cdd03a4 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc0(sizeof(*resp) + max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
-
-+ resp = g_malloc0(sizeof(*resp) + max_size);
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
- gc.capset_version,
---
-2.1.4
-
+++ /dev/null
-From a8341ea109259c17ad18b02597e5e03e99db60ae Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH 1/8] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
-
-Notes:
- CVE-2016-10155
-
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-2.1.4
-
+++ /dev/null
-From a8ceb006190b9072b0b9866ec5a07bd6de4eca6d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 6 Sep 2016 23:23:17 +0530
-Subject: [PATCH 5/6] scsi: pvscsi: avoid infinite loop while building SG list
-
-In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
-long time or go into an infinite loop due to two different bugs:
-
-1) the request descriptor data length is defined to be 64 bit. While
-building SG list from a request descriptor, it gets truncated to 32bit
-in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
-situation for large 'dataLen' values, when data_length is cast to uint32_t
-and chunk_size becomes always zero. Fix this by removing the incorrect
-cast.
-
-2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
-element has a zero length. Get out of the loop early when this happens,
-by introducing an upper limit on the number of SG list elements.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/scsi/vmw_pvscsi.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 22f872c..e43e0a4 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -40,6 +40,8 @@
- #define PVSCSI_MAX_DEVS (64)
- #define PVSCSI_MSIX_NUM_VECTORS (1)
-
-+#define PVSCSI_MAX_SG_ELEM 2048
-+
- #define PVSCSI_MAX_CMD_DATA_WORDS \
- (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
-
-@@ -629,17 +631,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
- static void
- pvscsi_convert_sglist(PVSCSIRequest *r)
- {
-- int chunk_size;
-+ uint32_t chunk_size, elmcnt = 0;
- uint64_t data_length = r->req.dataLen;
- PVSCSISGState sg = r->sg;
-- while (data_length) {
-- while (!sg.resid) {
-+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
-+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
- pvscsi_get_next_sg_elem(&sg);
- trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
- r->sg.resid);
- }
-- assert(data_length > 0);
-- chunk_size = MIN((unsigned) data_length, sg.resid);
-+ chunk_size = MIN(data_length, sg.resid);
- if (chunk_size) {
- qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
- }
---
-2.1.4
-
+++ /dev/null
-From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001
-From: chaojianhu <chaojianhu@hotmail.com>
-Date: Tue, 9 Aug 2016 11:52:54 +0800
-Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
-
-The .receive callback of xlnx.xps-ethernetlite doesn't check the length
-of data before calling memcpy. As a result, the NetClientState object in
-heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
-will be affected.
-
-Reported-by: chaojianhu <chaojianhu@hotmail.com>
-Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/xilinx_ethlite.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
-index bc846e7..12b7419 100644
---- a/hw/net/xilinx_ethlite.c
-+++ b/hw/net/xilinx_ethlite.c
-@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
- }
-
- D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
-+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
-+ D(qemu_log("ethlite packet is too big, size=%x\n", size));
-+ return -1;
-+ }
- memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
-
- s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
---
-2.1.4
-
+++ /dev/null
-From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 8 Sep 2016 18:15:54 +0530
-Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
-
-When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
-the computed BITMAP and PIXMAP size are checked against the
-'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
-Correct these checks to avoid OOB memory access.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/vmware_vga.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index e51a05e..6599cf0 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- cursor.bpp = vmsvga_fifo_read(s);
-
- args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
-- if (cursor.width > 256 ||
-- cursor.height > 256 ||
-- cursor.bpp > 32 ||
-- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
-- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
-+ if (cursor.width > 256
-+ || cursor.height > 256
-+ || cursor.bpp > 32
-+ || SVGA_BITMAP_SIZE(x, y)
-+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
-+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
-+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
- goto badcmd;
- }
-
---
-2.1.4
-
+++ /dev/null
-From 1723b5e7962eb077353bab0772ca8114774b6c60 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 19 Sep 2016 23:55:45 +0530
-Subject: [PATCH 4/7] virtio: add check for descriptor's mapped address
-
-virtio back end uses set of buffers to facilitate I/O operations.
-If its size is too large, 'cpu_physical_memory_map' could return
-a null address. This would result in a null dereference while
-un-mapping descriptors. Add check to avoid it.
-
-Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 74c085c..eabe573 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
- }
-
- iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
-+ if (!iov[num_sg].iov_base) {
-+ error_report("virtio: bogus descriptor or out of resources");
-+ exit(1);
-+ }
-+
- iov[num_sg].iov_len = len;
- addr[num_sg] = pa;
-
---
-2.1.4
-
+++ /dev/null
-From b53dd4495ced2432a0b652ea895e651d07336f7e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 13 Sep 2016 03:20:03 -0700
-Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
-
-If the xhci uses msix, it doesn't free the corresponding
-memory, thus leading a memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-xhci.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 37c1493..726435c 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -3715,8 +3715,7 @@ static void usb_xhci_exit(PCIDevice *dev)
- /* destroy msix memory region */
- if (dev->msix_table && dev->msix_pba
- && dev->msix_entry_used) {
-- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
-- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
-+ msix_uninit(dev, &xhci->mem, &xhci->mem);
- }
-
- usb_bus_release(&xhci->bus);
---
-2.1.4
-
+++ /dev/null
-From 3798522afcf58abbce6de67446fcae7a34ae919d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 22 Sep 2016 16:01:38 +0530
-Subject: [PATCH 5/7] net: imx: limit buffer descriptor count
-
-i.MX Fast Ethernet Controller uses buffer descriptors to manage
-data flow to/fro receive & transmit queues. While transmitting
-packets, it could continue to read buffer descriptors if a buffer
-descriptor has length of zero and has crafted values in bd.flags.
-Set an upper limit to number of buffer descriptors.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/net/imx_fec.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
-index 1c415ab..1d74827 100644
---- a/hw/net/imx_fec.c
-+++ b/hw/net/imx_fec.c
-@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
- #define PHY_INT_PARFAULT (1 << 2)
- #define PHY_INT_AUTONEG_PAGE (1 << 1)
-
-+#define IMX_MAX_DESC 1024
-+
- static void imx_eth_update(IMXFECState *s);
-
- /*
-@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
-
- static void imx_fec_do_tx(IMXFECState *s)
- {
-- int frame_size = 0;
-+ int frame_size = 0, descnt = 0;
- uint8_t frame[ENET_MAX_FRAME_SIZE];
- uint8_t *ptr = frame;
- uint32_t addr = s->tx_descriptor;
-
-- while (1) {
-+ while (descnt++ < IMX_MAX_DESC) {
- IMXFECBufDesc bd;
- int len;
-
---
-2.1.4
-
+++ /dev/null
-From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 22 Sep 2016 16:02:37 +0530
-Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count
-
-ColdFire Fast Ethernet Controller uses buffer descriptors to manage
-data flow to/fro receive & transmit queues. While transmitting
-packets, it could continue to read buffer descriptors if a buffer
-descriptor has length of zero and has crafted values in bd.flags.
-Set upper limit to number of buffer descriptors.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/mcf_fec.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index 0ee8ad9..d31fea1 100644
---- a/hw/net/mcf_fec.c
-+++ b/hw/net/mcf_fec.c
-@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
- #define DPRINTF(fmt, ...) do {} while(0)
- #endif
-
-+#define FEC_MAX_DESC 1024
- #define FEC_MAX_FRAME_SIZE 2032
-
- typedef struct {
-@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
- uint32_t addr;
- mcf_fec_bd bd;
- int frame_size;
-- int len;
-+ int len, descnt = 0;
- uint8_t frame[FEC_MAX_FRAME_SIZE];
- uint8_t *ptr;
-
-@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
- ptr = frame;
- frame_size = 0;
- addr = s->tx_descriptor;
-- while (1) {
-+ while (descnt++ < FEC_MAX_DESC) {
- mcf_fec_read_bd(&bd, addr);
- DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
- addr, bd.flags, bd.length, bd.data);
---
-2.1.4
-
+++ /dev/null
-From ed825b783750cbe88aa67bbe83cf662082828efa Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 30 Sep 2016 00:27:33 +0530
-Subject: [PATCH 7/7] net: pcnet: check rx/tx descriptor ring length
-
-The AMD PC-Net II emulator has set of control and status(CSR)
-registers. Of these, CSR76 and CSR78 hold receive and transmit
-descriptor ring length respectively. This ring length could range
-from 1 to 65535. Setting ring length to zero leads to an infinite
-loop in pcnet_rdra_addr. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/net/pcnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index 198a01f..3078de8 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
- case 47: /* POLLINT */
- case 72:
- case 74:
-+ break;
- case 76: /* RCVRL */
- case 78: /* XMTRL */
-+ val = (val > 0) ? val : 512;
-+ break;
- case 112:
- if (CSR_STOP(s) || CSR_SPND(s))
- break;
---
-2.1.4
-
+++ /dev/null
-From 594fa98211f92ab07ee6d6b6a9eda93a416a1f57 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Sun, 18 Sep 2016 19:07:11 -0700
-Subject: [PATCH 1/2] virtio-gpu: fix memory leak in
- virtio_gpu_resource_create_2d
-
-In virtio gpu resource create dispatch, if the pixman format is zero
-it doesn't free the resource object allocated previously. Thus leading
-a host memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
----
- hw/display/virtio-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 7fe6ed8..5b6d17b 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
- qemu_log_mask(LOG_GUEST_ERROR,
- "%s: host couldn't handle guest format %d\n",
- __func__, c2d.format);
-+ g_free(res);
- cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
- return;
- }
---
-2.1.4
-
+++ /dev/null
-From 91a16e6e51a4e046d59379fc83b9dfc1e860e9c7 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Sat, 8 Oct 2016 11:58:03 +0300
-Subject: [PATCH 2/2] usb: ehci: fix memory leak in ehci_process_itd
-
-While processing isochronous transfer descriptors(iTD), if the page
-select(PG) field value is out of bands it will return. In this
-situation the ehci's sg list is not freed thus leading to a memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
----
- hw/usb/hcd-ehci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index b093db7..f4ece9a 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
- if (off + len > 4096) {
- /* transfer crosses page border */
- if (pg == 6) {
-+ qemu_sglist_destroy(&ehci->isgl);
- return -1; /* avoid page pg + 1 */
- }
- ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
---
-2.1.4
-
+++ /dev/null
-From b5ef1754de94247de307044b19e6bc3fa0ad5ba8 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 10 Oct 2016 12:46:22 +0200
-Subject: [PATCH 2/4] xhci: limit the number of link trbs we are willing to
- process
-
-Needed to avoid we run in circles forever in case the guest builds
-an endless loop with link trbs.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Tested-by: P J P <ppandit@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
----
- hw/usb/hcd-xhci.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 281a2a5..8a9a31a 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -54,6 +54,8 @@
- * to the specs when it gets them */
- #define ER_FULL_HACK
-
-+#define TRB_LINK_LIMIT 4
-+
- #define LEN_CAP 0x40
- #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
- #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
-@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
- dma_addr_t *addr)
- {
- PCIDevice *pci_dev = PCI_DEVICE(xhci);
-+ uint32_t link_cnt = 0;
-
- while (1) {
- TRBType type;
-@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
- ring->dequeue += TRB_SIZE;
- return type;
- } else {
-+ if (++link_cnt > TRB_LINK_LIMIT) {
-+ return 0;
-+ }
- ring->dequeue = xhci_mask64(trb->parameter);
- if (trb->control & TRB_LK_TC) {
- ring->ccs = !ring->ccs;
-@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
- bool ccs = ring->ccs;
- /* hack to bundle together the two/three TDs that make a setup transfer */
- bool control_td_set = 0;
-+ uint32_t link_cnt = 0;
-
- while (1) {
- TRBType type;
-@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
- type = TRB_TYPE(trb);
-
- if (type == TR_LINK) {
-+ if (++link_cnt > TRB_LINK_LIMIT) {
-+ return -length;
-+ }
- dequeue = xhci_mask64(trb.parameter);
- if (trb.control & TRB_LK_TC) {
- ccs = !ccs;
---
-2.1.4
-
+++ /dev/null
-From 8794fc68736fda80d7191f100c03c960a5ef1224 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 11 Oct 2016 09:27:45 +0200
-Subject: [PATCH 3/4] 9pfs: fix potential host memory leak in v9fs_read
-
-In 9pfs read dispatch function, it doesn't free two QEMUIOVector
-object thus causing potential memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index dfe293d..54e18a2 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque)
- if (len < 0) {
- /* IO error return the error */
- err = len;
-- goto out;
-+ goto out_free_iovec;
- }
- } while (count < max_count && len > 0);
- err = pdu_marshal(pdu, offset, "d", count);
- if (err < 0) {
-- goto out;
-+ goto out_free_iovec;
- }
- err += offset + count;
-+out_free_iovec:
- qemu_iovec_destroy(&qiov);
- qemu_iovec_destroy(&qiov_full);
- } else if (fidp->fid_type == P9_FID_XATTR) {
---
-2.1.4
-
+++ /dev/null
-From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 11 Oct 2016 09:27:45 +0200
-Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings
-
-If a guest sends an empty string paramater to any 9P operation, the current
-code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
-
-This is unfortunate because it can cause NULL pointer dereference to happen
-at various locations in the 9pfs code. And we don't want to check str->data
-everywhere we pass it to strcmp() or any other function which expects a
-dereferenceable pointer.
-
-This patch enforces the allocation of genuine C empty strings instead, so
-callers don't have to bother.
-
-Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
-the returned string is empty. It now uses v9fs_string_size() since
-name.data cannot be NULL anymore.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-[groug, rewritten title and changelog,
- fix empty string check in v9fs_xattrwalk()]
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- fsdev/9p-iov-marshal.c | 2 +-
- hw/9pfs/9p.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
-index 663cad5..1d16f8d 100644
---- a/fsdev/9p-iov-marshal.c
-+++ b/fsdev/9p-iov-marshal.c
-@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
- str->data = g_malloc(str->size + 1);
- copied = v9fs_unpack(str->data, out_sg, out_num, offset,
- str->size);
-- if (copied > 0) {
-+ if (copied >= 0) {
- str->data[str->size] = 0;
- } else {
- v9fs_string_free(str);
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 54e18a2..75ba5f1 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque)
- goto out;
- }
- v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
-- if (name.data == NULL) {
-+ if (!v9fs_string_size(&name)) {
- /*
- * listxattr request. Get the size first
- */
---
-2.1.4
-
+++ /dev/null
-From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 12 Oct 2016 14:40:55 +0530
-Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
-
-Rocker network switch emulator has test registers to help debug
-DMA operations. While testing host DMA access, a buffer address
-is written to register 'TEST_DMA_ADDR' and its size is written to
-register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
-test, if DMA buffer size was greater than 'INT_MAX', it leads to
-an invalid buffer access. Limit the DMA buffer size to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/net/rocker/rocker.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
-index 30f2ce4..e9d215a 100644
---- a/hw/net/rocker/rocker.c
-+++ b/hw/net/rocker/rocker.c
-@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
- rocker_msix_irq(r, val);
- break;
- case ROCKER_TEST_DMA_SIZE:
-- r->test_dma_size = val;
-+ r->test_dma_size = val & 0xFFFF;
- break;
- case ROCKER_TEST_DMA_ADDR + 4:
- r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
---
-2.1.4
-
+++ /dev/null
-From 7e0ebfd13e55a706396197437f375692bbf75d15 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 12 Oct 2016 11:28:08 +0530
-Subject: [PATCH 2/2] char: serial: check divider value against baud base
-
-16550A UART device uses an oscillator to generate frequencies
-(baud base), which decide communication speed. This speed could
-be changed by dividing it by a divider. If the divider is
-greater than the baud base, speed is set to zero, leading to a
-divide by zero error. Add check to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
----
- hw/char/serial.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index 3442f47..eec72b7 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
- int speed, parity, data_bits, stop_bits, frame_size;
- QEMUSerialSetParams ssp;
-
-- if (s->divider == 0)
-+ if (s->divider == 0 || s->divider > s->baudbase) {
- return;
-+ }
-
- /* Start bit. */
- frame_size = 1;
---
-2.1.4
-
+++ /dev/null
-From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 20 Oct 2016 13:10:24 +0530
-Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
- transfer
-
-Intel HDA emulator uses stream of buffers during DMA data
-transfers. Each entry has buffer length and buffer pointer
-position, which are used to derive bytes to 'copy'. If this
-length and buffer pointer were to be same, 'copy' could be
-set to zero(0), leading to an infinite loop. Add check to
-avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/intel-hda.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
-index cd95340..537face 100644
---- a/hw/audio/intel-hda.c
-+++ b/hw/audio/intel-hda.c
-@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
- }
-
- left = len;
-- while (left > 0) {
-+ s = st->bentries;
-+ while (left > 0 && s-- > 0) {
- copy = left;
- if (copy > st->bsize - st->lpib)
- copy = st->bsize - st->lpib;
---
-2.1.4
-
+++ /dev/null
-From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Sat, 8 Oct 2016 05:07:25 -0700
-Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
-
-The exit dispatch of eepro100 network card device doesn't free
-the 's->vmstate' field which was allocated in device realize thus
-leading a host memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/eepro100.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
-index bab4dbf..4bf71f2 100644
---- a/hw/net/eepro100.c
-+++ b/hw/net/eepro100.c
-@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
- EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
-
- vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
-+ g_free(s->vmstate);
- eeprom93xx_free(&pci_dev->qdev, s->eeprom);
- qemu_del_nic(s->nic);
- }
---
-2.1.4
-
+++ /dev/null
-From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
-
-The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
-situation that this field has been allocated previously. Every time, it
-will be allocated directly. This leads to a host memory leak issue if
-the client sends another Txattrcreate message with the same fid number
-before the fid from the previous time got clunked.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-[groug, updated the changelog to indicate how the leak can occur]
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 3becdd0..f5af4e3 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
- xattr_fidp->fs.xattr.flags = flags;
- v9fs_string_init(&xattr_fidp->fs.xattr.name);
- v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
-+ g_free(xattr_fidp->fs.xattr.value);
- xattr_fidp->fs.xattr.value = g_malloc0(size);
- err = offset;
- put_fid(pdu, file_fidp);
---
-2.1.4
-
+++ /dev/null
-From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
-
-9pfs uses g_malloc() to allocate the xattr memory space, if the guest
-reads this memory before writing to it, this will leak host heap memory
-to the guest. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 75ba5f1..3becdd0 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
- xattr_fidp->fs.xattr.flags = flags;
- v9fs_string_init(&xattr_fidp->fs.xattr.name);
- v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
-- xattr_fidp->fs.xattr.value = g_malloc(size);
-+ xattr_fidp->fs.xattr.value = g_malloc0(size);
- err = offset;
- put_fid(pdu, file_fidp);
- out_nofid:
---
-2.1.4
-
+++ /dev/null
-From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 12:00:40 +0100
-Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
-originated offset: they must ensure this offset does not go beyond
-the size of the extended attribute that was set in v9fs_xattrcreate().
