git.proxmox.com Git - pve-qemu.git/commitdiff
import stable-4 build files
author Wolfgang Bumiller <w.bumiller@proxmox.com>
Wed, 5 Apr 2017 08:49:19 +0000 (10:49 +0200)
committer Wolfgang Bumiller <w.bumiller@proxmox.com>
Wed, 5 Apr 2017 09:39:09 +0000 (11:39 +0200)
117 files changed:
.gitmodules [new file with mode: 0644]
Makefile [new file with mode: 0644]
backup.txt [new file with mode: 0644]
debian/Logo.bmp [new file with mode: 0644]
debian/OVMF_CODE-pure-efi.fd [new file with mode: 0644]
debian/OVMF_README.txt [new file with mode: 0644]
debian/OVMF_VARS-pure-efi.fd [new file with mode: 0644]
debian/changelog [new file with mode: 0644]
debian/compat [new file with mode: 0644]
debian/control [new file with mode: 0644]
debian/copyright [new file with mode: 0644]
debian/docs [new file with mode: 0644]
debian/kvm-ifdown [new file with mode: 0755]
debian/kvm-ifup [new file with mode: 0755]
debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch [new file with mode: 0644]
debian/patches/extra/0001-cirrus-fix-patterncopy-checks.patch [new file with mode: 0644]
debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [new file with mode: 0644]
debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [new file with mode: 0644]
debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [new file with mode: 0644]
debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [new file with mode: 0644]
debian/patches/extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch [new file with mode: 0644]
debian/patches/extra/0003-cirrus-fix-blit-address-mask-handling.patch [new file with mode: 0644]
debian/patches/extra/0003-net-limit-allocation-in-nc_sendv_compat.patch [new file with mode: 0644]
debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch [new file with mode: 0644]
debian/patches/extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [new file with mode: 0644]
debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [new file with mode: 0644]
debian/patches/extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch [new file with mode: 0644]
debian/patches/extra/x86-lapic-Load-LAPIC-state-at-post_load.patch [new file with mode: 0644]
debian/patches/pve/0001-fr-ca-keymap-corrections.patch [new file with mode: 0644]
debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch [new file with mode: 0644]
debian/patches/pve/0003-vnc-altgr-emulation.patch [new file with mode: 0644]
debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch [new file with mode: 0644]
debian/patches/pve/0005-use-kvm-by-default.patch [new file with mode: 0644]
debian/patches/pve/0006-virtio-balloon-fix-query.patch [new file with mode: 0644]
debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch [new file with mode: 0644]
debian/patches/pve/0008-qapi-modify-query-machines.patch [new file with mode: 0644]
debian/patches/pve/0009-qapi-modify-spice-query.patch [new file with mode: 0644]
debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch [new file with mode: 0644]
debian/patches/pve/0011-introduce-new-vma-archive-format.patch [new file with mode: 0644]
debian/patches/pve/0012-vma-add-verify-command.patch [new file with mode: 0644]
debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch [new file with mode: 0644]
debian/patches/pve/0014-backup-modify-job-api.patch [new file with mode: 0644]
debian/patches/pve/0015-backup-add-pve-monitor-commands.patch [new file with mode: 0644]
debian/patches/pve/0016-backup-vma-add-dir-format.patch [new file with mode: 0644]
debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch [new file with mode: 0644]
debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch [new file with mode: 0644]
debian/patches/pve/0019-backup-vma-remove-async-queue.patch [new file with mode: 0644]
debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch [new file with mode: 0644]
debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch [new file with mode: 0644]
debian/patches/pve/0022-internal-snapshot-async.patch [new file with mode: 0644]
debian/patches/pve/0023-backup-vma-allow-empty-backups.patch [new file with mode: 0644]
debian/patches/pve/0024-qmp-add-get_link_status.patch [new file with mode: 0644]
debian/patches/pve/0025-smm_available-false.patch [new file with mode: 0644]
debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch [new file with mode: 0644]
debian/patches/pve/0027-vma-add-firewall.patch [new file with mode: 0644]
debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch [new file with mode: 0644]
debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch [new file with mode: 0644]
debian/patches/pve/0030-PVE-VNC-authentication.patch [new file with mode: 0644]
debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch [new file with mode: 0644]
debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch [new file with mode: 0644]
debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch [new file with mode: 0644]
debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch [new file with mode: 0644]
debian/patches/pve/0035-fix-possible-unitialised-return-value.patch [new file with mode: 0644]
debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch [new file with mode: 0644]
debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch [new file with mode: 0644]
debian/patches/pve/0038-vma-byte-based-write-calls.patch [new file with mode: 0644]
debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch [new file with mode: 0644]
debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch [new file with mode: 0644]
debian/patches/pve/0041-savevm-async-updates.patch [new file with mode: 0644]
debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch [new file with mode: 0644]
debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch [new file with mode: 0644]
debian/patches/pve/0044-glusterfs-daemonize.patch [new file with mode: 0644]
debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch [new file with mode: 0644]
debian/patches/pve/0046-convert-savevm-async-to-threads.patch [new file with mode: 0644]
debian/patches/pve/0047-glusterfs-allow-partial-reads.patch [new file with mode: 0644]
debian/patches/series [new file with mode: 0644]
debian/postinst [new file with mode: 0755]
debian/rules [new file with mode: 0755]
efi-roms-1182.tar.xz [new file with mode: 0644]
qemu [new submodule]
vma_spec.txt [new file with mode: 0644]

diff --git a/.gitmodules b/.gitmodules
new file mode 100644 (file)
index 0000000..3a8ed66
--- /dev/null
@@ -0,0 +1,3 @@
+[submodule "qemu"]
+       path = qemu
+       url = ../mirror_qemu
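Review bot: The submodule `url = ../mirror_qemu` is relative, so it resolves against whatever remote the superproject was cloned from; a clone taken from a mirror or fork fetches the QEMU tree from that host's sibling path instead of a fixed origin. Either use an absolute URL or document the expected repository layout next to this entry, so it is unambiguous where the qemu sources come from.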
diff --git a/Makefile b/Makefile
new file mode 100644 (file)
index 0000000..da36a9f
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,54 @@
+# also update debian/changelog
+KVMVER=2.7.1
+KVMPKGREL=4
+
+KVMPACKAGE = pve-qemu-kvm
+KVMSRC = qemu
+BUILDSRC = $(KVMSRC).tmp
+
+SRCDIR := qemu
+
+ARCH := $(shell dpkg-architecture -qDEB_BUILD_ARCH)
+GITVERSION := $(shell git rev-parse master)
+
+DEB = ${KVMPACKAGE}_${KVMVER}-${KVMPKGREL}_${ARCH}.deb
+DEB_DBG = ${KVMPACKAGE}-dbg_${KVMVER}-${KVMPKGREL}_${ARCH}.deb
+DEBS = $(DEB) $(DEB_DBG)
+
+
+all: $(DEBS)
+
+.PHONY: submodule
+submodule:
+       test -f "${SRCDIR}/debian/changelog" || git submodule update --init
+
+.PHONY: deb kvm
+deb kvm: $(DEBS)
+$(DEB_DBG): $(DEB)
+$(DEB): | submodule
+       rm -f *.deb
+       rm -rf $(BUILDSRC)
+       mkdir $(BUILDSRC)
+       cp -a $(KVMSRC)/* $(BUILDSRC)/
+       tar -C $(BUILDSRC) -xJf efi-roms-1182.tar.xz
+       cp -a debian $(BUILDSRC)/debian
+       echo "git clone git://git.proxmox.com/git/pve-qemu-kvm.git\\ngit checkout $(GITVERSION)" > $(BUILDSRC)/debian/SOURCE
+       # set package version
+       sed -i 's/^pkgversion="".*/pkgversion="${KVMPACKAGE}_${KVMVER}-${KVMPKGREL}"/' $(BUILDSRC)/configure
+       cd $(BUILDSRC); dpkg-buildpackage -b -rfakeroot -us -uc
+       lintian $(DEBS) || true
+
+.PHONY: upload
+upload: $(DEBS)
+       tar cf - $(DEBS) | ssh repoman@repo.proxmox.com upload --produce pve --dist jessie
+
+.PHONY: distclean
+distclean: clean
+
+.PHONY: clean
+clean:
+       rm -rf $(BUILDSRC) $(KVMPACKAGE)_* $(DEBS) *.buildinfo
+
+.PHONY: dinstall
+dinstall: $(DEBS)
+       dpkg -i $(DEBS)
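Review bot: `GITVERSION := $(shell git rev-parse master)` records the tip of the local master branch rather than the commit being built, so debian/SOURCE names the wrong commit whenever the package is built from another branch (this import is for stable-4) or from a detached checkout; `git rev-parse HEAD` would record what was actually built. In the same recipe, the SOURCE text advertises a `git://` clone URL, which is an unauthenticated transport, and `lintian $(DEBS) || true` discards every lintian failure, so a broken package still builds cleanly; both are worth revisiting.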
diff --git a/backup.txt b/backup.txt
new file mode 100644 (file)
index 0000000..0605250
--- /dev/null
@@ -0,0 +1,116 @@
+Efficient VM backup for qemu
+
+=Requirements=
+
+* Backup to a single archive file
+* Backup needs to contain all data to restore VM (full backup)
+* Do not depend on storage type or image format
+* Avoid use of temporary storage
+* store sparse images efficiently
+
+=Introduction=
+
+Most VM backup solutions use some kind of snapshot to get a consistent
+VM view at a specific point in time. For example, we previously used
+LVM to create a snapshot of all used VM images, which are then copied
+into a tar file.
+
+That basically means that any data written during backup involve
+considerable overhead. For LVM we get the following steps:
+
+1.) read original data (VM write)
+2.) write original data into snapshot (VM write)
+3.) write new data (VM write)
+4.) read data from snapshot (backup)
+5.) write data from snapshot into tar file (backup)
+
+Another approach to backup VM images is to create a new qcow2 image
+which use the old image as base. During backup, writes are redirected
+to the new image, so the old image represents a 'snapshot'. After
+backup, data need to be copied back from new image into the old
+one (commit). So a simple write during backup triggers the following
+steps:
+
+1.) write new data to new image (VM write)
+2.) read data from old image (backup)
+3.) write data from old image into tar file (backup)
+
+4.) read data from new image (commit)
+5.) write data to old image (commit)
+
+This is in fact the same overhead as before. Other tools like qemu
+livebackup produces similar overhead (2 reads, 3 writes).
+
+Some storage types/formats supports internal snapshots using some kind
+of reference counting (rados, sheepdog, dm-thin, qcow2). It would be possible
+to use that for backups, but for now we want to be storage-independent.
+
+=Make it more efficient=
+
+The be more efficient, we simply need to avoid unnecessary steps. The
+following steps are always required:
+
+1.) read old data before it gets overwritten
+2.) write that data into the backup archive
+3.) write new data (VM write)
+
+As you can see, this involves only one read, and two writes.
+
+To make that work, our backup archive need to be able to store image
+data 'out of order'. It is important to notice that this will not work
+with traditional archive formats like tar.
+
+During backup we simply intercept writes, then read existing data and
+store that directly into the archive. After that we can continue the
+write.
+
+==Advantages==
+
+* very good performance (1 read, 2 writes)
+* works on any storage type and image format.
+* avoid usage of temporary storage
+* we can define a new and simple archive format, which is able to
+  store sparse files efficiently.
+
+Note: Storing sparse files is a mess with existing archive
+formats. For example, tar requires information about holes at the
+beginning of the archive.
+
+==Disadvantages==
+
+* we need to define a new archive format
+
+Note: Most existing archive formats are optimized to store small files
+including file attributes. We simply do not need that for VM archives.
+
+* archive contains data 'out of order'
+
+If you want to access image data in sequential order, you need to
+re-order archive data. It would be possible to to that on the fly,
+using temporary files.
+
+Fortunately, a normal restore/extract works perfectly with 'out of
+order' data, because the target files are seekable.
+
+* slow backup storage can slow down VM during backup
+
+It is important to note that we only do sequential writes to the
+backup storage. Furthermore one can compress the backup stream. IMHO,
+it is better to slow down the VM a bit. All other solutions creates
+large amounts of temporary data during backup.
+
+=Archive format requirements=
+
+The basic requirement for such new format is that we can store image
+date 'out of order'. It is also very likely that we have less than 256
+drives/images per VM, and we want to be able to store VM configuration
+files.
+
+We have defined a very simply format with those properties, see:
+
+https://git.proxmox.com/?p=pve-qemu-kvm.git;a=blob;f=vma_spec.txt;
+
+Please let us know if you know an existing format which provides the
+same functionality.
+
+
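Review bot: Several typos in the added text obscure the meaning and should be fixed on import: "The be more efficient" (To be), "It would be possible to to that on the fly" (to do that), "store image date 'out of order'" (image data), and "a very simply format" (very simple). The closing link also points at vma_spec.txt in pve-qemu-kvm.git although the same file is added by this commit, so a reference to the in-tree file would not go stale.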
diff --git a/debian/Logo.bmp b/debian/Logo.bmp
new file mode 100644 (file)
index 0000000..4c46dd8
Binary files /dev/null and b/debian/Logo.bmp differ
diff --git a/debian/OVMF_CODE-pure-efi.fd b/debian/OVMF_CODE-pure-efi.fd
new file mode 100644 (file)
index 0000000..807676d
Binary files /dev/null and b/debian/OVMF_CODE-pure-efi.fd differ
diff --git a/debian/OVMF_README.txt b/debian/OVMF_README.txt
new file mode 100644 (file)
index 0000000..7085e29
--- /dev/null
@@ -0,0 +1,11 @@
+The OVMF images were built through the edk2 github repository.
+
+git clone https://github.com/tianocore/edk2
+
+set up the build environment
+
+copy the Logo.bmp to ./edk2/MdeModulePkg/Logo/
+
+call ./edk2/OvmfPkg/build.sh -a X64 -b RELEASE
+
+The license is under ./edk2/OvmfPkg/License.txt
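Review bot: The build notes do not say which edk2 commit or tag the shipped OVMF_CODE-pure-efi.fd and OVMF_VARS-pure-efi.fd were built from; `git clone https://github.com/tianocore/edk2` with no revision means the binaries cannot be rebuilt and compared against what is in the package. Record the edk2 revision and toolchain used, and spell out the "set up the build environment" step so the procedure can be repeated.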
diff --git a/debian/OVMF_VARS-pure-efi.fd b/debian/OVMF_VARS-pure-efi.fd
new file mode 100644 (file)
index 0000000..3b8bb9b
Binary files /dev/null and b/debian/OVMF_VARS-pure-efi.fd differ
diff --git a/debian/changelog b/debian/changelog
new file mode 100644 (file)
index 0000000..699e451
--- /dev/null
@@ -0,0 +1,1328 @@
+pve-qemu-kvm (2.7.1-4) unstable; urgency=medium
+
+  * fix CVE-2017-2620: display: cirrus: out-of-bounds access issue
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Feb 2017 14:19:57 +0100
+
+pve-qemu-kvm (2.7.1-3) unstable; urgency=medium
+
+  * more fixes for cirrus pattern fill operations
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Feb 2017 12:11:10 +0100
+
+pve-qemu-kvm (2.7.1-2) unstable; urgency=medium
+
+  * fix #1237: cirrus: fix pattern fill regressions
+
+  * fix CVE-2017-2615: cirrus: out of bounds access on backward blits
+
+  * fix CVE-2016-10028: virtio-gpu-3d: check virgl capabilities
+
+  * fix CVE-2016-10155: memory leak on unplugging an Intel 6300ESB watchdog
+
+  * remove debug output from LAPIC patch
+
+  * added 'qemu-utils' to replaces & provides
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 02 Feb 2017 10:01:53 +0100
+
+pve-qemu-kvm (2.7.1-1) unstable; urgency=medium
+
+  * update to qemu 2.7.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Jan 2017 07:57:17 +0100
+
+pve-qemu-kvm (2.7.0-10) unstable; urgency=medium
+
+  * fix CVE-2016-9776: net: mcf: check receive buffer size register value
+
+  * fix CVE-2016-9845: virtio-gpu: fix information leak in getting capset info dispatch
+
+  * fix CVE-2016-9846: virtio-gpu: fix memory leak in update_cursor_data_virgl
+
+  * fix CVE-2016-9907: usbredir: free vm_change_state_handler in usbredir destroy dispatch
+
+  * fix CVE-2016-9908: virtio-gpu: fix information leak in capset get dispatch
+
+  * fix CVE-2016-9911: usb: ehci: fix memory leak in ehci_init_transfer
+
+  * fix CVE-2016-9912: virtio-gpu: call cleanup mapping function in resource destroy
+
+  * fix CVE-2016-9913: 9pfs: adjust the order of resource cleanup in device unrealize
+
+  * fix CVE-2016-9914: 9pfs: add cleanup operation in FileOperations
+
+  * fix CVE-2016-9915: 9pfs: add cleanup operation for handle backend driver
+
+  * fix CVE-2016-9916: 9pfs: add cleanup operation for proxy backend driver
+
+  * fix CVE-2016-9921 and CVE-2016-9922:
+     display: cirrus: check vga bits per pixel(bpp) value
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Dec 2016 14:36:58 +0100
+
+pve-qemu-kvm (2.7.0-9) unstable; urgency=medium
+
+  * gluster: fix an issue with linked clones refusing to start
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 01 Dec 2016 11:59:55 +0100
+
+pve-qemu-kvm (2.7.0-8) unstable; urgency=medium
+
+  * correctly report live snapshots as active
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 15 Nov 2016 15:28:44 +0100
+
+pve-qemu-kvm (2.7.0-7) unstable; urgency=medium
+
+  * fix #1182: update EFI roms to include PXE fixes
+
+  * fix snapshot-with-RAM stability with some file systems
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 11 Nov 2016 15:02:28 +0100
+
+pve-qemu-kvm (2.7.0-6) unstable; urgency=medium
+
+  * fix deletion of snapshots on qcow2 while running with iothreads
+
+  * fix #796: live snapshot never finishes with some guests
+
+  * fix live snapshot while running with iothreads
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Nov 2016 11:45:02 +0100
+
+pve-qemu-kvm (2.7.0-5) unstable; urgency=medium
+
+  * fix a missing gluster dependency
+
+  * fix #1193: RAM state of snapshots with RAM getting truncated at creation
+
+  * fix CVE-2016-8909: audio: intel-hda: check stream entry count during transfer
+
+  * fix CVE-2016-8910: net: rtl8139: limit processing of ring descriptors
+
+  * fix CVE-2016-9101: net: eepro100: fix memory leak in device uninit
+
+  * fix CVE-2016-9102: 9pfs: fix memory leak in v9fs_xattrcreate
+
+  * fix CVE-2016-9103: 9pfs: fix information leak in xattr read
+
+  * fix CVE-2016-9104: 9pfs: fix integer overflow issue in xattr read/write
+
+  * fix CVE-2016-9105: 9pfs: fix memory leak in v9fs_link
+
+  * fix CVE-2016-9106: 9pfs: fix memory leak in v9fs_write
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Nov 2016 11:14:31 +0100
+
+pve-qemu-kvm (2.7.0-4) unstable; urgency=medium
+
+  * fix #1178: glusterfs daemonization problem
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Oct 2016 09:35:49 +0200
+
+pve-qemu-kvm (2.7.0-3) unstable; urgency=medium
+
+  * fix a crash when doing an offline backup via vma
+
+  * fix CVE-2016-8668: net: rocker: set limit to DMA buffer size
+
+  * fix CVE-2016-8669: char: serial: check divider value against baud base
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 21 Oct 2016 09:22:36 +0200
+
+pve-qemu-kvm (2.7.0-2) unstable; urgency=medium
+
+  * fix a crash when adding iothreads
+
+  * fix CVE-2016-8576: xhci: limit the number of link trbs we are willing to process
+
+  * fix CVE-2016-8577: 9pfs: fix potential host memory leak in v9fs_read
+
+  * fix CVE-2016-8578: 9pfs: allocate space for guest originated empty strings
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Oct 2016 15:20:52 +0200
+
+pve-qemu-kvm (2.7.0-1) unstable; urgency=medium
+
+  * update to qemu 2.7.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 09 Sep 2016 15:55:35 +0200
+
+pve-qemu-kvm (2.6.2-2) unstable; urgency=medium
+
+  * fix CVE-2016-7466: memory leak in usb_xhci_exit
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 07 Oct 2016 11:00:13 +0200
+
+pve-qemu-kvm (2.6.2-1) unstable; urgency=medium
+
+  * update to qemu 2.6.2
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 14:12:07 +0200
+
+pve-qemu-kvm (2.6.1-7) unstable; urgency=medium
+
+  * fix CVE-2016-7161: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
+
+  * fix CVE-2016-7422: virtio: add check for descriptor's mapped address
+
+  * fix CVE-2016-7907: net: imx: limit buffer descriptor count
+
+  * fix CVE-2016-7908: net: mcf: limit buffer descriptor count
+
+  * fix CVE-2016-7909: net: pcnet: check rx/tx descriptor ring length
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:11:52 +0200
+
+pve-qemu-kvm (2.6.1-6) unstable; urgency=medium
+
+  * fix #615: Windows guests suddenly hangs after couple times of migration
+
+  * fix CVE-2016-7170: vmsvga: correct bitmap and pixmap size checks
+
+  * fix CVE-2016-7421: scsi: pvscsi: limit process IO loop to ring size
+
+  * fix CVE-2016-7423: scsi: mptsas: use g_new0 to allocate MPTSASRequest
+    object
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 20 Sep 2016 09:42:12 +0200
+
+pve-qemu-kvm (2.6.1-5) unstable; urgency=medium
+
+  * qmp_snapshot_drive : add aiocontext
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Sep 2016 13:27:14 +0200
+
+pve-qemu-kvm (2.6.1-4) unstable; urgency=medium
+
+  * add new and correct ovmf images
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Sep 2016 12:25:29 +0200
+
+pve-qemu-kvm (2.6.1-3) unstable; urgency=medium
+
+  * fix CVE-2016-7116: various 9pfs fixe
+
+  * fix CVE-2016-7155: scsi: check page count while initialising
+    descriptor rings
+
+  * fix CVE-2016-7156: scsi: pvscsi: avoid infinite loop while building SG list
+
+  * fix CVE-2016-7157: scsi: mptconfig: fix an assert expression
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Sep 2016 12:14:02 +0200
+
+pve-qemu-kvm (2.6.1-2) unstable; urgency=medium
+
+  * virtio related live migration fixes
+
+  * vnc server surface refresh fix
+
+  * iscsi and network fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 25 Aug 2016 10:35:52 +0200
+
+pve-qemu-kvm (2.6.1-1) unstable; urgency=medium
+
+  * update to qemu 2.6.1
+
+  * Fix CVE-2016-6490: virtio: check vring descriptor buffer length
+
+  * Fix CVE-2016-6833: net: vmxnet3: check for device_active before write
+
+  * Fix CVE-2016-6834: net: check fragment length during fragmentation
+
+  * Fix CVE-2016-6835: net: vmxnet: check IP header length
+
+  * Fix CVE-2016-6836: net: vmxnet: initialise local tx descriptor
+
+  * Fix CVE-2016-6888: net: vmxnet: use g_new for pkt initialisation
+
+  * enable cache=unsafe for vma extract_content and qmp_savevm_start
+
+  * rbd : disable cache_writethtrough_until_flush with cache=unsafe
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 22 Aug 2016 11:55:38 +0200
+
+pve-qemu-kvm (2.6-1) unstable; urgency=medium
+
+  * update to qemu 2.6.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Jul 2016 10:00:31 +0200
+
+pve-qemu-kvm (2.5-19) unstable; urgency=medium
+
+  * fix CVE-2016-5105: scsi: megasas: initialise local configuration data
+    buffer
+
+  * fix CVE-2016-5106: scsi: megasas: use appropriate property buffer size
+
+  * fix fix CVE-2016-5107: scsi: megasas: check 'read_queue_head' index value
+
+  * fix fix CVE-2016-5126: block/iscsi: avoid potential overflow of
+    acb->task->cdb
+
+  * fix CVE-2016-4454: vmsvga: move fifo sanity checks to vmsvga_fifo_length
+  * fix CVE-2016-4453: vmsvga: don't process more than 1024 fifo commands at
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 31 May 2016 18:04:31 +0200
+
+pve-qemu-kvm (2.5-18) unstable; urgency=medium
+
+  * Fix CVE-2016-4952
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 May 2016 17:15:00 +0200
+
+pve-qemu-kvm (2.5-17) unstable; urgency=medium
+
+  * add fix for freezing win7 with VGA #991
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 12:51:10 +0200
+
+pve-qemu-kvm (2.5-16) unstable; urgency=medium
+
+  * update to qemu 2.5.1.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 10 May 2016 09:53:30 +0200
+
+pve-qemu-kvm (2.5-15) unstable; urgency=medium
+
+  * Fix #932: passing BDRV_O_PROTOCOL breaks qcow2 on gluster
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 29 Apr 2016 08:55:53 +0200
+
+pve-qemu-kvm (2.5-14) unstable; urgency=medium
+
+  * Fix CVE-2016-4037
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Apr 2016 15:43:48 +0200
+
+pve-qemu-kvm (2.5-13) unstable; urgency=medium
+
+  * fix 'i386: leakage of stack memory to guest in kvmvapic.c'
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 14 Apr 2016 17:06:52 +0200
+
+pve-qemu-kvm (2.5-12) unstable; urgency=medium
+
+  * Fix #934: assume raw for /dev paths in vma extract
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 13 Apr 2016 08:47:13 +0200
+
+pve-qemu-kvm (2.5-11) unstable; urgency=medium
+
+  * update to qemu 2.5.1
+
+  * target-i386: do not read/write MSR_TSC_AUX from KVM if CPUID
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 10:09:54 +0200
+
+pve-qemu-kvm (2.5-10) unstable; urgency=medium
+
+  * add the zeroinit block driver filter
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Mar 2016 09:47:53 +0100
+
+pve-qemu-kvm (2.5-9) unstable; urgency=medium
+
+  * Fix CVE-2016-2841, CVE-2016-2857, CVE-2016-2858
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Mar 2016 17:08:23 +0100
+
+pve-qemu-kvm (2.5-8) unstable; urgency=medium
+
+  * Fix CVE-2016-2538
+
+  * vma: better driver guessing for bdrv_open
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 24 Feb 2016 16:28:37 +0100
+
+pve-qemu-kvm (2.5-7) unstable; urgency=medium
+
+  * add fw_cfg-unbreak-migration-compatibility-for-2.4 patch
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 09:22:16 +0100
+
+pve-qemu-kvm (2.5-6) unstable; urgency=medium
+
+  * Fix CVE-2016-2392 and CVE-2016-2391
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Feb 2016 09:44:37 +0100
+
+pve-qemu-kvm (2.5-5) unstable; urgency=medium
+
+  * Fix #885: vma-writer: don't bail out on zero length files
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 11:37:52 +0100
+
+pve-qemu-kvm (2.5-4) unstable; urgency=medium
+
+  * Fix CVE-2016-2197 and CVE-2016-2198
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Feb 2016 17:16:09 +0100
+
+pve-qemu-kvm (2.5-3) unstable; urgency=medium
+
+  * Fix CVE-2016-1981
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Jan 2016 09:09:27 +0100
+
+pve-qemu-kvm (2.5-2) unstable; urgency=medium
+
+  * recompile for test environment
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Jan 2016 08:37:49 +0100
+
+pve-qemu-kvm (2.5-1) unstable; urgency=medium
+
+  * update qemu to 2.5.0
+
+  * removed upstream CVE fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Jan 2016 12:43:24 +0100
+
+pve-qemu-kvm (2.4-21) unstable; urgency=medium
+
+  * add correct fix for  CVE-2015-8619
+
+  * close #849: iproute is a transitional package for iproute2
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Jan 2016 15:23:23 +0100
+
+pve-qemu-kvm (2.4-20) unstable; urgency=medium
+
+  * Removing wrong CVE-2015-8619
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 08 Jan 2016 12:43:24 +0100
+
+pve-qemu-kvm (2.4-19) unstable; urgency=medium
+
+  * fix CVE-2015-8613 scsi: initialise info object with appropriate size
+
+  * fix CVE-2015-8619 hmp: avoid redundant null termination of buffer
+
+  * fix CVE-2015-8666 acpi: fix buffer overrun on migration
+
+  * fix CVE-2015-8701 net: rocker: fix an incorrect array bounds check
+
+  * fix CVE-2015-8743 net: ne2000: fix bounds check in ioport operations
+
+  * fix CVE-2015-8744 net/vmxnet3: Refine l2 header validation
+
+  * fix CVE-2015-8745 vmxnet3: Support reading IMR registers on bar0
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 11:12:13 +0100
+
+pve-qemu-kvm (2.4-18) unstable; urgency=medium
+
+  * fixes for CVEs 2015-7549, 2015-8858 and for vmxnet3
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Dec 2015 09:12:43 +0100
+
+pve-qemu-kvm (2.4-17) unstable; urgency=medium
+
+  * fix CVE-2015-8504
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Dec 2015 12:09:03 +0100
+
+pve-qemu-kvm (2.4-16) unstable; urgency=medium
+
+  * added fixes for CVE-2015-7504 and CVE-2015-7512
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Dec 2015 09:51:44 +0100
+
+pve-qemu-kvm (2.4-15) unstable; urgency=medium
+
+  * add ovmf uefi roms
+
+  * add firewall config to qmp_backup
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Nov 2015 07:56:51 +0100
+
+pve-qemu-kvm (2.4-14) unstable; urgency=medium
+
+  * savevm async : setup raw format by default fo vmstate file
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Nov 2015 06:26:53 +0100
+
+pve-qemu-kvm (2.4-13) unstable; urgency=medium
+
+  * update qemu to 2.4.1
+
+  * remove patch mirror-fix-coroutine-reentrance.patch (now upstream)
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 06 Nov 2015 09:47:21 +0100
+
+pve-qemu-kvm (2.4-12) unstable; urgency=medium
+
+  * define QEMU_PKGVERSION
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 09:40:37 +0200
+
+pve-qemu-kvm (2.4-11) unstable; urgency=medium
+
+  * update ipxe binaries, re-enable efi pxe ROMs
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 22 Oct 2015 08:47:07 +0200
+
+pve-qemu-kvm (2.4-10) unstable; urgency=medium
+
+  * pve-qemu-kvm : block: mirror - fix full sync mode when target
+    does not support zeroes init
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Oct 2015 17:06:22 +0200
+
+pve-qemu-kvm (2.4-9) unstable; urgency=medium
+
+  * qemu :disable smm support
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 30 Sep 2015 09:34:06 +0200
+
+pve-qemu-kvm (2.4-8) unstable; urgency=medium
+
+  * update qemu to 2.4.0.1 
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Sep 2015 06:40:27 +0200
+
+pve-qemu-kvm (2.4-7) unstable; urgency=medium
+
+  * savevm-async: move global_state_store to the end
+
+ -- Proxmox Support Team <support@proxmox.com>  Sun, 20 Sep 2015 10:08:02 +0200
+
+pve-qemu-kvm (2.4-6) unstable; urgency=medium
+
+  * fix snapshot/rollback of running vm
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 15 Sep 2015 09:07:32 +0200
+
+pve-qemu-kvm (2.4-5) unstable; urgency=medium
+
+  * vma create: correctly create empty (config only) archives 
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Sep 2015 11:27:06 +0200
+
+pve-qemu-kvm (2.4-4) unstable; urgency=medium
+
+  * fix q35 pci passthrough (revert commit b8eb5512)
+
+  * add depend on libjpeg62-turbo to avoid problems when
+    updating from wheezy.
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 05 Sep 2015 10:15:08 +0200
+
+pve-qemu-kvm (2.4-3) unstable; urgency=medium
+
+  * update to v2.4.0 final
+
+  * add mirror-fix-coroutine-reentrance.patch
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Aug 2015 17:00:49 +0200
+
+pve-qemu-kvm (2.4-2) unstable; urgency=medium
+
+  *  update to latest upstream (v2.4.0-rc4)
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 08 Aug 2015 15:14:25 +0200
+
+pve-qemu-kvm (2.4-1) unstable; urgency=medium
+
+  * update to latest upstream (v2.4.0-rc3)
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Jul 2015 09:38:14 +0200
+
+pve-qemu-kvm (2.3-8) unstable; urgency=medium
+
+  * update to latest upstream (v2.4.0-rc2 + a few more patches)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Jul 2015 10:07:20 +0200
+
+pve-qemu-kvm (2.3-7) unstable; urgency=medium
+
+  * update to latest upstream (v2.4.0-rc2 + a few patches)
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 09:59:07 +0200
+
+pve-qemu-kvm (2.3-6) unstable; urgency=medium
+
+  * qemu : add drive-mirror sleep patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 01 Jul 2015 06:16:47 +0200
+
+pve-qemu-kvm (2.3-5) unstable; urgency=medium
+
+  * use jemalloc as default memory allocator
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Jun 2015 17:08:37 +0200
+
+pve-qemu-kvm (2.3-4) unstable; urgency=medium
+
+  * remove tcmalloc
+
+  * Added patch for vvfat's file.label option
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Jun 2015 14:06:28 +0200
+
+pve-qemu-kvm (2.3-3) unstable; urgency=medium
+
+  * vma extract: add BlockDevice type to prevent warning
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Jun 2015 17:33:22 +0200
+
+pve-qemu-kvm (2.3-2) unstable; urgency=medium
+
+  * enable tcmalloc, depend on libgoogle-perftools4
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Jun 2015 10:44:24 +0200
+
+pve-qemu-kvm (2.3-1) unstable; urgency=medium
+
+  *  update to v2.3.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Jun 2015 06:05:00 +0200
+
+pve-qemu-kvm (2.2-8) unstable; urgency=medium
+
+  * fix package dependencies for Debian Jessie
+
+  * update to v2.2.1
+
+  * remove fix-mc146818rtc-wrong-subsection-name.patch (now upstream)
+  
+  * fix ballooning with memory hotplug
+    
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Mar 2015 07:12:43 +0100
+
+pve-qemu-kvm (2.2-7) unstable; urgency=low
+
+  * fix mc146818rtc wrong subsection name to avoid
+    vmstate_subsection_load() fail.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Feb 2015 17:38:31 +0100
+
+pve-qemu-kvm (2.2-6) unstable; urgency=low
+
+  * qmp: fix backup-cancel
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Dec 2014 07:21:24 +0100
+
+pve-qemu-kvm (2.2-5) unstable; urgency=low
+
+  * add new qmp command: get_link_status
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Dec 2014 10:42:20 +0100
+
+pve-qemu-kvm (2.2-4) unstable; urgency=low
+
+  * update to qemu v2.2.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 Dec 2014 06:18:34 +0100
+
+pve-qemu-kvm (2.2-3) unstable; urgency=low
+
+  * update to qemu v2.2.0-rc5
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:27:35 +0100
+
+pve-qemu-kvm (2.2-2) unstable; urgency=low
+
+  * update to qemu v2.2.0-rc3+ (commit 4cae4d5acaea23f3def84c8dc67ef5106323e5cb)
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 11:50:25 +0100
+
+pve-qemu-kvm (2.2-1) unstable; urgency=low
+
+  * update to qemu v2.2.0-rc2
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 20 Nov 2014 07:56:27 +0100
+
+pve-qemu-kvm (2.1-10) unstable; urgency=low
+
+  * enable support for write_zeroes and discard for images on xfs filesystem
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 13 Oct 2014 10:19:44 +0200
+
+pve-qemu-kvm (2.1-9) unstable; urgency=low
+
+  * update to v2.1.2
+  
+  * remove temporary patches (now upstream)
+    - virtio-net_drop_assert_on_vm_stop.patch
+    - revert_virtio_dont_call_device_on_not_vm_running.patch
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 26 Sep 2014 11:25:57 +0200
+
+pve-qemu-kvm (2.1-8) unstable; urgency=low
+
+  * apply patches/hotfix for virtio-net migration problem in 2.1.1
+    - virtio-net_drop_assert_on_vm_stop.patch
+    - revert_virtio_dont_call_device_on_not_vm_running.patch
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 16 Sep 2014 12:54:48 +0200
+
+pve-qemu-kvm (2.1-7) unstable; urgency=low
+
+  * update to v2.1.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Sep 2014 09:27:38 +0200
+
+pve-qemu-kvm (2.1-6) unstable; urgency=low
+
+  *  gluster: allow to specify a backup server
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Aug 2014 12:55:23 +0200
+
+pve-qemu-kvm (2.1-5) unstable; urgency=low
+
+  * glusterfs: do not log to stdout when daemonized
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Aug 2014 13:28:24 +0200
+
+pve-qemu-kvm (2.1-4) unstable; urgency=low
+
+  * depend on new libiscsi 1.12.0
+  
+  * depend on new glusterfs 3.5.2
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Aug 2014 08:18:43 +0200
+
+pve-qemu-kvm (2.1-3) unstable; urgency=low
+
+  * snapshot: fix reference counting bug
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Aug 2014 13:31:30 +0200
+
+pve-qemu-kvm (2.1-2) unstable; urgency=low
+
+  * update to v2.1.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 02 Aug 2014 15:00:58 +0200
+
+pve-qemu-kvm (2.1-1) unstable; urgency=low
+
+  * update to v2.1.0-rc2
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 16 Jul 2014 11:55:13 +0200
+
+pve-qemu-kvm (2.0-2) unstable; urgency=low
+
+  * update to latest qemu (commit 2a2c4830c0068d70443f3dddc4cc668f0c601b5c)
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 10:20:10 +0200
+
+pve-qemu-kvm (2.0-1) unstable; urgency=low
+
+  * update to qemu 2.0
+  
+  * remove virtio-net-fix-guest-triggerable-buffer-overrun-CVE-2014-0150.patch 
+    This is now included in upstream.
+
+  * depend on libiscsi2 (>= 1.11.0)
+  
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 05 May 2014 06:57:34 +0200
+
+pve-qemu-kvm (1.7-8) unstable; urgency=low
+
+  * fix guest-triggerable buffer overrun in virtio-net (CVE-2014-0150)
+  
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 22 Apr 2014 06:47:02 +0200
+
+pve-qemu-kvm (1.7-7) unstable; urgency=low
+
+  * vma: allows the creation of vma files without data streams
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Apr 2014 11:13:36 +0200
+
+pve-qemu-kvm (1.7-6) unstable; urgency=low
+
+  * backup: remove async queue (avoid segmentation fault)
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 27 Mar 2014 13:06:55 +0100
+
+pve-qemu-kvm (1.7-5) unstable; urgency=low
+
+  * update to 1.7.1
+  
+  * backup: do not report errors to the VM when backup fails.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Mar 2014 06:37:55 +0100
+
+pve-qemu-kvm (1.7-4) unstable; urgency=low
+
+  * disable efi enabled pxe boot roms (they do not work)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Jan 2014 12:58:46 +0100
+
+pve-qemu-kvm (1.7-3) unstable; urgency=low
+
+  * vma: add 'vma config' command to easily extract VM configuration
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Dec 2013 10:39:36 +0100
+
+pve-qemu-kvm (1.7-2) unstable; urgency=low
+
+  * depend on latest spice server libs
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2013 13:40:56 +0100
+
+pve-qemu-kvm (1.7-1) unstable; urgency=low
+
+  * remove qemu-img-convert-skipcreate-option.patch (now upstream)
+  
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 27 Nov 2013 10:55:35 +0100
+
+pve-qemu-kvm (1.4-17) unstable; urgency=low
+
+  * enable glusterfs backend
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Aug 2013 06:48:32 +0200
+
+pve-qemu-kvm (1.4-16) unstable; urgency=low
+
+  * add patch to use pce certs for spice by default
+  
+  * disable spice-socket.patch
+  
+  * Allow to query spice ticket
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2013 10:02:14 +0200
+
+pve-qemu-kvm (1.4-15) unstable; urgency=low
+
+  * add usbredir support to spice
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Jul 2013 07:41:20 +0200
+
+pve-qemu-kvm (1.4-14) unstable; urgency=low
+
+  * add experimental code to support spice 
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Jun 2013 06:41:52 +0200
+
+pve-qemu-kvm (1.4-13) unstable; urgency=low
+
+  * update to qemu 1.4.2
+  
+  * remove rbd-add-an-asynchronous-flush.patch (upstream now)
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Jun 2013 06:28:32 +0200
+
+pve-qemu-kvm (1.4-12) unstable; urgency=low
+
+  * vma create: only store basename of config file.
+  patch: 0009-vma-only-store-the-basename-of-a-configuration-file.patch
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2013 10:07:50 +0200
+
+pve-qemu-kvm (1.4-11) unstable; urgency=low
+
+  * rbd: add an asynchronous flush
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 07 May 2013 12:14:57 +0200
+
+pve-qemu-kvm (1.4-10) unstable; urgency=low
+
+  * bump version to 1.4-10
+
+  * this is based on qemu 1.4.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 16 Apr 2013 10:39:58 +0200
+
+pve-qemu-kvm (1.4-9) unstable; urgency=low
+
+  * vma restore: tolerate a size difference up to 4M
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Mar 2013 06:33:43 +0100
+
+pve-qemu-kvm (1.4-8) unstable; urgency=low
+
+  * vma: add 'vma verify' command to verify vma archives
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Mar 2013 11:10:34 +0100
+
+pve-qemu-kvm (1.4-7) unstable; urgency=low
+
+  * update seabios to 1.7.2.1 (fix freebsd boot)
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 09 Mar 2013 09:02:48 +0100
+
+pve-qemu-kvm (1.4-6) unstable; urgency=low
+
+  * set default cpu model to kvm64 (to avoid problems with windows activation)
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 25 Feb 2013 06:55:23 +0100
+
+pve-qemu-kvm (1.4-5) unstable; urgency=low
+
+  * update backup patches to v5
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Feb 2013 12:30:57 +0100
+
+pve-qemu-kvm (1.4-4) unstable; urgency=low
+
+  * update backup patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Feb 2013 10:43:04 +0100
+
+pve-qemu-kvm (1.4-3) unstable; urgency=low
+
+  * update to qemu 1.4.0 final
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 16 Feb 2013 09:24:06 +0100
+
+pve-qemu-kvm (1.4-2) unstable; urgency=low
+
+  * update to latest 1.4.0rc2
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Feb 2013 15:57:56 +0100
+
+pve-qemu-kvm (1.4-1) unstable; urgency=low
+
+  * update to latest 1.4.0 (03ec2f83087de34924489eeae0ea6fe7785cc050)
+
+  * remove ahci-add_migration-support.patch
+  
+  * remove balloon stat patches
+  
+  * remove always-update-expected-downtime.patch: seems latest qemu does 
+  not set that value anymore?
+  
+  * configure with --disable-smartcard-nss (else we need to install
+    vscclient and dynamic libraries)
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Feb 2013 12:04:09 +0100
+
+pve-qemu-kvm (1.3-18) unstable; urgency=low
+
+  * update qemu to v1.3.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Jan 2013 15:12:49 +0100
+
+pve-qemu-kvm (1.3-17) unstable; urgency=low
+
+  * update backup patches - removed threaded code - we use qemu-aio
+    instead to avoid problems in bdrv_drain_all().
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 22 Jan 2013 10:37:59 +0100
+
+pve-qemu-kvm (1.3-14) unstable; urgency=low
+
+  * update backup patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Jan 2013 10:53:21 +0100
+
+pve-qemu-kvm (1.3-13) unstable; urgency=low
+
+  * fix DSA-2608-1 qemu -- buffer overflow (see 
+  http://www.debian.org/security/2013/dsa-2608)
+  
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 17 Jan 2013 06:58:47 +0100
+
+pve-qemu-kvm (1.3-12) unstable; urgency=low
+
+  * update vma patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 04 Jan 2013 07:32:17 +0100
+
+pve-qemu-kvm (1.3-10) unstable; urgency=low
+
+  * include fixes for query-balloon
+  
+  * Update seabios to a810e4e72a0d42c7bc04eda57382f8e019add901
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 18 Dec 2012 12:38:36 +0100
+
+pve-qemu-kvm (1.3-9) unstable; urgency=low
+
+  * fixes for vma-reader
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Dec 2012 12:08:12 +0100
+
+pve-qemu-kvm (1.3-8) unstable; urgency=low
+
+  * re-enable balloon stats
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 11 Dec 2012 12:48:26 +0100
+
+pve-qemu-kvm (1.3-7) unstable; urgency=low
+
+  * update seabios to e8a76b0f225bba5ba9d63ab227e0a37b3beb1059
+  
+  * update vma patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 11 Dec 2012 11:06:43 +0100
+
+pve-qemu-kvm (1.3-6) unstable; urgency=low
+
+  * include vma utility
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Dec 2012 10:49:54 +0100
+
+pve-qemu-kvm (1.3-5) unstable; urgency=low
+
+  * update to qemu 1.3 final
+  
+  * include fix-off-by-1-error-in-RAM-migration-code.patch
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Dec 2012 06:18:16 +0100
+
+pve-qemu-kvm (1.3-4) unstable; urgency=low
+
+  * update to qemu 1.3 rc2 (bios update, fix lsi bug)
+  
+  * rm stream-fix-ratelimit_set_speed.patch (upstream)
+  
+  * update qemu backup patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Dec 2012 06:32:00 +0100
+
+pve-qemu-kvm (1.3-3) unstable; urgency=low
+
+  * include qemu backup patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2012 12:23:37 +0100
+
+pve-qemu-kvm (1.3-2) unstable; urgency=low
+
+  * update to qemu 1.3 rc1 (fix usb tablet)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 28 Nov 2012 08:48:12 +0100
+
+pve-qemu-kvm (1.3-1) unstable; urgency=low
+
+  * update to qemu 1.3 rc0
+  
+  * we now use qemu sources directly
+  
+  * remove update-cpus-x86_64.conf-to-rhel6.2-version.patch
+  
+  * remove ahci-properly-reset-pxcmd.patch (upstream)
+  
+  * remove sheepdog-fix-savevm-loadvm.patch (upstream)
+  
+  * remove set-max-nics.patch (no longer needed with -device syntax)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 21 Nov 2012 12:48:56 +0100
+
+pve-qemu-kvm (1.2-7) unstable; urgency=low
+
+  * cleanup snapshot support patches
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Oct 2012 09:45:48 +0200
+
+pve-qemu-kvm (1.2-6) unstable; urgency=low
+
+  * qemu-img: return success for non-existing snapshots on snapshot removal
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Sep 2012 11:09:09 +0200
+
+pve-qemu-kvm (1.2-5) unstable; urgency=low
+
+  * update to 1.2.0
+  
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 07 Sep 2012 07:40:06 +0200
+
+pve-qemu-kvm (1.2-4) unstable; urgency=low
+
+  * update to 1.2.0-rc2
+  
+  * add patch for experimental snapshot support
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Sep 2012 07:26:31 +0200
+
+pve-qemu-kvm (1.2-3) unstable; urgency=low
+
+  * fix ahci for win7
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Sep 2012 14:22:17 +0200
+
+pve-qemu-kvm (1.2-2) unstable; urgency=low
+
+  * add ahci migration support
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Aug 2012 10:52:20 +0200
+
+pve-qemu-kvm (1.2-1) unstable; urgency=low
+
+  * update to 1.2.0-rc1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Aug 2012 14:12:22 +0200
+
+pve-qemu-kvm (1.1-8) unstable; urgency=low
+
+  * fix bug 241: compile it with alsa support instead of oss
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Aug 2012 09:11:19 +0200
+
+pve-qemu-kvm (1.1-7) unstable; urgency=low
+
+  * Enable VeNCrypt PLAIN authentication
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 09 Aug 2012 10:05:52 +0200
+
+pve-qemu-kvm (1.1-6) unstable; urgency=low
+
+  * enable libiscsi
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 17 Jul 2012 11:35:47 +0200
+
+pve-qemu-kvm (1.1-5) unstable; urgency=low
+
+  * update to latest stable-1.1 branch (qemu-kvm-1.1.1)
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 17 Jul 2012 08:58:31 +0200
+
+pve-qemu-kvm (1.1-4) unstable; urgency=low
+
+  * update to latest stable-1.1 branch
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Jul 2012 07:11:06 +0200
+
+pve-qemu-kvm (1.1-3) unstable; urgency=low
+
+  * enable rbd support
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 05 Jun 2012 06:49:52 +0200
+
+pve-qemu-kvm (1.1-2) unstable; urgency=low
+
+  * update to qemu-kvm-1.1-rc3
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 24 May 2012 09:24:57 +0200
+
+pve-qemu-kvm (1.1-1) unstable; urgency=low
+
+  * update to qemu-kvm-1.1-rc2
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 21 May 2012 06:15:49 +0200
+
+pve-qemu-kvm (1.0-9) unstable; urgency=low
+
+  * revert patch to change prefer_msi and share_intx defaults
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Apr 2012 07:29:27 +0200
+
+pve-qemu-kvm (1.0-8) unstable; urgency=low
+
+  * include latest changes from master (update to commit 
+  a0bc8c313ce7da8937e190b1e0cfd051a9ba243e)
+  
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 26 Mar 2012 07:22:10 +0200
+
+pve-qemu-kvm (1.0-7) unstable; urgency=low
+
+  * include latest changes from master
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2012 07:11:15 +0100
+
+pve-qemu-kvm (1.0-6) unstable; urgency=low
+
+  * include changes from master
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Mar 2012 09:40:41 +0100
+
+pve-qemu-kvm (1.0-5) unstable; urgency=low
+
+  * fix usb tablet activation
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Feb 2012 09:54:52 +0100
+
+pve-qemu-kvm (1.0-4) unstable; urgency=low
+
+  * fix Westmere cpu definition
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 23 Feb 2012 13:44:38 +0100
+
+pve-qemu-kvm (1.0-3) unstable; urgency=low
+
+  * include latest updates from master
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 15 Feb 2012 11:32:23 +0100
+
+pve-qemu-kvm (1.0-2) unstable; urgency=low
+
+  * include post 1.0 changes from master
+  
+  * remove live-migration-fixes.diff: seem nobody needs that.
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 09 Feb 2012 13:15:14 +0100
+
+pve-qemu-kvm (1.0-1) unstable; urgency=low
+
+  * update to upstream 1.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 07 Dec 2011 09:58:07 +0100
+
+pve-qemu-kvm (0.15.0-1) unstable; urgency=low
+
+  * update to upstream 0.15.0
+
+  * depend on libaio1 (--enable-linux-aio)
+
+  * depend on libuuid1 (--enable-uuid)
+  
+  * use pxe roms from upstream qemu-kvm
+  
+  * do not use --disable-blobs (let qemu-kvm install files, and we remove
+    what we do not need)
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Aug 2011 10:00:44 +0200
+
+pve-qemu-kvm (0.14.1-1) unstable; urgency=low
+
+  * update to upstream 0.14.1
+  
+  * remove enable-ksm.diff patch (newer libc already have those
+    definitions)
+  
+  * also install vgabios-qxl.bin vgabios-stdvga.bin vgabios-vmware.bin
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 21 Jun 2011 06:30:29 +0200
+
+pve-qemu-kvm (0.14.0-1) unstable; urgency=low
+
+  * update to 0.14.0
+
+  * removed kvmtrace (removed from upstream?)
+  
+  * add vnc keyboard fixes for fr-ca (reported by Pierre-Yves)
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 25 Feb 2011 08:17:56 +0100
+
+pve-qemu-kvm (0.13.0-3) unstable; urgency=low
+
+  * fix vnc keyboard altgr/shift emulation
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 07 Dec 2010 12:45:16 +0100
+
+pve-qemu-kvm (0.13.0-2) unstable; urgency=low
+
+  * do not install unnecessary blobs (manually install blobs, use
+    --disable-blobs)
+
+  * update migration and vnc keymap patches for 0.13.0
+  
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 25 Oct 2010 13:46:03 +0200
+
+pve-qemu-kvm (0.13.0-1) unstable; urgency=low
+
+  * update to qemu-kvm-0.13.0
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Oct 2010 13:38:14 +0200
+
+pve-qemu-kvm (0.12.5-2) unstable; urgency=low
+
+  * enable up to 32 NICs (as suggested in the forum)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Oct 2010 08:23:07 +0200
+
+pve-qemu-kvm (0.12.5-1) unstable; urgency=low
+
+  * update to qemu-kvm-0.12.5
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 05 Aug 2010 11:01:56 +0200
+
+pve-qemu-kvm (0.12.4-1) unstable; urgency=low
+
+  * update to qemu-kvm-0.12.4
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 11 May 2010 08:14:29 +0200
+
+pve-qemu-kvm (0.12.3-1) unstable; urgency=low
+
+  * update to qemu-kvm-0.12.3
+  
+  * include gPXE 1.0 network boot
+  
+  * remove multicore.diff patch
+  
+  * do not install ppc and sparc bios files
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 14 Apr 2010 13:30:23 +0200
+
+pve-qemu-kvm (0.11.1-2) unstable; urgency=low
+
+  * Use/Include PXE boot ROMs from the Etherboot package
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2010 13:28:19 +0100
+
+pve-qemu-kvm (0.11.1-1) unstable; urgency=low
+
+  * update to qemu-kvm-0.11.1
+
+  * cleanup debian rules file
+  
+  * install kvmtrace kvmtrace_format and kvm_stat
+  
+  * configure with --disable-xen --with-kvm-trace 
+  
+  * depend on python for scripts
+  
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Dec 2009 14:44:56 +0100
+
+pve-qemu-kvm (0.11.0-2) stable; urgency=low
+
+  * fix live migration (live-migration-fxes.diff)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 30 Sep 2009 11:07:23 +0200
+
+pve-qemu-kvm (0.11.0-1) stable; urgency=low
+
+  * update to stable branch
+
+  * rename packare to pve-qemu-kvm
+       
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 28 Sep 2009 10:35:05 +0200
+
+pve-kvm (86-4) unstable; urgency=low
+
+  * include multicore patch from amd
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Sep 2009 10:40:00 +0200
+
+pve-kvm (86-3) unstable; urgency=low
+
+  * fix "i8042.c: No controller found" problem
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 15 Jun 2009 13:35:57 +0200
+
+pve-kvm (86-2) unstable; urgency=low
+
+  * add CPUID fix: http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commitdiff_plain;h=8fa3b3ce6e
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 09 Jun 2009 09:50:28 +0200
+
+pve-kvm (86-1) unstable; urgency=low
+
+  *  New upstream release
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 22 May 2009 09:16:27 +0200
+
+pve-kvm (85-1) unstable; urgency=low
+
+  *  New upstream release
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 28 Apr 2009 07:41:21 +0200
+
+pve-kvm (83-1) unstable; urgency=low
+
+  * New upstream release
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed,  7 Jan 2009 12:57:02 +0100
+
+pve-kvm (75-1) unstable; urgency=low
+
+  *  New upstream release
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Sep 2008 10:03:51 +0200
+
+pve-kvm (74-1) unstable; urgency=low
+
+  * New upstream release
+  
+  * added fairsched options
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Aug 2008 12:40:32 +0200
+
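Review bot: The trailer dates around the 2.4 to 2.5 transition are inconsistent: 2.4-20 and 2.5-1 carry the identical timestamp "Fri, 08 Jan 2016 12:43:24 +0100", and 2.4-21 (Mon, 11 Jan 2016) sits below 2.5-1 although it is dated later. Since 2.4-19 through 2.4-21 add, remove and re-add the CVE-2015-8619 fix, and 2.5-1 only says "removed upstream CVE fixes", the file cannot be used to tell which build first carried a correct fix; list the dropped CVE patches by ID in the 2.5-1 entry and correct the copied trailer. Smaller items: 2.4-18 mentions "vmxnet3" without a CVE ID, versions 1.3-11, 1.3-15 and 1.3-16 are skipped without comment, and there are typos in "fo vmstate file", "packare" and "live-migration-fxes.diff".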
diff --git a/debian/compat b/debian/compat
new file mode 100644 (file)
index 0000000..7ed6ff8
--- /dev/null
@@ -0,0 +1 @@
+5
diff --git a/debian/control b/debian/control
new file mode 100644 (file)
index 0000000..8c63066
--- /dev/null
@@ -0,0 +1,25 @@
+Source: pve-qemu-kvm
+Section: admin
+Priority: extra
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Build-Depends: debhelper (>= 5), autotools-dev, libpci-dev, quilt, texinfo, texi2html, libgnutls28-dev, libsdl1.2-dev, check, libaio-dev, uuid-dev, librbd-dev (>= 0.48), libiscsi-dev (>= 1.12.0), libspice-protocol-dev (>= 0.12.5),  pve-libspice-server-dev (>= 0.12.5-1), libusbredirparser-dev (>= 0.6-2), glusterfs-common (>= 3.5.2-1), libusb-1.0-0-dev (>= 1.0.17-1), xfslibs-dev, libnuma-dev, libjemalloc-dev, libjpeg-dev, libacl1-dev
+Standards-Version: 3.7.2
+
+Package: pve-qemu-kvm
+Architecture: any
+Depends: iproute2, bridge-utils, python, libsdl1.2debian, libaio1, libuuid1, ceph-common (>= 0.48), libiscsi4 (>= 1.12.0) | libiscsi7, pve-libspice-server1 (>= 0.12.5-1), ${shlibs:Depends}, ${misc:Depends}, libusbredirparser1 (>= 0.6-2), glusterfs-common (>= 3.5.2-1), libusb-1.0-0 (>= 1.0.17-1), numactl, libjemalloc1, libjpeg62-turbo
+Conflicts: qemu, qemu-kvm, qemu-utils, kvm, pve-kvm, pve-qemu-kvm-2.6.18
+Provides: qemu-utils
+Replaces: pve-kvm, pve-qemu-kvm-2.6.18, qemu-utils
+Description: Full virtualization on x86 hardware
+ Using KVM, one can run multiple virtual PCs, each running unmodified Linux or
+ Windows images. Each virtual machine has private virtualized hardware: a
+ network card, disk, graphics adapter, etc. 
+
+Package: pve-qemu-kvm-dbg
+Architecture: any
+Section: debug
+Depends: pve-qemu-kvm (= ${binary:Version})
+Description: pve qemu debugging symbols
+ This package contains the debugging symbols for pve-qemu-kvm.
+
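Review bot: In the pve-qemu-kvm Depends line, shared-library packages (libaio1, libuuid1, libjemalloc1, libusb-1.0-0, libusbredirparser1, libsdl1.2debian) are hard-coded next to ${shlibs:Depends}, which already derives them from the linked binaries; the hard-coded names will break or pin stale packages on the next soname change, so keep only those that need a minimum version or have a documented reason (libjpeg62-turbo has one in the 2.4-4 changelog entry, the others do not). Also worth addressing: the "python" dependency is unversioned, "Provides: qemu-utils" is unversioned so it cannot satisfy a versioned dependency on qemu-utils, and "Standards-Version: 3.7.2" with "debhelper (>= 5)" is far behind the toolchain the rest of the Build-Depends imply.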
diff --git a/debian/copyright b/debian/copyright
new file mode 100644 (file)
index 0000000..5348fdb
--- /dev/null
@@ -0,0 +1,92 @@
+This package was debianized by the proxmox support team <support@proxmox.com>
+
+
+It was downloaded from
+
+git://git.kernel.org/pub/scm/virt/kvm/qemu-kvm.git
+
+Upstream Author: Fabrice Bellard <fabrice.bellard@free.fr>
+
+Upstream Maintainers: Avi Kivity <avi@redhat.com>
+                      Anthony Liguori <aliguori@us.ibm.com>
+
+Copyright: Copyright (C) 2006 Qumranet, Inc.
+           Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008  Fabrice Bellard
+
+License:
+
+    QEMU as a whole is released under the GNU General Public License version 2.
+    On Debian systems, the complete text of the GNU General Public License
+    version 2 can be found in the file /usr/share/common-licenses/GPL-2.
+
+    Parts of QEMU have specific licenses which are compatible with the
+    GNU General Public License. Hence each source file contains its own
+    licensing information.
+
+    In particular, the QEMU virtual CPU core library (libqemu.a) is
+    released under the GNU Lesser General Public License version 2 or later.
+    On Debian systems, the complete text of the GNU Lesser General Public 
+    License can be found in the file /usr/share/common-licenses/LGPL.
+
+    Some hardware device emulation sources and other QEMU functionality are
+    released under the BSD license, including:
+     * aes, bsd-user, sd, slirp, sys-queue
+
+    Some hardware device emulation sources and other QEMU functionality are
+    released under the MIT/X11 (BSD-like) license, including:
+     * sdl, host-utils, vnc, keymaps, ioport, usb, hw/*, net, acl, block,
+       kqemu, monitor, curses, readline, vl, savevm, osdep, audio, tcg,
+       qemu-malloc, qemu-img
+
+    The following points clarify the QEMU license:
+     1) QEMU as a whole is released under the GNU General Public License
+     2) Parts of QEMU have specific licenses which are compatible with the
+        GNU General Public License. Hence each source file contains its own
+        licensing information.
+        In particular, the QEMU virtual CPU core library (libqemu.a) is
+        released under the GNU Lesser General Public License. Many hardware
+        device emulation sources are released under the BSD license.
+     3) The Tiny Code Generator (TCG) is released under the BSD license
+        (see license headers in files).
+     4) QEMU is a trademark of Fabrice Bellard.
+     -- Fabrice Bellard.
+
+    BIOS sources in QEMU:
+       bios.bin: Copyright (C) 2002 MandrakeSoft S.A. and others.  This file
+       is licensed under the GNU LGPL, version 2, or (at your option) any later
+       version.
+       Homepage: http://sourceforge.net/projects/bochs
+
+       vgabios.bin and vgabios-cirrus.bin: (C) 2003 the LGPL VGABios
+       developers Team. These files are licensed under the GNU LGPL, version 2,
+       or (at your option) any later version.
+       Homepage: http://savannah.nongnu.org/projects/vgabios
+
+BSD license:
+
+Copyright (c) The Regents of the University of California.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
diff --git a/debian/docs b/debian/docs
new file mode 100644 (file)
index 0000000..8696672
--- /dev/null
@@ -0,0 +1 @@
+debian/SOURCE
diff --git a/debian/kvm-ifdown b/debian/kvm-ifdown
new file mode 100755 (executable)
index 0000000..92b94c4
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0
\ No newline at end of file
diff --git a/debian/kvm-ifup b/debian/kvm-ifup
new file mode 100755 (executable)
index 0000000..29dae84
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+switch=$(/sbin/ip route list | awk '/^default / { print $NF }')
+/sbin/ifconfig $1 0.0.0.0 promisc up
+/sbin/brctl addif ${switch} $1
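Review bot: the `switch=` line takes `$NF` of the default route, which is the bridge name only when the device happens to be the last field; a route printed with trailing attributes (for example `metric 100` or `onlink`) yields the wrong token, and a host with no default route or with several yields an empty or multi-word value. Select the field that follows `dev` instead, exit non-zero when the result is empty, and quote `"$1"` and `"${switch}"` in the ifconfig and brctl lines.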
diff --git a/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch b/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
new file mode 100644 (file)
index 0000000..fdf5b7b
--- /dev/null
@@ -0,0 +1,33 @@
+From 603c472d61c354c30bc898b0e9ff1914302cbca9 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 4 Jul 2016 15:02:26 +0200
+Subject: [PATCH 1/3] Revert "target-i386: disable LINT0 after reset"
+
+This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb.
+---
+ hw/intc/apic_common.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
+index 14ac43c..1ed0511 100644
+--- a/hw/intc/apic_common.c
++++ b/hw/intc/apic_common.c
+@@ -246,6 +246,15 @@ static void apic_reset_common(DeviceState *dev)
+     info->vapic_base_update(s);
+     apic_init_reset(dev);
++
++    if (bsp) {
++        /*
++         * LINT0 delivery mode on CPU #0 is set to ExtInt at initialization
++         * time typically by BIOS, so PIC interrupt can be delivered to the
++         * processor when local APIC is enabled.
++         */
++        s->lvt[APIC_LVT_LINT0] = 0x700;
++    }
+ }
+ /* This function is only used for old state version 1 and 2 */
+-- 
+2.1.4
+
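Review bot: the commit message gives only the reverted hash, so nothing in this patch records why LINT0 has to be forced back to ExtInt on the BSP in `apic_reset_common`. State the guest or firmware behaviour that required the revert in the message, and consider giving the `0x700` written to `s->lvt[APIC_LVT_LINT0]` a name instead of leaving it as a bare constant.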
diff --git a/debian/patches/extra/0001-cirrus-fix-patterncopy-checks.patch b/debian/patches/extra/0001-cirrus-fix-patterncopy-checks.patch
new file mode 100644 (file)
index 0000000..d31da17
--- /dev/null
@@ -0,0 +1,100 @@
+From 391a9e6fd8c6cf615f2ffe44bb85245df52cc2b6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 9 Feb 2017 14:02:20 +0100
+Subject: [PATCH 1/2] cirrus: fix patterncopy checks
+
+The blit_region_is_unsafe checks don't work correctly for the
+patterncopy source.  It's a fixed-sized region, which doesn't
+depend on cirrus_blt_{width,height}.  So go do the check in
+cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
+it doesn't need to verify the source.  Also handle the case where we
+blit from cirrus_bitbuf correctly.
+
+This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.
+
+Security impact:  I think for the most part error on the safe side this
+time, refusing blits which should have been allowed.
+
+Only exception is placing the blit source at the end of the video ram,
+so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
+even in that case I'm not fully sure this actually allows read access to
+host memory.  To trick the commit 5858dd18 security checks one has to
+pick very small cirrus_blt_{width,height} values, which in turn implies
+only a fraction of the blit source will actually be used.
+
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 16f27e8..6bd13fc 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
+     }
+ }
+-static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+-                                          const uint8_t * src)
++static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
+ {
++    uint32_t patternsize;
+     uint8_t *dst;
++    uint8_t *src;
+     dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
+-    if (blit_is_unsafe(s, false, true)) {
++    if (videosrc) {
++        switch (s->vga.get_bpp(&s->vga)) {
++        case 8:
++            patternsize = 64;
++            break;
++        case 15:
++        case 16:
++            patternsize = 128;
++            break;
++        case 24:
++        case 32:
++        default:
++            patternsize = 256;
++            break;
++        }
++        s->cirrus_blt_srcaddr &= ~(patternsize - 1);
++        if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
++            return 0;
++        }
++        src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
++    } else {
++        src = s->cirrus_bltbuf;
++    }
++
++    if (blit_is_unsafe(s, true, true)) {
+         return 0;
+     }
+@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ {
+-    return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
+-                                            (s->cirrus_blt_srcaddr & ~7));
++    return cirrus_bitblt_common_patterncopy(s, true);
+ }
+ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
+     if (s->cirrus_srccounter > 0) {
+         if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
+-            cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
++            cirrus_bitblt_common_patterncopy(s, false);
+         the_end:
+             s->cirrus_srccounter = 0;
+             cirrus_bitblt_reset(s);
+-- 
+2.1.4
+
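Review bot: in the `videosrc` branch of `cirrus_bitblt_common_patterncopy`, `s->cirrus_blt_srcaddr &= ~(patternsize - 1)` writes the rounded address back into device state and tightens the alignment from the previous `& ~7` to 64, 128 or 256 bytes, neither of which the commit message mentions. Keep the aligned value in a local, or add a comment explaining why the stored address is rewritten. The `default:` label also maps any unexpected `get_bpp()` result to 256, which deserves a one-line comment.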
diff --git a/debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch b/debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
new file mode 100644 (file)
index 0000000..a95cf1b
--- /dev/null
@@ -0,0 +1,51 @@
+From b3ce5aeaacdd0cec5bab1d83ee24bae73b0dd506 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 25 Jan 2017 14:48:57 +0100
+Subject: [PATCH 1/4] cirrus: handle negative pitch in
+ cirrus_invalidate_region()
+
+cirrus_invalidate_region() calls memory_region_set_dirty()
+on a per-line basis, always ranging from off_begin to
+off_begin+bytesperline. With a negative pitch off_begin
+marks the top most used address and thus we need to do an
+initial shift backwards by a line for negative pitches of
+backward blits, otherwise the first iteration covers the
+line going from the start offset forwards instead of
+backwards.
+Additionally since the start address is inclusive, if we
+shift by a full `bytesperline` we move to the first address
+*not* included in the blit, so we only shift by one less
+than bytesperline.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
+
+[ kraxel: codestyle fixes ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 379910d..0f05e45 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
+     int off_cur;
+     int off_cur_end;
++    if (off_pitch < 0) {
++        off_begin -= bytesperline - 1;
++    }
++
+     for (y = 0; y < lines; y++) {
+       off_cur = off_begin;
+       off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
++        assert(off_cur_end >= off_cur);
+         memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
+       off_begin += off_pitch;
+     }
+-- 
+2.1.4
+
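Review bot: the new `assert(off_cur_end >= off_cur)` compares a value wrapped by `s->cirrus_addr_mask` with `off_cur`, which is never masked. If `off_cur` sits close enough to the top of the mask that `off_cur + bytesperline` wraps, the assert fires and aborts the whole process; if `off_begin -= bytesperline - 1` takes it below zero, the assert passes and a negative offset reaches `memory_region_set_dirty`. Since the blit registers are written by the guest, range-check `off_cur` and skip or clamp the line when the range wraps instead of asserting.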
diff --git a/debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
new file mode 100644 (file)
index 0000000..2b24cdd
--- /dev/null
@@ -0,0 +1,72 @@
+From f5dc8e6b503fda1ed87c0f4f53c6d2c76a584872 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Mon, 9 Jan 2017 13:35:20 -0700
+Subject: [PATCH 1/5] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index bdb092e..379910d 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
++    if (dst_only) {
++        return false;
++    }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+     (*s->cirrus_rop) (s, dst, src,
+@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+-    if (blit_is_unsafe(s)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.1.4
+
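Review bot: `blit_is_unsafe(s, true)` and `blit_is_unsafe(s, false)` give no hint at the call site of which regions are checked, and only `cirrus_bitblt_solidfill` is meant to skip the source check, so a later caller that passes `true` by mistake silently loses the source bounds check. Add a comment on the `dst_only` parameter saying it is valid only for operations that never read from `cirrus_blt_srcaddr`, and add the braces that the touched `if (blit_is_unsafe(s, false))` lines still lack.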
diff --git a/debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch b/debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
new file mode 100644 (file)
index 0000000..0b8e6ed
--- /dev/null
@@ -0,0 +1,101 @@
+From cba280fe94eaed53952e2997cac1ee2bed6cfdee Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 10 Feb 2017 08:34:03 +0100
+Subject: [PATCH 2/2] Revert "cirrus: allow zero source pitch in pattern fill
+ rops"
+
+This reverts commit cf9c099a7694eb47ded529e1ed40ee8789f32d31.
+
+Conflicts:
+       hw/display/cirrus_vga.c
+---
+ hw/display/cirrus_vga.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 6bd13fc..92e7951 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+                                   int32_t pitch, int32_t addr)
+ {
++    if (!pitch) {
++        return true;
++    }
+     if (pitch < 0) {
+         int64_t min = addr
+             + ((int64_t)s->cirrus_blt_height - 1) * pitch
+@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+-                           bool zero_src_pitch_ok)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+-    int32_t check_pitch;
+-
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+     assert(s->cirrus_blt_height > 0);
+@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+         return true;
+     }
+-    if (!s->cirrus_blt_dstpitch) {
+-        return true;
+-    }
+-
+     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+                               s->cirrus_blt_dstaddr)) {
+         return true;
+@@ -314,14 +310,8 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+     if (dst_only) {
+         return false;
+     }
+-
+-    check_pitch = s->cirrus_blt_srcpitch;
+-    if (!zero_src_pitch_ok && !check_pitch) {
+-        check_pitch = s->cirrus_blt_width;
+-    }
+-
+-    if (blit_region_is_unsafe(s, check_pitch,
+-                              s->cirrus_blt_srcaddr)) {
++    if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
++                              s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
+@@ -715,9 +705,8 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
+         src = s->cirrus_bltbuf;
+     }
+-    if (blit_is_unsafe(s, true, true)) {
++    if (blit_is_unsafe(s, true))
+         return 0;
+-    }
+     (*s->cirrus_rop) (s, dst, src,
+                       s->cirrus_blt_dstpitch, 0,
+@@ -734,7 +723,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+-    if (blit_is_unsafe(s, true, true)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -834,7 +823,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s, false, false))
++    if (blit_is_unsafe(s, false))
+         return 0;
+     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.1.4
+
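Review bot: after conflict resolution the destination check passes `s->cirrus_blt_dstaddr` unmasked while the restored source check passes `s->cirrus_blt_srcaddr & s->cirrus_addr_mask`, so the two `blit_region_is_unsafe` calls in `blit_is_unsafe` no longer treat the address the same way. Use one form for both, and say in the commit message why the revert is needed and how the conflict was resolved; it currently lists only the hash and the conflicting file. The rewritten `if (blit_is_unsafe(s, true))` in `cirrus_bitblt_common_patterncopy` also drops its braces.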
diff --git a/debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch b/debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
new file mode 100644 (file)
index 0000000..7431baf
--- /dev/null
@@ -0,0 +1,102 @@
+From cf9c099a7694eb47ded529e1ed40ee8789f32d31 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 24 Jan 2017 16:35:38 +0100
+Subject: [PATCH 2/4] cirrus: allow zero source pitch in pattern fill rops
+
+The rops used by cirrus_bitblt_common_patterncopy only use
+the destination pitch, so the source pitch shoul allowed to
+be zero and the blit with used for the range check around the
+source address.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 0f05e45..98f089e 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+                                   int32_t pitch, int32_t addr)
+ {
+-    if (!pitch) {
+-        return true;
+-    }
+     if (pitch < 0) {
+         int64_t min = addr
+             + ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
++                           bool zero_src_pitch_ok)
+ {
++    int32_t check_pitch;
++
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+     assert(s->cirrus_blt_height > 0);
+@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+         return true;
+     }
++    if (!s->cirrus_blt_dstpitch) {
++        return true;
++    }
++
+     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+     if (dst_only) {
+         return false;
+     }
+-    if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
++
++    check_pitch = s->cirrus_blt_srcpitch;
++    if (!zero_src_pitch_ok && !check_pitch) {
++        check_pitch = s->cirrus_blt_width;
++    }
++
++    if (blit_region_is_unsafe(s, check_pitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
+@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+-    if (blit_is_unsafe(s, false))
++    if (blit_is_unsafe(s, false, true)) {
+         return 0;
++    }
+     (*s->cirrus_rop) (s, dst, src,
+                       s->cirrus_blt_dstpitch, 0,
+@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+-    if (blit_is_unsafe(s, true)) {
++    if (blit_is_unsafe(s, true, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s, false))
++    if (blit_is_unsafe(s, false, false))
+         return 0;
+     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.1.4
+
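Review bot: moving the zero-pitch rejection out of `blit_region_is_unsafe` changes more than the pattern fill path. `cirrus_bitblt_videotovideo_copy` calls `blit_is_unsafe(s, false, false)`, where a zero `cirrus_blt_srcpitch` used to be refused and is now range-checked with `cirrus_blt_width` substituted as the pitch. The commit message covers only pattern fills, so document that substitution next to `check_pitch`. Two adjacent bool parameters are also easy to transpose at the call sites (`(s, false, true)`, `(s, true, true)`, `(s, false, false)`); a flags enum would make them self-describing.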
diff --git a/debian/patches/extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch b/debian/patches/extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch
new file mode 100644 (file)
index 0000000..5090662
--- /dev/null
@@ -0,0 +1,31 @@
+From 1313d27fc347633d0cf6fc2ff8cbe17a740dd658 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Thu, 11 Aug 2016 00:42:20 +0530
+Subject: [PATCH 2/3] net: vmxnet: initialise local tx descriptor
+
+In Vmxnet3 device emulator while processing transmit(tx) queue,
+when it reaches end of packet, it calls vmxnet3_complete_packet.
+In that local 'txcq_descr' object is not initialised, which could
+leak host memory bytes a guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/vmxnet3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 90f6943..92f6af9 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
+     VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
++    memset(&txcq_descr, 0, sizeof(txcq_descr));
+     txcq_descr.txdIdx = tx_ridx;
+     txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/0003-cirrus-fix-blit-address-mask-handling.patch b/debian/patches/extra/0003-cirrus-fix-blit-address-mask-handling.patch
new file mode 100644 (file)
index 0000000..39a410a
--- /dev/null
@@ -0,0 +1,104 @@
+From a173829e6ebd8b2d7f29028f106173ba067c8b8c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 25 Jan 2017 11:09:56 +0100
+Subject: [PATCH 3/4] cirrus: fix blit address mask handling
+
+Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
+right after assigning them, in cirrus_bitblt_start(), instead of having
+this all over the place in the cirrus code, and missing a few places.
+
+Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
+---
+ hw/display/cirrus_vga.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 98f089e..7db6409 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+     }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+-                              s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
++                              s->cirrus_blt_dstaddr)) {
+         return true;
+     }
+     if (dst_only) {
+@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
+     }
+     if (blit_region_is_unsafe(s, check_pitch,
+-                              s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
++                              s->cirrus_blt_srcaddr)) {
+         return true;
+     }
+@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ {
+     uint8_t *dst;
+-    dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
++    dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
+     if (blit_is_unsafe(s, false, true)) {
+         return 0;
+@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+-    rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++    rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
+              s->cirrus_blt_dstpitch,
+              s->cirrus_blt_width, s->cirrus_blt_height);
+     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ {
+-    return cirrus_bitblt_common_patterncopy(s,
+-                                          s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
+-                                            s->cirrus_addr_mask));
++    return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
++                                            (s->cirrus_blt_srcaddr & ~7));
+ }
+ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+     if (notify)
+         graphic_hw_update(s->vga.con);
+-    (*s->cirrus_rop) (s, s->vga.vram_ptr +
+-                    (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+-                    s->vga.vram_ptr +
+-                    (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
++    (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
++                      s->vga.vram_ptr + s->cirrus_blt_srcaddr,
+                     s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
+                     s->cirrus_blt_width, s->cirrus_blt_height);
+@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
+         } else {
+             /* at least one scan line */
+             do {
+-                (*s->cirrus_rop)(s, s->vga.vram_ptr +
+-                                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++                (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
+                                   s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
+                                          s->cirrus_blt_width, 1);
+@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
+     s->cirrus_blt_modeext = s->vga.gr[0x33];
+     blt_rop = s->vga.gr[0x32];
++    s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
++    s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
++
+ #ifdef DEBUG_BITBLT
+     printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
+            blt_rop,
+-- 
+2.1.4
+
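Review bot: with the per-use `& s->cirrus_addr_mask` removed, every `s->vga.vram_ptr + s->cirrus_blt_dstaddr` and `s->vga.vram_ptr + s->cirrus_blt_srcaddr` relies on the address having been masked once in `cirrus_bitblt_start` and never changed afterwards. That holds only if nothing advances the address later; the `do` loop in `cirrus_bitblt_cputovideo_next` is the place to verify, since its body continues past the visible context. Add a comment at the two new `&=` lines stating the invariant, and re-mask or re-check wherever the address is updated after start.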
diff --git a/debian/patches/extra/0003-net-limit-allocation-in-nc_sendv_compat.patch b/debian/patches/extra/0003-net-limit-allocation-in-nc_sendv_compat.patch
new file mode 100644 (file)
index 0000000..0bdb236
--- /dev/null
@@ -0,0 +1,37 @@
+From 2705772316ff905f3ed08871c602fca1c636f332 Mon Sep 17 00:00:00 2001
+From: Peter Lieven <pl@kamp.de>
+Date: Thu, 30 Jun 2016 11:49:40 +0200
+Subject: [PATCH 3/3] net: limit allocation in nc_sendv_compat
+
+we only need to allocate enough memory to hold the packet. This might be
+less than NET_BUFSIZE. Additionally fail early if the packet is larger
+than NET_BUFSIZE.
+
+Signed-off-by: Peter Lieven <pl@kamp.de>
+---
+ net/net.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/net.c b/net/net.c
+index c94d93d..2ac46a6 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -690,9 +690,13 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov,
+         buffer = iov[0].iov_base;
+         offset = iov[0].iov_len;
+     } else {
+-        buf = g_new(uint8_t, NET_BUFSIZE);
++        offset = iov_size(iov, iovcnt);
++        if (offset > NET_BUFSIZE) {
++            return -1;
++        }
++        buf = g_malloc(offset);
+         buffer = buf;
+-        offset = iov_to_buf(iov, iovcnt, 0, buf, NET_BUFSIZE);
++        offset = iov_to_buf(iov, iovcnt, 0, buf, offset);
+     }
+     if (flags & QEMU_NET_PACKET_FLAG_RAW && nc->info->receive_raw) {
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch b/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
new file mode 100644 (file)
index 0000000..017f55a
--- /dev/null
@@ -0,0 +1,61 @@
+From da4c6050712be98934918e348aa34a74be0e4e57 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 31 Jan 2017 17:54:15 +0530
+Subject: [PATCH 3/8] sd: sdhci: check transfer mode register in multi block
+ transfer
+
+In SDHCI device emulation the transfer mode register value
+is used during multi block transfer to check if block count
+register is enabled and should be updated. Transfer mode
+register could be set such that, block count register would
+not be updated, thus leading to an infinite loop. Add check
+to avoid it.
+
+Reported-by: Wjjzhang <wjjzhang@tencent.com>
+Reported-by: Jiang Xin <jiangxin1@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/sd/sdhci.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 01fbf22..35f953a 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -486,6 +486,12 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+     uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
+     uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
++    if (!(s->trnmod & SDHC_TRNS_MULTI)
++        || !(s->trnmod & SDHC_TRNS_BLK_CNT_EN)
++        || !s->blkcnt) {
++        return;
++    }
++
+     /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
+      * possible stop at page boundary if initial address is not page aligned,
+      * allow them to work properly */
+@@ -797,11 +803,6 @@ static void sdhci_data_transfer(void *opaque)
+     if (s->trnmod & SDHC_TRNS_DMA) {
+         switch (SDHC_DMA_TYPE(s->hostctl)) {
+         case SDHC_CTRL_SDMA:
+-            if ((s->trnmod & SDHC_TRNS_MULTI) &&
+-                    (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
+-                break;
+-            }
+-
+             if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
+                 sdhci_sdma_transfer_single_block(s);
+             } else {
+@@ -1050,7 +1051,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!(s->capareg & SDHC_CAN_DO_DMA)) {
+             value &= ~SDHC_TRNS_DMA;
+         }
+-        MASKED_WRITE(s->trnmod, mask, value);
++        MASKED_WRITE(s->trnmod, mask, value & 0x0037);
+         MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
+         /* Writing to the upper byte of CMDREG triggers SD command generation */
+-- 
+2.1.4
+
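Review bot: `MASKED_WRITE(s->trnmod, mask, value & 0x0037)` in `sdhci_write` introduces a constant that neither the code nor the commit message explains. Build the mask from the named `SDHC_TRNS_*` bits, or add a comment listing which transfer mode bits remain writable, so the set can be audited. The early `return` added to `sdhci_sdma_transfer_multi_blocks` would also benefit from a short comment saying it exists to stop the loop when the block count would never be decremented.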
diff --git a/debian/patches/extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch b/debian/patches/extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
new file mode 100644 (file)
index 0000000..fb59147
--- /dev/null
@@ -0,0 +1,50 @@
+From e3ff618899e53791fdff5dbd3f8fa889a2ed7b1d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 1 Feb 2017 09:35:01 +0100
+Subject: [PATCH 4/4] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Message-id: 5887254f.863a240a.2c122.5500@mx.google.com
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7db6409..16f27e8 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max > s->vga.vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vga.vram_size) {
+             return true;
+         }
+     } else {
+-- 
+2.1.4
+
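Review bot: the new bound `min < -1` in the negative-pitch branch of `blit_region_is_unsafe` depends on a specific reading of `addr` for backward blits, and the only explanation is the bracketed note in the commit message. Add a comment above the check stating that `addr` is the topmost byte touched, so the lowest byte accessed is `min + 1`, and that `addr >= s->vga.vram_size` is the matching upper bound. Without it the `-1` reads like an off-by-one and invites a later "fix".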
diff --git a/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch b/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
new file mode 100644 (file)
index 0000000..aeca0a1
--- /dev/null
@@ -0,0 +1,42 @@
+From b9bc05a3a687f9993c5c2a8890b53ab9e8dbc96c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 31 Jan 2017 17:54:16 +0530
+Subject: [PATCH 4/8] sd: sdhci: block count enable not relevant in single
+ block transfer
+
+In SDHCI device emulation the 'Block count enable' bit
+of the Transfer Mode register is only relevant in multi block
+transfers. We need not check it in single block transfers.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/sd/sdhci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 35f953a..85cac42 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -570,7 +570,6 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ }
+ /* single block SDMA transfer */
+-
+ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+ {
+     int n;
+@@ -589,10 +588,7 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+             sdbus_write_data(&s->sdbus, s->fifo_buffer[n]);
+         }
+     }
+-
+-    if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+-        s->blkcnt--;
+-    }
++    s->blkcnt--;
+     sdhci_end_transfer(s);
+ }
+-- 
+2.1.4
+
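Review bot: in sdhci_sdma_transfer_single_block(), `s->blkcnt--` is now unconditional, and nothing in the visible lines shows that blkcnt is nonzero at that point. If the field is unsigned, a guest that starts a single block transfer with a block count of zero would wrap it. Either point to the check that rules this out or guard the decrement. The first hunk only deletes a blank line after the comment and would be better left out of a fix that is backported.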
diff --git a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch b/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
new file mode 100644 (file)
index 0000000..19e7599
--- /dev/null
@@ -0,0 +1,44 @@
+From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 14 Dec 2016 12:31:56 +0530
+Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
+
+Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
+command, retrieves the maximum capabilities size to fill in the
+response object. It continues to fill in capabilities even if
+retrieved 'max_size' is zero(0), thus resulting in OOB access.
+Add check to avoid it.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20161214070156.23368-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+
+Notes:
+    CVE-2016-10028
+
+ hw/display/virtio-gpu-3d.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index d98b140..cdd03a4 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
+-    resp = g_malloc0(sizeof(*resp) + max_size);
++    if (!max_size) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++        return;
++    }
++    resp = g_malloc0(sizeof(*resp) + max_size);
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+     virgl_renderer_fill_caps(gc.capset_id,
+                              gc.capset_version,
+-- 
+2.1.4
+
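Review bot: the new `if (!max_size)` test in virgl_cmd_get_capset() is only sound if max_size always holds a defined value after virgl_renderer_get_cap_set(), and the hunk shows neither an initialiser nor a return value being checked. Initialise max_size (and max_ver) to 0 at the declaration so an unknown capset_id cannot leave a stale value that passes the check. The early return itself is fine, since resp has not been allocated yet.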
diff --git a/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch b/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
new file mode 100644 (file)
index 0000000..06567fc
--- /dev/null
@@ -0,0 +1,50 @@
+From a8341ea109259c17ad18b02597e5e03e99db60ae Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH 1/8] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+
+Notes:
+    CVE-2016-10155
+
+ hw/watchdog/wdt_i6300esb.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
++static void i6300esb_exit(PCIDevice *dev)
++{
++    I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++    timer_del(d->timer);
++    timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+     .wdt_name = "i6300esb",
+     .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+     k->config_read = i6300esb_config_read;
+     k->config_write = i6300esb_config_write;
+     k->realize = i6300esb_realize;
++    k->exit = i6300esb_exit;
+     k->vendor_id = PCI_VENDOR_ID_INTEL;
+     k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+     k->class_id = PCI_CLASS_SYSTEM_OTHER;
+-- 
+2.1.4
+
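Review bot: i6300esb_exit() leaves d->timer pointing at freed memory after timer_free(d->timer). Set `d->timer = NULL;` after the free so any late access during unplug fails visibly instead of touching a freed timer. The hunk does not show whether anything else set up in i6300esb_realize() needs tearing down in the same function; worth stating in the commit message that the timer is the only such resource.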
diff --git a/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch b/debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
new file mode 100644 (file)
index 0000000..d4a133a
--- /dev/null
@@ -0,0 +1,63 @@
+From a8ceb006190b9072b0b9866ec5a07bd6de4eca6d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 6 Sep 2016 23:23:17 +0530
+Subject: [PATCH 5/6] scsi: pvscsi: avoid infinite loop while building SG list
+
+In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
+long time or go into an infinite loop due to two different bugs:
+
+1) the request descriptor data length is defined to be 64 bit. While
+building SG list from a request descriptor, it gets truncated to 32bit
+in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
+situation for large 'dataLen' values, when data_length is cast to uint32_t
+and chunk_size becomes always zero.  Fix this by removing the incorrect
+cast.
+
+2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
+element has a zero length.  Get out of the loop early when this happens,
+by introducing an upper limit on the number of SG list elements.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/scsi/vmw_pvscsi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 22f872c..e43e0a4 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -40,6 +40,8 @@
+ #define PVSCSI_MAX_DEVS                   (64)
+ #define PVSCSI_MSIX_NUM_VECTORS           (1)
++#define PVSCSI_MAX_SG_ELEM                2048
++
+ #define PVSCSI_MAX_CMD_DATA_WORDS \
+     (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
+@@ -629,17 +631,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
+ static void
+ pvscsi_convert_sglist(PVSCSIRequest *r)
+ {
+-    int chunk_size;
++    uint32_t chunk_size, elmcnt = 0;
+     uint64_t data_length = r->req.dataLen;
+     PVSCSISGState sg = r->sg;
+-    while (data_length) {
+-        while (!sg.resid) {
++    while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
++        while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
+             pvscsi_get_next_sg_elem(&sg);
+             trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
+                                         r->sg.resid);
+         }
+-        assert(data_length > 0);
+-        chunk_size = MIN((unsigned) data_length, sg.resid);
++        chunk_size = MIN(data_length, sg.resid);
+         if (chunk_size) {
+             qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
+         }
+-- 
+2.1.4
+
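Review bot: in pvscsi_convert_sglist(), reaching PVSCSI_MAX_SG_ELEM ends both loops silently, so the request continues with a partially built SG list and no error or trace. The function returns void, so the caller cannot tell a complete list from a truncated one; log the condition as a guest error at minimum, and preferably let the caller fail the request. Also note that chunk_size is now uint32_t while data_length is uint64_t: `MIN(data_length, sg.resid)` only fits if sg.resid is at most 32 bits wide, which the hunk does not show. The value 2048 needs a comment saying where it comes from.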
diff --git a/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
new file mode 100644 (file)
index 0000000..1c14d8c
--- /dev/null
@@ -0,0 +1,35 @@
+From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001
+From: chaojianhu <chaojianhu@hotmail.com>
+Date: Tue, 9 Aug 2016 11:52:54 +0800
+Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
+
+The .receive callback of xlnx.xps-ethernetlite doesn't check the length
+of data before calling memcpy. As a result, the NetClientState object in
+heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
+will be affected.
+
+Reported-by: chaojianhu <chaojianhu@hotmail.com>
+Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/xilinx_ethlite.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
+index bc846e7..12b7419 100644
+--- a/hw/net/xilinx_ethlite.c
++++ b/hw/net/xilinx_ethlite.c
+@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
+     }
+     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
++    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
++        D(qemu_log("ethlite packet is too big, size=%x\n", size));
++        return -1;
++    }
+     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
+     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
+-- 
+2.1.4
+
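Review bot: the added debug line in eth_rx() prints `size`, a size_t, with `%x`; the existing line just above uses `%zd` for the same variable, so this should be `%zx` or `%zu`. It only compiles when the D() macro is enabled, which is why it is easy to miss. The bound `(R_MAX - R_RX_BUF0 - rxbase) * 4` hard-codes the register width; `sizeof(s->regs[0])` would keep the check correct if the array type ever changes.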
diff --git a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
new file mode 100644 (file)
index 0000000..732f679
--- /dev/null
@@ -0,0 +1,45 @@
+From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 8 Sep 2016 18:15:54 +0530
+Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/vmware_vga.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+             cursor.bpp = vmsvga_fifo_read(s);
+             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+-            if (cursor.width > 256 ||
+-                cursor.height > 256 ||
+-                cursor.bpp > 32 ||
+-                SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+-                SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++            if (cursor.width > 256
++                || cursor.height > 256
++                || cursor.bpp > 32
++                || SVGA_BITMAP_SIZE(x, y)
++                    > sizeof(cursor.mask) / sizeof(cursor.mask[0])
++                || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++                    > sizeof(cursor.image) / sizeof(cursor.image[0])) {
+                     goto badcmd;
+             }
+-- 
+2.1.4
+
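Review bot: the two open-coded `sizeof(cursor.mask) / sizeof(cursor.mask[0])` and `sizeof(cursor.image) / sizeof(cursor.image[0])` expressions in vmsvga_fifo_run() should use QEMU's ARRAY_SIZE() macro. The fix is precisely that the limits are element counts rather than byte counts, and ARRAY_SIZE(cursor.mask) says so directly. Note also that `args` is computed from x, y and cursor.bpp on the line before the checks; it is worth confirming that nothing consumes args when the code takes the badcmd path with out-of-range values.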
diff --git a/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch b/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
new file mode 100644 (file)
index 0000000..6ee65d1
--- /dev/null
@@ -0,0 +1,38 @@
+From 1723b5e7962eb077353bab0772ca8114774b6c60 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 19 Sep 2016 23:55:45 +0530
+Subject: [PATCH 4/7] virtio: add check for descriptor's mapped address
+
+virtio back end uses set of buffers to facilitate I/O operations.
+If its size is too large, 'cpu_physical_memory_map' could return
+a null address. This would result in a null dereference while
+un-mapping descriptors. Add check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 74c085c..eabe573 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
+         }
+         iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
++        if (!iov[num_sg].iov_base) {
++            error_report("virtio: bogus descriptor or out of resources");
++            exit(1);
++        }
++
+         iov[num_sg].iov_len = len;
+         addr[num_sg] = pa;
+-- 
+2.1.4
+
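Review bot: the new NULL check in virtqueue_map_desc() ends with `exit(1)`, so a guest that supplies an oversized descriptor can still terminate the QEMU process; the NULL dereference becomes a clean exit, but the guest-triggered denial of service remains. If there is no way to fail the request from this function, say so in a comment. The message "bogus descriptor or out of resources" would be more useful to an operator if it included pa and len.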
diff --git a/debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch b/debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
new file mode 100644 (file)
index 0000000..c463161
--- /dev/null
@@ -0,0 +1,32 @@
+From b53dd4495ced2432a0b652ea895e651d07336f7e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 13 Sep 2016 03:20:03 -0700
+Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
+
+If the xhci uses msix, it doesn't free the corresponding
+memory, thus leading a memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 37c1493..726435c 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3715,8 +3715,7 @@ static void usb_xhci_exit(PCIDevice *dev)
+     /* destroy msix memory region */
+     if (dev->msix_table && dev->msix_pba
+         && dev->msix_entry_used) {
+-        memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
+-        memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
++        msix_uninit(dev, &xhci->mem, &xhci->mem);
+     }
+     usb_bus_release(&xhci->bus);
+-- 
+2.1.4
+
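Review bot: in usb_xhci_exit(), the comment above the block still reads "destroy msix memory region", but the call is now msix_uninit(), which by the commit message also frees the MSI-X memory that was leaking. Update the comment to match. If msix_uninit() already returns early when MSI-X was never set up, the `dev->msix_table && dev->msix_pba && dev->msix_entry_used` guard pokes at PCIDevice internals for no benefit and can be dropped.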
diff --git a/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
new file mode 100644 (file)
index 0000000..108219c
--- /dev/null
@@ -0,0 +1,48 @@
+From 3798522afcf58abbce6de67446fcae7a34ae919d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:01:38 +0530
+Subject: [PATCH 5/7] net: imx: limit buffer descriptor count
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/imx_fec.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+index 1c415ab..1d74827 100644
+--- a/hw/net/imx_fec.c
++++ b/hw/net/imx_fec.c
+@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
+ #define PHY_INT_PARFAULT            (1 << 2)
+ #define PHY_INT_AUTONEG_PAGE        (1 << 1)
++#define IMX_MAX_DESC                1024
++
+ static void imx_eth_update(IMXFECState *s);
+ /*
+@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
+ static void imx_fec_do_tx(IMXFECState *s)
+ {
+-    int frame_size = 0;
++    int frame_size = 0, descnt = 0;
+     uint8_t frame[ENET_MAX_FRAME_SIZE];
+     uint8_t *ptr = frame;
+     uint32_t addr = s->tx_descriptor;
+-    while (1) {
++    while (descnt++ < IMX_MAX_DESC) {
+         IMXFECBufDesc bd;
+         int len;
+-- 
+2.1.4
+
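Review bot: in imx_fec_do_tx(), `while (descnt++ < IMX_MAX_DESC)` stops the walk silently when the limit is hit, and the hunk does not show what the code after the loop does with a half-assembled frame and the current addr. Log the overrun as a guest error and make sure the post-loop state update is still correct when the loop ends on the counter rather than on a descriptor flag. IMX_MAX_DESC needs a one-line comment explaining why 1024.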
diff --git a/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
new file mode 100644 (file)
index 0000000..fc15768
--- /dev/null
@@ -0,0 +1,52 @@
+From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:02:37 +0530
+Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/mcf_fec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 0ee8ad9..d31fea1 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+     uint32_t addr;
+     mcf_fec_bd bd;
+     int frame_size;
+-    int len;
++    int len, descnt = 0;
+     uint8_t frame[FEC_MAX_FRAME_SIZE];
+     uint8_t *ptr;
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+     ptr = frame;
+     frame_size = 0;
+     addr = s->tx_descriptor;
+-    while (1) {
++    while (descnt++ < FEC_MAX_DESC) {
+         mcf_fec_read_bd(&bd, addr);
+         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+                 addr, bd.flags, bd.length, bd.data);
+-- 
+2.1.4
+
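Review bot: FEC_MAX_DESC in mcf_fec.c carries the same value, 1024, as IMX_MAX_DESC in the imx_fec.c patch of this series, under a different name and with no comment in either file. Document the limit where it is defined, or share one definition, so the two controllers do not drift apart. Minor style point: `int len, descnt = 0;` mixes an uninitialised and an initialised declarator on one line; give descnt its own declaration.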
diff --git a/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch b/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
new file mode 100644 (file)
index 0000000..c255871
--- /dev/null
@@ -0,0 +1,36 @@
+From ed825b783750cbe88aa67bbe83cf662082828efa Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH 7/7] net: pcnet: check rx/tx descriptor ring length
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+     case 47: /* POLLINT */
+     case 72:
+     case 74:
++        break;
+     case 76: /* RCVRL */
+     case 78: /* XMTRL */
++        val = (val > 0) ? val : 512;
++        break;
+     case 112:
+        if (CSR_STOP(s) || CSR_SPND(s))
+            break;
+-- 
+2.1.4
+
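Review bot: the `break;` added after `case 74:` in pcnet_csr_writew() changes behaviour for every case label stacked above it, not only for CSR76 and CSR78. Before this hunk, cases 47, 72 and 74 (and any earlier labels in the same run) fell through to `case 112:` and were subject to the `CSR_STOP(s) || CSR_SPND(s)` test; now they break unconditionally, and so do 76 and 78. The commit message only mentions the ring length, so either this is unintended or it needs to be stated and justified. The fallback value 512 also needs a comment, and the hunk assigns `val` while the parameter in the signature is `new_value`; confirm val is the variable that is actually stored.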
diff --git a/debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch b/debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
new file mode 100644 (file)
index 0000000..cddc70f
--- /dev/null
@@ -0,0 +1,30 @@
+From 594fa98211f92ab07ee6d6b6a9eda93a416a1f57 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sun, 18 Sep 2016 19:07:11 -0700
+Subject: [PATCH 1/2] virtio-gpu: fix memory leak in
+ virtio_gpu_resource_create_2d
+
+In virtio gpu resource create dispatch, if the pixman format is zero
+it doesn't free the resource object allocated previously. Thus leading
+a host memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+---
+ hw/display/virtio-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 7fe6ed8..5b6d17b 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: host couldn't handle guest format %d\n",
+                       __func__, c2d.format);
++        g_free(res);
+         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+         return;
+     }
+-- 
+2.1.4
+
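Review bot: the added `g_free(res);` in virtio_gpu_resource_create_2d() fixes this error path, but the underlying issue is that res is allocated before the guest-supplied format is validated. Checking c2d.format before allocating would remove the need for a manual free here and protect against the next early return someone adds between allocation and registration of the resource.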
diff --git a/debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch b/debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
new file mode 100644 (file)
index 0000000..fc1c382
--- /dev/null
@@ -0,0 +1,32 @@
+From 91a16e6e51a4e046d59379fc83b9dfc1e860e9c7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sat, 8 Oct 2016 11:58:03 +0300
+Subject: [PATCH 2/2] usb: ehci: fix memory leak in ehci_process_itd
+
+While processing isochronous transfer descriptors(iTD), if the page
+select(PG) field value is out of bands it will return. In this
+situation the ehci's sg list is not freed thus leading to a memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/usb/hcd-ehci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index b093db7..f4ece9a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
+             if (off + len > 4096) {
+                 /* transfer crosses page border */
+                 if (pg == 6) {
++                    qemu_sglist_destroy(&ehci->isgl);
+                     return -1;  /* avoid page pg + 1 */
+                 }
+                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
+-- 
+2.1.4
+
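Review bot: in ehci_process_itd(), the `pg == 6` early return now carries its own `qemu_sglist_destroy(&ehci->isgl);`, which duplicates cleanup inside a nested block. A single exit label that destroys the list would keep init and destroy paired and cover any other return in this loop that the hunk does not show.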
diff --git a/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
new file mode 100644 (file)
index 0000000..7019960
--- /dev/null
@@ -0,0 +1,69 @@
+From b5ef1754de94247de307044b19e6bc3fa0ad5ba8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 10 Oct 2016 12:46:22 +0200
+Subject: [PATCH 2/4] xhci: limit the number of link trbs we are willing to
+ process
+
+Needed to avoid we run in circles forever in case the guest builds
+an endless loop with link trbs.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 281a2a5..8a9a31a 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+  * to the specs when it gets them */
+ #define ER_FULL_HACK
++#define TRB_LINK_LIMIT  4
++
+ #define LEN_CAP         0x40
+ #define LEN_OPER        (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME     ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+                                dma_addr_t *addr)
+ {
+     PCIDevice *pci_dev = PCI_DEVICE(xhci);
++    uint32_t link_cnt = 0;
+     while (1) {
+         TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+             ring->dequeue += TRB_SIZE;
+             return type;
+         } else {
++            if (++link_cnt > TRB_LINK_LIMIT) {
++                return 0;
++            }
+             ring->dequeue = xhci_mask64(trb->parameter);
+             if (trb->control & TRB_LK_TC) {
+                 ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+     bool ccs = ring->ccs;
+     /* hack to bundle together the two/three TDs that make a setup transfer */
+     bool control_td_set = 0;
++    uint32_t link_cnt = 0;
+     while (1) {
+         TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+         type = TRB_TYPE(trb);
+         if (type == TR_LINK) {
++            if (++link_cnt > TRB_LINK_LIMIT) {
++                return -length;
++            }
+             dequeue = xhci_mask64(trb.parameter);
+             if (trb.control & TRB_LK_TC) {
+                 ccs = !ccs;
+-- 
+2.1.4
+
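Review bot: in xhci_ring_fetch(), the new limit path does `return 0;` from a function whose return type is TRBType; use the named enum value for "no TRB" rather than a literal so callers' comparisons stay readable. In xhci_ring_chain_length() the same condition returns `-length`, and the hunk does not show how callers treat a negative length, in particular when length is still 0 and the result is indistinguishable from an empty ring. TRB_LINK_LIMIT being 4 needs a comment on why four consecutive link TRBs is the right cut-off, and both paths should emit a trace or guest-error log.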
diff --git a/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch b/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
new file mode 100644 (file)
index 0000000..6583894
--- /dev/null
@@ -0,0 +1,39 @@
+From 8794fc68736fda80d7191f100c03c960a5ef1224 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 11 Oct 2016 09:27:45 +0200
+Subject: [PATCH 3/4] 9pfs: fix potential host memory leak in v9fs_read
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index dfe293d..54e18a2 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque)
+             if (len < 0) {
+                 /* IO error return the error */
+                 err = len;
+-                goto out;
++                goto out_free_iovec;
+             }
+         } while (count < max_count && len > 0);
+         err = pdu_marshal(pdu, offset, "d", count);
+         if (err < 0) {
+-            goto out;
++            goto out_free_iovec;
+         }
+         err += offset + count;
++out_free_iovec:
+         qemu_iovec_destroy(&qiov);
+         qemu_iovec_destroy(&qiov_full);
+     } else if (fidp->fid_type == P9_FID_XATTR) {
+-- 
+2.1.4
+
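Review bot: the `out_free_iovec:` label in v9fs_read() is placed inside the body of the `if` branch, directly before the `} else if (fidp->fid_type == P9_FID_XATTR)` arm. It works because both gotos are in the same block, but a label in the middle of an if/else chain is easy to misuse later. Consider moving the two qemu_iovec_destroy() calls and the label to the function's common exit path, or add a comment that the label must only be reached from within this branch.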
diff --git a/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch b/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
new file mode 100644 (file)
index 0000000..3ba78c8
--- /dev/null
@@ -0,0 +1,58 @@
+From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 11 Oct 2016 09:27:45 +0200
+Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings
+
+If a guest sends an empty string paramater to any 9P operation, the current
+code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
+
+This is unfortunate because it can cause NULL pointer dereference to happen
+at various locations in the 9pfs code. And we don't want to check str->data
+everywhere we pass it to strcmp() or any other function which expects a
+dereferenceable pointer.
+
+This patch enforces the allocation of genuine C empty strings instead, so
+callers don't have to bother.
+
+Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
+the returned string is empty. It now uses v9fs_string_size() since
+name.data cannot be NULL anymore.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+[groug, rewritten title and changelog,
+ fix empty string check in v9fs_xattrwalk()]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ fsdev/9p-iov-marshal.c | 2 +-
+ hw/9pfs/9p.c           | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/9p-iov-marshal.c
++++ b/fsdev/9p-iov-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+                 str->data = g_malloc(str->size + 1);
+                 copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+                                      str->size);
+-                if (copied > 0) {
++                if (copied >= 0) {
+                     str->data[str->size] = 0;
+                 } else {
+                     v9fs_string_free(str);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 54e18a2..75ba5f1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque)
+         goto out;
+     }
+     v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
+-    if (name.data == NULL) {
++    if (!v9fs_string_size(&name)) {
+         /*
+          * listxattr request. Get the size first
+          */
+-- 
+2.1.4
+
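Review bot: the change from `copied > 0` to `copied >= 0` in v9fs_iov_vunmarshal() establishes an invariant, that a successfully unmarshalled string always has non-NULL data, which exists only in the commit message. Add a comment at the `g_malloc(str->size + 1)` site stating that zero-length strings are deliberately allocated and NUL-terminated, since callers such as v9fs_xattrwalk() now rely on it. A test that sends an empty string to an operation that passes str->data to strcmp() would keep this from regressing.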
diff --git a/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch b/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
new file mode 100644 (file)
index 0000000..be0743d
--- /dev/null
@@ -0,0 +1,34 @@
+From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 12 Oct 2016 14:40:55 +0530
+Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
+
+Rocker network switch emulator has test registers to help debug
+DMA operations. While testing host DMA access, a buffer address
+is written to register 'TEST_DMA_ADDR' and its size is written to
+register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
+test, if DMA buffer size was greater than 'INT_MAX', it leads to
+an invalid buffer access. Limit the DMA buffer size to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/rocker/rocker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index 30f2ce4..e9d215a 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
+         rocker_msix_irq(r, val);
+         break;
+     case ROCKER_TEST_DMA_SIZE:
+-        r->test_dma_size = val;
++        r->test_dma_size = val & 0xFFFF;
+         break;
+     case ROCKER_TEST_DMA_ADDR + 4:
+         r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
+-- 
+2.1.4
+
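Review bot: `r->test_dma_size = val & 0xFFFF;` in rocker_io_writel() masks instead of validating, so a guest write of 0x10000 is silently stored as 0 and 0x1FFFF as 0xFFFF. The commit message describes the problem as sizes greater than INT_MAX, which is a far larger bound than 64 KiB; explain why 16 bits is the chosen limit, give the constant a name, and prefer clamping or rejecting out-of-range values over wrapping them.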
diff --git a/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch b/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
new file mode 100644 (file)
index 0000000..4ccf213
--- /dev/null
@@ -0,0 +1,35 @@
+From 7e0ebfd13e55a706396197437f375692bbf75d15 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 12 Oct 2016 11:28:08 +0530
+Subject: [PATCH 2/2] char: serial: check divider value against baud base
+
+16550A UART device uses an oscillator to generate frequencies
+(baud base), which decide communication speed. This speed could
+be changed by dividing it by a divider. If the divider is
+greater than the baud base, speed is set to zero, leading to a
+divide by zero error. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/char/serial.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 3442f47..eec72b7 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
+     int speed, parity, data_bits, stop_bits, frame_size;
+     QEMUSerialSetParams ssp;
+-    if (s->divider == 0)
++    if (s->divider == 0 || s->divider > s->baudbase) {
+         return;
++    }
+     /* Start bit. */
+     frame_size = 1;
+-- 
+2.1.4
+
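Review bot: the new guard in serial_update_parameters() tests `s->divider > s->baudbase`, an input condition, rather than the computed speed that the commit message identifies as the zero divisor. Checking the computed value for zero at the point of the division would tie the guard to the actual fault and survive changes to how speed is derived. The early return also leaves the previous line parameters in effect without any trace; a guest-error log here would help when debugging a guest that programs an out-of-range divider.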
diff --git a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
new file mode 100644 (file)
index 0000000..d8102b3
--- /dev/null
@@ -0,0 +1,39 @@
+From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 20 Oct 2016 13:10:24 +0530
+Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
+ transfer
+
+Intel HDA emulator uses stream of buffers during DMA data
+transfers. Each entry has buffer length and buffer pointer
+position, which are used to derive bytes to 'copy'. If this
+length and buffer pointer were to be same, 'copy' could be
+set to zero(0), leading to an infinite loop. Add check to
+avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/intel-hda.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index cd95340..537face 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+     }
+     left = len;
+-    while (left > 0) {
++    s = st->bentries;
++    while (left > 0 && s-- > 0) {
+         copy = left;
+         if (copy > st->bsize - st->lpib)
+             copy = st->bsize - st->lpib;
+-- 
+2.1.4
+
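Review bot: In intel_hda_xfer the loop is now capped at `st->bentries` iterations, but the zero `copy` case named in the commit message is still not tested directly, and the declaration of `s` is not part of this hunk. Suggest confirming that `s` has a type for which `s-- > 0` behaves as intended, and deciding what the function reports when the loop ends with `left > 0`, since the data was then only partly transferred.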
diff --git a/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
new file mode 100644 (file)
index 0000000..0ae895a
--- /dev/null
@@ -0,0 +1,30 @@
+From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading a host memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/eepro100.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbf..4bf71f2 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++    g_free(s->vmstate);
+     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+     qemu_del_nic(s->nic);
+ }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
new file mode 100644 (file)
index 0000000..cad4baf
--- /dev/null
@@ -0,0 +1,34 @@
+From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 3becdd0..f5af4e3 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++    g_free(xattr_fidp->fs.xattr.value);
+     xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+-- 
+2.1.4
+
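Review bot: The added `g_free(xattr_fidp->fs.xattr.value)` covers the value buffer, but the two context lines above it run `v9fs_string_init()` on `fs.xattr.name` before copying into it. When a second Txattrcreate arrives on the same fid, as the commit message describes, the previous name string looks to be leaked in the same way; suggest freeing it in the same change. The g_free also relies on `value` being NULL for a fid that never had an xattr, which should be confirmed where the fid is allocated.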
diff --git a/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
new file mode 100644 (file)
index 0000000..7d84422
--- /dev/null
@@ -0,0 +1,32 @@
+From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 75ba5f1..3becdd0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+-    xattr_fidp->fs.xattr.value = g_malloc(size);
++    xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+ out_nofid:
+-- 
+2.1.4
+
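Review bot: `g_malloc0(size)` removes the uninitialized read, but `size` reaches the allocator with no upper bound in the visible lines. If it comes straight from the Txattrcreate request, a guest can ask for an arbitrarily large zeroed allocation, and g_malloc0 aborts the process when the allocation fails. Suggest validating `size` against a documented maximum before this line.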
diff --git a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
new file mode 100644 (file)
index 0000000..eec6b2a
--- /dev/null
@@ -0,0 +1,92 @@
+From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-By: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index af07846..fc4f2cd 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+     ssize_t err;
+     size_t offset = 7;
+-    int read_count;
+-    int64_t xattr_len;
++    uint64_t read_count;
+     V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+     VirtQueueElement *elem = v->elems[pdu->idx];
+-    xattr_len = fidp->fs.xattr.len;
+-    read_count = xattr_len - off;
++    if (fidp->fs.xattr.len < off) {
++        read_count = 0;
++    } else {
++        read_count = fidp->fs.xattr.len - off;
++    }
+     if (read_count > max_count) {
+         read_count = max_count;
+-    } else if (read_count < 0) {
+-        /*
+-         * read beyond XATTR value
+-         */
+-        read_count = 0;
+     }
+     err = pdu_marshal(pdu, offset, "d", read_count);
+     if (err < 0) {
+@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+     int i, to_copy;
+     ssize_t err = 0;
+-    int write_count;
+-    int64_t xattr_len;
++    uint64_t write_count;
+     size_t offset = 7;
+-    xattr_len = fidp->fs.xattr.len;
+-    write_count = xattr_len - off;
+-    if (write_count > count) {
+-        write_count = count;
+-    } else if (write_count < 0) {
+-        /*
+-         * write beyond XATTR value len specified in
+-         * xattrcreate
+-         */
++    if (fidp->fs.xattr.len < off) {
+         err = -ENOSPC;
+         goto out;
+     }
++    write_count = fidp->fs.xattr.len - off;
++    if (write_count > count) {
++        write_count = count;
++    }
+     err = pdu_marshal(pdu, offset, "d", write_count);
+     if (err < 0) {
+         return err;
+-- 
+2.1.4
+
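Review bot: `read_count` and `write_count` are now uint64_t but are still passed to `pdu_marshal(pdu, offset, "d", ...)`. If the "d" format pulls a 32-bit value from the variable argument list, a 64-bit argument is a type mismatch; suggest an explicit cast at both call sites, which is safe because each count has just been clamped to `max_count` or `count`. In v9fs_xattr_write, `to_copy` stays an int in the context lines, so any later assignment from `write_count` narrows silently and should be checked as well.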
diff --git a/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
new file mode 100644 (file)
index 0000000..9138249
--- /dev/null
@@ -0,0 +1,32 @@
+From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index f5af4e3..aa2b8c0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque)
+     if (!err) {
+         err = offset;
+     }
++    put_fid(pdu, oldfidp);
+ out:
+     put_fid(pdu, dfidp);
+ out_nofid:
+-- 
+2.1.4
+
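Review bot: `put_fid(pdu, oldfidp)` sits above the `out:` label, so it runs only on the fall-through path. Any `goto out` taken after the reference on `oldfidp` was obtained would still leak it. The hunk does not show those jumps, so please confirm each one happens before the lookup succeeds, or move the put below the label with a NULL guard.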
diff --git a/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
new file mode 100644 (file)
index 0000000..3ee8b50
--- /dev/null
@@ -0,0 +1,33 @@
+From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index aa2b8c0..af07846 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
+     offset = 7;
+     err = pdu_marshal(pdu, offset, "d", total);
+     if (err < 0) {
+-        goto out;
++        goto out_qiov;
+     }
+     err += offset;
+     trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
new file mode 100644 (file)
index 0000000..85fa543
--- /dev/null
@@ -0,0 +1,34 @@
+From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 29 Nov 2016 00:38:39 +0530
+Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
+
+ColdFire Fast Ethernet Controller uses a receive buffer size
+register(EMRBR) to hold maximum size of all receive buffers.
+It is set by a user before any operation. If it was set to be
+zero, ColdFire emulator would go into an infinite loop while
+receiving data in mcf_fec_receive. Add check to avoid it.
+
+Reported-by: Wjjzhang <wjjzhang@tencent.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/mcf_fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index d31fea1..3d4b3b3 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
+         s->tx_descriptor = s->etdsr;
+         break;
+     case 0x188:
+-        s->emrbr = value & 0x7f0;
++        s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
+         break;
+     default:
+         hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
+-- 
+2.1.4
+
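Review bot: In the 0x188 case, `value > 0 ? value & 0x7F0 : 0x7F0` only handles a register write of exactly zero. A non-zero value with no bits inside the mask, for example 0x00F, still leaves `s->emrbr` at zero, which is the state the commit message says causes the infinite loop in mcf_fec_receive. Suggest masking first and substituting the default when the masked result is zero.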
diff --git a/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
new file mode 100644 (file)
index 0000000..8bec00a
--- /dev/null
@@ -0,0 +1,37 @@
+From 71ee39ea06cbcbd1971213aa1f3a9036c50b6a57 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 02:53:11 -0700
+Subject: [PATCH 02/12] virtio-gpu: fix information leak in getting capset info
+ dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
+been full initialized before writing to the guest. This will leak
+the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
+patch fix this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu-3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 758d33a..23f39de 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
+     VIRTIO_GPU_FILL_CMD(info);
++    memset(&resp, 0, sizeof(resp));
+     if (info.capset_index == 0) {
+         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+         virgl_renderer_get_cap_set(resp.capset_id,
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
new file mode 100644 (file)
index 0000000..4ba5aa7
--- /dev/null
@@ -0,0 +1,36 @@
+From 74a46afa58632277063ca4990cf0c954f342dd7d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 04:06:58 -0700
+Subject: [PATCH 03/12] virtio-gpu: fix memory leak in update_cursor_data_virgl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In update_cursor_data_virgl function, if the 'width'/ 'height'
+is not equal to current cursor's width/height it will return
+without free the 'data' allocated previously. This will lead
+a memory leak issue. This patch fix this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 5b6d17b..41f8096 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
+     if (width != s->current_cursor->width ||
+         height != s->current_cursor->height) {
++        free(data);
+         return;
+     }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
new file mode 100644 (file)
index 0000000..39a5622
--- /dev/null
@@ -0,0 +1,54 @@
+From 5bbb994dd062eb3950d67db3c6189dab0df7ec9b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 7 Nov 2016 21:57:46 -0800
+Subject: [PATCH 04/12] usbredir: free vm_change_state_handler in usbredir
+ destroy dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In usbredir destroy dispatch function, it doesn't free the vm change
+state handler once registered in usbredir_realize function. This will
+lead a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/redirect.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 444672a..42aeaa4 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -132,6 +132,7 @@ struct USBRedirDevice {
+     struct usbredirfilter_rule *filter_rules;
+     int filter_rules_count;
+     int compatible_speedmask;
++    VMChangeStateEntry *vmstate;
+ };
+ #define TYPE_USB_REDIR "usb-redir"
+@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
+     qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
+                           usbredir_chardev_read, usbredir_chardev_event, dev);
+-    qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
++    dev->vmstate =
++        qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
+ }
+ static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
+@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
+     }
+     free(dev->filter_rules);
++    qemu_del_vm_change_state_handler(dev->vmstate);
+ }
+ static int usbredir_check_filter(USBRedirDevice *dev)
+-- 
+2.1.4
+
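Review bot: usbredir_handle_destroy now calls `qemu_del_vm_change_state_handler(dev->vmstate)` unconditionally, while the handler is registered only at the very end of usbredir_realize. If destroy can run for a device whose realize returned early, `dev->vmstate` is still NULL; suggest a NULL guard, or a confirmation that the delete function accepts NULL. The field name `vmstate` also reads like migration state, so a name that says it holds the change-state handler entry would be clearer.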
diff --git a/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
new file mode 100644 (file)
index 0000000..7fe0533
--- /dev/null
@@ -0,0 +1,31 @@
+From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 05:37:57 -0700
+Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
+-    resp = g_malloc(sizeof(*resp) + max_size);
++    resp = g_malloc0(sizeof(*resp) + max_size);
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+     virgl_renderer_fill_caps(gc.capset_id,
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
new file mode 100644 (file)
index 0000000..fbe7cd5
--- /dev/null
@@ -0,0 +1,31 @@
+From 824f78bb0135cff4cb29e26c3de1cb4c2da35b46 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 8 Nov 2016 04:11:10 -0800
+Subject: [PATCH 05/12] usb: ehci: fix memory leak in ehci_init_transfer
+
+In ehci_init_transfer function, if the 'cpage' is bigger than 4,
+it doesn't free the 'p->sgl' once allocated previously thus leading
+a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index f4ece9a..7622a3a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
+     while (bytes > 0) {
+         if (cpage > 4) {
+             fprintf(stderr, "cpage out of range (%d)\n", cpage);
++            qemu_sglist_destroy(&p->sgl);
+             return -1;
+         }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
new file mode 100644 (file)
index 0000000..94f51c8
--- /dev/null
@@ -0,0 +1,39 @@
+From efc44f269fe72bab2c496f21809f6bef20d9c398 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+Subject: [PATCH 11/12] virtio-gpu: call cleanup mapping function in resource
+ destroy
+
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 41f8096..8903dee 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
++
+ #ifdef CONFIG_VIRGL
+ #include <virglrenderer.h>
+ #define VIRGL(_g, _virgl, _simple, ...)                     \
+@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+                                         struct virtio_gpu_simple_resource *res)
+ {
+     pixman_image_unref(res->image);
++    virtio_gpu_cleanup_mapping(res);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);
+ }
+-- 
+2.1.4
+
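Review bot: virtio_gpu_resource_destroy now calls `virtio_gpu_cleanup_mapping(res)` for every resource, including ones that never had backing attached or were already detached. The body of the cleanup function is not in this hunk, so please confirm it is safe when the `iov` and `addrs` fields are unset and that it clears them, so a detach followed by destroy does not free twice.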
diff --git a/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
new file mode 100644 (file)
index 0000000..9db7466
--- /dev/null
@@ -0,0 +1,43 @@
+From 9be364d4b3bc173103bec0dc76259f40d232eb88 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 06/12] 9pfs: adjust the order of resource cleanup in device
+ unrealize
+
+Unrealize should undo things that were set during realize in
+reverse order. So should do in the error path in realize.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index fc4f2cd..ced7b4c 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,8 +3490,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+     rc = 0;
+ out:
+     if (rc) {
+-        g_free(s->ctx.fs_root);
+         g_free(s->tag);
++        g_free(s->ctx.fs_root);
+         v9fs_path_free(&path);
+     }
+     return rc;
+@@ -3499,8 +3499,8 @@ out:
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
+-    g_free(s->ctx.fs_root);
+     g_free(s->tag);
++    g_free(s->ctx.fs_root);
+ }
+ static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
new file mode 100644 (file)
index 0000000..c6fc38d
--- /dev/null
@@ -0,0 +1,56 @@
+From f2ef9ae2a512fca1df0d56c226adc24ddf002b8b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 07/12] 9pfs: add cleanup operation in FileOperations
+
+Currently, the backend of VirtFS doesn't have a cleanup
+function. This will lead resource leak issues if the backed
+driver allocates resources. This patch addresses this issue.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ fsdev/file-op-9p.h | 1 +
+ hw/9pfs/9p.c       | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
+index 6db9fea..a56dc84 100644
+--- a/fsdev/file-op-9p.h
++++ b/fsdev/file-op-9p.h
+@@ -100,6 +100,7 @@ struct FileOperations
+ {
+     int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
+     int (*init)(struct FsContext *);
++    void (*cleanup)(struct FsContext *);
+     int (*lstat)(FsContext *, V9fsPath *, struct stat *);
+     ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
+     int (*chmod)(FsContext *, V9fsPath *, FsCred *);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index ced7b4c..f2a90d4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,6 +3490,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+     rc = 0;
+ out:
+     if (rc) {
++        if (s->ops->cleanup && s->ctx.private) {
++            s->ops->cleanup(&s->ctx);
++        }
+         g_free(s->tag);
+         g_free(s->ctx.fs_root);
+         v9fs_path_free(&path);
+@@ -3499,6 +3502,9 @@ out:
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
++    if (s->ops->cleanup) {
++        s->ops->cleanup(&s->ctx);
++    }
+     g_free(s->tag);
+     g_free(s->ctx.fs_root);
+ }
+-- 
+2.1.4
+
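Review bot: The two call sites guard the new hook differently. The realize error path tests `s->ops->cleanup && s->ctx.private`, but v9fs_device_unrealize_common tests only `s->ops->cleanup`, so a backend's cleanup can be entered with `ctx.private` unset. Suggest using the same guard in both places and documenting in file-op-9p.h that `cleanup` is optional and when it is called.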
diff --git a/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
new file mode 100644 (file)
index 0000000..cc78623
--- /dev/null
@@ -0,0 +1,47 @@
+From 4196726e44c437793294af15d95e53164cf9a02d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 08/12] 9pfs: add cleanup operation for handle backend driver
+
+In the init operation of handle backend dirver, it allocates a
+handle_data struct and opens a mount file. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p-handle.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
+index 3d77594..1687661 100644
+--- a/hw/9pfs/9p-handle.c
++++ b/hw/9pfs/9p-handle.c
+@@ -649,6 +649,14 @@ out:
+     return ret;
+ }
++static void handle_cleanup(FsContext *ctx)
++{
++    struct handle_data *data = ctx->private;
++
++    close(data->mountfd);
++    g_free(data);
++}
++
+ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ {
+     const char *sec_model = qemu_opt_get(opts, "security_model");
+@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ FileOperations handle_ops = {
+     .parse_opts   = handle_parse_opts,
+     .init         = handle_init,
++    .cleanup      = handle_cleanup,
+     .lstat        = handle_lstat,
+     .readlink     = handle_readlink,
+     .close        = handle_close,
+-- 
+2.1.4
+
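Review bot: handle_cleanup dereferences `ctx->private` without a NULL check and leaves the pointer dangling after `g_free(data)`. Suggest returning early when `data` is NULL and setting `ctx->private = NULL` at the end, so that a caller that tests the pointer before invoking cleanup cannot trigger a second free. The return value of `close(data->mountfd)` is also ignored.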
diff --git a/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
new file mode 100644 (file)
index 0000000..78c49cb
--- /dev/null
@@ -0,0 +1,47 @@
+From ae9b5c9dae96dd8d3bdf9bb6b9a0f7a2d6f532f7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 09/12] 9pfs: add cleanup operation for proxy backend driver
+
+In the init operation of proxy backend dirver, it allocates a
+V9fsProxy struct and some other resources. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p-proxy.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
+index f265501..336e9fe 100644
+--- a/hw/9pfs/9p-proxy.c
++++ b/hw/9pfs/9p-proxy.c
+@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
+     return 0;
+ }
++static void proxy_cleanup(FsContext *ctx)
++{
++    V9fsProxy *proxy = ctx->private;
++
++    g_free(proxy->out_iovec.iov_base);
++    g_free(proxy->in_iovec.iov_base);
++    if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
++        close(proxy->sockfd);
++    }
++    g_free(proxy);
++}
++
+ FileOperations proxy_ops = {
+     .parse_opts   = proxy_parse_opts,
+     .init         = proxy_init,
++    .cleanup      = proxy_cleanup,
+     .lstat        = proxy_lstat,
+     .readlink     = proxy_readlink,
+     .close        = proxy_close,
+-- 
+2.1.4
+
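Review bot: proxy_cleanup closes `proxy->sockfd` only when `V9FS_PROXY_SOCK_NAME` is set in `ctx->export_flags`. If the descriptor was supplied some other way, it stays open after the device is gone; a comment stating who owns the descriptor in that case would settle whether this is intended.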
diff --git a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
new file mode 100644 (file)
index 0000000..acaeb95
--- /dev/null
@@ -0,0 +1,81 @@
+From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 18 Oct 2016 13:15:17 +0530
+Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
+
+In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
+'cirrus_get_bpp' returns zero(0), which could lead to a divide
+by zero error in while copying pixel data. The same could occur
+via blit pitch values. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+
+Notes:
+    CVE-2016-9921
+    CVE-2016-9922
+
+ hw/display/cirrus_vga.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 3d712d5..bdb092e 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+                                   int32_t pitch, int32_t addr)
+ {
++    if (!pitch) {
++        return true;
++    }
+     if (pitch < 0) {
+         int64_t min = addr
+             + ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+                                             s->cirrus_addr_mask));
+ }
+-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ {
+     int sx = 0, sy = 0;
+     int dx = 0, dy = 0;
+@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+         int width, height;
+         depth = s->vga.get_bpp(&s->vga) / 8;
++        if (!depth) {
++            return 0;
++        }
+         s->vga.get_resolution(&s->vga, &width, &height);
+         /* extra x, y */
+@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+                               s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+                               s->cirrus_blt_height);
++
++    return 1;
+ }
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+     if (blit_is_unsafe(s))
+         return 0;
+-    cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
++    return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+             s->cirrus_blt_srcaddr - s->vga.start_addr,
+             s->cirrus_blt_width, s->cirrus_blt_height);
+-
+-    return 1;
+ }
+ /***************************************
+-- 
+2.1.4
+
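Review bot: in the cirrus_do_copy() hunks the return type changes from void to int and a new `if (!depth) return 0;` exit is added, but nothing states what 0 and 1 mean to the caller. A short comment above the function (0: blit rejected, nothing copied and cirrus_invalidate_region() not called; 1: copy performed) would document the contract that cirrus_bitblt_videotovideo_copy() now forwards. Separately, the `if (!pitch) return true;` added to blit_region_is_unsafe() applies to every caller of that helper, so the commit message should say whether any blit mode is expected to program a zero pitch.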
diff --git a/debian/patches/extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch b/debian/patches/extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch
new file mode 100644 (file)
index 0000000..36f1158
--- /dev/null
@@ -0,0 +1,52 @@
+From d775c497a84a5c4be3f15cca85ca8440dd5880a0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 22 Feb 2017 13:42:31 +0100
+Subject: [PATCH qemu] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo (CVE-2017-2620)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1487679663-3264-1-git-send-email-kraxel@redhat.com
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 1deb520..b9e7cb1 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
++    if (blit_is_unsafe(s, true)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+       }
+         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+     }
++
++    /* the blit_is_unsafe call above should catch this */
++    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+     s->cirrus_srcptr = s->cirrus_bltbuf;
+     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+     cirrus_update_memory_access(s);
+-- 
+2.1.4
+
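Review bot: in the second cirrus_bitblt_cputovideo() hunk, `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);` is the only thing standing between a missed case in blit_is_unsafe() and `s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;` pointing past the buffer. An assert disappears when built with NDEBUG and otherwise aborts the whole emulator, so an explicit `if (...) return 0;` would fail the blit in both build modes. In the first hunk, the meaning of the `true` argument in `blit_is_unsafe(s, true)` is not visible here, and the patch only builds on a tree where blit_is_unsafe() already takes two arguments, which is worth noting in the series order.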
diff --git a/debian/patches/extra/x86-lapic-Load-LAPIC-state-at-post_load.patch b/debian/patches/extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
new file mode 100644 (file)
index 0000000..2f77865
--- /dev/null
@@ -0,0 +1,133 @@
+From 385c66564aad5fbbe303e0d2ee5e8ffd9c10bc23 Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Mon, 12 Sep 2016 18:18:35 +0100
+Subject: [PATCH 04/36] x86/lapic: Load LAPIC state at post_load
+
+Load the LAPIC state during post_load (rather than when the CPU
+starts).
+
+This allows an interrupt to be delivered from the ioapic to
+the lapic prior to cpu loading, in particular the RTC that starts
+ticking as soon as we load it's state.
+
+Fixes a case where Windows hangs after migration due to RTC interrupts
+disappearing.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/i386/kvm/apic.c   | 26 ++++++++++++++++++++++++--
+ include/sysemu/kvm.h |  1 -
+ target-i386/kvm.c    | 17 -----------------
+ 3 files changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
+index 2bd0de8..feb0002 100644
+--- a/hw/i386/kvm/apic.c
++++ b/hw/i386/kvm/apic.c
+@@ -28,9 +28,8 @@ static inline uint32_t kvm_apic_get_reg(struct kvm_lapic_state *kapic,
+     return *((uint32_t *)(kapic->regs + (reg_id << 4)));
+ }
+-void kvm_put_apic_state(DeviceState *dev, struct kvm_lapic_state *kapic)
++static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
+ {
+-    APICCommonState *s = APIC_COMMON(dev);
+     int i;
+     memset(kapic, 0, sizeof(*kapic));
+@@ -125,6 +124,26 @@ static void kvm_apic_vapic_base_update(APICCommonState *s)
+     }
+ }
++static void kvm_apic_put(void *data)
++{
++    APICCommonState *s = data;
++    struct kvm_lapic_state kapic;
++    int ret;
++
++    kvm_put_apic_state(s, &kapic);
++
++    ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic);
++    if (ret < 0) {
++        fprintf(stderr, "KVM_SET_LAPIC failed: %s\n", strerror(ret));
++        abort();
++    }
++}
++
++static void kvm_apic_post_load(APICCommonState *s)
++{
++    run_on_cpu(CPU(s->cpu), kvm_apic_put, s);
++}
++
+ static void do_inject_external_nmi(void *data)
+ {
+     APICCommonState *s = data;
+@@ -178,6 +197,8 @@ static void kvm_apic_reset(APICCommonState *s)
+ {
+     /* Not used by KVM, which uses the CPU mp_state instead.  */
+     s->wait_for_sipi = 0;
++
++    run_on_cpu(CPU(s->cpu), kvm_apic_put, s);
+ }
+ static void kvm_apic_realize(DeviceState *dev, Error **errp)
+@@ -206,6 +227,7 @@ static void kvm_apic_class_init(ObjectClass *klass, void *data)
+     k->set_base = kvm_apic_set_base;
+     k->set_tpr = kvm_apic_set_tpr;
+     k->get_tpr = kvm_apic_get_tpr;
++    k->post_load = kvm_apic_post_load;
+     k->enable_tpr_reporting = kvm_apic_enable_tpr_reporting;
+     k->vapic_base_update = kvm_apic_vapic_base_update;
+     k->external_nmi = kvm_apic_external_nmi;
+diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
+index c9c2436..ae5d81b 100644
+--- a/include/sysemu/kvm.h
++++ b/include/sysemu/kvm.h
+@@ -372,7 +372,6 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg);
+ void kvm_irqchip_add_irq_route(KVMState *s, int gsi, int irqchip, int pin);
+-void kvm_put_apic_state(DeviceState *d, struct kvm_lapic_state *kapic);
+ void kvm_get_apic_state(DeviceState *d, struct kvm_lapic_state *kapic);
+ struct kvm_guest_debug;
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index d1a25c5..f1ad805 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -2416,19 +2416,6 @@ static int kvm_get_apic(X86CPU *cpu)
+     return 0;
+ }
+-static int kvm_put_apic(X86CPU *cpu)
+-{
+-    DeviceState *apic = cpu->apic_state;
+-    struct kvm_lapic_state kapic;
+-
+-    if (apic && kvm_irqchip_in_kernel()) {
+-        kvm_put_apic_state(apic, &kapic);
+-
+-        return kvm_vcpu_ioctl(CPU(cpu), KVM_SET_LAPIC, &kapic);
+-    }
+-    return 0;
+-}
+-
+ static int kvm_put_vcpu_events(X86CPU *cpu, int level)
+ {
+     CPUState *cs = CPU(cpu);
+@@ -2670,10 +2657,6 @@ int kvm_arch_put_registers(CPUState *cpu, int level)
+         if (ret < 0) {
+             return ret;
+         }
+-        ret = kvm_put_apic(x86_cpu);
+-        if (ret < 0) {
+-            return ret;
+-        }
+     }
+     ret = kvm_put_tscdeadline_msr(x86_cpu);
+-- 
+2.1.4
+
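Review bot: in kvm_apic_put(), `strerror(ret)` is called inside `if (ret < 0)`, so it is handed a negative value and will not print the real error; the removed kvm_put_apic() returned the kvm_vcpu_ioctl() result as a negative error code, so this should be `strerror(-ret)`. The same hunk also turns a failure that kvm_arch_put_registers() used to return to its caller into an unconditional `abort()`, which deserves a sentence in the commit message. kvm_apic_reset() now also pushes state through `run_on_cpu(CPU(s->cpu), kvm_apic_put, s)`, while the description only mentions post_load.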
diff --git a/debian/patches/pve/0001-fr-ca-keymap-corrections.patch b/debian/patches/pve/0001-fr-ca-keymap-corrections.patch
new file mode 100644 (file)
index 0000000..3fe1bb1
--- /dev/null
@@ -0,0 +1,48 @@
+From 109c1a773ac37b2dc3d9781ce203a804d3e77651 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:15:49 +0100
+Subject: [PATCH 01/47] fr-ca keymap corrections
+
+---
+ pc-bios/keymaps/fr-ca | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/pc-bios/keymaps/fr-ca b/pc-bios/keymaps/fr-ca
+index b645208..9291240 100644
+--- a/pc-bios/keymaps/fr-ca
++++ b/pc-bios/keymaps/fr-ca
+@@ -14,22 +14,31 @@ bar 0x29 shift
+ twosuperior 0x9 altgr
+ threesuperior 0xa altgr
+ onequarter 0xb altgr
++minus 0x0c
+ onehalf 0xc altgr
++equal 0xd
+ threequarters 0xd altgr
+ section 0x18 altgr
+ paragraph 0x19 altgr
+ bracketleft 0x1a altgr
+ bracketright 0x1b altgr
++semicolon 0x27
++colon 0x27 shift
+ asciitilde 0x27 altgr
+ braceleft 0x28 altgr
++numbersign 0x29
+ braceright 0x2b altgr
+ less 0x2b
+ greater 0x2b shift
+ guillemotleft 0x56
+ guillemotright 0x56 shift
+ degree 0x56 altgr
++comma 0x33
+ mu 0x32 altgr
++apostrophe 0x33 shift
++period 0x34 shift
+ eacute 0x35
++Eacute 0x35 shift
+ dead_acute 0x35 altgr
+ dead_grave 0x28
+ dead_circumflex 0x1a
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch b/debian/patches/pve/0002-Adjust-network-script-path-to-etc-kvm.patch
new file mode 100644 (file)
index 0000000..4272294
--- /dev/null
@@ -0,0 +1,28 @@
+From 1dfa1a8df7b065e15639d078c0f137f2dec7c3fa Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:16:49 +0100
+Subject: [PATCH 02/47] Adjust network script path to /etc/kvm/
+
+---
+ include/net/net.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index e8d9e9e..375e81d 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -216,8 +216,9 @@ void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp);
+ int net_hub_id_for_client(NetClientState *nc, int *id);
+ NetClientState *net_hub_port_find(int hub_id);
+-#define DEFAULT_NETWORK_SCRIPT "/etc/qemu-ifup"
+-#define DEFAULT_NETWORK_DOWN_SCRIPT "/etc/qemu-ifdown"
++#define DEFAULT_NETWORK_SCRIPT "/etc/kvm/kvm-ifup"
++#define DEFAULT_NETWORK_DOWN_SCRIPT "/etc/kvm/kvm-ifdown"
++
+ #define DEFAULT_BRIDGE_HELPER CONFIG_QEMU_HELPERDIR "/qemu-bridge-helper"
+ #define DEFAULT_BRIDGE_INTERFACE "br0"
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0003-vnc-altgr-emulation.patch b/debian/patches/pve/0003-vnc-altgr-emulation.patch
new file mode 100644 (file)
index 0000000..272e74f
--- /dev/null
@@ -0,0 +1,65 @@
+From cf2ef62fc7d4ff7e64eed5a01e499c91b62121b9 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:17:38 +0100
+Subject: [PATCH 03/47] vnc: altgr emulation
+
+---
+ ui/vnc.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 76a3273..b9f36b5 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -1733,6 +1733,10 @@ static void kbd_leds(void *opaque, int ledstate)
+ static void do_key_event(VncState *vs, int down, int keycode, int sym)
+ {
++    int mods =  keycode & 0xf00;
++
++    keycode &= SCANCODE_KEYMASK;
++
+     /* QEMU console switch */
+     switch(keycode) {
+     case 0x2a:                          /* Left Shift */
+@@ -1813,8 +1817,27 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
+     }
+     if (qemu_console_is_graphic(NULL)) {
++
++      /* our java vnc client never sends ALTGR, so we create
++         an artificial up/down event */
++
++      int emul_altgr = (mods & SCANCODE_ALTGR) &&
++          !vs->modifiers_state[0xb8];
++
++      if (emul_altgr) {
++            reset_keys(vs);
++            qemu_input_event_send_key_number(vs->vd->dcl.con, 0xb8, true);
++            qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
++      }
++
+         qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
+         qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
++
++      if (emul_altgr) {
++             qemu_input_event_send_key_number(vs->vd->dcl.con, 0xb8, false);
++             qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
++      }
++
+     } else {
+         bool numlock = vs->modifiers_state[0x45];
+         bool control = (vs->modifiers_state[0x1d] ||
+@@ -1954,7 +1977,8 @@ static void key_event(VncState *vs, int down, uint32_t sym)
+         lsym = lsym - 'A' + 'a';
+     }
+-    keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
++    keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF);
++
+     trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
+     do_key_event(vs, down, keycode, sym);
+ }
+-- 
+2.1.4
+
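Review bot: the last hunk drops `& SCANCODE_KEYMASK` from the keysym2scancode() result in key_event(), so `trace_vnc_key_event_map(down, sym, keycode, code2name(keycode))` now receives the scancode with the modifier bits still set; mask the value passed to code2name() or move the trace after the masking in do_key_event(). In do_key_event() the modifier bits are extracted with the literal `0xf00` and then tested against SCANCODE_ALTGR, and the AltGr key number `0xb8` appears three times; named constants would make the relationship checkable. The emulated AltGr press and release, including `reset_keys(vs)`, run for both the down and the up event of the key, which should be confirmed as intended, and the new lines mix indentation widths.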
diff --git a/debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch b/debian/patches/pve/0004-qemu-img-return-success-on-info-without-snapshots.patch
new file mode 100644 (file)
index 0000000..b56797f
--- /dev/null
@@ -0,0 +1,26 @@
+From baf469b28e3f1bfd5b03e449ffcd8f41c80a5387 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:18:46 +0100
+Subject: [PATCH 04/47] qemu-img: return success on info without snapshots
+
+---
+ qemu-img.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/qemu-img.c b/qemu-img.c
+index f204d041..99be68f 100644
+--- a/qemu-img.c
++++ b/qemu-img.c
+@@ -2389,7 +2389,8 @@ static int img_info(int argc, char **argv)
+     list = collect_image_info_list(image_opts, filename, fmt, chain);
+     if (!list) {
+-        return 1;
++      // return success if snapshot does not exists
++        return 0;
+     }
+     switch (output_format) {
+-- 
+2.1.4
+
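Review bot: the `if (!list)` branch in img_info() now returns 0 for every case in which collect_image_info_list() yields NULL, while the new comment only names the missing-snapshot case; unless NULL can mean nothing else, other failures of that call will be reported as success to scripts that check the exit status. Distinguish the no-snapshot case from real errors before returning 0. The comment also uses `//` and different indentation from the surrounding code and should read "does not exist".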
diff --git a/debian/patches/pve/0005-use-kvm-by-default.patch b/debian/patches/pve/0005-use-kvm-by-default.patch
new file mode 100644 (file)
index 0000000..ff48982
--- /dev/null
@@ -0,0 +1,27 @@
+From c5405c552945f19b36ecc748a2a0e0ec14dff31e Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:27:05 +0100
+Subject: [PATCH 05/47] use kvm by default
+
+---
+ accel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/accel.c b/accel.c
+index 403eb5e..dd2ebea 100644
+--- a/accel.c
++++ b/accel.c
+@@ -88,8 +88,8 @@ void configure_accelerator(MachineState *ms)
+     p = qemu_opt_get(qemu_get_machine_opts(), "accel");
+     if (p == NULL) {
+-        /* Use the default "accelerator", tcg */
+-        p = "tcg";
++        /* Use the default "accelerator", kvm */
++        p = "kvm";
+     }
+     while (!accel_initialised && *p != '\0') {
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0006-virtio-balloon-fix-query.patch b/debian/patches/pve/0006-virtio-balloon-fix-query.patch
new file mode 100644 (file)
index 0000000..4d0f546
--- /dev/null
@@ -0,0 +1,169 @@
+From 132444451193736847c68d91f74c09cb76a16e6a Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:27:49 +0100
+Subject: [PATCH 06/47] virtio-balloon: fix query
+
+Actually provide memory information via the query-balloon
+command.
+---
+ hmp.c                      | 30 +++++++++++++++++++++++++++++-
+ hw/virtio/virtio-balloon.c | 33 +++++++++++++++++++++++++++++++--
+ qapi-schema.json           | 23 +++++++++++++++++++++--
+ qmp-commands.hx            | 13 +++++++++++++
+ 4 files changed, 94 insertions(+), 5 deletions(-)
+
+diff --git a/hmp.c b/hmp.c
+index bb45f7f..3b0dd81 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -704,7 +704,35 @@ void hmp_info_balloon(Monitor *mon, const QDict *qdict)
+         return;
+     }
+-    monitor_printf(mon, "balloon: actual=%" PRId64 "\n", info->actual >> 20);
++    monitor_printf(mon, "balloon: actual=%" PRId64, info->actual >> 20);
++    monitor_printf(mon, " max_mem=%" PRId64, info->max_mem >> 20);
++    if (info->has_total_mem) {
++        monitor_printf(mon, " total_mem=%" PRId64, info->total_mem >> 20);
++    }
++    if (info->has_free_mem) {
++        monitor_printf(mon, " free_mem=%" PRId64, info->free_mem >> 20);
++    }
++
++    if (info->has_mem_swapped_in) {
++        monitor_printf(mon, " mem_swapped_in=%" PRId64, info->mem_swapped_in);
++    }
++    if (info->has_mem_swapped_out) {
++        monitor_printf(mon, " mem_swapped_out=%" PRId64, info->mem_swapped_out);
++    }
++    if (info->has_major_page_faults) {
++        monitor_printf(mon, " major_page_faults=%" PRId64,
++                       info->major_page_faults);
++    }
++    if (info->has_minor_page_faults) {
++        monitor_printf(mon, " minor_page_faults=%" PRId64,
++                       info->minor_page_faults);
++    }
++    if (info->has_last_update) {
++        monitor_printf(mon, " last_update=%" PRId64,
++                       info->last_update);
++    }
++
++    monitor_printf(mon, "\n");
+     qapi_free_BalloonInfo(info);
+ }
+diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
+index ad4189a..b3a17f4 100644
+--- a/hw/virtio/virtio-balloon.c
++++ b/hw/virtio/virtio-balloon.c
+@@ -376,8 +376,37 @@ static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f,
+ static void virtio_balloon_stat(void *opaque, BalloonInfo *info)
+ {
+     VirtIOBalloon *dev = opaque;
+-    info->actual = get_current_ram_size() - ((uint64_t) dev->actual <<
+-                                             VIRTIO_BALLOON_PFN_SHIFT);
++    ram_addr_t ram_size = get_current_ram_size();
++    info->actual = ram_size - ((uint64_t) dev->actual <<
++                               VIRTIO_BALLOON_PFN_SHIFT);
++
++    info->max_mem = ram_size;
++
++    if (!(balloon_stats_enabled(dev) && balloon_stats_supported(dev) &&
++           dev->stats_last_update)) {
++       return;
++    }
++
++    info->last_update = dev->stats_last_update;
++    info->has_last_update = true;
++
++    info->mem_swapped_in = dev->stats[VIRTIO_BALLOON_S_SWAP_IN];
++    info->has_mem_swapped_in = info->mem_swapped_in >= 0 ? true : false;
++
++    info->mem_swapped_out = dev->stats[VIRTIO_BALLOON_S_SWAP_OUT];
++    info->has_mem_swapped_out = info->mem_swapped_out >= 0 ? true : false;
++
++    info->major_page_faults = dev->stats[VIRTIO_BALLOON_S_MAJFLT];
++    info->has_major_page_faults = info->major_page_faults >= 0 ? true : false;
++
++    info->minor_page_faults = dev->stats[VIRTIO_BALLOON_S_MINFLT];
++    info->has_minor_page_faults = info->minor_page_faults >= 0 ? true : false;
++
++    info->free_mem = dev->stats[VIRTIO_BALLOON_S_MEMFREE];
++    info->has_free_mem = info->free_mem >= 0 ? true : false;
++
++    info->total_mem = dev->stats[VIRTIO_BALLOON_S_MEMTOT];
++    info->has_total_mem = info->total_mem >= 0 ? true : false;
+ }
+ static void virtio_balloon_to_target(void *opaque, ram_addr_t target)
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 5658723..4bf7222 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -1278,10 +1278,29 @@
+ #
+ # @actual: the number of bytes the balloon currently contains
+ #
+-# Since: 0.14.0
++# @last_update: #optional time when stats got updated from guest
++#
++# @mem_swapped_in: #optional number of pages swapped in within the guest
++# 
++# @mem_swapped_out: #optional number of pages swapped out within the guest
++#
++# @major_page_faults: #optional number of major page faults within the guest
+ #
++# @minor_page_faults: #optional number of minor page faults within the guest
++# 
++# @free_mem: #optional amount of memory (in bytes) free in the guest
++#
++# @total_mem: #optional amount of memory (in bytes) visible to the guest
++#
++# @max_mem: amount of memory (in bytes) assigned to the guest
++# 
++# Since: 0.14.0
+ ##
+-{ 'struct': 'BalloonInfo', 'data': {'actual': 'int' } }
++{ 'struct': 'BalloonInfo',
++  'data': {'actual': 'int', '*last_update': 'int', '*mem_swapped_in': 'int',
++           '*mem_swapped_out': 'int', '*major_page_faults': 'int',
++           '*minor_page_faults': 'int', '*free_mem': 'int',
++           '*total_mem': 'int', 'max_mem': 'int' } }
+ ##
+ # @query-balloon:
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index 6866264..6de28d4 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -3854,6 +3854,13 @@ Make an asynchronous request for balloon info. When the request completes a
+ json-object will be returned containing the following data:
+ - "actual": current balloon value in bytes (json-int)
++- "mem_swapped_in": Amount of memory swapped in bytes (json-int, optional)
++- "mem_swapped_out": Amount of memory swapped out in bytes (json-int, optional)
++- "major_page_faults": Number of major faults (json-int, optional)
++- "minor_page_faults": Number of minor faults (json-int, optional)
++- "free_mem": Total amount of free and unused memory in
++              bytes (json-int, optional)
++- "total_mem": Total amount of available memory in bytes (json-int, optional)
+ Example:
+@@ -3861,6 +3868,12 @@ Example:
+ <- {
+       "return":{
+          "actual":1073741824,
++         "mem_swapped_in":0,
++         "mem_swapped_out":0,
++         "major_page_faults":142,
++         "minor_page_faults":239245,
++         "free_mem":1014185984,
++         "total_mem":1044668416
+       }
+    }
+-- 
+2.1.4
+
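Review bot: the units of the new swap counters disagree between the two documentation hunks: qapi-schema.json describes `@mem_swapped_in` and `@mem_swapped_out` as a "number of pages", while qmp-commands.hx says "Amount of memory swapped in bytes", and hmp_info_balloon() prints them without the `>> 20` applied to actual, max_mem, total_mem and free_mem. Pick one unit and state it in all three places. qmp-commands.hx also omits `max_mem` and `last_update` from both the field list and the example although `max_mem` is a mandatory member of BalloonInfo, and in virtio_balloon_stat() the `>= 0 ? true : false` ternaries are redundant.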
diff --git a/debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch b/debian/patches/pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch
new file mode 100644 (file)
index 0000000..f5d31bf
--- /dev/null
@@ -0,0 +1,28 @@
+From 118ca6343a48aaab7d1a8f252fb36008c823e551 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:30:21 +0100
+Subject: [PATCH 07/47] set the CPU model to kvm64/32 instead of qemu64/32
+
+---
+ hw/i386/pc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index 022dd1b..ba8a5a1 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -1160,9 +1160,9 @@ void pc_cpus_init(PCMachineState *pcms)
+     /* init CPUs */
+     if (machine->cpu_model == NULL) {
+ #ifdef TARGET_X86_64
+-        machine->cpu_model = "qemu64";
++        machine->cpu_model = "kvm64";
+ #else
+-        machine->cpu_model = "qemu32";
++        machine->cpu_model = "kvm32";
+ #endif
+     }
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0008-qapi-modify-query-machines.patch b/debian/patches/pve/0008-qapi-modify-query-machines.patch
new file mode 100644 (file)
index 0000000..d8cd15c
--- /dev/null
@@ -0,0 +1,52 @@
+From dc5b92fbb2d405fd86228409b1f25c0bb2d6d973 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:31:18 +0100
+Subject: [PATCH 08/47] qapi: modify query machines
+
+provide '*is-current' in MachineInfo struct
+---
+ qapi-schema.json | 4 +++-
+ vl.c             | 5 +++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 4bf7222..63507f5 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -3027,6 +3027,8 @@
+ #
+ # @default: #optional whether the machine is default
+ #
++# @current: #optional whether this machine is currently used
++#
+ # @cpu-max: maximum number of CPUs supported by the machine type
+ #           (since 1.5.0)
+ #
+@@ -3036,7 +3038,7 @@
+ ##
+ { 'struct': 'MachineInfo',
+   'data': { 'name': 'str', '*alias': 'str',
+-            '*is-default': 'bool', 'cpu-max': 'int',
++            '*is-default': 'bool', '*is-current': 'bool', 'cpu-max': 'int',
+             'hotpluggable-cpus': 'bool'} }
+ ##
+diff --git a/vl.c b/vl.c
+index 6a218ce..b226e0b 100644
+--- a/vl.c
++++ b/vl.c
+@@ -1509,6 +1509,11 @@ MachineInfoList *qmp_query_machines(Error **errp)
+         info->cpu_max = !mc->max_cpus ? 1 : mc->max_cpus;
+         info->hotpluggable_cpus = !!mc->query_hotpluggable_cpus;
++        if (strcmp(mc->name, MACHINE_GET_CLASS(current_machine)->name) == 0) {
++            info->has_is_current = true;
++            info->is_current = true;
++        }
++
+         entry = g_malloc0(sizeof(*entry));
+         entry->value = info;
+         entry->next = mach_list;
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0009-qapi-modify-spice-query.patch b/debian/patches/pve/0009-qapi-modify-spice-query.patch
new file mode 100644 (file)
index 0000000..673fc7e
--- /dev/null
@@ -0,0 +1,49 @@
+From c09467afaf37989942076b45f6ffa7bb8ebde2ca Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:32:11 +0100
+Subject: [PATCH 09/47] qapi: modify spice query
+
+Provide the last ticket in the SpiceInfo struct optionally.
+---
+ qapi-schema.json | 3 +++
+ ui/spice-core.c  | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 63507f5..518c2ea 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -1253,11 +1253,14 @@
+ #
+ # @channels: a list of @SpiceChannel for each active spice channel
+ #
++# @ticket: #optional The last ticket set with set_password
++#
+ # Since: 0.14.0
+ ##
+ { 'struct': 'SpiceInfo',
+   'data': {'enabled': 'bool', 'migrated': 'bool', '*host': 'str', '*port': 'int',
+            '*tls-port': 'int', '*auth': 'str', '*compiled-version': 'str',
++           '*ticket': 'str',
+            'mouse-mode': 'SpiceQueryMouseMode', '*channels': ['SpiceChannel']} }
+ ##
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index da05054..acf5a73 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -543,6 +543,11 @@ SpiceInfo *qmp_query_spice(Error **errp)
+     micro = SPICE_SERVER_VERSION & 0xff;
+     info->compiled_version = g_strdup_printf("%d.%d.%d", major, minor, micro);
++    if (auth_passwd) {
++        info->has_ticket = true;
++        info->ticket =  g_strdup(auth_passwd);
++    }
++
+     if (port) {
+         info->has_port = true;
+         info->port = port;
+-- 
+2.1.4
+
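Review bot: qmp_query_spice() now copies `auth_passwd` into the reply (`info->ticket = g_strdup(auth_passwd);`), so every client that can issue query-spice, and every log or trace that records monitor replies, receives the current SPICE ticket in clear text. The commit message and the `@ticket` doc comment should state why the secret has to be readable back and which monitor users are trusted with it; if the consumer only needs to know that a ticket is set, return a boolean instead.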
diff --git a/debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch b/debian/patches/pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch
new file mode 100644 (file)
index 0000000..cf9ba57
--- /dev/null
@@ -0,0 +1,59 @@
+From 78cc6a38bfa2c986ff75a322d750a548bf2291b9 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:33:34 +0100
+Subject: [PATCH 10/47] ui/spice: default to pve certs unless otherwise
+ specified
+
+---
+ ui/spice-core.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index acf5a73..4f1cf45 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -676,32 +676,35 @@ void qemu_spice_init(void)
+     if (tls_port) {
+         x509_dir = qemu_opt_get(opts, "x509-dir");
+-        if (!x509_dir) {
+-            x509_dir = ".";
+-        }
+         str = qemu_opt_get(opts, "x509-key-file");
+         if (str) {
+             x509_key_file = g_strdup(str);
+-        } else {
++        } else if (x509_dir) {
+             x509_key_file = g_strdup_printf("%s/%s", x509_dir,
+                                             X509_SERVER_KEY_FILE);
++        } else {
++            x509_key_file = g_strdup("/etc/pve/local/pve-ssl.key");
+         }
+         str = qemu_opt_get(opts, "x509-cert-file");
+         if (str) {
+             x509_cert_file = g_strdup(str);
+-        } else {
++        } else if (x509_dir) {
+             x509_cert_file = g_strdup_printf("%s/%s", x509_dir,
+                                              X509_SERVER_CERT_FILE);
++        } else {
++            x509_cert_file = g_strdup("/etc/pve/local/pve-ssl.pem");
+         }
+         str = qemu_opt_get(opts, "x509-cacert-file");
+         if (str) {
+             x509_cacert_file = g_strdup(str);
+-        } else {
++        } else if (x509_dir) {
+             x509_cacert_file = g_strdup_printf("%s/%s", x509_dir,
+                                                X509_CA_CERT_FILE);
++        } else {
++            x509_cacert_file = g_strdup("/etc/pve/pve-root-ca.pem");
+         }
+         x509_key_password = qemu_opt_get(opts, "x509-key-password");
+-- 
+2.1.4
+
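Review bot: the three fallback branches in qemu_spice_init() hard-code `/etc/pve/local/pve-ssl.key`, `/etc/pve/local/pve-ssl.pem` and `/etc/pve/pve-root-ca.pem` as string literals, while the `x509_dir` branches next to them use the X509_SERVER_KEY_FILE, X509_SERVER_CERT_FILE and X509_CA_CERT_FILE macros; define the PVE paths the same way so they can be found and changed in one place. The patch also removes the previous `x509_dir = "."` default without a commit description, so the change in behaviour for a TLS port configured without any x509 option is undocumented.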
diff --git a/debian/patches/pve/0011-introduce-new-vma-archive-format.patch b/debian/patches/pve/0011-introduce-new-vma-archive-format.patch
new file mode 100644 (file)
index 0000000..963c37d
--- /dev/null
@@ -0,0 +1,2479 @@
+From 183d526538782e8c3644db303846cf0a70595009 Mon Sep 17 00:00:00 2001
+From: Dietmar Maurer <dietmar@proxmox.com>
+Date: Tue, 13 Nov 2012 11:11:38 +0100
+Subject: [PATCH 11/47] introduce new vma archive format
+
+This is a very simple archive format, see docs/specs/vma_spec.txt
+
+Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
+---
+ Makefile      |   3 +-
+ Makefile.objs |   1 +
+ vma-reader.c  | 797 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ vma-writer.c  | 870 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ vma.c         | 585 +++++++++++++++++++++++++++++++++++++++
+ vma.h         | 146 ++++++++++
+ 6 files changed, 2401 insertions(+), 1 deletion(-)
+ create mode 100644 vma-reader.c
+ create mode 100644 vma-writer.c
+ create mode 100644 vma.c
+ create mode 100644 vma.h
+
+diff --git a/Makefile b/Makefile
+index 50b4b3a..d92d905 100644
+--- a/Makefile
++++ b/Makefile
+@@ -165,7 +165,7 @@ ifneq ($(wildcard config-host.mak),)
+ include $(SRC_PATH)/tests/Makefile.include
+ endif
+-all: $(DOCS) $(TOOLS) $(HELPERS-y) recurse-all modules
++all: $(DOCS) $(TOOLS) vma$(EXESUF) $(HELPERS-y) recurse-all modules
+ qemu-version.h: FORCE
+       $(call quiet-command, \
+@@ -256,6 +256,7 @@ qemu-img.o: qemu-img-cmds.h
+ qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
+ qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
+ qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
++vma$(EXESUF): vma.o vma-reader.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) libqemuutil.a libqemustub.a
+ qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o libqemuutil.a libqemustub.a
+diff --git a/Makefile.objs b/Makefile.objs
+index 6d5ddcf..845edd0 100644
+--- a/Makefile.objs
++++ b/Makefile.objs
+@@ -15,6 +15,7 @@ block-obj-$(CONFIG_POSIX) += aio-posix.o
+ block-obj-$(CONFIG_WIN32) += aio-win32.o
+ block-obj-y += block/
+ block-obj-y += qemu-io-cmds.o
++block-obj-y += vma-writer.o
+ block-obj-m = block/
+diff --git a/vma-reader.c b/vma-reader.c
+new file mode 100644
+index 0000000..51dd8fe
+--- /dev/null
++++ b/vma-reader.c
+@@ -0,0 +1,797 @@
++/*
++ * VMA: Virtual Machine Archive
++ *
++ * Copyright (C) 2012 Proxmox Server Solutions
++ *
++ * Authors:
++ *  Dietmar Maurer (dietmar@proxmox.com)
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ *
++ */
++
++#include "qemu/osdep.h"
++#include <glib.h>
++#include <uuid/uuid.h>
++
++#include "qemu-common.h"
++#include "qemu/timer.h"
++#include "qemu/ratelimit.h"
++#include "vma.h"
++#include "block/block.h"
++#include "sysemu/block-backend.h"
++
++static unsigned char zero_vma_block[VMA_BLOCK_SIZE];
++
++typedef struct VmaRestoreState {
++    BlockDriverState *bs;
++    bool write_zeroes;
++    unsigned long *bitmap;
++    int bitmap_size;
++}  VmaRestoreState;
++
++struct VmaReader {
++    int fd;
++    GChecksum *md5csum;
++    GHashTable *blob_hash;
++    unsigned char *head_data;
++    VmaDeviceInfo devinfo[256];
++    VmaRestoreState rstate[256];
++    GList *cdata_list;
++    guint8 vmstate_stream;
++    uint32_t vmstate_clusters;
++    /* to show restore percentage if run with -v */
++    time_t start_time;
++    int64_t cluster_count;
++    int64_t clusters_read;
++    int clusters_read_per;
++};
++
++static guint
++g_int32_hash(gconstpointer v)
++{
++    return *(const uint32_t *)v;
++}
++
++static gboolean
++g_int32_equal(gconstpointer v1, gconstpointer v2)
++{
++    return *((const uint32_t *)v1) == *((const uint32_t *)v2);
++}
++
++static int vma_reader_get_bitmap(VmaRestoreState *rstate, int64_t cluster_num)
++{
++    assert(rstate);
++    assert(rstate->bitmap);
++
++    unsigned long val, idx, bit;
++
++    idx = cluster_num / BITS_PER_LONG;
++
++    assert(rstate->bitmap_size > idx);
++
++    bit = cluster_num % BITS_PER_LONG;
++    val = rstate->bitmap[idx];
++
++    return !!(val & (1UL << bit));
++}
++
++static void vma_reader_set_bitmap(VmaRestoreState *rstate, int64_t cluster_num,
++                                  int dirty)
++{
++    assert(rstate);
++    assert(rstate->bitmap);
++
++    unsigned long val, idx, bit;
++
++    idx = cluster_num / BITS_PER_LONG;
++
++    assert(rstate->bitmap_size > idx);
++
++    bit = cluster_num % BITS_PER_LONG;
++    val = rstate->bitmap[idx];
++    if (dirty) {
++        if (!(val & (1UL << bit))) {
++            val |= 1UL << bit;
++        }
++    } else {
++        if (val & (1UL << bit)) {
++            val &= ~(1UL << bit);
++        }
++    }
++    rstate->bitmap[idx] = val;
++}
++
++typedef struct VmaBlob {
++    uint32_t start;
++    uint32_t len;
++    void *data;
++} VmaBlob;
++
++static const VmaBlob *get_header_blob(VmaReader *vmar, uint32_t pos)
++{
++    assert(vmar);
++    assert(vmar->blob_hash);
++
++    return g_hash_table_lookup(vmar->blob_hash, &pos);
++}
++
++static const char *get_header_str(VmaReader *vmar, uint32_t pos)
++{
++    const VmaBlob *blob = get_header_blob(vmar, pos);
++    if (!blob) {
++        return NULL;
++    }
++    const char *res = (char *)blob->data;
++    if (res[blob->len-1] != '\0') {
++        return NULL;
++    }
++    return res;
++}
++
++static ssize_t
++safe_read(int fd, unsigned char *buf, size_t count)
++{
++    ssize_t n;
++
++    do {
++        n = read(fd, buf, count);
++    } while (n < 0 && errno == EINTR);
++
++    return n;
++}
++
++static ssize_t
++full_read(int fd, unsigned char *buf, size_t len)
++{
++    ssize_t n;
++    size_t total;
++
++    total = 0;
++
++    while (len > 0) {
++        n = safe_read(fd, buf, len);
++
++        if (n == 0) {
++            return total;
++        }
++
++        if (n <= 0) {
++            break;
++        }
++
++        buf += n;
++        total += n;
++        len -= n;
++    }
++
++    if (len) {
++        return -1;
++    }
++
++    return total;
++}
++
++void vma_reader_destroy(VmaReader *vmar)
++{
++    assert(vmar);
++
++    if (vmar->fd >= 0) {
++        close(vmar->fd);
++    }
++
++    if (vmar->cdata_list) {
++        g_list_free(vmar->cdata_list);
++    }
++
++    int i;
++    for (i = 1; i < 256; i++) {
++        if (vmar->rstate[i].bitmap) {
++            g_free(vmar->rstate[i].bitmap);
++        }
++    }
++
++    if (vmar->md5csum) {
++        g_checksum_free(vmar->md5csum);
++    }
++
++    if (vmar->blob_hash) {
++        g_hash_table_destroy(vmar->blob_hash);
++    }
++
++    if (vmar->head_data) {
++        g_free(vmar->head_data);
++    }
++
++    g_free(vmar);
++
++};
++
++static int vma_reader_read_head(VmaReader *vmar, Error **errp)
++{
++    assert(vmar);
++    assert(errp);
++    assert(*errp == NULL);
++
++    unsigned char md5sum[16];
++    int i;
++    int ret = 0;
++
++    vmar->head_data = g_malloc(sizeof(VmaHeader));
++
++    if (full_read(vmar->fd, vmar->head_data, sizeof(VmaHeader)) !=
++        sizeof(VmaHeader)) {
++        error_setg(errp, "can't read vma header - %s",
++                   errno ? g_strerror(errno) : "got EOF");
++        return -1;
++    }
++
++    VmaHeader *h = (VmaHeader *)vmar->head_data;
++
++    if (h->magic != VMA_MAGIC) {
++        error_setg(errp, "not a vma file - wrong magic number");
++        return -1;
++    }
++
++    uint32_t header_size = GUINT32_FROM_BE(h->header_size);
++    int need = header_size - sizeof(VmaHeader);
++    if (need <= 0) {
++        error_setg(errp, "wrong vma header size %d", header_size);
++        return -1;
++    }
++
++    vmar->head_data = g_realloc(vmar->head_data, header_size);
++    h = (VmaHeader *)vmar->head_data;
++
++    if (full_read(vmar->fd, vmar->head_data + sizeof(VmaHeader), need) !=
++        need) {
++        error_setg(errp, "can't read vma header data - %s",
++                   errno ? g_strerror(errno) : "got EOF");
++        return -1;
++    }
++
++    memcpy(md5sum, h->md5sum, 16);
++    memset(h->md5sum, 0, 16);
++
++    g_checksum_reset(vmar->md5csum);
++    g_checksum_update(vmar->md5csum, vmar->head_data, header_size);
++    gsize csize = 16;
++    g_checksum_get_digest(vmar->md5csum, (guint8 *)(h->md5sum), &csize);
++
++    if (memcmp(md5sum, h->md5sum, 16) != 0) {
++        error_setg(errp, "wrong vma header chechsum");
++        return -1;
++    }
++
++    /* we can modify header data after checksum verify */
++    h->header_size = header_size;
++
++    h->version = GUINT32_FROM_BE(h->version);
++    if (h->version != 1) {
++        error_setg(errp, "wrong vma version %d", h->version);
++        return -1;
++    }
++
++    h->ctime = GUINT64_FROM_BE(h->ctime);
++    h->blob_buffer_offset = GUINT32_FROM_BE(h->blob_buffer_offset);
++    h->blob_buffer_size = GUINT32_FROM_BE(h->blob_buffer_size);
++
++    uint32_t bstart = h->blob_buffer_offset + 1;
++    uint32_t bend = h->blob_buffer_offset + h->blob_buffer_size;
++
++    if (bstart <= sizeof(VmaHeader)) {
++        error_setg(errp, "wrong vma blob buffer offset %d",
++                   h->blob_buffer_offset);
++        return -1;
++    }
++
++    if (bend > header_size) {
++        error_setg(errp, "wrong vma blob buffer size %d/%d",
++                   h->blob_buffer_offset, h->blob_buffer_size);
++        return -1;
++    }
++
++    while ((bstart + 2) <= bend) {
++        uint32_t size = vmar->head_data[bstart] +
++            (vmar->head_data[bstart+1] << 8);
++        if ((bstart + size + 2) <= bend) {
++            VmaBlob *blob = g_new0(VmaBlob, 1);
++            blob->start = bstart - h->blob_buffer_offset;
++            blob->len = size;
++            blob->data = vmar->head_data + bstart + 2;
++            g_hash_table_insert(vmar->blob_hash, &blob->start, blob);
++        }
++        bstart += size + 2;
++    }
++
++
++    int count = 0;
++    for (i = 1; i < 256; i++) {
++        VmaDeviceInfoHeader *dih = &h->dev_info[i];
++        uint32_t devname_ptr = GUINT32_FROM_BE(dih->devname_ptr);
++        uint64_t size = GUINT64_FROM_BE(dih->size);
++        const char *devname =  get_header_str(vmar, devname_ptr);
++
++        if (size && devname) {
++            count++;
++            vmar->devinfo[i].size = size;
++            vmar->devinfo[i].devname = devname;
++
++            if (strcmp(devname, "vmstate") == 0) {
++                vmar->vmstate_stream = i;
++            }
++        }
++    }
++
++    if (!count) {
++        error_setg(errp, "vma does not contain data");
++        return -1;
++    }
++
++    for (i = 0; i < VMA_MAX_CONFIGS; i++) {
++        uint32_t name_ptr = GUINT32_FROM_BE(h->config_names[i]);
++        uint32_t data_ptr = GUINT32_FROM_BE(h->config_data[i]);
++
++        if (!(name_ptr && data_ptr)) {
++            continue;
++        }
++        const char *name =  get_header_str(vmar, name_ptr);
++        const VmaBlob *blob = get_header_blob(vmar, data_ptr);
++
++        if (!(name && blob)) {
++            error_setg(errp, "vma contains invalid data pointers");
++            return -1;
++        }
++
++        VmaConfigData *cdata = g_new0(VmaConfigData, 1);
++        cdata->name = name;
++        cdata->data = blob->data;
++        cdata->len = blob->len;
++
++        vmar->cdata_list = g_list_append(vmar->cdata_list, cdata);
++    }
++
++    return ret;
++};
++
++VmaReader *vma_reader_create(const char *filename, Error **errp)
++{
++    assert(filename);
++    assert(errp);
++
++    VmaReader *vmar = g_new0(VmaReader, 1);
++
++    if (strcmp(filename, "-") == 0) {
++        vmar->fd = dup(0);
++    } else {
++        vmar->fd = open(filename, O_RDONLY);
++    }
++
++    if (vmar->fd < 0) {
++        error_setg(errp, "can't open file %s - %s\n", filename,
++                   g_strerror(errno));
++        goto err;
++    }
++
++    vmar->md5csum = g_checksum_new(G_CHECKSUM_MD5);
++    if (!vmar->md5csum) {
++        error_setg(errp, "can't allocate cmsum\n");
++        goto err;
++    }
++
++    vmar->blob_hash = g_hash_table_new_full(g_int32_hash, g_int32_equal,
++                                            NULL, g_free);
++
++    if (vma_reader_read_head(vmar, errp) < 0) {
++        goto err;
++    }
++
++    return vmar;
++
++err:
++    if (vmar) {
++        vma_reader_destroy(vmar);
++    }
++
++    return NULL;
++}
++
++VmaHeader *vma_reader_get_header(VmaReader *vmar)
++{
++    assert(vmar);
++    assert(vmar->head_data);
++
++    return (VmaHeader *)(vmar->head_data);
++}
++
++GList *vma_reader_get_config_data(VmaReader *vmar)
++{
++    assert(vmar);
++    assert(vmar->head_data);
++
++    return vmar->cdata_list;
++}
++
++VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id)
++{
++    assert(vmar);
++    assert(dev_id);
++
++    if (vmar->devinfo[dev_id].size && vmar->devinfo[dev_id].devname) {
++        return &vmar->devinfo[dev_id];
++    }
++
++    return NULL;
++}
++
++int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockDriverState *bs,
++                           bool write_zeroes, Error **errp)
++{
++    assert(vmar);
++    assert(bs != NULL);
++    assert(dev_id);
++    assert(vmar->rstate[dev_id].bs == NULL);
++
++    int64_t size = bdrv_getlength(bs);
++    int64_t size_diff = size - vmar->devinfo[dev_id].size;
++
++    /* storage types can have different size restrictions, so it
++     * is not always possible to create an image with exact size.
++     * So we tolerate a size difference up to 4MB.
++     */
++    if ((size_diff < 0) || (size_diff > 4*1024*1024)) {
++        error_setg(errp, "vma_reader_register_bs for stream %s failed - "
++                   "unexpected size %zd != %zd", vmar->devinfo[dev_id].devname,
++                   size, vmar->devinfo[dev_id].size);
++        return -1;
++    }
++
++    vmar->rstate[dev_id].bs = bs;
++    vmar->rstate[dev_id].write_zeroes = write_zeroes;
++
++    int64_t bitmap_size = (size/BDRV_SECTOR_SIZE) +
++        (VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE) * BITS_PER_LONG - 1;
++    bitmap_size /= (VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE) * BITS_PER_LONG;
++
++    vmar->rstate[dev_id].bitmap_size = bitmap_size;
++    vmar->rstate[dev_id].bitmap = g_new0(unsigned long, bitmap_size);
++
++    vmar->cluster_count += size/VMA_CLUSTER_SIZE;
++
++    return 0;
++}
++
++static ssize_t safe_write(int fd, void *buf, size_t count)
++{
++    ssize_t n;
++
++    do {
++        n = write(fd, buf, count);
++    } while (n < 0 && errno == EINTR);
++
++    return n;
++}
++
++static size_t full_write(int fd, void *buf, size_t len)
++{
++    ssize_t n;
++    size_t total;
++
++    total = 0;
++
++    while (len > 0) {
++        n = safe_write(fd, buf, len);
++        if (n < 0) {
++            return n;
++        }
++        buf += n;
++        total += n;
++        len -= n;
++    }
++
++    if (len) {
++        /* incomplete write ? */
++        return -1;
++    }
++
++    return total;
++}
++
++static int restore_write_data(VmaReader *vmar, guint8 dev_id,
++                              BlockDriverState *bs, int vmstate_fd,
++                              unsigned char *buf, int64_t sector_num,
++                              int nb_sectors, Error **errp)
++{
++    assert(vmar);
++
++    if (dev_id == vmar->vmstate_stream) {
++        if (vmstate_fd >= 0) {
++            int len = nb_sectors * BDRV_SECTOR_SIZE;
++            int res = full_write(vmstate_fd, buf, len);
++            if (res < 0) {
++                error_setg(errp, "write vmstate failed %d", res);
++                return -1;
++            }
++        }
++    } else {
++        int res = bdrv_write(bs, sector_num, buf, nb_sectors);
++        if (res < 0) {
++            error_setg(errp, "bdrv_write to %s failed (%d)",
++                       bdrv_get_device_name(bs), res);
++            return -1;
++        }
++    }
++    return 0;
++}
++static int restore_extent(VmaReader *vmar, unsigned char *buf,
++                          int extent_size, int vmstate_fd,
++                          bool verbose, Error **errp)
++{
++    assert(vmar);
++    assert(buf);
++
++    VmaExtentHeader *ehead = (VmaExtentHeader *)buf;
++    int start = VMA_EXTENT_HEADER_SIZE;
++    int i;
++
++    for (i = 0; i < VMA_BLOCKS_PER_EXTENT; i++) {
++        uint64_t block_info = GUINT64_FROM_BE(ehead->blockinfo[i]);
++        uint64_t cluster_num = block_info & 0xffffffff;
++        uint8_t dev_id = (block_info >> 32) & 0xff;
++        uint16_t mask = block_info >> (32+16);
++        int64_t max_sector;
++
++        if (!dev_id) {
++            continue;
++        }
++
++        VmaRestoreState *rstate = &vmar->rstate[dev_id];
++        BlockDriverState *bs = NULL;
++
++        if (dev_id != vmar->vmstate_stream) {
++            bs = rstate->bs;
++            if (!bs) {
++                error_setg(errp, "got wrong dev id %d", dev_id);
++                return -1;
++            }
++
++            if (vma_reader_get_bitmap(rstate, cluster_num)) {
++                error_setg(errp, "found duplicated cluster %zd for stream %s",
++                          cluster_num, vmar->devinfo[dev_id].devname);
++                return -1;
++            }
++            vma_reader_set_bitmap(rstate, cluster_num, 1);
++
++            max_sector = vmar->devinfo[dev_id].size/BDRV_SECTOR_SIZE;
++        } else {
++            max_sector = G_MAXINT64;
++            if (cluster_num != vmar->vmstate_clusters) {
++                error_setg(errp, "found out of order vmstate data");
++                return -1;
++            }
++            vmar->vmstate_clusters++;
++        }
++
++        vmar->clusters_read++;
++
++        if (verbose) {
++            time_t duration = time(NULL) - vmar->start_time;
++            int percent = (vmar->clusters_read*100)/vmar->cluster_count;
++            if (percent != vmar->clusters_read_per) {
++                printf("progress %d%% (read %zd bytes, duration %zd sec)\n",
++                       percent, vmar->clusters_read*VMA_CLUSTER_SIZE,
++                       duration);
++                fflush(stdout);
++                vmar->clusters_read_per = percent;
++            }
++        }
++
++        /* try to write whole clusters to speedup restore */
++        if (mask == 0xffff) {
++            if ((start + VMA_CLUSTER_SIZE) > extent_size) {
++                error_setg(errp, "short vma extent - too many blocks");
++                return -1;
++            }
++            int64_t sector_num = (cluster_num * VMA_CLUSTER_SIZE) /
++                BDRV_SECTOR_SIZE;
++            int64_t end_sector = sector_num +
++                VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE;
++
++            if (end_sector > max_sector) {
++                end_sector = max_sector;
++            }
++
++            if (end_sector <= sector_num) {
++                error_setg(errp, "got wrong block address - write bejond end");
++                return -1;
++            }
++
++            int nb_sectors = end_sector - sector_num;
++            if (restore_write_data(vmar, dev_id, bs, vmstate_fd, buf + start,
++                                   sector_num, nb_sectors, errp) < 0) {
++                return -1;
++            }
++
++            start += VMA_CLUSTER_SIZE;
++        } else {
++            int j;
++            int bit = 1;
++
++            for (j = 0; j < 16; j++) {
++                int64_t sector_num = (cluster_num*VMA_CLUSTER_SIZE +
++                                      j*VMA_BLOCK_SIZE)/BDRV_SECTOR_SIZE;
++
++                int64_t end_sector = sector_num +
++                    VMA_BLOCK_SIZE/BDRV_SECTOR_SIZE;
++                if (end_sector > max_sector) {
++                    end_sector = max_sector;
++                }
++
++                if (mask & bit) {
++                    if ((start + VMA_BLOCK_SIZE) > extent_size) {
++                        error_setg(errp, "short vma extent - too many blocks");
++                        return -1;
++                    }
++
++                    if (end_sector <= sector_num) {
++                        error_setg(errp, "got wrong block address - "
++                                   "write bejond end");
++                        return -1;
++                    }
++
++                    int nb_sectors = end_sector - sector_num;
++                    if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                                           buf + start, sector_num,
++                                           nb_sectors, errp) < 0) {
++                        return -1;
++                    }
++
++                    start += VMA_BLOCK_SIZE;
++
++                } else {
++
++                    if (rstate->write_zeroes && (end_sector > sector_num)) {
++                        /* Todo: use bdrv_co_write_zeroes (but that need to
++                         * be run inside coroutine?)
++                         */
++                        int nb_sectors = end_sector - sector_num;
++                        if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                                              zero_vma_block, sector_num,
++                                               nb_sectors, errp) < 0) {
++                            return -1;
++                        }
++                    }
++                }
++
++                bit = bit << 1;
++            }
++        }
++    }
++
++    if (start != extent_size) {
++        error_setg(errp, "vma extent error - missing blocks");
++        return -1;
++    }
++
++    return 0;
++}
++
++int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
++                       Error **errp)
++{
++    assert(vmar);
++    assert(vmar->head_data);
++
++    int ret = 0;
++    unsigned char buf[VMA_MAX_EXTENT_SIZE];
++    int buf_pos = 0;
++    unsigned char md5sum[16];
++    VmaHeader *h = (VmaHeader *)vmar->head_data;
++
++    vmar->start_time = time(NULL);
++
++    while (1) {
++        int bytes = full_read(vmar->fd, buf + buf_pos, sizeof(buf) - buf_pos);
++        if (bytes < 0) {
++            error_setg(errp, "read failed - %s", g_strerror(errno));
++            return -1;
++        }
++
++        buf_pos += bytes;
++
++        if (!buf_pos) {
++            break; /* EOF */
++        }
++
++        if (buf_pos < VMA_EXTENT_HEADER_SIZE) {
++            error_setg(errp, "read short extent (%d bytes)", buf_pos);
++            return -1;
++        }
++
++        VmaExtentHeader *ehead = (VmaExtentHeader *)buf;
++
++        /* extract md5sum */
++        memcpy(md5sum, ehead->md5sum, sizeof(ehead->md5sum));
++        memset(ehead->md5sum, 0, sizeof(ehead->md5sum));
++
++        g_checksum_reset(vmar->md5csum);
++        g_checksum_update(vmar->md5csum, buf, VMA_EXTENT_HEADER_SIZE);
++        gsize csize = 16;
++        g_checksum_get_digest(vmar->md5csum, ehead->md5sum, &csize);
++
++        if (memcmp(md5sum, ehead->md5sum, 16) != 0) {
++            error_setg(errp, "wrong vma extent header chechsum");
++            return -1;
++        }
++
++        if (memcmp(h->uuid, ehead->uuid, sizeof(ehead->uuid)) != 0) {
++            error_setg(errp, "wrong vma extent uuid");
++            return -1;
++        }
++
++        if (ehead->magic != VMA_EXTENT_MAGIC || ehead->reserved1 != 0) {
++            error_setg(errp, "wrong vma extent header magic");
++            return -1;
++        }
++
++        int block_count = GUINT16_FROM_BE(ehead->block_count);
++        int extent_size = VMA_EXTENT_HEADER_SIZE + block_count*VMA_BLOCK_SIZE;
++
++        if (buf_pos < extent_size) {
++            error_setg(errp, "short vma extent (%d < %d)", buf_pos,
++                       extent_size);
++            return -1;
++        }
++
++        if (restore_extent(vmar, buf, extent_size, vmstate_fd, verbose,
++                           errp) < 0) {
++            return -1;
++        }
++
++        if (buf_pos > extent_size) {
++            memmove(buf, buf + extent_size, buf_pos - extent_size);
++            buf_pos = buf_pos - extent_size;
++        } else {
++            buf_pos = 0;
++        }
++    }
++
++    bdrv_drain_all();
++
++    int i;
++    for (i = 1; i < 256; i++) {
++        VmaRestoreState *rstate = &vmar->rstate[i];
++        if (!rstate->bs) {
++            continue;
++        }
++
++        if (bdrv_flush(rstate->bs) < 0) {
++            error_setg(errp, "vma bdrv_flush %s failed",
++                       vmar->devinfo[i].devname);
++            return -1;
++        }
++
++        if (vmar->devinfo[i].size &&
++            (strcmp(vmar->devinfo[i].devname, "vmstate") != 0)) {
++            assert(rstate->bitmap);
++
++            int64_t cluster_num, end;
++
++            end = (vmar->devinfo[i].size + VMA_CLUSTER_SIZE - 1) /
++                VMA_CLUSTER_SIZE;
++
++            for (cluster_num = 0; cluster_num < end; cluster_num++) {
++                if (!vma_reader_get_bitmap(rstate, cluster_num)) {
++                    error_setg(errp, "detected missing cluster %zd "
++                               "for stream %s", cluster_num,
++                               vmar->devinfo[i].devname);
++                    return -1;
++                }
++            }
++        }
++    }
++
++    return ret;
++}
++
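Review bot: In vma_reader_read_head() the blob buffer bounds are computed in uint32_t from file-supplied fields, so `bstart = h->blob_buffer_offset + 1` and `bend = h->blob_buffer_offset + h->blob_buffer_size` can wrap around and still pass both the `bstart <= sizeof(VmaHeader)` and the `bend > header_size` checks. The loop condition `(bstart + 2) <= bend` wraps the same way, after which `vmar->head_data[bstart]` indexes far outside the header allocation. The MD5 comparison that runs first only catches accidental corruption, because whoever produces the archive can recompute it. Suggest doing this arithmetic in uint64_t, or rejecting blob_buffer_offset >= header_size and blob_buffer_size > header_size - blob_buffer_offset before the loop. Three related points in the same file: get_header_str() reads `res[blob->len-1]` without rejecting a zero-length blob, which the parsing loop will insert into blob_hash when the two size bytes are zero; header_size has no explicit upper bound before g_realloc(); and vma_reader_get_bitmap() and vma_reader_set_bitmap() rely on assert(rstate->bitmap_size > idx) for a cluster_num that restore_extent() takes straight from the extent header, where an error_setg() and return -1 would be the appropriate response to a malformed archive rather than an abort.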
+diff --git a/vma-writer.c b/vma-writer.c
+new file mode 100644
+index 0000000..b0cf529
+--- /dev/null
++++ b/vma-writer.c
+@@ -0,0 +1,870 @@
++/*
++ * VMA: Virtual Machine Archive
++ *
++ * Copyright (C) 2012 Proxmox Server Solutions
++ *
++ * Authors:
++ *  Dietmar Maurer (dietmar@proxmox.com)
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ *
++ */
++
++#include "qemu/osdep.h"
++#include <glib.h>
++#include <uuid/uuid.h>
++
++#include "vma.h"
++#include "block/block.h"
++#include "monitor/monitor.h"
++#include "qemu/main-loop.h"
++#include "qemu/coroutine.h"
++#include "qemu/cutils.h"
++
++#define DEBUG_VMA 0
++
++#define DPRINTF(fmt, ...)\
++    do { if (DEBUG_VMA) { printf("vma: " fmt, ## __VA_ARGS__); } } while (0)
++
++#define WRITE_BUFFERS 5
++
++typedef struct VmaAIOCB VmaAIOCB;
++struct VmaAIOCB {
++    unsigned char buffer[VMA_MAX_EXTENT_SIZE];
++    VmaWriter *vmaw;
++    size_t bytes;
++    Coroutine *co;
++};
++
++struct VmaWriter {
++    int fd;
++    FILE *cmd;
++    int status;
++    char errmsg[8192];
++    uuid_t uuid;
++    bool header_written;
++    bool closed;
++
++    /* we always write extents */
++    unsigned char outbuf[VMA_MAX_EXTENT_SIZE];
++    int outbuf_pos; /* in bytes */
++    int outbuf_count; /* in VMA_BLOCKS */
++    uint64_t outbuf_block_info[VMA_BLOCKS_PER_EXTENT];
++
++    VmaAIOCB *aiocbs[WRITE_BUFFERS];
++    CoQueue wqueue;
++
++    GChecksum *md5csum;
++    CoMutex writer_lock;
++    CoMutex flush_lock;
++    Coroutine *co_writer;
++
++    /* drive informations */
++    VmaStreamInfo stream_info[256];
++    guint stream_count;
++
++    guint8 vmstate_stream;
++    uint32_t vmstate_clusters;
++
++    /* header blob table */
++    char *header_blob_table;
++    uint32_t header_blob_table_size;
++    uint32_t header_blob_table_pos;
++
++    /* store for config blobs */
++    uint32_t config_names[VMA_MAX_CONFIGS]; /* offset into blob_buffer table */
++    uint32_t config_data[VMA_MAX_CONFIGS];  /* offset into blob_buffer table */
++    uint32_t config_count;
++};
++
++void vma_writer_set_error(VmaWriter *vmaw, const char *fmt, ...)
++{
++    va_list ap;
++
++    if (vmaw->status < 0) {
++        return;
++    }
++
++    vmaw->status = -1;
++
++    va_start(ap, fmt);
++    g_vsnprintf(vmaw->errmsg, sizeof(vmaw->errmsg), fmt, ap);
++    va_end(ap);
++
++    DPRINTF("vma_writer_set_error: %s\n", vmaw->errmsg);
++}
++
++static uint32_t allocate_header_blob(VmaWriter *vmaw, const char *data,
++                                     size_t len)
++{
++    if (len > 65535) {
++        return 0;
++    }
++
++    if (!vmaw->header_blob_table ||
++        (vmaw->header_blob_table_size <
++         (vmaw->header_blob_table_pos + len + 2))) {
++        int newsize = vmaw->header_blob_table_size + ((len + 2 + 511)/512)*512;
++
++        vmaw->header_blob_table = g_realloc(vmaw->header_blob_table, newsize);
++        memset(vmaw->header_blob_table + vmaw->header_blob_table_size,
++               0, newsize - vmaw->header_blob_table_size);
++        vmaw->header_blob_table_size = newsize;
++    }
++
++    uint32_t cpos = vmaw->header_blob_table_pos;
++    vmaw->header_blob_table[cpos] = len & 255;
++    vmaw->header_blob_table[cpos+1] = (len >> 8) & 255;
++    memcpy(vmaw->header_blob_table + cpos + 2, data, len);
++    vmaw->header_blob_table_pos += len + 2;
++    return cpos;
++}
++
++static uint32_t allocate_header_string(VmaWriter *vmaw, const char *str)
++{
++    assert(vmaw);
++
++    size_t len = strlen(str) + 1;
++
++    return allocate_header_blob(vmaw, str, len);
++}
++
++int vma_writer_add_config(VmaWriter *vmaw, const char *name, gpointer data,
++                          gsize len)
++{
++    assert(vmaw);
++    assert(!vmaw->header_written);
++    assert(vmaw->config_count < VMA_MAX_CONFIGS);
++    assert(name);
++    assert(data);
++    assert(len);
++
++    gchar *basename = g_path_get_basename(name);
++    uint32_t name_ptr = allocate_header_string(vmaw, basename);
++    g_free(basename);
++
++    if (!name_ptr) {
++        return -1;
++    }
++
++    uint32_t data_ptr = allocate_header_blob(vmaw, data, len);
++    if (!data_ptr) {
++        return -1;
++    }
++
++    vmaw->config_names[vmaw->config_count] = name_ptr;
++    vmaw->config_data[vmaw->config_count] = data_ptr;
++
++    vmaw->config_count++;
++
++    return 0;
++}
++
++int vma_writer_register_stream(VmaWriter *vmaw, const char *devname,
++                               size_t size)
++{
++    assert(vmaw);
++    assert(devname);
++    assert(!vmaw->status);
++
++    if (vmaw->header_written) {
++        vma_writer_set_error(vmaw, "vma_writer_register_stream: header "
++                             "already written");
++        return -1;
++    }
++
++    guint n = vmaw->stream_count + 1;
++
++    /* we can have dev_ids form 1 to 255 (0 reserved)
++     * 255(-1) reseverd for safety
++     */
++    if (n > 254) {
++        vma_writer_set_error(vmaw, "vma_writer_register_stream: "
++                             "too many drives");
++        return -1;
++    }
++
++    if (size <= 0) {
++        vma_writer_set_error(vmaw, "vma_writer_register_stream: "
++                             "got strange size %zd", size);
++        return -1;
++    }
++
++    DPRINTF("vma_writer_register_stream %s %zu %d\n", devname, size, n);
++
++    vmaw->stream_info[n].devname = g_strdup(devname);
++    vmaw->stream_info[n].size = size;
++
++    vmaw->stream_info[n].cluster_count = (size + VMA_CLUSTER_SIZE - 1) /
++        VMA_CLUSTER_SIZE;
++
++    vmaw->stream_count = n;
++
++    if (strcmp(devname, "vmstate") == 0) {
++        vmaw->vmstate_stream = n;
++    }
++
++    return n;
++}
++
++static void vma_co_continue_write(void *opaque)
++{
++    VmaWriter *vmaw = opaque;
++
++    DPRINTF("vma_co_continue_write\n");
++    qemu_coroutine_enter(vmaw->co_writer);
++}
++
++static ssize_t coroutine_fn
++vma_co_write(VmaWriter *vmaw, const void *buf, size_t bytes)
++{
++    size_t done = 0;
++    ssize_t ret;
++
++    /* atomic writes (we cannot interleave writes) */
++    qemu_co_mutex_lock(&vmaw->writer_lock);
++
++    DPRINTF("vma_co_write enter %zd\n", bytes);
++
++    assert(vmaw->co_writer == NULL);
++
++    vmaw->co_writer = qemu_coroutine_self();
++
++    aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, vmaw);
++
++    DPRINTF("vma_co_write wait until writable\n");
++    qemu_coroutine_yield();
++    DPRINTF("vma_co_write starting %zd\n", bytes);
++
++    while (done < bytes) {
++        ret = write(vmaw->fd, buf + done, bytes - done);
++        if (ret > 0) {
++            done += ret;
++            DPRINTF("vma_co_write written %zd %zd\n", done, ret);
++        } else if (ret < 0) {
++            if (errno == EAGAIN || errno == EWOULDBLOCK) {
++                DPRINTF("vma_co_write yield %zd\n", done);
++                qemu_coroutine_yield();
++                DPRINTF("vma_co_write restart %zd\n", done);
++            } else {
++                vma_writer_set_error(vmaw, "vma_co_write write error - %s",
++                                     g_strerror(errno));
++                done = -1; /* always return failure for partial writes */
++                break;
++            }
++        } else if (ret == 0) {
++            /* should not happen - simply try again */
++        }
++    }
++
++    aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL);
++
++    vmaw->co_writer = NULL;
++
++    qemu_co_mutex_unlock(&vmaw->writer_lock);
++
++    DPRINTF("vma_co_write leave %zd\n", done);
++    return done;
++}
++
++static void coroutine_fn vma_co_writer_task(void *opaque)
++{
++    VmaAIOCB *cb = opaque;
++
++    DPRINTF("vma_co_writer_task start\n");
++
++    int64_t done = vma_co_write(cb->vmaw, cb->buffer, cb->bytes);
++    DPRINTF("vma_co_writer_task write done %zd\n", done);
++
++    if (done != cb->bytes) {
++        DPRINTF("vma_co_writer_task failed write %zd %zd", cb->bytes, done);
++        vma_writer_set_error(cb->vmaw, "vma_co_writer_task failed write %zd",
++                             done);
++    }
++
++    cb->bytes = 0;
++
++    qemu_co_queue_next(&cb->vmaw->wqueue);
++
++    DPRINTF("vma_co_writer_task end\n");
++}
++
++static void coroutine_fn vma_queue_flush(VmaWriter *vmaw)
++{
++    DPRINTF("vma_queue_flush enter\n");
++
++    assert(vmaw);
++
++    while (1) {
++        int i;
++        VmaAIOCB *cb = NULL;
++        for (i = 0; i < WRITE_BUFFERS; i++) {
++            if (vmaw->aiocbs[i]->bytes) {
++                cb = vmaw->aiocbs[i];
++                DPRINTF("FOUND USED AIO BUFFER %d %zd\n", i,
++                        vmaw->aiocbs[i]->bytes);
++                break;
++            }
++        }
++        if (!cb) {
++            break;
++        }
++        qemu_co_queue_wait(&vmaw->wqueue);
++    }
++
++    DPRINTF("vma_queue_flush leave\n");
++}
++
++/**
++ * NOTE: pipe buffer size in only 4096 bytes on linux (see 'ulimit -a')
++ * So we need to create a coroutione to allow 'parallel' execution.
++ */
++static ssize_t coroutine_fn
++vma_queue_write(VmaWriter *vmaw, const void *buf, size_t bytes)
++{
++    DPRINTF("vma_queue_write enter %zd\n", bytes);
++
++    assert(vmaw);
++    assert(buf);
++    assert(bytes <= VMA_MAX_EXTENT_SIZE);
++
++    VmaAIOCB *cb = NULL;
++    while (!cb) {
++        int i;
++        for (i = 0; i < WRITE_BUFFERS; i++) {
++            if (!vmaw->aiocbs[i]->bytes) {
++                cb = vmaw->aiocbs[i];
++                break;
++            }
++        }
++        if (!cb) {
++            qemu_co_queue_wait(&vmaw->wqueue);
++        }
++    }
++
++    memcpy(cb->buffer, buf, bytes);
++    cb->bytes = bytes;
++    cb->vmaw = vmaw;
++
++    DPRINTF("vma_queue_write start %zd\n", bytes);
++    cb->co = qemu_coroutine_create(vma_co_writer_task);
++    qemu_coroutine_enter(cb->co, cb);
++
++    DPRINTF("vma_queue_write leave\n");
++
++    return bytes;
++}
++
++VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp)
++{
++    const char *p;
++
++    assert(sizeof(VmaHeader) == (4096 + 8192));
++    assert(G_STRUCT_OFFSET(VmaHeader, config_names) == 2044);
++    assert(G_STRUCT_OFFSET(VmaHeader, config_data) == 3068);
++    assert(G_STRUCT_OFFSET(VmaHeader, dev_info) == 4096);
++    assert(sizeof(VmaExtentHeader) == 512);
++
++    VmaWriter *vmaw = g_new0(VmaWriter, 1);
++    vmaw->fd = -1;
++
++    vmaw->md5csum = g_checksum_new(G_CHECKSUM_MD5);
++    if (!vmaw->md5csum) {
++        error_setg(errp, "can't allocate cmsum\n");
++        goto err;
++    }
++
++    if (strstart(filename, "exec:", &p)) {
++        vmaw->cmd = popen(p, "w");
++        if (vmaw->cmd == NULL) {
++            error_setg(errp, "can't popen command '%s' - %s\n", p,
++                       g_strerror(errno));
++            goto err;
++        }
++        vmaw->fd = fileno(vmaw->cmd);
++
++        /* try to use O_NONBLOCK and O_DIRECT */
++        fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK);
++        fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_DIRECT);
++
++    } else {
++        struct stat st;
++        int oflags;
++        const char *tmp_id_str;
++
++        if ((stat(filename, &st) == 0) && S_ISFIFO(st.st_mode)) {
++            oflags = O_NONBLOCK|O_DIRECT|O_WRONLY;
++            vmaw->fd = qemu_open(filename, oflags, 0644);
++        } else if (strstart(filename, "/dev/fdset/", &tmp_id_str)) {
++            oflags = O_NONBLOCK|O_DIRECT|O_WRONLY;
++            vmaw->fd = qemu_open(filename, oflags, 0644);
++        } else if (strstart(filename, "/dev/fdname/", &tmp_id_str)) {
++            vmaw->fd = monitor_get_fd(cur_mon, tmp_id_str, errp);
++            if (vmaw->fd < 0) {
++                goto err;
++            }
++            /* try to use O_NONBLOCK and O_DIRECT */
++            fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_NONBLOCK);
++            fcntl(vmaw->fd, F_SETFL, fcntl(vmaw->fd, F_GETFL)|O_DIRECT);
++        } else  {
++            oflags = O_NONBLOCK|O_DIRECT|O_WRONLY|O_CREAT|O_EXCL;
++            vmaw->fd = qemu_open(filename, oflags, 0644);
++        }
++
++        if (vmaw->fd < 0) {
++            error_setg(errp, "can't open file %s - %s\n", filename,
++                       g_strerror(errno));
++            goto err;
++        }
++    }
++
++    /* we use O_DIRECT, so we need to align IO buffers */
++    int i;
++    for (i = 0; i < WRITE_BUFFERS; i++) {
++        vmaw->aiocbs[i] = qemu_memalign(512, sizeof(VmaAIOCB));
++        memset(vmaw->aiocbs[i], 0, sizeof(VmaAIOCB));
++    }
++
++    vmaw->outbuf_count = 0;
++    vmaw->outbuf_pos = VMA_EXTENT_HEADER_SIZE;
++
++    vmaw->header_blob_table_pos = 1; /* start at pos 1 */
++
++    qemu_co_mutex_init(&vmaw->writer_lock);
++    qemu_co_mutex_init(&vmaw->flush_lock);
++    qemu_co_queue_init(&vmaw->wqueue);
++
++    uuid_copy(vmaw->uuid, uuid);
++
++    return vmaw;
++
++err:
++    if (vmaw) {
++        if (vmaw->cmd) {
++            pclose(vmaw->cmd);
++        } else if (vmaw->fd >= 0) {
++            close(vmaw->fd);
++        }
++
++        if (vmaw->md5csum) {
++            g_checksum_free(vmaw->md5csum);
++        }
++
++        g_free(vmaw);
++    }
++
++    return NULL;
++}
++
++static int coroutine_fn vma_write_header(VmaWriter *vmaw)
++{
++    assert(vmaw);
++    int header_clusters = 8;
++    char buf[65536*header_clusters];
++    VmaHeader *head = (VmaHeader *)buf;
++
++    int i;
++
++    DPRINTF("VMA WRITE HEADER\n");
++
++    if (vmaw->status < 0) {
++        return vmaw->status;
++    }
++
++    memset(buf, 0, sizeof(buf));
++
++    head->magic = VMA_MAGIC;
++    head->version = GUINT32_TO_BE(1); /* v1 */
++    memcpy(head->uuid, vmaw->uuid, 16);
++
++    time_t ctime = time(NULL);
++    head->ctime = GUINT64_TO_BE(ctime);
++
++    if (!vmaw->stream_count) {
++        return -1;
++    }
++
++    for (i = 0; i < VMA_MAX_CONFIGS; i++) {
++        head->config_names[i] = GUINT32_TO_BE(vmaw->config_names[i]);
++        head->config_data[i] = GUINT32_TO_BE(vmaw->config_data[i]);
++    }
++
++    /* 32 bytes per device (12 used currently) = 8192 bytes max */
++    for (i = 1; i <= 254; i++) {
++        VmaStreamInfo *si = &vmaw->stream_info[i];
++        if (si->size) {
++            assert(si->devname);
++            uint32_t devname_ptr = allocate_header_string(vmaw, si->devname);
++            if (!devname_ptr) {
++                return -1;
++            }
++            head->dev_info[i].devname_ptr = GUINT32_TO_BE(devname_ptr);
++            head->dev_info[i].size = GUINT64_TO_BE(si->size);
++        }
++    }
++
++    uint32_t header_size = sizeof(VmaHeader) + vmaw->header_blob_table_size;
++    head->header_size = GUINT32_TO_BE(header_size);
++
++    if (header_size > sizeof(buf)) {
++        return -1; /* just to be sure */
++    }
++
++    uint32_t blob_buffer_offset = sizeof(VmaHeader);
++    memcpy(buf + blob_buffer_offset, vmaw->header_blob_table,
++           vmaw->header_blob_table_size);
++    head->blob_buffer_offset = GUINT32_TO_BE(blob_buffer_offset);
++    head->blob_buffer_size = GUINT32_TO_BE(vmaw->header_blob_table_pos);
++
++    g_checksum_reset(vmaw->md5csum);
++    g_checksum_update(vmaw->md5csum, (const guchar *)buf, header_size);
++    gsize csize = 16;
++    g_checksum_get_digest(vmaw->md5csum, (guint8 *)(head->md5sum), &csize);
++
++    return vma_queue_write(vmaw, buf, header_size);
++}
++
++static int coroutine_fn vma_writer_flush(VmaWriter *vmaw)
++{
++    assert(vmaw);
++
++    int ret;
++    int i;
++
++    if (vmaw->status < 0) {
++        return vmaw->status;
++    }
++
++    if (!vmaw->header_written) {
++        vmaw->header_written = true;
++        ret = vma_write_header(vmaw);
++        if (ret < 0) {
++            vma_writer_set_error(vmaw, "vma_writer_flush: write header failed");
++            return ret;
++        }
++    }
++
++    DPRINTF("VMA WRITE FLUSH %d %d\n", vmaw->outbuf_count, vmaw->outbuf_pos);
++
++
++    VmaExtentHeader *ehead = (VmaExtentHeader *)vmaw->outbuf;
++
++    ehead->magic = VMA_EXTENT_MAGIC;
++    ehead->reserved1 = 0;
++
++    for (i = 0; i < VMA_BLOCKS_PER_EXTENT; i++) {
++        ehead->blockinfo[i] = GUINT64_TO_BE(vmaw->outbuf_block_info[i]);
++    }
++
++    guint16 block_count = (vmaw->outbuf_pos - VMA_EXTENT_HEADER_SIZE) /
++        VMA_BLOCK_SIZE;
++
++    ehead->block_count = GUINT16_TO_BE(block_count);
++
++    memcpy(ehead->uuid, vmaw->uuid, sizeof(ehead->uuid));
++    memset(ehead->md5sum, 0, sizeof(ehead->md5sum));
++
++    g_checksum_reset(vmaw->md5csum);
++    g_checksum_update(vmaw->md5csum, vmaw->outbuf, VMA_EXTENT_HEADER_SIZE);
++    gsize csize = 16;
++    g_checksum_get_digest(vmaw->md5csum, ehead->md5sum, &csize);
++
++    int bytes = vmaw->outbuf_pos;
++    ret = vma_queue_write(vmaw, vmaw->outbuf, bytes);
++    if (ret != bytes) {
++        vma_writer_set_error(vmaw, "vma_writer_flush: failed write");
++    }
++
++    vmaw->outbuf_count = 0;
++    vmaw->outbuf_pos = VMA_EXTENT_HEADER_SIZE;
++
++    for (i = 0; i < VMA_BLOCKS_PER_EXTENT; i++) {
++        vmaw->outbuf_block_info[i] = 0;
++    }
++
++    return vmaw->status;
++}
++
++static int vma_count_open_streams(VmaWriter *vmaw)
++{
++    g_assert(vmaw != NULL);
++
++    int i;
++    int open_drives = 0;
++    for (i = 0; i <= 255; i++) {
++        if (vmaw->stream_info[i].size && !vmaw->stream_info[i].finished) {
++            open_drives++;
++        }
++    }
++
++    return open_drives;
++}
++
++/**
++ * all jobs should call this when there is no more data
++ * Returns: number of remaining stream (0 ==> finished)
++ */
++int coroutine_fn
++vma_writer_close_stream(VmaWriter *vmaw, uint8_t dev_id)
++{
++    g_assert(vmaw != NULL);
++
++    DPRINTF("vma_writer_