-Unfortunately, the current code implement these checks with unsafe
-calculations on 32 and 64 bit values, which may allow a malicious
-guest to cause OOB access anyway.
-
-Fix this by comparing the offset and the xattr size, which are
-both uint64_t, before trying to compute the effective number of bytes
-to read or write.
-
-Suggested-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Reviewed-By: Guido Günther <agx@sigxcpu.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 32 ++++++++++++--------------------
- 1 file changed, 12 insertions(+), 20 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index af07846..fc4f2cd 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
- {
- ssize_t err;
- size_t offset = 7;
-- int read_count;
-- int64_t xattr_len;
-+ uint64_t read_count;
- V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
- VirtQueueElement *elem = v->elems[pdu->idx];
-
-- xattr_len = fidp->fs.xattr.len;
-- read_count = xattr_len - off;
-+ if (fidp->fs.xattr.len < off) {
-+ read_count = 0;
-+ } else {
-+ read_count = fidp->fs.xattr.len - off;
-+ }
- if (read_count > max_count) {
- read_count = max_count;
-- } else if (read_count < 0) {
-- /*
-- * read beyond XATTR value
-- */
-- read_count = 0;
- }
- err = pdu_marshal(pdu, offset, "d", read_count);
- if (err < 0) {
-@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
- {
- int i, to_copy;
- ssize_t err = 0;
-- int write_count;
-- int64_t xattr_len;
-+ uint64_t write_count;
- size_t offset = 7;
-
-
-- xattr_len = fidp->fs.xattr.len;
-- write_count = xattr_len - off;
-- if (write_count > count) {
-- write_count = count;
-- } else if (write_count < 0) {
-- /*
-- * write beyond XATTR value len specified in
-- * xattrcreate
-- */
-+ if (fidp->fs.xattr.len < off) {
- err = -ENOSPC;
- goto out;
- }
-+ write_count = fidp->fs.xattr.len - off;
-+ if (write_count > count) {
-+ write_count = count;
-+ }
- err = pdu_marshal(pdu, offset, "d", write_count);
- if (err < 0) {
- return err;
---
-2.1.4
-
+++ /dev/null
-From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link
-
-The v9fs_link() function keeps a reference on the source fid object. This
-causes a memory leak since the reference never goes down to 0. This patch
-fixes the issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-[groug, rephrased the changelog]
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index f5af4e3..aa2b8c0 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque)
- if (!err) {
- err = offset;
- }
-+ put_fid(pdu, oldfidp);
- out:
- put_fid(pdu, dfidp);
- out_nofid:
---
-2.1.4
-
+++ /dev/null
-From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 17 Oct 2016 14:13:58 +0200
-Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
-
-If an error occurs when marshalling the transfer length to the guest, the
-v9fs_write() function doesn't free an IO vector, thus leading to a memory
-leak. This patch fixes the issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-[groug, rephrased the changelog]
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index aa2b8c0..af07846 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
- offset = 7;
- err = pdu_marshal(pdu, offset, "d", total);
- if (err < 0) {
-- goto out;
-+ goto out_qiov;
- }
- err += offset;
- trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
---
-2.1.4
-
+++ /dev/null
-From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 29 Nov 2016 00:38:39 +0530
-Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
-
-ColdFire Fast Ethernet Controller uses a receive buffer size
-register(EMRBR) to hold maximum size of all receive buffers.
-It is set by a user before any operation. If it was set to be
-zero, ColdFire emulator would go into an infinite loop while
-receiving data in mcf_fec_receive. Add check to avoid it.
-
-Reported-by: Wjjzhang <wjjzhang@tencent.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/mcf_fec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
-index d31fea1..3d4b3b3 100644
---- a/hw/net/mcf_fec.c
-+++ b/hw/net/mcf_fec.c
-@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
- s->tx_descriptor = s->etdsr;
- break;
- case 0x188:
-- s->emrbr = value & 0x7f0;
-+ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
- break;
- default:
- hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
---
-2.1.4
-
+++ /dev/null
-From 71ee39ea06cbcbd1971213aa1f3a9036c50b6a57 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 02:53:11 -0700
-Subject: [PATCH 02/12] virtio-gpu: fix information leak in getting capset info
- dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
-been full initialized before writing to the guest. This will leak
-the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
-patch fix this issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 758d33a..23f39de 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
-
- VIRTIO_GPU_FILL_CMD(info);
-
-+ memset(&resp, 0, sizeof(resp));
- if (info.capset_index == 0) {
- resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
- virgl_renderer_get_cap_set(resp.capset_id,
---
-2.1.4
-
+++ /dev/null
-From 74a46afa58632277063ca4990cf0c954f342dd7d Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 04:06:58 -0700
-Subject: [PATCH 03/12] virtio-gpu: fix memory leak in update_cursor_data_virgl
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In update_cursor_data_virgl function, if the 'width'/ 'height'
-is not equal to current cursor's width/height it will return
-without free the 'data' allocated previously. This will lead
-a memory leak issue. This patch fix this issue.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 5b6d17b..41f8096 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
-
- if (width != s->current_cursor->width ||
- height != s->current_cursor->height) {
-+ free(data);
- return;
- }
-
---
-2.1.4
-
+++ /dev/null
-From 5bbb994dd062eb3950d67db3c6189dab0df7ec9b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 7 Nov 2016 21:57:46 -0800
-Subject: [PATCH 04/12] usbredir: free vm_change_state_handler in usbredir
- destroy dispatch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In usbredir destroy dispatch function, it doesn't free the vm change
-state handler once registered in usbredir_realize function. This will
-lead a memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/redirect.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 444672a..42aeaa4 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -132,6 +132,7 @@ struct USBRedirDevice {
- struct usbredirfilter_rule *filter_rules;
- int filter_rules_count;
- int compatible_speedmask;
-+ VMChangeStateEntry *vmstate;
- };
-
- #define TYPE_USB_REDIR "usb-redir"
-@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
- qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
- usbredir_chardev_read, usbredir_chardev_event, dev);
-
-- qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
-+ dev->vmstate =
-+ qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
- }
-
- static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
-@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
- }
-
- free(dev->filter_rules);
-+ qemu_del_vm_change_state_handler(dev->vmstate);
- }
-
- static int usbredir_check_filter(USBRedirDevice *dev)
---
-2.1.4
-
+++ /dev/null
-From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 1 Nov 2016 05:37:57 -0700
-Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch
-
-In virgl_cmd_get_capset function, it uses g_malloc to allocate
-a response struct to the guest. As the 'resp'struct hasn't been full
-initialized it will lead the 'resp->padding' field to the guest.
-Use g_malloc0 to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
----
- hw/display/virtio-gpu-3d.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 23f39de..d98b140 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc(sizeof(*resp) + max_size);
-+ resp = g_malloc0(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
---
-2.1.4
-
+++ /dev/null
-From 824f78bb0135cff4cb29e26c3de1cb4c2da35b46 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 8 Nov 2016 04:11:10 -0800
-Subject: [PATCH 05/12] usb: ehci: fix memory leak in ehci_init_transfer
-
-In ehci_init_transfer function, if the 'cpage' is bigger than 4,
-it doesn't free the 'p->sgl' once allocated previously thus leading
-a memory leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-ehci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index f4ece9a..7622a3a 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
- while (bytes > 0) {
- if (cpage > 4) {
- fprintf(stderr, "cpage out of range (%d)\n", cpage);
-+ qemu_sglist_destroy(&p->sgl);
- return -1;
- }
-
---
-2.1.4
-
+++ /dev/null
-From efc44f269fe72bab2c496f21809f6bef20d9c398 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Mon, 28 Nov 2016 21:29:25 -0500
-Subject: [PATCH 11/12] virtio-gpu: call cleanup mapping function in resource
- destroy
-
-If the guest destroy the resource before detach banking, the 'iov'
-and 'addrs' field in resource is not freed thus leading memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
----
- hw/display/virtio-gpu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 41f8096..8903dee 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -28,6 +28,8 @@
- static struct virtio_gpu_simple_resource*
- virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
-
-+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
-+
- #ifdef CONFIG_VIRGL
- #include <virglrenderer.h>
- #define VIRGL(_g, _virgl, _simple, ...) \
-@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
- struct virtio_gpu_simple_resource *res)
- {
- pixman_image_unref(res->image);
-+ virtio_gpu_cleanup_mapping(res);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
- }
---
-2.1.4
-
+++ /dev/null
-From 9be364d4b3bc173103bec0dc76259f40d232eb88 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 06/12] 9pfs: adjust the order of resource cleanup in device
- unrealize
-
-Unrealize should undo things that were set during realize in
-reverse order. So should do in the error path in realize.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index fc4f2cd..ced7b4c 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3490,8 +3490,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
- rc = 0;
- out:
- if (rc) {
-- g_free(s->ctx.fs_root);
- g_free(s->tag);
-+ g_free(s->ctx.fs_root);
- v9fs_path_free(&path);
- }
- return rc;
-@@ -3499,8 +3499,8 @@ out:
-
- void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
- {
-- g_free(s->ctx.fs_root);
- g_free(s->tag);
-+ g_free(s->ctx.fs_root);
- }
-
- static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
---
-2.1.4
-
+++ /dev/null
-From f2ef9ae2a512fca1df0d56c226adc24ddf002b8b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 07/12] 9pfs: add cleanup operation in FileOperations
-
-Currently, the backend of VirtFS doesn't have a cleanup
-function. This will lead resource leak issues if the backed
-driver allocates resources. This patch addresses this issue.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- fsdev/file-op-9p.h | 1 +
- hw/9pfs/9p.c | 6 ++++++
- 2 files changed, 7 insertions(+)
-
-diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
-index 6db9fea..a56dc84 100644
---- a/fsdev/file-op-9p.h
-+++ b/fsdev/file-op-9p.h
-@@ -100,6 +100,7 @@ struct FileOperations
- {
- int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
- int (*init)(struct FsContext *);
-+ void (*cleanup)(struct FsContext *);
- int (*lstat)(FsContext *, V9fsPath *, struct stat *);
- ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
- int (*chmod)(FsContext *, V9fsPath *, FsCred *);
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index ced7b4c..f2a90d4 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -3490,6 +3490,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
- rc = 0;
- out:
- if (rc) {
-+ if (s->ops->cleanup && s->ctx.private) {
-+ s->ops->cleanup(&s->ctx);
-+ }
- g_free(s->tag);
- g_free(s->ctx.fs_root);
- v9fs_path_free(&path);
-@@ -3499,6 +3502,9 @@ out:
-
- void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
- {
-+ if (s->ops->cleanup) {
-+ s->ops->cleanup(&s->ctx);
-+ }
- g_free(s->tag);
- g_free(s->ctx.fs_root);
- }
---
-2.1.4
-
+++ /dev/null
-From 4196726e44c437793294af15d95e53164cf9a02d Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 08/12] 9pfs: add cleanup operation for handle backend driver
-
-In the init operation of handle backend dirver, it allocates a
-handle_data struct and opens a mount file. We should free these
-resources when the 9pfs device is unrealized. This is what this
-patch does.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p-handle.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
-index 3d77594..1687661 100644
---- a/hw/9pfs/9p-handle.c
-+++ b/hw/9pfs/9p-handle.c
-@@ -649,6 +649,14 @@ out:
- return ret;
- }
-
-+static void handle_cleanup(FsContext *ctx)
-+{
-+ struct handle_data *data = ctx->private;
-+
-+ close(data->mountfd);
-+ g_free(data);
-+}
-+
- static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
- {
- const char *sec_model = qemu_opt_get(opts, "security_model");
-@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
- FileOperations handle_ops = {
- .parse_opts = handle_parse_opts,
- .init = handle_init,
-+ .cleanup = handle_cleanup,
- .lstat = handle_lstat,
- .readlink = handle_readlink,
- .close = handle_close,
---
-2.1.4
-
+++ /dev/null
-From ae9b5c9dae96dd8d3bdf9bb6b9a0f7a2d6f532f7 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Wed, 23 Nov 2016 13:53:34 +0100
-Subject: [PATCH 09/12] 9pfs: add cleanup operation for proxy backend driver
-
-In the init operation of proxy backend dirver, it allocates a
-V9fsProxy struct and some other resources. We should free these
-resources when the 9pfs device is unrealized. This is what this
-patch does.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p-proxy.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
-index f265501..336e9fe 100644
---- a/hw/9pfs/9p-proxy.c
-+++ b/hw/9pfs/9p-proxy.c
-@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
- return 0;
- }
-
-+static void proxy_cleanup(FsContext *ctx)
-+{
-+ V9fsProxy *proxy = ctx->private;
-+
-+ g_free(proxy->out_iovec.iov_base);
-+ g_free(proxy->in_iovec.iov_base);
-+ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
-+ close(proxy->sockfd);
-+ }
-+ g_free(proxy);
-+}
-+
- FileOperations proxy_ops = {
- .parse_opts = proxy_parse_opts,
- .init = proxy_init,
-+ .cleanup = proxy_cleanup,
- .lstat = proxy_lstat,
- .readlink = proxy_readlink,
- .close = proxy_close,
---
-2.1.4
-
+++ /dev/null
-From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 18 Oct 2016 13:15:17 +0530
-Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
-
-In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
-'cirrus_get_bpp' returns zero(0), which could lead to a divide
-by zero error in while copying pixel data. The same could occur
-via blit pitch values. Add check to avoid it.
-
-Reported-by: Huawei PSIRT <psirt@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
-
-Notes:
- CVE-2016-9921
- CVE-2016-9922
-
- hw/display/cirrus_vga.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 3d712d5..bdb092e 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
- static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- int32_t pitch, int32_t addr)
- {
-+ if (!pitch) {
-+ return true;
-+ }
- if (pitch < 0) {
- int64_t min = addr
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
- s->cirrus_addr_mask));
- }
-
--static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- {
- int sx = 0, sy = 0;
- int dx = 0, dy = 0;
-@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- int width, height;
-
- depth = s->vga.get_bpp(&s->vga) / 8;
-+ if (!depth) {
-+ return 0;
-+ }
- s->vga.get_resolution(&s->vga, &width, &height);
-
- /* extra x, y */
-@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
- s->cirrus_blt_dstpitch, s->cirrus_blt_width,
- s->cirrus_blt_height);
-+
-+ return 1;
- }
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
-@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- if (blit_is_unsafe(s))
- return 0;
-
-- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
-+ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
- s->cirrus_blt_srcaddr - s->vga.start_addr,
- s->cirrus_blt_width, s->cirrus_blt_height);
--
-- return 1;
- }
-
- /***************************************
---
-2.1.4
-
+++ /dev/null
-From d775c497a84a5c4be3f15cca85ca8440dd5880a0 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 22 Feb 2017 13:42:31 +0100
-Subject: [PATCH qemu] cirrus: add blit_is_unsafe call to
- cirrus_bitblt_cputovideo (CVE-2017-2620)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1487679663-3264-1-git-send-email-kraxel@redhat.com
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 1deb520..b9e7cb1 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s, true)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-2.1.4
-
+++ /dev/null
-From 385c66564aad5fbbe303e0d2ee5e8ffd9c10bc23 Mon Sep 17 00:00:00 2001
-From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Date: Mon, 12 Sep 2016 18:18:35 +0100
-Subject: [PATCH 04/36] x86/lapic: Load LAPIC state at post_load
-
-Load the LAPIC state during post_load (rather than when the CPU
-starts).
-
-This allows an interrupt to be delivered from the ioapic to
-the lapic prior to cpu loading, in particular the RTC that starts
-ticking as soon as we load it's state.
-
-Fixes a case where Windows hangs after migration due to RTC interrupts
-disappearing.
-
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/i386/kvm/apic.c | 26 ++++++++++++++++++++++++--
- include/sysemu/kvm.h | 1 -
- target-i386/kvm.c | 17 -----------------
- 3 files changed, 24 insertions(+), 20 deletions(-)
-
-diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
-index 2bd0de8..feb0002 100644
---- a/hw/i386/kvm/apic.c
-+++ b/hw/i386/kvm/apic.c
-@@ -28,9 +28,8 @@ static inline uint32_t kvm_apic_get_reg(struct kvm_lapic_state *kapic,
- return *((uint32_t *)(kapic->regs + (reg_id << 4)));
- }
-
--void kvm_put_apic_state(DeviceState *dev, struct kvm_lapic_state *kapic)
-+static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
- {
-- APICCommonState *s = APIC_COMMON(dev);
- int i;
-
- memset(kapic, 0, sizeof(*kapic));
-@@ -125,6 +124,26 @@ static void kvm_apic_vapic_base_update(APICCommonState *s)
- }
- }
-
-+static void kvm_apic_put(void *data)
-+{
-+ APICCommonState *s = data;
-+ struct kvm_lapic_state kapic;
-+ int ret;
-+
-+ kvm_put_apic_state(s, &kapic);
-+
-+ ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic);
-+ if (ret < 0) {
-+ fprintf(stderr, "KVM_SET_LAPIC failed: %s\n", strerror(ret));
-+ abort();
-+ }
-+}
-+
-+static void kvm_apic_post_load(APICCommonState *s)
-+{
-+ run_on_cpu(CPU(s->cpu), kvm_apic_put, s);
-+}
-+
- static void do_inject_external_nmi(void *data)
- {
- APICCommonState *s = data;
-@@ -178,6 +197,8 @@ static void kvm_apic_reset(APICCommonState *s)
- {
- /* Not used by KVM, which uses the CPU mp_state instead. */
- s->wait_for_sipi = 0;
-+
-+ run_on_cpu(CPU(s->cpu), kvm_apic_put, s);
- }
-
- static void kvm_apic_realize(DeviceState *dev, Error **errp)
-@@ -206,6 +227,7 @@ static void kvm_apic_class_init(ObjectClass *klass, void *data)
- k->set_base = kvm_apic_set_base;
- k->set_tpr = kvm_apic_set_tpr;
- k->get_tpr = kvm_apic_get_tpr;
-+ k->post_load = kvm_apic_post_load;
- k->enable_tpr_reporting = kvm_apic_enable_tpr_reporting;
- k->vapic_base_update = kvm_apic_vapic_base_update;
- k->external_nmi = kvm_apic_external_nmi;
-diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
-index c9c2436..ae5d81b 100644
---- a/include/sysemu/kvm.h
-+++ b/include/sysemu/kvm.h
-@@ -372,7 +372,6 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg);
-
- void kvm_irqchip_add_irq_route(KVMState *s, int gsi, int irqchip, int pin);
-
--void kvm_put_apic_state(DeviceState *d, struct kvm_lapic_state *kapic);
- void kvm_get_apic_state(DeviceState *d, struct kvm_lapic_state *kapic);
-
- struct kvm_guest_debug;
-diff --git a/target-i386/kvm.c b/target-i386/kvm.c
-index d1a25c5..f1ad805 100644
---- a/target-i386/kvm.c
-+++ b/target-i386/kvm.c
-@@ -2416,19 +2416,6 @@ static int kvm_get_apic(X86CPU *cpu)
- return 0;
- }
-
--static int kvm_put_apic(X86CPU *cpu)
--{
-- DeviceState *apic = cpu->apic_state;
-- struct kvm_lapic_state kapic;
--
-- if (apic && kvm_irqchip_in_kernel()) {
-- kvm_put_apic_state(apic, &kapic);
--
-- return kvm_vcpu_ioctl(CPU(cpu), KVM_SET_LAPIC, &kapic);
-- }
-- return 0;
--}
--
- static int kvm_put_vcpu_events(X86CPU *cpu, int level)
- {
- CPUState *cs = CPU(cpu);
-@@ -2670,10 +2657,6 @@ int kvm_arch_put_registers(CPUState *cpu, int level)
- if (ret < 0) {
- return ret;
- }
-- ret = kvm_put_apic(x86_cpu);
-- if (ret < 0) {
-- return ret;
-- }
- }
-
- ret = kvm_put_tscdeadline_msr(x86_cpu);
---
-2.1.4
-
-From 109c1a773ac37b2dc3d9781ce203a804d3e77651 Mon Sep 17 00:00:00 2001
+From 45b6688a45611bb5818e1b6aa7313c91797aa003 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:15:49 +0100
Subject: [PATCH 01/47] fr-ca keymap corrections
-From 1dfa1a8df7b065e15639d078c0f137f2dec7c3fa Mon Sep 17 00:00:00 2001
+From 392fb50a1c43b47acffb1073a458703da93dfdd8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:16:49 +0100
Subject: [PATCH 02/47] Adjust network script path to /etc/kvm/
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/net/net.h b/include/net/net.h
-index e8d9e9e..375e81d 100644
+index 99b28d5..40c39f0 100644
--- a/include/net/net.h
+++ b/include/net/net.h
-@@ -216,8 +216,9 @@ void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp);
+@@ -214,8 +214,9 @@ void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp);
int net_hub_id_for_client(NetClientState *nc, int *id);
NetClientState *net_hub_port_find(int hub_id);
-From cf2ef62fc7d4ff7e64eed5a01e499c91b62121b9 Mon Sep 17 00:00:00 2001
+From f3e33fe70da6f9361bd940d2b029d293a71408ca Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:17:38 +0100
Subject: [PATCH 03/47] vnc: altgr emulation
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/ui/vnc.c b/ui/vnc.c
-index 76a3273..b9f36b5 100644
+index 821acdd..29575f8 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
-@@ -1733,6 +1733,10 @@ static void kbd_leds(void *opaque, int ledstate)
+@@ -1625,6 +1625,10 @@ static void kbd_leds(void *opaque, int ledstate)
static void do_key_event(VncState *vs, int down, int keycode, int sym)
{
/* QEMU console switch */
switch(keycode) {
case 0x2a: /* Left Shift */
-@@ -1813,8 +1817,27 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
+@@ -1705,8 +1709,27 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
}
if (qemu_console_is_graphic(NULL)) {
} else {
bool numlock = vs->modifiers_state[0x45];
bool control = (vs->modifiers_state[0x1d] ||
-@@ -1954,7 +1977,8 @@ static void key_event(VncState *vs, int down, uint32_t sym)
+@@ -1846,7 +1869,8 @@ static void key_event(VncState *vs, int down, uint32_t sym)
lsym = lsym - 'A' + 'a';
}
-From baf469b28e3f1bfd5b03e449ffcd8f41c80a5387 Mon Sep 17 00:00:00 2001
+From adea2808e62d32a9b22bbe3d16c84c92289983a8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:18:46 +0100
Subject: [PATCH 04/47] qemu-img: return success on info without snapshots
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/qemu-img.c b/qemu-img.c
-index f204d041..99be68f 100644
+index b220cf7..4f7f458 100644
--- a/qemu-img.c
+++ b/qemu-img.c
-@@ -2389,7 +2389,8 @@ static int img_info(int argc, char **argv)
+@@ -2596,7 +2596,8 @@ static int img_info(int argc, char **argv)
list = collect_image_info_list(image_opts, filename, fmt, chain);
if (!list) {
-From c5405c552945f19b36ecc748a2a0e0ec14dff31e Mon Sep 17 00:00:00 2001
+From bd3aa97864804b5b37421f199b9fe64e3b16b52c Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:27:05 +0100
Subject: [PATCH 05/47] use kvm by default
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/accel.c b/accel.c
-index 403eb5e..dd2ebea 100644
+index 664bb88..ddb23a3 100644
--- a/accel.c
+++ b/accel.c
-@@ -88,8 +88,8 @@ void configure_accelerator(MachineState *ms)
+@@ -87,8 +87,8 @@ void configure_accelerator(MachineState *ms)
p = qemu_opt_get(qemu_get_machine_opts(), "accel");
if (p == NULL) {
-From 132444451193736847c68d91f74c09cb76a16e6a Mon Sep 17 00:00:00 2001
+From 5921bc0360f6964a5bb5355c2707c806425f4734 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:27:49 +0100
Subject: [PATCH 06/47] virtio-balloon: fix query
hmp.c | 30 +++++++++++++++++++++++++++++-
hw/virtio/virtio-balloon.c | 33 +++++++++++++++++++++++++++++++--
qapi-schema.json | 23 +++++++++++++++++++++--
- qmp-commands.hx | 13 +++++++++++++
- 4 files changed, 94 insertions(+), 5 deletions(-)
+ 3 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/hmp.c b/hmp.c
-index bb45f7f..3b0dd81 100644
+index edb8970..904542d 100644
--- a/hmp.c
+++ b/hmp.c
-@@ -704,7 +704,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict)
+@@ -723,7 +723,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict)
return;
}
qapi_free_BalloonInfo(info);
}
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index ad4189a..b3a17f4 100644
+index a705e0e..158e13e 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
-@@ -376,8 +376,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
+@@ -379,8 +379,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
static void virtio_balloon_stat(void *opaque, BalloonInfo *info)
{
VirtIOBalloon *dev = opaque;
static void virtio_balloon_to_target(void *opaque, ram_addr_t target)
diff --git a/qapi-schema.json b/qapi-schema.json
-index 5658723..4bf7222 100644
+index b921994..e7a8117 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -1278,10 +1278,29 @@
+@@ -1900,10 +1900,29 @@
#
# @actual: the number of bytes the balloon currently contains
#
-# Since: 0.14.0
-+# @last_update: #optional time when stats got updated from guest
++# @last_update: time when stats got updated from guest
+#
-+# @mem_swapped_in: #optional number of pages swapped in within the guest
++# @mem_swapped_in: number of pages swapped in within the guest
+#
-+# @mem_swapped_out: #optional number of pages swapped out within the guest
++# @mem_swapped_out: number of pages swapped out within the guest
+#
-+# @major_page_faults: #optional number of major page faults within the guest
++# @major_page_faults: number of major page faults within the guest
#
-+# @minor_page_faults: #optional number of minor page faults within the guest
++# @minor_page_faults: number of minor page faults within the guest
+#
-+# @free_mem: #optional amount of memory (in bytes) free in the guest
++# @free_mem: amount of memory (in bytes) free in the guest
+#
-+# @total_mem: #optional amount of memory (in bytes) visible to the guest
++# @total_mem: amount of memory (in bytes) visible to the guest
+#
+# @max_mem: amount of memory (in bytes) assigned to the guest
+#
##
# @query-balloon:
-diff --git a/qmp-commands.hx b/qmp-commands.hx
-index 6866264..6de28d4 100644
---- a/qmp-commands.hx
-+++ b/qmp-commands.hx
-@@ -3854,6 +3854,13 @@ Make an asynchronous request for balloon info. When the request completes a
- json-object will be returned containing the following data:
-
- - "actual": current balloon value in bytes (json-int)
-+- "mem_swapped_in": Amount of memory swapped in bytes (json-int, optional)
-+- "mem_swapped_out": Amount of memory swapped out in bytes (json-int, optional)
-+- "major_page_faults": Number of major faults (json-int, optional)
-+- "minor_page_faults": Number of minor faults (json-int, optional)
-+- "free_mem": Total amount of free and unused memory in
-+ bytes (json-int, optional)
-+- "total_mem": Total amount of available memory in bytes (json-int, optional)
-
- Example:
-
-@@ -3861,6 +3868,12 @@ Example:
- <- {
- "return":{
- "actual":1073741824,
-+ "mem_swapped_in":0,
-+ "mem_swapped_out":0,
-+ "major_page_faults":142,
-+ "minor_page_faults":239245,
-+ "free_mem":1014185984,
-+ "total_mem":1044668416
- }
- }
-
--
2.1.4
-From 118ca6343a48aaab7d1a8f252fb36008c823e551 Mon Sep 17 00:00:00 2001
+From bc04d6e5e09d517a9c8833fd407a655be3cf21fe Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:30:21 +0100
Subject: [PATCH 07/47] set the CPU model to kvm64/32 instead of qemu64/32
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index 022dd1b..ba8a5a1 100644
+index d24388e..81e91a4 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
-@@ -1160,9 +1160,9 @@ void pc_cpus_init(PCMachineState *pcms)
+@@ -1151,9 +1151,9 @@ void pc_cpus_init(PCMachineState *pcms)
/* init CPUs */
if (machine->cpu_model == NULL) {
#ifdef TARGET_X86_64
-From dc5b92fbb2d405fd86228409b1f25c0bb2d6d973 Mon Sep 17 00:00:00 2001
+From e453e9a98f7f0c2a213fe5bee04ece37ce10e625 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:31:18 +0100
Subject: [PATCH 08/47] qapi: modify query machines
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/qapi-schema.json b/qapi-schema.json
-index 4bf7222..63507f5 100644
+index e7a8117..2c40928 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -3027,6 +3027,8 @@
+@@ -4245,6 +4245,8 @@
#
- # @default: #optional whether the machine is default
+ # @is-default: whether the machine is default
#
-+# @current: #optional whether this machine is currently used
++# @is-current: whether this machine is currently used
+#
# @cpu-max: maximum number of CPUs supported by the machine type
# (since 1.5.0)
#
-@@ -3036,7 +3038,7 @@
+@@ -4254,7 +4256,7 @@
##
{ 'struct': 'MachineInfo',
'data': { 'name': 'str', '*alias': 'str',
##
diff --git a/vl.c b/vl.c
-index 6a218ce..b226e0b 100644
+index 0b4ed52..868c489 100644
--- a/vl.c
+++ b/vl.c
-@@ -1509,6 +1509,11 @@ MachineInfoList *qmp_query_machines(Error **errp)
+@@ -1518,6 +1518,11 @@ MachineInfoList *qmp_query_machines(Error **errp)
info->cpu_max = !mc->max_cpus ? 1 : mc->max_cpus;
- info->hotpluggable_cpus = !!mc->query_hotpluggable_cpus;
+ info->hotpluggable_cpus = mc->has_hotpluggable_cpus;
+ if (strcmp(mc->name, MACHINE_GET_CLASS(current_machine)->name) == 0) {
+ info->has_is_current = true;
-From c09467afaf37989942076b45f6ffa7bb8ebde2ca Mon Sep 17 00:00:00 2001
+From c51f39a5741210b7df2ac212a8ced14ef950d415 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:32:11 +0100
Subject: [PATCH 09/47] qapi: modify spice query
2 files changed, 8 insertions(+)
diff --git a/qapi-schema.json b/qapi-schema.json
-index 63507f5..518c2ea 100644
+index 2c40928..ca534cc 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -1253,11 +1253,14 @@
+@@ -1841,11 +1841,14 @@
#
# @channels: a list of @SpiceChannel for each active spice channel
#
-+# @ticket: #optional The last ticket set with set_password
++# @ticket: The last ticket set with set_password
+#
# Since: 0.14.0
##
##
diff --git a/ui/spice-core.c b/ui/spice-core.c
-index da05054..acf5a73 100644
+index 804abc5..4a41731 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
-@@ -543,6 +543,11 @@ SpiceInfo *qmp_query_spice(Error **errp)
+@@ -552,6 +552,11 @@ SpiceInfo *qmp_query_spice(Error **errp)
micro = SPICE_SERVER_VERSION & 0xff;
info->compiled_version = g_strdup_printf("%d.%d.%d", major, minor, micro);
-From 78cc6a38bfa2c986ff75a322d750a548bf2291b9 Mon Sep 17 00:00:00 2001
+From 1434b9fad738e852f789cd8b951f2f4e1e08d3e5 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:33:34 +0100
Subject: [PATCH 10/47] ui/spice: default to pve certs unless otherwise
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/ui/spice-core.c b/ui/spice-core.c
-index acf5a73..4f1cf45 100644
+index 4a41731..af1dc8c 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
-@@ -676,32 +676,35 @@ void qemu_spice_init(void)
+@@ -685,32 +685,35 @@ void qemu_spice_init(void)
if (tls_port) {
x509_dir = qemu_opt_get(opts, "x509-dir");
-From 183d526538782e8c3644db303846cf0a70595009 Mon Sep 17 00:00:00 2001
+From c1338b34ccac2c5e6d7d1aca3ca3e3457a3f744c Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Tue, 13 Nov 2012 11:11:38 +0100
Subject: [PATCH 11/47] introduce new vma archive format
Makefile.objs | 1 +
vma-reader.c | 797 +++++++++++++++++++++++++++++++++++++++++++++++++++++
vma-writer.c | 870 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- vma.c | 585 +++++++++++++++++++++++++++++++++++++++
+ vma.c | 586 +++++++++++++++++++++++++++++++++++++++
vma.h | 146 ++++++++++
- 6 files changed, 2401 insertions(+), 1 deletion(-)
+ 6 files changed, 2402 insertions(+), 1 deletion(-)
create mode 100644 vma-reader.c
create mode 100644 vma-writer.c
create mode 100644 vma.c
create mode 100644 vma.h
diff --git a/Makefile b/Makefile
-index 50b4b3a..d92d905 100644
+index 6c359b2..edbc8b5 100644
--- a/Makefile
+++ b/Makefile
-@@ -165,7 +165,7 @@ ifneq ($(wildcard config-host.mak),)
+@@ -284,7 +284,7 @@ ifneq ($(wildcard config-host.mak),)
include $(SRC_PATH)/tests/Makefile.include
endif
qemu-version.h: FORCE
$(call quiet-command, \
-@@ -256,6 +256,7 @@ qemu-img.o: qemu-img-cmds.h
- qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
- qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
- qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
-+vma$(EXESUF): vma.o vma-reader.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
+@@ -377,6 +377,7 @@ qemu-img.o: qemu-img-cmds.h
+ qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
+ qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
+ qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
++vma$(EXESUF): vma.o vma-reader.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
- qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o libqemuutil.a libqemustub.a
+ qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o $(COMMON_LDADDS)
diff --git a/Makefile.objs b/Makefile.objs
-index 6d5ddcf..845edd0 100644
+index 6167e7b..9b12ee6 100644
--- a/Makefile.objs
+++ b/Makefile.objs
-@@ -15,6 +15,7 @@ block-obj-$(CONFIG_POSIX) += aio-posix.o
- block-obj-$(CONFIG_WIN32) += aio-win32.o
+@@ -14,6 +14,7 @@ block-obj-y += block.o blockjob.o
block-obj-y += block/
block-obj-y += qemu-io-cmds.o
+ block-obj-$(CONFIG_REPLICATION) += replication.o
+block-obj-y += vma-writer.o
block-obj-m = block/
+}
diff --git a/vma.c b/vma.c
new file mode 100644
-index 0000000..8014090
+index 0000000..8732bfa
--- /dev/null
+++ b/vma.c
-@@ -0,0 +1,585 @@
+@@ -0,0 +1,586 @@
+/*
+ * VMA: Virtual Machine Archive
+ *
+#include "qemu-common.h"
+#include "qemu/error-report.h"
+#include "qemu/main-loop.h"
++#include "qapi/qmp/qstring.h"
+#include "sysemu/char.h" /* qstring_from_str */
+
+static void help(void)
-From 144e613eeca6a3383b981f9ca8b82c4a354b36c2 Mon Sep 17 00:00:00 2001
+From f6a9d9269a4f07eb7b2161884dde52a65f58c9f6 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Mon, 11 Mar 2013 07:07:46 +0100
Subject: [PATCH 12/47] vma: add verify command
+}
+
diff --git a/vma.c b/vma.c
-index 8014090..d55874a 100644
+index 8732bfa..ab7b766 100644
--- a/vma.c
+++ b/vma.c
-@@ -28,6 +28,7 @@ static void help(void)
+@@ -29,6 +29,7 @@ static void help(void)
"vma list <filename>\n"
"vma create <filename> [-c config] <archive> pathname ...\n"
"vma extract <filename> [-r <fifo>] <targetdir>\n"
;
printf("%s", help_msg);
-@@ -332,6 +333,58 @@ static int extract_content(int argc, char **argv)
+@@ -333,6 +334,58 @@ static int extract_content(int argc, char **argv)
return ret;
}
typedef struct BackupJob {
BlockDriverState *bs;
int64_t len;
-@@ -578,6 +631,8 @@ int main(int argc, char **argv)
+@@ -579,6 +632,8 @@ int main(int argc, char **argv)
return create_archive(argc, argv);
} else if (!strcmp(cmdname, "extract")) {
return extract_content(argc, argv);
-From 48896281bebc5c69760f4e47625e4db81e3a9004 Mon Sep 17 00:00:00 2001
+From cfc9d20b832a3db40b4e61fa6af0fbcda911ec2e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 14:46:49 +0100
Subject: [PATCH 13/47] vma: add 'config' command to dump the config
1 file changed, 64 insertions(+)
diff --git a/vma.c b/vma.c
-index d55874a..79bdd00 100644
+index ab7b766..8925407 100644
--- a/vma.c
+++ b/vma.c
-@@ -26,6 +26,7 @@ static void help(void)
+@@ -27,6 +27,7 @@ static void help(void)
"usage: vma command [command options]\n"
"\n"
"vma list <filename>\n"
"vma create <filename> [-c config] <archive> pathname ...\n"
"vma extract <filename> [-r <fifo>] <targetdir>\n"
"vma verify <filename> [-v]\n"
-@@ -604,6 +605,67 @@ static int create_archive(int argc, char **argv)
+@@ -605,6 +606,67 @@ static int create_archive(int argc, char **argv)
return 0;
}
int main(int argc, char **argv)
{
const char *cmdname;
-@@ -633,6 +695,8 @@ int main(int argc, char **argv)
+@@ -634,6 +696,8 @@ int main(int argc, char **argv)
return extract_content(argc, argv);
} else if (!strcmp(cmdname, "verify")) {
return verify_content(argc, argv);
-From 1078c0f6acc1bfba04b7d5cdfdeb02b161b5f7c4 Mon Sep 17 00:00:00 2001
+From 46f9d5c97a466bc121c99d9f178a4c1bdc74e9f9 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:04:57 +0100
Subject: [PATCH 14/47] backup: modify job api
for backup_start. For a dump-backup the target parameter
can now be NULL so access to target needs to be guarded now.
---
- block/backup.c | 82 +++++++++++++++++++++++++++++++----------------
- blockdev.c | 6 ++--
- include/block/block_int.h | 5 +++
- 3 files changed, 63 insertions(+), 30 deletions(-)
+ block/backup.c | 116 ++++++++++++++++++++++++++++------------------
+ block/replication.c | 3 +-
+ blockdev.c | 4 +-
+ include/block/block_int.h | 5 ++
+ 4 files changed, 81 insertions(+), 47 deletions(-)
diff --git a/block/backup.c b/block/backup.c
-index 2c05323..f3c0ba3 100644
+index a4fb288..3a230b5 100644
--- a/block/backup.c
+++ b/block/backup.c
-@@ -41,6 +41,7 @@ typedef struct BackupBlockJob {
+@@ -36,6 +36,7 @@ typedef struct BackupBlockJob {
BdrvDirtyBitmap *sync_bitmap;
MirrorSyncMode sync_mode;
RateLimit limit;
BlockdevOnError on_source_error;
BlockdevOnError on_target_error;
CoRwlock flush_rwlock;
-@@ -149,12 +150,23 @@ static int coroutine_fn backup_do_cow(BackupBlockJob *job,
+@@ -145,13 +146,24 @@ static int coroutine_fn backup_do_cow(BackupBlockJob *job,
goto out;
}
+ }
} else {
- ret = blk_co_pwritev(job->target, start * job->cluster_size,
-- bounce_qiov.size, &bounce_qiov, 0);
+- bounce_qiov.size, &bounce_qiov,
+- job->compress ? BDRV_REQ_WRITE_COMPRESSED : 0);
+ if (job->dump_cb) {
+ ret = job->dump_cb(job->common.opaque, job->target, start_sec, n, bounce_buffer);
+ }
+ if (job->target) {
+ ret = blk_co_pwritev(job->target, start * job->cluster_size,
-+ bounce_qiov.size, &bounce_qiov, 0);
++ bounce_qiov.size, &bounce_qiov,
++ job->compress ? BDRV_REQ_WRITE_COMPRESSED : 0);
+ }
}
if (ret < 0) {
trace_backup_do_cow_write_fail(job, start, ret);
-@@ -268,9 +280,11 @@ static BlockErrorAction backup_error_action(BackupBlockJob *job,
+@@ -330,9 +342,11 @@ static BlockErrorAction backup_error_action(BackupBlockJob *job,
if (read) {
return block_job_error_action(&job->common, job->on_source_error,
true, error);
}
}
-@@ -393,6 +407,7 @@ static void coroutine_fn backup_run(void *opaque)
+@@ -453,6 +467,7 @@ static void coroutine_fn backup_run(void *opaque)
job->done_bitmap = bitmap_new(end);
job->before_write.notify = backup_before_write_notify;
bdrv_add_before_write_notifier(bs, &job->before_write);
-@@ -467,7 +482,9 @@ static void coroutine_fn backup_run(void *opaque)
- qemu_co_rwlock_unlock(&job->flush_rwlock);
- g_free(job->done_bitmap);
-
-- bdrv_op_unblock_all(blk_bs(target), job->common.blocker);
-+ if (target) {
-+ bdrv_op_unblock_all(blk_bs(target), job->common.blocker);
-+ }
-
- data = g_malloc(sizeof(*data));
- data->ret = ret;
-@@ -479,7 +496,9 @@ void backup_start(const char *job_id, BlockDriverState *bs,
- MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
+@@ -557,7 +572,9 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
BlockdevOnError on_source_error,
BlockdevOnError on_target_error,
+ int creation_flags,
+ BackupDumpFunc *dump_cb,
BlockCompletionFunc *cb, void *opaque,
+ int pause_count,
BlockJobTxn *txn, Error **errp)
{
int64_t len;
-@@ -488,7 +507,7 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+@@ -566,7 +583,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
int ret;
assert(bs);
if (bs == target) {
error_setg(errp, "Source and target cannot be the same");
-@@ -501,7 +520,7 @@ void backup_start(const char *job_id, BlockDriverState *bs,
- return;
+@@ -579,13 +596,13 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+ return NULL;
}
- if (!bdrv_is_inserted(target)) {
+ if (target && !bdrv_is_inserted(target)) {
error_setg(errp, "Device is not inserted: %s",
bdrv_get_device_name(target));
- return;
-@@ -511,7 +530,7 @@ void backup_start(const char *job_id, BlockDriverState *bs,
- return;
+ return NULL;
+ }
+
+- if (compress && target->drv->bdrv_co_pwritev_compressed == NULL) {
++ if (target && compress && target->drv->bdrv_co_pwritev_compressed == NULL) {
+ error_setg(errp, "Compression is not supported for this drive %s",
+ bdrv_get_device_name(target));
+ return NULL;
+@@ -595,7 +612,7 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+ return NULL;
}
- if (bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) {
+ if (target && bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) {
- return;
+ return NULL;
}
-@@ -547,34 +566,43 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+@@ -635,15 +652,18 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
goto error;
}
-- job->target = blk_new();
-- blk_insert_bs(job->target, target);
+- /* The target must match the source in size, so no resize here either */
+- job->target = blk_new(BLK_PERM_WRITE,
+- BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE |
+- BLK_PERM_WRITE_UNCHANGED | BLK_PERM_GRAPH_MOD);
+- ret = blk_insert_bs(job->target, target, errp);
+- if (ret < 0) {
+- goto error;
+ if (target) {
-+ job->target = blk_new();
-+ blk_insert_bs(job->target, target);
-+ }
++ /* The target must match the source in size, so no resize here either */
++ job->target = blk_new(BLK_PERM_WRITE,
++ BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE |
++ BLK_PERM_WRITE_UNCHANGED | BLK_PERM_GRAPH_MOD);
++ ret = blk_insert_bs(job->target, target, errp);
++ if (ret < 0) {
++ goto error;
++ }
+ }
+ job->dump_cb = dump_cb;
job->on_source_error = on_source_error;
job->on_target_error = on_target_error;
job->sync_mode = sync_mode;
- job->sync_bitmap = sync_mode == MIRROR_SYNC_MODE_INCREMENTAL ?
+@@ -651,36 +671,44 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
sync_bitmap : NULL;
+ job->compress = compress;
- /* If there is no backing file on the target, we cannot rely on COW if our
- * backup cluster size is smaller than the target cluster size. Even for
- * targets with a backing file, try to avoid COW if possible. */
- ret = bdrv_get_info(target, &bdi);
-- if (ret < 0 && !target->backing) {
+- if (ret == -ENOTSUP && !target->backing) {
+- /* Cluster size is not defined */
+- error_report("WARNING: The target block device doesn't provide "
+- "information about the block size and it doesn't have a "
+- "backing file. The default block size of %u bytes is "
+- "used. If the actual block size of the target exceeds "
+- "this default, the backup may be unusable",
+- BACKUP_CLUSTER_SIZE_DEFAULT);
+- job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
+- } else if (ret < 0 && !target->backing) {
- error_setg_errno(errp, -ret,
- "Couldn't determine the cluster size of the target image, "
- "which has no backing file");
+ * backup cluster size is smaller than the target cluster size. Even for
+ * targets with a backing file, try to avoid COW if possible. */
+ ret = bdrv_get_info(target, &bdi);
-+ if (ret < 0 && !target->backing) {
++ if (ret == -ENOTSUP && !target->backing) {
++ /* Cluster size is not defined */
++ error_report("WARNING: The target block device doesn't provide "
++ "information about the block size and it doesn't have a "
++ "backing file. The default block size of %u bytes is "
++ "used. If the actual block size of the target exceeds "
++ "this default, the backup may be unusable",
++ BACKUP_CLUSTER_SIZE_DEFAULT);
++ job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
++ } else if (ret < 0 && !target->backing) {
+ error_setg_errno(errp, -ret,
+ "Couldn't determine the cluster size of the target image, "
+ "which has no backing file");
+ /* Not fatal; just trudge on ahead. */
+ job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
+ } else {
-+ job->cluster_size = MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size);
++ job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
+ }
-+
-+ bdrv_op_block_all(target, job->common.blocker);
} else {
- job->cluster_size = MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size);
+ job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
}
-- bdrv_op_block_all(target, job->common.blocker);
-+ job->common.pause_count = pause_count;
+- /* Required permissions are already taken with target's blk_new() */
+- block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL,
+- &error_abort);
++ if (target) {
++ /* Required permissions are already taken with target's blk_new() */
++ block_job_add_bdrv(&job->common, "target", target, 0, BLK_PERM_ALL,
++ &error_abort);
++ } else {
++ job->common.pause_count = pause_count;
++ }
job->common.len = len;
- job->common.co = qemu_coroutine_create(backup_run, job);
block_job_txn_add_job(txn, &job->common);
+
+diff --git a/block/replication.c b/block/replication.c
+index bf3c395..60c6524 100644
+--- a/block/replication.c
++++ b/block/replication.c
+@@ -531,7 +531,8 @@ static void replication_start(ReplicationState *rs, ReplicationMode mode,
+ 0, MIRROR_SYNC_MODE_NONE, NULL, false,
+ BLOCKDEV_ON_ERROR_REPORT,
+ BLOCKDEV_ON_ERROR_REPORT, BLOCK_JOB_INTERNAL,
+- backup_job_completed, bs, NULL, &local_err);
++ NULL,
++ backup_job_completed, bs, 0, NULL, &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ backup_job_cleanup(bs);
diff --git a/blockdev.c b/blockdev.c
-index 2161400..5e3707d 100644
+index 040c152..bb3fc5b 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3277,8 +3277,8 @@ static void do_drive_backup(const char *job_id, const char *device,
- }
-
- backup_start(job_id, bs, target_bs, speed, sync, bmap,
-- on_source_error, on_target_error,
-- block_job_cb, bs, txn, &local_err);
-+ on_source_error, on_target_error, NULL,
-+ block_job_cb, bs, 0, txn, &local_err);
+@@ -3273,7 +3273,7 @@ static BlockJob *do_drive_backup(DriveBackup *backup, BlockJobTxn *txn,
+ job = backup_job_create(backup->job_id, bs, target_bs, backup->speed,
+ backup->sync, bmap, backup->compress,
+ backup->on_source_error, backup->on_target_error,
+- BLOCK_JOB_DEFAULT, NULL, NULL, txn, &local_err);
++ BLOCK_JOB_DEFAULT, NULL, NULL, NULL, 0, txn, &local_err);
bdrv_unref(target_bs);
if (local_err != NULL) {
error_propagate(errp, local_err);
-@@ -3371,7 +3371,7 @@ void do_blockdev_backup(const char *job_id, const char *device,
- }
- }
- backup_start(job_id, bs, target_bs, speed, sync, NULL, on_source_error,
-- on_target_error, block_job_cb, bs, txn, &local_err);
-+ on_target_error, NULL, block_job_cb, bs, 0, txn, &local_err);
+@@ -3352,7 +3352,7 @@ BlockJob *do_blockdev_backup(BlockdevBackup *backup, BlockJobTxn *txn,
+ job = backup_job_create(backup->job_id, bs, target_bs, backup->speed,
+ backup->sync, NULL, backup->compress,
+ backup->on_source_error, backup->on_target_error,
+- BLOCK_JOB_DEFAULT, NULL, NULL, txn, &local_err);
++ BLOCK_JOB_DEFAULT, NULL, NULL, NULL, 0, txn, &local_err);
if (local_err != NULL) {
error_propagate(errp, local_err);
}
diff --git a/include/block/block_int.h b/include/block/block_int.h
-index 1e939de..db4650e 100644
+index 59400bd..ec65581 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -59,6 +59,9 @@
enum BdrvTrackedRequestType {
BDRV_TRACKED_READ,
BDRV_TRACKED_WRITE,
-@@ -767,7 +770,9 @@ void backup_start(const char *job_id, BlockDriverState *bs,
- MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
- BlockdevOnError on_source_error,
- BlockdevOnError on_target_error,
-+ BackupDumpFunc *dump_cb,
- BlockCompletionFunc *cb, void *opaque,
-+ int pause_count,
- BlockJobTxn *txn, Error **errp);
+@@ -877,7 +880,9 @@ BlockJob *backup_job_create(const char *job_id, BlockDriverState *bs,
+ BlockdevOnError on_source_error,
+ BlockdevOnError on_target_error,
+ int creation_flags,
++ BackupDumpFunc *dump_cb,
+ BlockCompletionFunc *cb, void *opaque,
++ int pause_count,
+ BlockJobTxn *txn, Error **errp);
void hmp_drive_add_node(Monitor *mon, const char *optstr);
--
-From 798846b48b31d8231a3af5858285845d932d1d6b Mon Sep 17 00:00:00 2001
+From 8c04a78d763014aa9efb179a451ea332cf7d5454 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:20:56 +0100
Subject: [PATCH 15/47] backup: add pve monitor commands
---
- blockdev.c | 439 ++++++++++++++++++++++++++++++++++++++++++++++
- blockjob.c | 3 +-
+ blockdev.c | 465 ++++++++++++++++++++++++++++++++++++++++++++++
+ blockjob.c | 11 +-
hmp-commands-info.hx | 13 ++
hmp-commands.hx | 29 +++
- hmp.c | 61 +++++++
+ hmp.c | 61 ++++++
hmp.h | 3 +
include/block/block_int.h | 2 +-
- qapi-schema.json | 89 ++++++++++
- qmp-commands.hx | 18 ++
- 9 files changed, 655 insertions(+), 2 deletions(-)
+ qapi-schema.json | 90 +++++++++
+ 8 files changed, 668 insertions(+), 6 deletions(-)
diff --git a/blockdev.c b/blockdev.c
-index 5e3707d..5417bb0 100644
+index bb3fc5b..3e5c9ce 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -52,6 +52,7 @@
- #include "sysemu/arch_init.h"
+@@ -35,6 +35,7 @@
+ #include "sysemu/blockdev.h"
+ #include "hw/block/block.h"
+ #include "block/blockjob.h"
++#include "block/blockjob_int.h"
+ #include "block/throttle-groups.h"
+ #include "monitor/monitor.h"
+ #include "qemu/error-report.h"
+@@ -53,6 +54,7 @@
#include "qemu/cutils.h"
#include "qemu/help_option.h"
+ #include "qemu/throttle-options.h"
+#include "vma.h"
static QTAILQ_HEAD(, BlockDriverState) monitor_bdrv_states =
QTAILQ_HEAD_INITIALIZER(monitor_bdrv_states);
-@@ -2976,6 +2977,444 @@ static void block_job_cb(void *opaque, int ret)
- }
+@@ -2956,6 +2958,469 @@ out:
+ aio_context_release(aio_context);
}
++void block_job_event_cancelled(BlockJob *job);
++void block_job_event_completed(BlockJob *job, const char *msg);
++static void block_job_cb(void *opaque, int ret)
++{
++ /* Note that this function may be executed from another AioContext besides
++ * the QEMU main loop. If you need to access anything that assumes the
++ * QEMU global mutex, use a BH or introduce a mutex.
++ */
++
++ BlockDriverState *bs = opaque;
++ const char *msg = NULL;
++
++ assert(bs->job);
++
++ if (ret < 0) {
++ msg = strerror(-ret);
++ }
++
++ if (block_job_is_cancelled(bs->job)) {
++ block_job_event_cancelled(bs->job);
++ } else {
++ block_job_event_completed(bs->job, msg);
++ }
++}
++
+/* PVE backup related function */
+
+static struct PVEBackupState {
+ PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
+ l = g_list_next(l);
+
-+ backup_start(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL,
-+ BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
-+ pvebackup_dump_cb, pvebackup_complete_cb, di,
-+ 1, NULL, &local_err);
++ backup_job_create(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL,
++ BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
++ pvebackup_dump_cb, pvebackup_complete_cb, di,
++ 1, NULL, &local_err);
+ if (local_err != NULL) {
+ error_setg(&backup_state.error, "backup_job_create failed");
+ pvebackup_cancel(NULL);
+
void qmp_block_stream(bool has_job_id, const char *job_id, const char *device,
bool has_base, const char *base,
- bool has_backing_file, const char *backing_file,
+ bool has_base_node, const char *base_node,
diff --git a/blockjob.c b/blockjob.c
-index a5ba3be..a550458 100644
+index 9b619f385..54bd34a 100644
--- a/blockjob.c
+++ b/blockjob.c
-@@ -331,7 +331,8 @@ void block_job_pause(BlockJob *job)
- job->pause_count++;
+@@ -37,8 +37,8 @@
+ #include "qemu/timer.h"
+ #include "qapi-event.h"
+
+-static void block_job_event_cancelled(BlockJob *job);
+-static void block_job_event_completed(BlockJob *job, const char *msg);
++void block_job_event_cancelled(BlockJob *job);
++void block_job_event_completed(BlockJob *job, const char *msg);
+
+ /* Transactional group of block jobs */
+ struct BlockJobTxn {
+@@ -473,7 +473,8 @@ void block_job_user_pause(BlockJob *job)
+ block_job_pause(job);
}
-static bool block_job_should_pause(BlockJob *job)
{
return job->pause_count > 0;
}
+@@ -687,7 +688,7 @@ static void block_job_iostatus_set_err(BlockJob *job, int error)
+ }
+ }
+
+-static void block_job_event_cancelled(BlockJob *job)
++void block_job_event_cancelled(BlockJob *job)
+ {
+ if (block_job_is_internal(job)) {
+ return;
+@@ -701,7 +702,7 @@ static void block_job_event_cancelled(BlockJob *job)
+ &error_abort);
+ }
+
+-static void block_job_event_completed(BlockJob *job, const char *msg)
++void block_job_event_completed(BlockJob *job, const char *msg)
+ {
+ if (block_job_is_internal(job)) {
+ return;
diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
-index 74446c6..7616fe2 100644
+index a53f105..1a18380 100644
--- a/hmp-commands-info.hx
+++ b/hmp-commands-info.hx
-@@ -502,6 +502,19 @@ STEXI
+@@ -487,6 +487,19 @@ STEXI
Show CPU statistics.
ETEXI
+ .args_type = "",
+ .params = "",
+ .help = "show backup status",
-+ .mhandler.cmd = hmp_info_backup,
++ .cmd = hmp_info_backup,
+ },
+
+STEXI
{
.name = "usernet",
diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 848efee..8f2f3e0 100644
+index 8819281..aea39d0 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -87,6 +87,35 @@ STEXI
+ .args_type = "backupfile:s,speed:o?,devlist:s?",
+ .params = "backupfile [speed [devlist]]",
+ .help = "create a VM Backup.",
-+ .mhandler.cmd = hmp_backup,
++ .cmd = hmp_backup,
+ },
+
+STEXI
+ .args_type = "",
+ .params = "",
+ .help = "cancel the current VM backup",
-+ .mhandler.cmd = hmp_backup_cancel,
++ .cmd = hmp_backup_cancel,
+ },
+
+STEXI
.name = "block_job_set_speed",
.args_type = "device:B,speed:o",
diff --git a/hmp.c b/hmp.c
-index 3b0dd81..95da164 100644
+index 904542d..c685ba5 100644
--- a/hmp.c
+++ b/hmp.c
-@@ -149,6 +149,44 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
+@@ -151,6 +151,44 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
qapi_free_MouseInfoList(mice_list);
}
void hmp_info_migrate(Monitor *mon, const QDict *qdict)
{
MigrationInfo *info;
-@@ -1493,6 +1531,29 @@ void hmp_block_stream(Monitor *mon, const QDict *qdict)
+@@ -1613,6 +1651,29 @@ void hmp_block_stream(Monitor *mon, const QDict *qdict)
hmp_handle_error(mon, &error);
}
{
Error *error = NULL;
diff --git a/hmp.h b/hmp.h
-index 0876ec0..9a4c1f6 100644
+index 799fd37..17a65b2 100644
--- a/hmp.h
+++ b/hmp.h
@@ -30,6 +30,7 @@ void hmp_info_migrate(Monitor *mon, const QDict *qdict);
void hmp_info_cpus(Monitor *mon, const QDict *qdict);
void hmp_info_block(Monitor *mon, const QDict *qdict);
void hmp_info_blockstats(Monitor *mon, const QDict *qdict);
-@@ -76,6 +77,8 @@ void hmp_eject(Monitor *mon, const QDict *qdict);
+@@ -79,6 +80,8 @@ void hmp_eject(Monitor *mon, const QDict *qdict);
void hmp_change(Monitor *mon, const QDict *qdict);
void hmp_block_set_io_throttle(Monitor *mon, const QDict *qdict);
void hmp_block_stream(Monitor *mon, const QDict *qdict);
void hmp_block_job_cancel(Monitor *mon, const QDict *qdict);
void hmp_block_job_pause(Monitor *mon, const QDict *qdict);
diff --git a/include/block/block_int.h b/include/block/block_int.h
-index db4650e..0f79b51 100644
+index ec65581..278da16 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -59,7 +59,7 @@
enum BdrvTrackedRequestType {
diff --git a/qapi-schema.json b/qapi-schema.json
-index 518c2ea..89d9ea6 100644
+index ca534cc..059cbfc 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -356,6 +356,95 @@
- ##
+@@ -570,6 +570,96 @@
{ 'command': 'query-events', 'returns': ['EventInfo'] }
+ ##
+# @BackupStatus:
+#
+# Detailed backup status.
+#
-+# @status: #optional string describing the current backup status.
++# @status: string describing the current backup status.
+# This can be 'active', 'done', 'error'. If this field is not
+# returned, no backup process has been initiated
+#
-+# @errmsg: #optional error message (only returned if status is 'error')
++# @errmsg: error message (only returned if status is 'error')
+#
-+# @total: #optional total amount of bytes involved in the backup process
++# @total: total amount of bytes involved in the backup process
+#
-+# @transferred: #optional amount of bytes already backed up.
++# @transferred: amount of bytes already backed up.
+#
-+# @zero-bytes: #optional amount of 'zero' bytes detected.
++# @zero-bytes: amount of 'zero' bytes detected.
+#
-+# @start-time: #optional time (epoch) when backup job started.
++# @start-time: time (epoch) when backup job started.
+#
-+# @end-time: #optional time (epoch) when backup job finished.
++# @end-time: time (epoch) when backup job finished.
+#
-+# @backupfile: #optional backup file name
++# @backup-file: backup file name
+#
-+# @uuid: #optional uuid for this backup job
++# @uuid: uuid for this backup job
+#
+##
+{ 'struct': 'BackupStatus',
+ '*backup-file': 'str', '*uuid': 'str' } }
+
+##
-+# @BackupFormat
++# @BackupFormat:
+#
+# An enumeration of supported backup formats.
+#
+#
+# @format: format of the backup file
+#
-+# @config-filename: #optional name of a configuration file to include into
++# @config-file: a configuration file to include into
+# the backup archive.
+#
-+# @speed: #optional the maximum speed, in bytes per second
++# @speed: the maximum speed, in bytes per second
+#
-+# @devlist: #optional list of block device names (separated by ',', ';'
++# @devlist: list of block device names (separated by ',', ';'
+# or ':'). By default the backup includes all writable block devices.
+#
+# Returns: the uuid of the backup job
+ 'returns': 'UuidInfo' }
+
+##
-+# @query-backup
++# @query-backup:
+#
+# Returns information about current/last backup task.
+#
+{ 'command': 'query-backup', 'returns': 'BackupStatus' }
+
+##
-+# @backup-cancel
++# @backup-cancel:
+#
+# Cancel the current executing backup process.
+#
+##
+{ 'command': 'backup-cancel' }
+
- ##
- # @MigrationStats
++##
+ # @MigrationStats:
#
-diff --git a/qmp-commands.hx b/qmp-commands.hx
-index 6de28d4..a8e8522 100644
---- a/qmp-commands.hx
-+++ b/qmp-commands.hx
-@@ -1314,6 +1314,24 @@ Example:
- EQMP
-
- {
-+ .name = "backup",
-+ .args_type = "backup-file:s,format:s?,config-file:F?,speed:o?,devlist:s?",
-+ .mhandler.cmd_new = qmp_marshal_backup,
-+ },
-+
-+ {
-+ .name = "backup-cancel",
-+ .args_type = "",
-+ .mhandler.cmd_new = qmp_marshal_backup_cancel,
-+ },
-+
-+ {
-+ .name = "query-backup",
-+ .args_type = "",
-+ .mhandler.cmd_new = qmp_marshal_query_backup,
-+ },
-+
-+ {
- .name = "block-job-set-speed",
- .args_type = "device:B,speed:o",
- .mhandler.cmd_new = qmp_marshal_block_job_set_speed,
+ # Detailed migration status.
--
2.1.4
-From 210be0fc498989e7b029de90b9d2599fdcc343d3 Mon Sep 17 00:00:00 2001
+From 7a74d0bf611d5a700970ae5000235d9345104bf3 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:21:54 +0100
Subject: [PATCH 16/47] backup: vma: add dir format
---
- blockdev.c | 124 +++++++++++++++++++++++++++++++++++++++++--------------
+ blockdev.c | 127 +++++++++++++++++++++++++++++++++++++++++--------------
hmp-commands.hx | 8 ++--
hmp.c | 4 +-
qapi-schema.json | 2 +-
vma.c | 2 +-
- 5 files changed, 103 insertions(+), 37 deletions(-)
+ 5 files changed, 105 insertions(+), 38 deletions(-)
diff --git a/blockdev.c b/blockdev.c
-index 5417bb0..d8b1db8 100644
+index 3e5c9ce..e065922 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3001,6 +3001,8 @@ typedef struct PVEBackupDevInfo {
+@@ -3007,6 +3007,8 @@ typedef struct PVEBackupDevInfo {
uint8_t dev_id;
//bool started;
bool completed;
} PVEBackupDevInfo;
static void pvebackup_run_next_job(void);
-@@ -3069,8 +3071,6 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -3075,8 +3077,6 @@ static void pvebackup_complete_cb(void *opaque, int ret)
{
PVEBackupDevInfo *di = opaque;
di->completed = true;
if (ret < 0 && !backup_state.error) {
-@@ -3081,8 +3081,11 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -3087,8 +3087,11 @@ static void pvebackup_complete_cb(void *opaque, int ret)
BlockDriverState *bs = di->bs;
di->bs = NULL;
block_job_cb(bs, ret);
-@@ -3162,6 +3165,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+@@ -3168,6 +3171,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
{
BlockBackend *blk;
BlockDriverState *bs = NULL;
Error *local_err = NULL;
uuid_t uuid;
VmaWriter *vmaw = NULL;
-@@ -3179,11 +3183,6 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+@@ -3185,11 +3189,6 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
/* Todo: try to auto-detect format based on file name */
format = has_format ? format : BACKUP_FORMAT_VMA;
if (has_devlist) {
devs = g_strsplit_set(devlist, ",;:", -1);
-@@ -3252,27 +3251,62 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+@@ -3258,27 +3257,62 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
uuid_generate(uuid);
}
/* add configuration file to archive */
-@@ -3285,12 +3319,27 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+@@ -3291,12 +3325,27 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
goto err;
}
g_free(cdata);
}
-@@ -3330,7 +3379,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+@@ -3336,8 +3385,9 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
l = g_list_next(l);
-- backup_start(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL,
-+ backup_start(NULL, di->bs, di->target, speed, MIRROR_SYNC_MODE_FULL, NULL,
- BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
- pvebackup_dump_cb, pvebackup_complete_cb, di,
- 1, NULL, &local_err);
-@@ -3352,8 +3401,17 @@ err:
+- backup_job_create(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL,
+- BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
++ backup_job_create(NULL, di->bs, di->target, speed, MIRROR_SYNC_MODE_FULL, NULL,
++ false, BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
++ BLOCK_JOB_DEFAULT,
+ pvebackup_dump_cb, pvebackup_complete_cb, di,
+ 1, NULL, &local_err);
+ if (local_err != NULL) {
+@@ -3358,8 +3408,17 @@ err:
l = di_list;
while (l) {
}
g_list_free(di_list);
-@@ -3367,6 +3425,10 @@ err:
+@@ -3373,6 +3432,10 @@ err:
unlink(backup_file);
}
}
diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 8f2f3e0..0e20ef9 100644
+index aea39d0..7288203 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -89,9 +89,11 @@ ETEXI
+ .help = "create a VM Backup."
+ "\n\t\t\t Use -d to dump data into a directory instead"
+ "\n\t\t\t of using VMA format.",
- .mhandler.cmd = hmp_backup,
+ .cmd = hmp_backup,
},
diff --git a/hmp.c b/hmp.c
-index 95da164..c23cf2f 100644
+index c685ba5..465d7fa 100644
--- a/hmp.c
+++ b/hmp.c
-@@ -1544,11 +1544,13 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1664,11 +1664,13 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
{
Error *error = NULL;
hmp_handle_error(mon, &error);
diff --git a/qapi-schema.json b/qapi-schema.json
-index 89d9ea6..147137d 100644
+index 059cbfc..1127f2c 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -395,7 +395,7 @@
+@@ -609,7 +609,7 @@
# @vma: Proxmox vma backup format
##
{ 'enum': 'BackupFormat',
##
# @backup:
diff --git a/vma.c b/vma.c
-index 79bdd00..c88a4358 100644
+index 8925407..1ffaced 100644
--- a/vma.c
+++ b/vma.c
-@@ -263,7 +263,7 @@ static int extract_content(int argc, char **argv)
+@@ -264,7 +264,7 @@ static int extract_content(int argc, char **argv)
g_free(statefn);
} else if (di) {
char *devfn = NULL;
-From 8a10cce2efa3d8906617939a5c644c9cb7104ef6 Mon Sep 17 00:00:00 2001
+From 73a40d757cc27aea304115ef52e37d530ea1237e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:22:19 +0100
Subject: [PATCH 17/47] backup: do not return errors in dump callback
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/blockdev.c b/blockdev.c
-index d8b1db8..fb71cdc 100644
+index e065922..7d2b76d 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3013,6 +3013,11 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+@@ -3019,6 +3019,11 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
{
PVEBackupDevInfo *di = opaque;
if (sector_num & 0x7f) {
if (!backup_state.error) {
error_setg(&backup_state.error,
-@@ -3023,7 +3028,6 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+@@ -3029,7 +3034,6 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
}
int64_t cluster_num = sector_num >> 7;
int ret = -1;
-@@ -3031,17 +3035,27 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+@@ -3037,17 +3041,27 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
size_t zero_bytes = 0;
ret = vma_writer_write(backup_state.vmaw, di->dev_id, cluster_num,
buf, &zero_bytes);
}
static void pvebackup_cleanup(void)
-@@ -3113,7 +3127,7 @@ static void pvebackup_cancel(void *opaque)
+@@ -3119,7 +3133,7 @@ static void pvebackup_cancel(void *opaque)
BlockJob *job = di->bs->job;
if (job) {
if (!di->completed) {
-From c31ba8ff9485b7648ca45952b9e7ccd74c50ac40 Mon Sep 17 00:00:00 2001
+From a67a085623f567045aaef34951227426a09238eb Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:39:36 +0100
Subject: [PATCH 18/47] backup: vma: correctly propagate error
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/blockdev.c b/blockdev.c
-index fb71cdc..2e51913 100644
+index 7d2b76d..30dd870 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3037,7 +3037,7 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+@@ -3043,7 +3043,7 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
buf, &zero_bytes);
if (ret < 0) {
if (!backup_state.error) {
-From fb3d52b336cd8404055bf0b3b8d825c6f5247fef Mon Sep 17 00:00:00 2001
+From 8f6fa3dfca3b69fdc3562fade652990eb4768a73 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:40:00 +0100
Subject: [PATCH 19/47] backup: vma: remove async queue
2 files changed, 38 insertions(+), 147 deletions(-)
diff --git a/blockdev.c b/blockdev.c
-index 2e51913..1491c2d 100644
+index 30dd870..22b564e 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3116,6 +3116,11 @@ static void pvebackup_cancel(void *opaque)
+@@ -3122,6 +3122,11 @@ static void pvebackup_cancel(void *opaque)
error_setg(&backup_state.error, "backup cancelled");
}
/* drain all i/o (awake jobs waiting for aio) */
bdrv_drain_all();
-@@ -3128,6 +3133,7 @@ static void pvebackup_cancel(void *opaque)
+@@ -3134,6 +3139,7 @@ static void pvebackup_cancel(void *opaque)
if (job) {
if (!di->completed) {
block_job_cancel_sync(job);
}
}
diff --git a/vma-writer.c b/vma-writer.c
-index 689e988..6d3119d 100644
+index 689e988..ec8da53 100644
--- a/vma-writer.c
+++ b/vma-writer.c
@@ -28,14 +28,8 @@
- DPRINTF("vma_co_write starting %zd\n", bytes);
-
while (done < bytes) {
-+ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, vmaw);
++ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, NULL, vmaw);
+ qemu_coroutine_yield();
-+ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL);
++ aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL, NULL);
+ if (vmaw->status < 0) {
+ DPRINTF("vma_queue_write detected canceled backup\n");
+ done = -1;
-From 3e0869f3ef3fc5537d90d22cde89f1384b164e70 Mon Sep 17 00:00:00 2001
+From 5b7a8ffffc109f55b3e66694af49960daad4b528 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:40:42 +0100
Subject: [PATCH 20/47] backup: vma: run flush inside coroutine
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/blockdev.c b/blockdev.c
-index 1491c2d..f3c0c58 100644
+index 22b564e..a3203c0 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3081,6 +3081,13 @@ static void pvebackup_cleanup(void)
+@@ -3087,6 +3087,13 @@ static void pvebackup_cleanup(void)
}
}
static void pvebackup_complete_cb(void *opaque, int ret)
{
PVEBackupDevInfo *di = opaque;
-@@ -3098,7 +3105,8 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+@@ -3104,7 +3111,8 @@ static void pvebackup_complete_cb(void *opaque, int ret)
di->target = NULL;
if (backup_state.vmaw) {
block_job_cb(bs, ret);
diff --git a/vma-writer.c b/vma-writer.c
-index 6d3119d..79b7fd4 100644
+index ec8da53..216577a 100644
--- a/vma-writer.c
+++ b/vma-writer.c
@@ -700,6 +700,10 @@ int vma_writer_close(VmaWriter *vmaw, Error **errp)
-From e7cf613192638f5ac24629961c4010a3b3575ad6 Mon Sep 17 00:00:00 2001
+From 417647b8cfefa4c0653f50ddb630bbcc91a0764c Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 15:41:13 +0100
Subject: [PATCH 21/47] backup: do not use bdrv_drain_all
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/blockdev.c b/blockdev.c
-index f3c0c58..2371cf3 100644
+index a3203c0..70f04bf 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3129,9 +3129,6 @@ static void pvebackup_cancel(void *opaque)
+@@ -3135,9 +3135,6 @@ static void pvebackup_cancel(void *opaque)
vma_writer_set_error(backup_state.vmaw, "backup cancelled");
}
GList *l = backup_state.di_list;
while (l) {
PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
-@@ -3140,8 +3137,7 @@ static void pvebackup_cancel(void *opaque)
+@@ -3146,8 +3143,7 @@ static void pvebackup_cancel(void *opaque)
BlockJob *job = di->bs->job;
if (job) {
if (!di->completed) {
-From ddfc29076293a794f0d9cc74c0c822c144e7ecbc Mon Sep 17 00:00:00 2001
+From 15215ea4cb52cf95d68063289bb185dae7de5433 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 16:04:32 +0100
Subject: [PATCH 22/47] internal snapshot async
include/block/block.h | 1 +
include/sysemu/sysemu.h | 5 +-
migration/savevm.c | 12 +-
- qapi-schema.json | 46 +++++
+ qapi-schema.json | 68 +++++++
qemu-options.hx | 13 ++
- qmp-commands.hx | 30 +++
- savevm-async.c | 526 ++++++++++++++++++++++++++++++++++++++++++++++++
+ savevm-async.c | 525 ++++++++++++++++++++++++++++++++++++++++++++++++
vl.c | 8 +
- 14 files changed, 743 insertions(+), 8 deletions(-)
+ 13 files changed, 734 insertions(+), 8 deletions(-)
create mode 100644 savevm-async.c
diff --git a/Makefile.objs b/Makefile.objs
-index 845edd0..7d9d2d7 100644
+index 9b12ee6..f5f8dba 100644
--- a/Makefile.objs
+++ b/Makefile.objs
-@@ -53,6 +53,7 @@ common-obj-$(CONFIG_LINUX) += fsdev/
+@@ -51,6 +51,7 @@ common-obj-$(CONFIG_LINUX) += fsdev/
+
common-obj-y += migration/
- common-obj-y += qemu-char.o #aio.o
- common-obj-y += page_cache.o
+ common-obj-y += page_cache.o #aio.o
+common-obj-y += savevm-async.o
common-obj-$(CONFIG_SPICE) += spice-qemu-char.o
diff --git a/block.c b/block.c
-index 30d64e6..95c1d32 100644
+index 6e906ec..5563a4f 100644
--- a/block.c
+++ b/block.c
-@@ -2288,7 +2288,7 @@ void bdrv_replace_in_backing_chain(BlockDriverState *old, BlockDriverState *new)
- bdrv_unref(old);
+@@ -3045,7 +3045,7 @@ out:
+ bdrv_unref(bs_new);
}
-static void bdrv_delete(BlockDriverState *bs)
assert(!bs->job);
assert(bdrv_op_blocker_is_empty(bs));
diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
-index 7616fe2..3046f9d 100644
+index 1a18380..3b5a0f9 100644
--- a/hmp-commands-info.hx
+++ b/hmp-commands-info.hx
-@@ -588,6 +588,19 @@ Show current migration xbzrle cache size.
+@@ -573,6 +573,19 @@ Show current migration xbzrle cache size.
ETEXI
{
+ .args_type = "",
+ .params = "",
+ .help = "show savevm status",
-+ .mhandler.cmd = hmp_info_savevm,
++ .cmd = hmp_info_savevm,
+ },
+
+STEXI
.args_type = "",
.params = "",
diff --git a/hmp-commands.hx b/hmp-commands.hx
-index 0e20ef9..4d735cb 100644
+index 7288203..a2867b5 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
-@@ -1791,3 +1791,35 @@ ETEXI
+@@ -1808,3 +1808,35 @@ ETEXI
STEXI
@end table
ETEXI
+ .args_type = "statefile:s?",
+ .params = "[statefile]",
+ .help = "Prepare for snapshot and halt VM. Save VM state to statefile.",
-+ .mhandler.cmd = hmp_savevm_start,
++ .cmd = hmp_savevm_start,
+ },
+
+ {
+ .args_type = "device:s,name:s",
+ .params = "device name",
+ .help = "Create internal snapshot.",
-+ .mhandler.cmd = hmp_snapshot_drive,
++ .cmd = hmp_snapshot_drive,
+ },
+
+ {
+ .args_type = "device:s,name:s",
+ .params = "device name",
+ .help = "Delete internal snapshot.",
-+ .mhandler.cmd = hmp_delete_drive_snapshot,
++ .cmd = hmp_delete_drive_snapshot,
+ },
+
+ {
+ .args_type = "",
+ .params = "",
+ .help = "Resume VM after snaphot.",
-+ .mhandler.cmd = hmp_savevm_end,
++ .cmd = hmp_savevm_end,
+ },
diff --git a/hmp.c b/hmp.c
-index c23cf2f..030fd97 100644
+index 465d7fa..aaf0de1 100644
--- a/hmp.c
+++ b/hmp.c
-@@ -2117,6 +2117,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
+@@ -2270,6 +2270,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
qapi_free_MemoryDeviceInfoList(info_list);
}
{
IOThreadInfoList *info_list = qmp_query_iothreads(NULL);
diff --git a/hmp.h b/hmp.h
-index 9a4c1f6..b74ddbf 100644
+index 17a65b2..8c1b484 100644
--- a/hmp.h
+++ b/hmp.h
@@ -26,6 +26,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict);
void hmp_info_migrate(Monitor *mon, const QDict *qdict);
void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict);
-@@ -92,6 +93,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict);
+@@ -95,6 +96,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict);
void hmp_netdev_del(Monitor *mon, const QDict *qdict);
void hmp_getfd(Monitor *mon, const QDict *qdict);
void hmp_closefd(Monitor *mon, const QDict *qdict);
void hmp_screendump(Monitor *mon, const QDict *qdict);
void hmp_nbd_server_start(Monitor *mon, const QDict *qdict);
diff --git a/include/block/block.h b/include/block/block.h
-index acddf3b..0f70a9d 100644
+index 5149260..b29c69d 100644
--- a/include/block/block.h
+++ b/include/block/block.h
-@@ -256,6 +256,7 @@ BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
+@@ -295,6 +295,7 @@ BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
int bdrv_get_backing_file_depth(BlockDriverState *bs);
void bdrv_refresh_filename(BlockDriverState *bs);
- int bdrv_truncate(BlockDriverState *bs, int64_t offset);
+ int bdrv_truncate(BdrvChild *child, int64_t offset);
+void bdrv_delete(BlockDriverState *bs);
int64_t bdrv_nb_sectors(BlockDriverState *bs);
int64_t bdrv_getlength(BlockDriverState *bs);
int64_t bdrv_get_allocated_file_size(BlockDriverState *bs);
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
-index ee7c760..4875441 100644
+index 576c7ce..74623de 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
-@@ -79,6 +79,7 @@ void qemu_remove_machine_init_done_notifier(Notifier *notify);
-
+@@ -78,6 +78,7 @@ void qemu_remove_machine_init_done_notifier(Notifier *notify);
void hmp_savevm(Monitor *mon, const QDict *qdict);
+ int save_vmstate(Monitor *mon, const char *name);
int load_vmstate(const char *name);
+int load_state_from_blockdev(const char *filename);
void hmp_delvm(Monitor *mon, const QDict *qdict);
void hmp_info_snapshots(Monitor *mon, const QDict *qdict);
-@@ -106,13 +107,13 @@ enum qemu_vm_cmd {
+@@ -105,13 +106,13 @@ enum qemu_vm_cmd {
#define MAX_VM_CMD_PACKAGED_SIZE (1ul << 24)
bool qemu_savevm_state_blocked(Error **errp);
uint64_t *res_non_postcopiable,
uint64_t *res_postcopiable);
diff --git a/migration/savevm.c b/migration/savevm.c
-index 33a2911..b1bdfb6 100644
+index 3b19a4a..feb0dc6 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
-@@ -879,11 +879,11 @@ void qemu_savevm_state_header(QEMUFile *f)
+@@ -970,11 +970,11 @@ void qemu_savevm_state_header(QEMUFile *f)
}
trace_savevm_state_begin();
QTAILQ_FOREACH(se, &savevm_state.handlers, entry) {
-@@ -911,6 +911,7 @@ void qemu_savevm_state_begin(QEMUFile *f,
+@@ -1002,6 +1002,7 @@ void qemu_savevm_state_begin(QEMUFile *f,
break;
}
}
}
/*
-@@ -1014,7 +1015,7 @@ void qemu_savevm_state_complete_postcopy(QEMUFile *f)
+@@ -1105,7 +1106,7 @@ void qemu_savevm_state_complete_postcopy(QEMUFile *f)
qemu_fflush(f);
}
{
QJSON *vmdesc;
int vmdesc_len;
-@@ -1048,12 +1049,12 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+@@ -1139,12 +1140,12 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
save_section_footer(f, se);
if (ret < 0) {
qemu_file_set_error(f, ret);
}
vmdesc = qjson_new();
-@@ -1100,6 +1101,7 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+@@ -1191,6 +1192,7 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
qjson_destroy(vmdesc);
qemu_fflush(f);
/* Give an estimate of the amount left to be transferred,
diff --git a/qapi-schema.json b/qapi-schema.json
-index 147137d..0c0faf7 100644
+index 1127f2c..c33ebb3 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -594,6 +594,42 @@
- '*cpu-throttle-percentage': 'int',
+@@ -813,6 +813,40 @@
'*error-desc': 'str'} }
-+
-+# @SaveVMInfo
+ ##
++# @SaveVMInfo:
+#
+# Information about current migration process.
+#
-+# @status: #optional string describing the current savevm status.
++# @status: string describing the current savevm status.
+# This can be 'active', 'completed', 'failed'.
+# If this field is not returned, no savevm process
+# has been initiated
+#
-+# @error: #optional string containing error message is status is failed.
++# @error: string containing error message is status is failed.
+#
-+# @total-time: #optional total amount of milliseconds since savevm started.
++# @total-time: total amount of milliseconds since savevm started.
+# If savevm has ended, it returns the total save time
+#
-+# @bytes: #optional total amount of data transfered
++# @bytes: total amount of data transfered
+#
+# Since: 1.3
+##
+ '*total-time': 'int', '*bytes': 'int'} }
+
+##
-+# @query-savevm
++# @query-savevm:
+#
+# Returns information about current savevm process.
+#
+{ 'command': 'query-savevm', 'returns': 'SaveVMInfo' }
+
+##
-+
- ##
- # @query-migrate
+ # @query-migrate:
#
-@@ -3286,8 +3322,18 @@
+ # Returns information about current migration process. If migration
+@@ -4828,9 +4862,43 @@
#
# Since: 1.2.0
##
+
{ 'command': 'query-target', 'returns': 'TargetInfo' }
+ ##
++# @savevm-start:
++#
++# Prepare for snapshot and halt VM. Save VM state to statefile.
++#
++##
+{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } }
+
++##
++# @snapshot-drive:
++#
++# Create an internal drive snapshot.
++#
++##
+{ 'command': 'snapshot-drive', 'data': { 'device': 'str', 'name': 'str' } }
+
++##
++# @delete-drive-snapshot:
++#
++# Delete a drive snapshot.
++#
++##
+{ 'command': 'delete-drive-snapshot', 'data': { 'device': 'str', 'name': 'str' } }
+
++##
++# @savevm-end:
++#
++# Resume VM after a snapshot.
++#
++##
+{ 'command': 'savevm-end' }
+
+
- ##
++##
# @QKeyCode:
#
+ # An enumeration of key name.
diff --git a/qemu-options.hx b/qemu-options.hx
-index a71aaf8..37fad3b 100644
+index 99af8ed..10f0e81 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
-@@ -3302,6 +3302,19 @@ STEXI
+@@ -3396,6 +3396,19 @@ STEXI
Start right away with a saved state (@code{loadvm} in monitor)
ETEXI
#ifndef _WIN32
DEF("daemonize", 0, QEMU_OPTION_daemonize, \
"-daemonize daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
-diff --git a/qmp-commands.hx b/qmp-commands.hx
-index a8e8522..6342cd2 100644
---- a/qmp-commands.hx
-+++ b/qmp-commands.hx
-@@ -4904,6 +4904,36 @@ Example:
- EQMP
-
- {
-+ .name = "savevm-start",
-+ .args_type = "statefile:s?",
-+ .mhandler.cmd_new = qmp_marshal_savevm_start,
-+ },
-+
-+ {
-+ .name = "snapshot-drive",
-+ .args_type = "device:s,name:s",
-+ .mhandler.cmd_new = qmp_marshal_snapshot_drive,
-+ },
-+
-+ {
-+ .name = "delete-drive-snapshot",
-+ .args_type = "device:s,name:s",
-+ .mhandler.cmd_new = qmp_marshal_delete_drive_snapshot,
-+ },
-+
-+ {
-+ .name = "savevm-end",
-+ .args_type = "",
-+ .mhandler.cmd_new = qmp_marshal_savevm_end,
-+ },
-+
-+ {
-+ .name = "query-savevm",
-+ .args_type = "",
-+ .mhandler.cmd_new = qmp_marshal_query_savevm,
-+ },
-+
-+ {
- .name = "query-rocker",
- .args_type = "name:s",
- .mhandler.cmd_new = qmp_marshal_query_rocker,
diff --git a/savevm-async.c b/savevm-async.c
new file mode 100644
-index 0000000..ae7ea84
+index 0000000..9704a41
--- /dev/null
+++ b/savevm-async.c
-@@ -0,0 +1,526 @@
+@@ -0,0 +1,525 @@
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qapi/qmp/qerror.h"
+ BlockDriver *drv = NULL;
+ Error *local_err = NULL;
+
-+ int bdrv_oflags = BDRV_O_RDWR;
++ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE;
+ int ret;
+
+ if (snap_state.state != SAVE_STATE_DONE) {
+ }
+
+ qemu_system_reset(VMRESET_SILENT);
-+ migration_incoming_state_new(f);
+ ret = qemu_loadvm_state(f);
+
+ qemu_fclose(f);
+ return ret;
+}
diff --git a/vl.c b/vl.c
-index b226e0b..c01b1b5 100644
+index 868c489..19afd47 100644
--- a/vl.c
+++ b/vl.c
-@@ -2962,6 +2962,7 @@ int main(int argc, char **argv, char **envp)
+@@ -2960,6 +2960,7 @@ int main(int argc, char **argv, char **envp)
int optind;
const char *optarg;
const char *loadvm = NULL;
MachineClass *machine_class;
const char *cpu_model;
const char *vga_model = NULL;
-@@ -3603,6 +3604,9 @@ int main(int argc, char **argv, char **envp)
+@@ -3631,6 +3632,9 @@ int main(int argc, char **argv, char **envp)
case QEMU_OPTION_loadvm:
loadvm = optarg;
break;
case QEMU_OPTION_full_screen:
full_screen = 1;
break;
-@@ -4597,6 +4601,10 @@ int main(int argc, char **argv, char **envp)
+@@ -4689,6 +4693,10 @@ int main(int argc, char **argv, char **envp)
if (load_vmstate(loadvm) < 0) {
autostart = 0;
}
-From e9b9fd9156a6631998ec4b4254fe2e91859b340a Mon Sep 17 00:00:00 2001
+From 2b80d33fbafd332233f0b49fe7b921d00809d8a5 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 16:31:51 +0100
Subject: [PATCH 23/47] backup: vma: allow empty backups
}
return ret;
diff --git a/vma-writer.c b/vma-writer.c
-index 79b7fd4..0d26fc6 100644
+index 216577a..0dd668b 100644
--- a/vma-writer.c
+++ b/vma-writer.c
@@ -252,7 +252,7 @@ vma_queue_write(VmaWriter *vmaw, const void *buf, size_t bytes)
return open_drives;
diff --git a/vma.c b/vma.c
-index c88a4358..08e4725 100644
+index 1ffaced..c7c0538 100644
--- a/vma.c
+++ b/vma.c
-@@ -27,7 +27,7 @@ static void help(void)
+@@ -28,7 +28,7 @@ static void help(void)
"\n"
"vma list <filename>\n"
"vma config <filename> [-c config]\n"
"vma extract <filename> [-r <fifo>] <targetdir>\n"
"vma verify <filename> [-v]\n"
;
-@@ -395,6 +395,18 @@ typedef struct BackupJob {
+@@ -396,6 +396,18 @@ typedef struct BackupJob {
#define BACKUP_SECTORS_PER_CLUSTER (VMA_CLUSTER_SIZE / BDRV_SECTOR_SIZE)
static void coroutine_fn backup_run(void *opaque)
{
BackupJob *job = (BackupJob *)opaque;
-@@ -468,8 +480,8 @@ static int create_archive(int argc, char **argv)
+@@ -469,8 +481,8 @@ static int create_archive(int argc, char **argv)
}
help();
}
-@@ -504,11 +516,11 @@ static int create_archive(int argc, char **argv)
+@@ -505,11 +517,11 @@ static int create_archive(int argc, char **argv)
l = g_list_next(l);
}
Error *errp = NULL;
BlockDriverState *bs;
-@@ -539,37 +551,39 @@ static int create_archive(int argc, char **argv)
+@@ -540,37 +552,39 @@ static int create_archive(int argc, char **argv)
int percent = 0;
int last_percent = -1;
-From e933992419bd8da2689a527ae95000891e687a2d Mon Sep 17 00:00:00 2001
+From 3d27ec44c65694724190ef86d3e5893fafc10b59 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 16:34:41 +0100
Subject: [PATCH 24/47] qmp: add get_link_status
---
net/net.c | 27 +++++++++++++++++++++++++++
- qapi-schema.json | 15 +++++++++++++++
- qmp-commands.hx | 23 +++++++++++++++++++++++
- scripts/qapi.py | 2 ++
- 4 files changed, 67 insertions(+)
+ qapi-schema.json | 16 ++++++++++++++++
+ 2 files changed, 43 insertions(+)
diff --git a/net/net.c b/net/net.c
-index 19b4d9e..5f890b7 100644
+index 0ac3b9e..7410c1e 100644
--- a/net/net.c
+++ b/net/net.c
-@@ -1362,6 +1362,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
+@@ -1373,6 +1373,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
}
}
{
NetClientState *ncs[MAX_QUEUE_NUM];
diff --git a/qapi-schema.json b/qapi-schema.json
-index 0c0faf7..d75e932 100644
+index c33ebb3..79bfd97 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -1786,6 +1786,21 @@
+@@ -56,6 +56,7 @@
+ { 'pragma': {
+ # Commands allowed to return a non-dictionary:
+ 'returns-whitelist': [
++ 'get_link_status',
+ 'human-monitor-command',
+ 'qom-get',
+ 'query-migrate-cache-size',
+@@ -2627,6 +2628,21 @@
{ 'command': 'set_link', 'data': {'name': 'str', 'up': 'bool'} }
##
-+# @get_link_status
++# @get_link_status:
+#
+# Get the current link state of the nics or nic.
+#
# @balloon:
#
# Request the balloon driver to change its balloon size.
-diff --git a/qmp-commands.hx b/qmp-commands.hx
-index 6342cd2..a84932a 100644
---- a/qmp-commands.hx
-+++ b/qmp-commands.hx
-@@ -1883,6 +1883,29 @@ Example:
- EQMP
-
- {
-+ .name = "get_link_status",
-+ .args_type = "name:s",
-+ .mhandler.cmd_new = qmp_marshal_get_link_status,
-+ },
-+
-+SQMP
-+get_link_status
-+--------
-+
-+Get the link status of a network adapter.
-+
-+Arguments:
-+
-+- "name": network device name (json-string)
-+
-+Example:
-+
-+-> { "execute": "get_link_status", "arguments": { "name": "e1000.0" } }
-+<- { "return": {1} }
-+
-+EQMP
-+
-+ {
- .name = "getfd",
- .args_type = "fdname:s",
- .params = "getfd name",
-diff --git a/scripts/qapi.py b/scripts/qapi.py
-index 21bc32f..f900659 100644
---- a/scripts/qapi.py
-+++ b/scripts/qapi.py
-@@ -39,6 +39,8 @@ builtin_types = {
-
- # Whitelist of commands allowed to return a non-dictionary
- returns_whitelist = [
-+ 'get_link_status',
-+
- # From QMP:
- 'human-monitor-command',
- 'qom-get',
--
2.1.4
-From e1682387e4bed2357e1030933481ab63f648249b Mon Sep 17 00:00:00 2001
+From b4c3d5bd99807290626339b25e555a0187c195b8 Mon Sep 17 00:00:00 2001
From: Alexandre Derumier <aderumier@odiso.com>
Date: Tue, 29 Sep 2015 15:37:44 +0200
Subject: [PATCH 25/47] smm_available = false
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index ba8a5a1..9c206fc 100644
+index 81e91a4..4161a45 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
-@@ -2084,7 +2084,7 @@ bool pc_machine_is_smm_enabled(PCMachineState *pcms)
+@@ -2123,7 +2123,7 @@ bool pc_machine_is_smm_enabled(PCMachineState *pcms)
if (tcg_enabled() || qtest_enabled()) {
smm_available = true;
} else if (kvm_enabled()) {
-From 017016151cb8f9a364f0b0006603772620966d5a Mon Sep 17 00:00:00 2001
+From a2a88a65d4c89ecc105f3eddba7ee3e8c023f16d Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 16:50:05 +0100
Subject: [PATCH 26/47] use whitespace between VERSION and PKGVERSION
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vl.c b/vl.c
-index c01b1b5..0b5a721 100644
+index 19afd47..d0780a4 100644
--- a/vl.c
+++ b/vl.c
-@@ -1920,7 +1920,7 @@ static void main_loop(void)
+@@ -1909,7 +1909,7 @@ static void main_loop(void)
static void version(void)
{
-- printf("QEMU emulator version " QEMU_VERSION QEMU_PKGVERSION ", "
-+ printf("QEMU emulator version " QEMU_VERSION " " QEMU_PKGVERSION ", "
+- printf("QEMU emulator version " QEMU_VERSION QEMU_PKGVERSION "\n"
++ printf("QEMU emulator version " QEMU_VERSION " " QEMU_PKGVERSION "\n"
QEMU_COPYRIGHT "\n");
}
-From 3400a70a51015f119c12d3600943baae97aabb0f Mon Sep 17 00:00:00 2001
+From f12b170f30566d50ff52ee20a2075e806c62f38e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 9 Dec 2015 16:51:23 +0100
Subject: [PATCH 27/47] vma: add firewall
blockdev.c | 78 ++++++++++++++++++++++++++++++++++----------------------
hmp.c | 2 +-
qapi-schema.json | 1 +
- qmp-commands.hx | 2 +-
- 4 files changed, 51 insertions(+), 32 deletions(-)
+ 3 files changed, 50 insertions(+), 31 deletions(-)
diff --git a/blockdev.c b/blockdev.c
-index 2371cf3..bbb1502 100644
+index 70f04bf..3335a33 100644
--- a/blockdev.c
+++ b/blockdev.c
-@@ -3157,6 +3157,44 @@ void qmp_backup_cancel(Error **errp)
+@@ -3163,6 +3163,44 @@ void qmp_backup_cancel(Error **errp)
}
}
bool block_job_should_pause(BlockJob *job);
static void pvebackup_run_next_job(void)
{
-@@ -3184,6 +3222,7 @@ static void pvebackup_run_next_job(void)
+@@ -3190,6 +3228,7 @@ static void pvebackup_run_next_job(void)
UuidInfo *qmp_backup(const char *backup_file, bool has_format,
BackupFormat format,
bool has_config_file, const char *config_file,
bool has_devlist, const char *devlist,
bool has_speed, int64_t speed, Error **errp)
{
-@@ -3335,38 +3374,17 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+@@ -3341,38 +3380,17 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
/* add configuration file to archive */
if (has_config_file) {
backup_state.cancel = false;
diff --git a/hmp.c b/hmp.c
-index 030fd97..5c5e8ed 100644
+index aaf0de1..12f1f46 100644
--- a/hmp.c
+++ b/hmp.c
-@@ -1550,7 +1550,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+@@ -1670,7 +1670,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
int64_t speed = qdict_get_try_int(qdict, "speed", 0);
qmp_backup(backup_file, true, dir ? BACKUP_FORMAT_DIR : BACKUP_FORMAT_VMA,
hmp_handle_error(mon, &error);
diff --git a/qapi-schema.json b/qapi-schema.json
-index d75e932..7bb0ee0 100644
+index 79bfd97..6334018 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
-@@ -420,6 +420,7 @@
+@@ -635,6 +635,7 @@
{ 'command': 'backup', 'data': { 'backup-file': 'str',
'*format': 'BackupFormat',
'*config-file': 'str',
'*devlist': 'str', '*speed': 'int' },
'returns': 'UuidInfo' }
-diff --git a/qmp-commands.hx b/qmp-commands.hx
-index a84932a..94cfac2 100644
---- a/qmp-commands.hx
-+++ b/qmp-commands.hx
-@@ -1315,7 +1315,7 @@ EQMP
-
- {
- .name = "backup",
-- .args_type = "backup-file:s,format:s?,config-file:F?,speed:o?,devlist:s?",
-+ .args_type = "backup-file:s,format:s?,config-file:F?,firewall-file:F?,speed:o?,devlist:s?",
- .mhandler.cmd_new = qmp_marshal_backup,
- },
-
--
2.1.4
-From d5ef7dd4d2b53e4868289dca3770724cb9597ec5 Mon Sep 17 00:00:00 2001
+From 5f0372c41d41e886e7e901cc88bc060ef565db04 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 10 Dec 2015 15:14:00 +0100
Subject: [PATCH 28/47] savevm-async: migration and bdrv_open update
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/savevm-async.c b/savevm-async.c
-index ae7ea84..7979435 100644
+index 9704a41..6ac03af 100644
--- a/savevm-async.c
+++ b/savevm-async.c
@@ -154,10 +154,10 @@ static int block_state_close(void *opaque)
- BlockDriver *drv = NULL;
Error *local_err = NULL;
- int bdrv_oflags = BDRV_O_RDWR;
+ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE;
@@ -289,7 +289,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
QDict *options = NULL;
options = qdict_new();
-From d42052d75321a1af75b039f8e31127b98485ec93 Mon Sep 17 00:00:00 2001
+From 96d45d67af5ef5033273a39e953ac86f7e693dbb Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 12 Jan 2016 09:09:49 +0100
Subject: [PATCH 29/47] vnc: make x509 imply tls again
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
-index b9f36b5..acbe3bd 100644
+index 29575f8..039b3ed 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
-@@ -3729,9 +3729,8 @@ void vnc_display_open(const char *id, Error **errp)
+@@ -3878,9 +3878,8 @@ void vnc_display_open(const char *id, Error **errp)
const char *path;
bool tls = false, x509 = false, x509verify = false;
tls = qemu_opt_get_bool(opts, "tls", false);
-From 51dd4df80640e1671de73c014c6273b154df920a Mon Sep 17 00:00:00 2001
+From 3eb9bb595a7ddc0ef8108f2f8cf28f4bbbf2b229 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 11 Jan 2016 10:40:31 +0100
Subject: [PATCH 30/47] PVE VNC authentication
---
crypto/tlscreds.c | 47 +++++++++++
crypto/tlscredspriv.h | 2 +
- crypto/tlscredsx509.c | 13 ++--
+ crypto/tlscredsx509.c | 13 +--
crypto/tlssession.c | 1 +
include/crypto/tlscreds.h | 1 +
include/ui/console.h | 1 +
qemu-options.hx | 3 +
- ui/vnc-auth-vencrypt.c | 194 ++++++++++++++++++++++++++++++++++++++--------
+ ui/vnc-auth-vencrypt.c | 196 ++++++++++++++++++++++++++++++++++++++--------
ui/vnc.c | 140 ++++++++++++++++++++++++++++++++-
ui/vnc.h | 4 +
vl.c | 9 +++
- 11 files changed, 375 insertions(+), 40 deletions(-)
+ 11 files changed, 376 insertions(+), 41 deletions(-)
diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
index a896553..e9ae13c 100644
#endif /* QCRYPTO_TLSCREDSPRIV_H */
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
-index 520d34d..1ba971c 100644
+index 50eb54f..09f7364 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -555,22 +555,23 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
goto cleanup;
}
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
-index 2de42c6..768466a 100644
+index 96a02de..c453e29 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -23,6 +23,7 @@
diff --git a/include/ui/console.h b/include/ui/console.h
-index 2703a3a..db6dd22 100644
+index d759338..69f010e 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
-@@ -456,6 +456,7 @@ static inline void cocoa_display_init(DisplayState *ds, int full_screen)
+@@ -462,6 +462,7 @@ static inline void cocoa_display_init(DisplayState *ds, int full_screen)
#endif
/* vnc.c */
void vnc_display_open(const char *id, Error **errp);
void vnc_display_add_client(const char *id, int csock, bool skipauth);
diff --git a/qemu-options.hx b/qemu-options.hx
-index 37fad3b..f943ae6 100644
+index 10f0e81..fbd1a1c 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
-@@ -473,6 +473,9 @@ STEXI
+@@ -513,6 +513,9 @@ STEXI
@table @option
ETEXI
"-fda/-fdb file use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL)
DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL)
diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c
-index 11c8c9a..d11f1df 100644
+index ffaab57..de1c194 100644
--- a/ui/vnc-auth-vencrypt.c
+++ b/ui/vnc-auth-vencrypt.c
@@ -28,6 +28,107 @@
case VNC_AUTH_VENCRYPT_TLSVNC:
case VNC_AUTH_VENCRYPT_X509VNC:
VNC_DEBUG("Start TLS auth VNC\n");
-@@ -87,44 +199,63 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len
+@@ -88,45 +200,64 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len
{
int auth = read_u32(data, 0);
+ vs->ioc_tag = 0;
+ }
+- qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls");
- VNC_DEBUG("Start TLS VeNCrypt handshake process\n");
- object_unref(OBJECT(vs->ioc));
- vs->ioc = QIO_CHANNEL(tls);
+ return 0;
+ }
+ }
++ qio_channel_set_name(QIO_CHANNEL(tls), "vnc-server-tls");
- qio_channel_tls_handshake(tls,
- vnc_tls_handshake_done,
}
return 0;
}
-@@ -138,10 +269,11 @@ static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len
+@@ -140,10 +271,11 @@ static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len
vnc_flush(vs);
vnc_client_error(vs);
} else {
vnc_read_when(vs, protocol_client_vencrypt_auth, 4);
}
diff --git a/ui/vnc.c b/ui/vnc.c
-index acbe3bd..2a18a20 100644
+index 039b3ed..a34ba08 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
-@@ -55,6 +55,125 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
+@@ -56,6 +56,125 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
#include "vnc_keysym.h"
#include "crypto/cipher.h"
static QTAILQ_HEAD(, VncDisplay) vnc_displays =
QTAILQ_HEAD_INITIALIZER(vnc_displays);
-@@ -3413,11 +3532,17 @@ vnc_display_setup_auth(VncDisplay *vs,
- if (object_dynamic_cast(OBJECT(vs->tlscreds),
- TYPE_QCRYPTO_TLS_CREDS_X509)) {
+@@ -3350,10 +3469,16 @@ vnc_display_setup_auth(int *auth,
+ if (password) {
+ if (is_x509) {
VNC_DEBUG("Initializing VNC server with x509 password auth\n");
-- vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
-+ if (vs->tlscreds->pve)
-+ vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
+- *subauth = VNC_AUTH_VENCRYPT_X509VNC;
++ if (tlscreds->pve)
++ *subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
+ else
-+ vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
- } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
- TYPE_QCRYPTO_TLS_CREDS_ANON)) {
++ *subauth = VNC_AUTH_VENCRYPT_X509VNC;
+ } else {
VNC_DEBUG("Initializing VNC server with TLS password auth\n");
-- vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
-+ if (vs->tlscreds->pve)
-+ vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
+- *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
++ if (tlscreds->pve)
++ *subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
+ else
-+ vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
- } else {
- error_setg(errp,
- "Unsupported TLS cred type %s",
-@@ -3508,6 +3633,7 @@ vnc_display_create_creds(bool x509,
++ *subauth = VNC_AUTH_VENCRYPT_TLSVNC;
+ }
+
+ } else if (sasl) {
+@@ -3387,6 +3512,7 @@ vnc_display_create_creds(bool x509,
bool x509verify,
const char *dir,
const char *id,
Error **errp)
{
gchar *credsid = g_strdup_printf("tlsvnc%s", id);
-@@ -3523,6 +3649,7 @@ vnc_display_create_creds(bool x509,
+@@ -3402,6 +3528,7 @@ vnc_display_create_creds(bool x509,
"endpoint", "server",
"dir", dir,
"verify-peer", x509verify ? "yes" : "no",
NULL);
} else {
creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
-@@ -3530,6 +3657,7 @@ vnc_display_create_creds(bool x509,
+@@ -3409,6 +3536,7 @@ vnc_display_create_creds(bool x509,
credsid,
&err,
"endpoint", "server",
NULL);
}
-@@ -3727,12 +3855,17 @@ void vnc_display_open(const char *id, Error **errp)
+@@ -3876,12 +4004,17 @@ void vnc_display_open(const char *id, Error **errp)
}
} else {
const char *path;
} else {
path = qemu_opt_get(opts, "x509verify");
if (path) {
-@@ -3744,6 +3877,7 @@ void vnc_display_open(const char *id, Error **errp)
+@@ -3893,6 +4026,7 @@ void vnc_display_open(const char *id, Error **errp)
x509verify,
path,
- vs->id,
+ vd->id,
+ pve,
errp);
- if (!vs->tlscreds) {
+ if (!vd->tlscreds) {
goto fail;
diff --git a/ui/vnc.h b/ui/vnc.h
-index ab5f244..2fde9d3 100644
+index 694cf32..78d622a 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
-@@ -282,6 +282,8 @@ struct VncState
+@@ -284,6 +284,8 @@ struct VncState
int auth;
int subauth; /* Used by VeNCrypt */
char challenge[VNC_AUTH_CHALLENGE_SIZE];
+
#endif /* QEMU_VNC_H */
diff --git a/vl.c b/vl.c
-index 0b5a721..4742300 100644
+index d0780a4..2496b06 100644
--- a/vl.c
+++ b/vl.c
-@@ -2950,6 +2950,7 @@ static int global_init_func(void *opaque, QemuOpts *opts, Error **errp)
+@@ -2947,6 +2947,7 @@ static int qemu_read_default_config_file(void)
int main(int argc, char **argv, char **envp)
{
int i;
int snapshot, linux_boot;
const char *initrd_filename;
const char *kernel_filename, *kernel_cmdline;
-@@ -3722,6 +3723,14 @@ int main(int argc, char **argv, char **envp)
+@@ -3774,6 +3775,14 @@ int main(int argc, char **argv, char **envp)
exit(1);
}
break;
-From e4958531f423dd635053559d05e8c86c208ceb02 Mon Sep 17 00:00:00 2001
+From 48b17fc67daf24eb83a75fd9fbc6c8b717799314 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 8 Feb 2016 08:23:34 +0100
Subject: [PATCH 31/47] vma-writer: don't bail out on zero-length files
1 file changed, 1 deletion(-)
diff --git a/vma-writer.c b/vma-writer.c
-index 0d26fc6..a378762 100644
+index 0dd668b..70dcca0 100644
--- a/vma-writer.c
+++ b/vma-writer.c
@@ -130,7 +130,6 @@ int vma_writer_add_config(VmaWriter *vmaw, const char *name, gpointer data,
-From 2dc69ead56b7ecd60eb513ab5b6c9978e06070ef Mon Sep 17 00:00:00 2001
+From 9b2434933e9a4bd411111dad716d4239e163af9e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 23 Feb 2016 15:48:41 +0100
Subject: [PATCH 32/47] vma: better driver guessing for bdrv_open
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/vma.c b/vma.c
-index 08e4725..8a27704 100644
+index c7c0538..4903568 100644
--- a/vma.c
+++ b/vma.c
-@@ -293,7 +293,20 @@ static int extract_content(int argc, char **argv)
+@@ -294,7 +294,20 @@ static int extract_content(int argc, char **argv)
}
BlockDriverState *bs = bdrv_new();
-From 6f6f38d2ef8f22a12f72e4d60f8a1fa978ac569a Mon Sep 17 00:00:00 2001
+From ce85aff058a3e87030111e7c3b1a9e34fc2c7f55 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 17 Mar 2016 11:33:37 +0100
Subject: [PATCH 33/47] block: add the zeroinit block driver filter
---
block/Makefile.objs | 1 +
- block/zeroinit.c | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 221 insertions(+)
+ block/zeroinit.c | 219 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 220 insertions(+)
create mode 100644 block/zeroinit.c
diff --git a/block/Makefile.objs b/block/Makefile.objs
-index 2593a2f..930ca33 100644
+index de96f8e..8cdac08 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -4,6 +4,7 @@ block-obj-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
block-obj-y += qed-check.o
- block-obj-$(CONFIG_VHDX) += vhdx.o vhdx-endian.o vhdx-log.o
+ block-obj-y += vhdx.o vhdx-endian.o vhdx-log.o
block-obj-y += quorum.o
+block-obj-y += zeroinit.o
block-obj-y += parallels.o blkdebug.o blkverify.o blkreplay.o
block-obj-y += block-backend.o snapshot.o qapi.o
- block-obj-$(CONFIG_WIN32) += raw-win32.o win32-aio.o
+ block-obj-$(CONFIG_WIN32) += file-win32.o win32-aio.o
diff --git a/block/zeroinit.c b/block/zeroinit.c
new file mode 100644
-index 0000000..c56a446
+index 0000000..0a8c7f9
--- /dev/null
+++ b/block/zeroinit.c
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,219 @@
+/*
+ * Filter to fake a zero-initialized block device.
+ *
+ return bdrv_get_block_status(bs->file->bs, sector_num, nb_sectors, pnum, file);
+}
+
-+static coroutine_fn BlockAIOCB *zeroinit_aio_pdiscard(BlockDriverState *bs,
-+ int64_t offset, int count,
-+ BlockCompletionFunc *cb, void *opaque)
++static int coroutine_fn zeroinit_co_pdiscard(BlockDriverState *bs,
++ int64_t offset, int count)
+{
-+ return bdrv_aio_pdiscard(bs->file->bs, offset, count, cb, opaque);
++ return bdrv_co_pdiscard(bs->file->bs, offset, count);
+}
+
+static int zeroinit_truncate(BlockDriverState *bs, int64_t offset)
+{
-+ return bdrv_truncate(bs->file->bs, offset);
++ return bdrv_truncate(bs->file, offset);
+}
+
+static int zeroinit_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
+
+ .bdrv_co_get_block_status = zeroinit_co_get_block_status,
+
-+ .bdrv_aio_pdiscard = zeroinit_aio_pdiscard,
++ .bdrv_co_pdiscard = zeroinit_co_pdiscard,
+
+ .bdrv_truncate = zeroinit_truncate,
+ .bdrv_get_info = zeroinit_get_info,
-From 10ae69c411df788752628c8950bf9e76c8cf6af1 Mon Sep 17 00:00:00 2001
+From 87c344c964eac376a816b081acb6796893ce0992 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 12 Apr 2016 13:49:44 +0200
Subject: [PATCH 34/47] vma: add format option to device mapping
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/vma.c b/vma.c
-index 8a27704..c8ad6c0 100644
+index 4903568..f71e5a5 100644
--- a/vma.c
+++ b/vma.c
-@@ -130,6 +130,7 @@ static int list_content(int argc, char **argv)
+@@ -131,6 +131,7 @@ static int list_content(int argc, char **argv)
typedef struct RestoreMap {
char *devname;
char *path;
bool write_zero;
} RestoreMap;
-@@ -217,13 +218,24 @@ static int extract_content(int argc, char **argv)
+@@ -218,13 +219,24 @@ static int extract_content(int argc, char **argv)
}
}
write_zero = true;
} else {
g_error("read map failed - parse error ('%s')", inbuf);
-@@ -239,6 +251,7 @@ static int extract_content(int argc, char **argv)
+@@ -240,6 +252,7 @@ static int extract_content(int argc, char **argv)
RestoreMap *map = g_new0(RestoreMap, 1);
map->devname = g_strdup(devname);
map->path = g_strdup(path);
map->write_zero = write_zero;
g_hash_table_insert(devmap, map->devname, map);
-@@ -263,6 +276,7 @@ static int extract_content(int argc, char **argv)
+@@ -264,6 +277,7 @@ static int extract_content(int argc, char **argv)
g_free(statefn);
} else if (di) {
char *devfn = NULL;
int flags = BDRV_O_RDWR;
bool write_zero = true;
-@@ -273,6 +287,7 @@ static int extract_content(int argc, char **argv)
+@@ -274,6 +288,7 @@ static int extract_content(int argc, char **argv)
g_error("no device name mapping for %s", di->devname);
}
devfn = map->path;
write_zero = map->write_zero;
} else {
devfn = g_strdup_printf("%s/tmp-disk-%s.raw",
-@@ -295,15 +310,20 @@ static int extract_content(int argc, char **argv)
+@@ -296,15 +311,20 @@ static int extract_content(int argc, char **argv)
BlockDriverState *bs = bdrv_new();
size_t devlen = strlen(devfn);
-From 927da5e2426aac5bef37c97604740deddedbda41 Mon Sep 17 00:00:00 2001
+From a072638a678b59f6c60d9542ffa7220cea493d8d Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Wed, 6 Apr 2016 16:45:15 +0200
Subject: [PATCH 35/47] fix possible unitialised return value
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/migration/savevm.c b/migration/savevm.c
-index b1bdfb6..cebba77 100644
+index feb0dc6..d2615f4 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
-@@ -1020,7 +1020,7 @@ int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+@@ -1111,7 +1111,7 @@ int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
QJSON *vmdesc;
int vmdesc_len;
SaveStateEntry *se;
-From e6af4497017e37cb31f7cbd80137f41ce297d702 Mon Sep 17 00:00:00 2001
+From 7142892fdd63de719b7b2e434914314e9357ecac Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Wed, 6 Apr 2016 16:47:54 +0200
Subject: [PATCH 36/47] vnc: refactor to QIOChannelSocket
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c
-index d11f1df..a529520 100644
+index de1c194..594ca73 100644
--- a/ui/vnc-auth-vencrypt.c
+++ b/ui/vnc-auth-vencrypt.c
@@ -28,27 +28,23 @@
-From 0d4b69786584eec1386183b259c22f7cae6df69d Mon Sep 17 00:00:00 2001
+From 7e3891e9d570f0c432bcfd076c17eb742e0e1350 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Fri, 1 Jul 2016 15:47:29 +0200
Subject: [PATCH 37/47] vma: use BlockBackend on extract
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/vma.c b/vma.c
-index c8ad6c0..a2ddd32 100644
+index f71e5a5..ad51090 100644
--- a/vma.c
+++ b/vma.c
-@@ -19,6 +19,7 @@
- #include "qemu/error-report.h"
+@@ -20,6 +20,7 @@
#include "qemu/main-loop.h"
+ #include "qapi/qmp/qstring.h"
#include "sysemu/char.h" /* qstring_from_str */
+#include "sysemu/block-backend.h"
static void help(void)
{
-@@ -263,6 +264,8 @@ static int extract_content(int argc, char **argv)
+@@ -264,6 +265,8 @@ static int extract_content(int argc, char **argv)
int vmstate_fd = -1;
guint8 vmstate_stream = 0;
for (i = 1; i < 255; i++) {
VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i);
if (di && (strcmp(di->devname, "vmstate") == 0)) {
-@@ -307,8 +310,6 @@ static int extract_content(int argc, char **argv)
+@@ -308,8 +311,6 @@ static int extract_content(int argc, char **argv)
write_zero = false;
}
size_t devlen = strlen(devfn);
QDict *options = NULL;
if (format) {
-@@ -326,10 +327,14 @@ static int extract_content(int argc, char **argv)
+@@ -327,10 +328,14 @@ static int extract_content(int argc, char **argv)
qdict_put(options, "driver", qstring_from_str("raw"));
}
if (vma_reader_register_bs(vmar, i, bs, write_zero, &errp) < 0) {
g_error("%s", error_get_pretty(errp));
}
-@@ -362,6 +367,8 @@ static int extract_content(int argc, char **argv)
+@@ -363,6 +368,8 @@ static int extract_content(int argc, char **argv)
vma_reader_destroy(vmar);
-From 1209cadf111aaf73b53e568f78104340b4ffb0bd Mon Sep 17 00:00:00 2001
+From 8ff103236a11af9b2fa7f6df67af5383f16eb95b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 9 Sep 2016 14:51:28 +0200
Subject: [PATCH 38/47] vma: byte based write calls
return -1;
}
diff --git a/vma.c b/vma.c
-index a2ddd32..ff974bd 100644
+index ad51090..aafdc2d 100644
--- a/vma.c
+++ b/vma.c
-@@ -333,9 +333,7 @@ static int extract_content(int argc, char **argv)
+@@ -334,9 +334,7 @@ static int extract_content(int argc, char **argv)
error_get_pretty(errp));
}
g_error("%s", error_get_pretty(errp));
}
-@@ -427,7 +425,7 @@ static int verify_content(int argc, char **argv)
+@@ -428,7 +426,7 @@ static int verify_content(int argc, char **argv)
}
typedef struct BackupJob {
int64_t len;
VmaWriter *vmaw;
uint8_t dev_id;
-@@ -456,7 +454,7 @@ static void coroutine_fn backup_run(void *opaque)
+@@ -457,7 +455,7 @@ static void coroutine_fn backup_run(void *opaque)
int64_t start, end;
int ret = 0;
start = 0;
end = DIV_ROUND_UP(job->len / BDRV_SECTOR_SIZE,
-@@ -467,8 +465,8 @@ static void coroutine_fn backup_run(void *opaque)
+@@ -468,8 +466,8 @@ static void coroutine_fn backup_run(void *opaque)
iov.iov_len = VMA_CLUSTER_SIZE;
qemu_iovec_init_external(&qiov, &iov, 1);
if (ret < 0) {
vma_writer_set_error(job->vmaw, "read error", -1);
goto out;
-@@ -563,14 +561,14 @@ static int create_archive(int argc, char **argv)
+@@ -564,14 +562,14 @@ static int create_archive(int argc, char **argv)
path = extract_devname(path, &devname, devcount++);
Error *errp = NULL;
int dev_id = vma_writer_register_stream(vmaw, devname, size);
if (dev_id <= 0) {
unlink(archivename);
-@@ -579,7 +577,7 @@ static int create_archive(int argc, char **argv)
+@@ -580,7 +578,7 @@ static int create_archive(int argc, char **argv)
BackupJob *job = g_new0(BackupJob, 1);
job->len = size;
-From 8aaa1a8108aabdca93d866eeaa9308deae81cd70 Mon Sep 17 00:00:00 2001
+From cff67c37625c0cbf988702ef3a69c161024eba3a Mon Sep 17 00:00:00 2001
From: Alexandre Derumier <aderumier@odiso.com>
Date: Tue, 26 Jul 2016 16:51:00 +0200
Subject: [PATCH 39/47] rbd: disable rbd_cache_writethrough_until_flush with
1 file changed, 4 insertions(+)
diff --git a/block/rbd.c b/block/rbd.c
-index 5cefdbb..b0bb516 100644
+index 498322b..e9c02c6 100644
--- a/block/rbd.c
+++ b/block/rbd.c
-@@ -552,6 +552,10 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags,
+@@ -616,6 +616,10 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags,
rados_conf_set(s->cluster, "rbd_cache", "true");
}
-From 383a94de8f4f887a95b8089b2f0141321d94f5fe Mon Sep 17 00:00:00 2001
+From 821b6e565433da3132e6a4c69b8ce57912427f35 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 1 Aug 2016 10:52:46 +0200
Subject: [PATCH 40/47] enable cache=unsafe for vma extract_content and
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/savevm-async.c b/savevm-async.c
-index 7979435..76cd8fa 100644
+index 6ac03af..46c1be7 100644
--- a/savevm-async.c
+++ b/savevm-async.c
@@ -253,7 +253,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
{
Error *local_err = NULL;
-- int bdrv_oflags = BDRV_O_RDWR;
-+ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_NO_FLUSH;
+- int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE;
++ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE | BDRV_O_NO_FLUSH;
int ret;
if (snap_state.state != SAVE_STATE_DONE) {
diff --git a/vma.c b/vma.c
-index ff974bd..a8fa4ff 100644
+index aafdc2d..4f55799 100644
--- a/vma.c
+++ b/vma.c
-@@ -280,7 +280,7 @@ static int extract_content(int argc, char **argv)
+@@ -281,7 +281,7 @@ static int extract_content(int argc, char **argv)
} else if (di) {
char *devfn = NULL;
const char *format = NULL;
-From 9ea20572325cbc6df31293b863ccb8d2ae0e1dbd Mon Sep 17 00:00:00 2001
+From aa7a8a709827e37bd49c65018627799c6eced431 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 9 Sep 2016 15:21:19 +0200
Subject: [PATCH 41/47] savevm-async updates
1 file changed, 39 insertions(+), 40 deletions(-)
diff --git a/savevm-async.c b/savevm-async.c
-index 76cd8fa..8c76137 100644
+index 46c1be7..2f4766c 100644
--- a/savevm-async.c
+++ b/savevm-async.c
@@ -20,6 +20,8 @@
@@ -254,7 +257,6 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
Error *local_err = NULL;
- int bdrv_oflags = BDRV_O_RDWR | BDRV_O_NO_FLUSH;
+ int bdrv_oflags = BDRV_O_RDWR | BDRV_O_RESIZE | BDRV_O_NO_FLUSH;
- int ret;
if (snap_state.state != SAVE_STATE_DONE) {
goto the_end;
}
-@@ -516,10 +515,10 @@ int load_state_from_blockdev(const char *filename)
+@@ -515,10 +514,10 @@ int load_state_from_blockdev(const char *filename)
ret = 0;
the_end:
-From 704d008790dbccfd38aa55463c9e8bd873d08a3d Mon Sep 17 00:00:00 2001
+From ab26cbc8d8aab8ded854193994352216854904c7 Mon Sep 17 00:00:00 2001
From: Alexandre Derumier <aderumier@odiso.com>
Date: Tue, 13 Sep 2016 01:57:56 +0200
Subject: [PATCH 42/47] qmp_snapshot_drive: add aiocontext
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/savevm-async.c b/savevm-async.c
-index 8c76137..99ba132 100644
+index 2f4766c..5913a90 100644
--- a/savevm-async.c
+++ b/savevm-async.c
@@ -345,6 +345,7 @@ void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
-From ed8e3b7faeb3a36e1105aac4813cd9876735bd81 Mon Sep 17 00:00:00 2001
+From f51a30dbfc454e79b98c7a823db95d7b1532ea83 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 21 Oct 2016 09:09:26 +0200
Subject: [PATCH 43/47] vma: sizes passed to blk_co_preadv should be bytes now
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vma.c b/vma.c
-index a8fa4ff..752a21b 100644
+index 4f55799..0491542 100644
--- a/vma.c
+++ b/vma.c
-@@ -465,8 +465,8 @@ static void coroutine_fn backup_run(void *opaque)
+@@ -466,8 +466,8 @@ static void coroutine_fn backup_run(void *opaque)
iov.iov_len = VMA_CLUSTER_SIZE;
qemu_iovec_init_external(&qiov, &iov, 1);
+++ /dev/null
-From a7613eb93e702d5de5b40d17c4d4e95e8e5a010d Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Mon, 24 Oct 2016 09:32:36 +0200
-Subject: [PATCH 44/47] glusterfs: daemonize
-
----
- block/gluster.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/block/gluster.c b/block/gluster.c
-index 01b479f..6dcf926 100644
---- a/block/gluster.c
-+++ b/block/gluster.c
-@@ -341,9 +341,11 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
- }
- }
-
-- ret = glfs_set_logging(glfs, "-", gconf->debug_level);
-- if (ret < 0) {
-- goto out;
-+ if (!is_daemonized()) {
-+ ret = glfs_set_logging(glfs, "-", gconf->debug_level);
-+ if (ret < 0) {
-+ goto out;
-+ }
- }
-
- ret = glfs_init(glfs);
---
-2.1.4
-
--- /dev/null
+From 77846c1104d083aa09194b415b367d1b7021e4ee Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 24 Oct 2016 09:32:36 +0200
+Subject: [PATCH 44/47] glusterfs: no default logfile if daemonized
+
+---
+ block/gluster.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index a577dae..e712dc7 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -33,7 +33,7 @@
+ #define GLUSTER_DEBUG_DEFAULT 4
+ #define GLUSTER_DEBUG_MAX 9
+ #define GLUSTER_OPT_LOGFILE "logfile"
+-#define GLUSTER_LOGFILE_DEFAULT "-" /* handled in libgfapi as /dev/stderr */
++#define GLUSTER_LOGFILE_DEFAULT NULL
+
+ #define GERR_INDEX_HINT "hint: check in 'server' array index '%d'\n"
+
+@@ -398,6 +398,7 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
+ int old_errno;
+ SocketAddressFlatList *server;
+ unsigned long long port;
++ const char *logfile;
+
+ glfs = glfs_find_preopened(gconf->volume);
+ if (glfs) {
+@@ -433,9 +434,15 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
+ }
+ }
+
+- ret = glfs_set_logging(glfs, gconf->logfile, gconf->debug);
+- if (ret < 0) {
+- goto out;
++ logfile = gconf->logfile;
++ if (!logfile && !is_daemonized()) {
++ logfile = "-";
++ }
++ if (logfile) {
++ ret = glfs_set_logging(glfs, logfile, gconf->debug);
++ if (ret < 0) {
++ goto out;
++ }
+ }
+
+ ret = glfs_init(glfs);
+--
+2.1.4
+
-From 41cd2dcf03fe0187221a8d005f423cc091d76dfc Mon Sep 17 00:00:00 2001
+From 94ca45e2ec3ae7327465d17d765e694486a08ad7 Mon Sep 17 00:00:00 2001
From: Alexandre Derumier <aderumier@odiso.com>
Date: Mon, 7 Nov 2016 11:47:50 +0100
Subject: [PATCH 45/47] qmp_delete_drive_snapshot : add aiocontext
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/savevm-async.c b/savevm-async.c
-index 99ba132..660b25b 100644
+index 5913a90..3adf89f 100644
--- a/savevm-async.c
+++ b/savevm-async.c
@@ -427,6 +427,7 @@ void qmp_delete_drive_snapshot(const char *device, const char *name,
-From 593664f6efe07973f54d3cbcc4203c05ad68f6cf Mon Sep 17 00:00:00 2001
+From 37b358b0aa7b60c0a609e16394a89f5b3e1904f1 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 8 Nov 2016 11:13:06 +0100
Subject: [PATCH 46/47] convert savevm-async to threads
1 file changed, 88 insertions(+), 56 deletions(-)
diff --git a/savevm-async.c b/savevm-async.c
-index 660b25b..7b4c219 100644
+index 3adf89f..9f839fa 100644
--- a/savevm-async.c
+++ b/savevm-async.c
@@ -48,6 +48,8 @@ static struct SnapshotState {
-From 519bcfc6d86a42a643ee65a0741bb2418c7d2e67 Mon Sep 17 00:00:00 2001
+From 78c0d9821117e00137f67ed8e0503094771817cd Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 30 Nov 2016 10:27:47 +0100
Subject: [PATCH 47/47] glusterfs: allow partial reads
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/block/gluster.c b/block/gluster.c
-index 6dcf926..17c51ed 100644
+index e712dc7..daf6cec 100644
--- a/block/gluster.c
+++ b/block/gluster.c
-@@ -39,6 +39,7 @@ typedef struct GlusterAIOCB {
- QEMUBH *bh;
+@@ -42,6 +42,7 @@ typedef struct GlusterAIOCB {
+ int ret;
Coroutine *coroutine;
AioContext *aio_context;
+ bool is_write;
} GlusterAIOCB;
typedef struct BDRVGlusterState {
-@@ -623,8 +624,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg)
+@@ -705,8 +706,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg)
acb->ret = 0; /* Success */
} else if (ret < 0) {
acb->ret = -errno; /* Read/Write failed */
+ acb->ret = 0; /* Success */
}
- acb->bh = aio_bh_new(acb->aio_context, qemu_gluster_complete_aio, acb);
-@@ -861,6 +864,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs,
+ aio_co_schedule(acb->aio_context, acb->coroutine);
+@@ -954,6 +957,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs,
acb.ret = 0;
acb.coroutine = qemu_coroutine_self();
acb.aio_context = bdrv_get_aio_context(bs);
ret = glfs_zerofill_async(s->fd, offset, size, gluster_finish_aiocb, &acb);
if (ret < 0) {
-@@ -979,9 +983,11 @@ static coroutine_fn int qemu_gluster_co_rw(BlockDriverState *bs,
+@@ -1076,9 +1080,11 @@ static coroutine_fn int qemu_gluster_co_rw(BlockDriverState *bs,
acb.aio_context = bdrv_get_aio_context(bs);
if (write) {
ret = glfs_preadv_async(s->fd, qiov->iov, qiov->niov, offset, 0,
gluster_finish_aiocb, &acb);
}
-@@ -1044,6 +1050,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs)
+@@ -1142,6 +1148,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs)
acb.ret = 0;
acb.coroutine = qemu_coroutine_self();
acb.aio_context = bdrv_get_aio_context(bs);
ret = glfs_fsync_async(s->fd, gluster_finish_aiocb, &acb);
if (ret < 0) {
-@@ -1090,6 +1097,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs,
+@@ -1188,6 +1195,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs,
acb.ret = 0;
acb.coroutine = qemu_coroutine_self();
acb.aio_context = bdrv_get_aio_context(bs);
pve/0041-savevm-async-updates.patch
pve/0042-qmp_snapshot_drive-add-aiocontext.patch
pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch
-pve/0044-glusterfs-daemonize.patch
+pve/0044-glusterfs-no-default-logfile-if-daemonized.patch
pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch
pve/0046-convert-savevm-async-to-threads.patch
pve/0047-glusterfs-allow-partial-reads.patch
-#see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all
-extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
-extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
-extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch
-extra/0003-net-limit-allocation-in-nc_sendv_compat.patch
-extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
-extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
-extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
-extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
-extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
-extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
-extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
-extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
-extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
-extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
-extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
-extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
-extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
-extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
-extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
-extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
-extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
-extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
-extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
-extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
-extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
-extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
-extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
-extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
-extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
-extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
-extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
-extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
-extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
-extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
-extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
-extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
-extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
-extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
-extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
-extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
-extra/0003-cirrus-fix-blit-address-mask-handling.patch
-extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
-extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
-extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
-extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
-extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
-extra/0001-cirrus-fix-patterncopy-checks.patch
-extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
-extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch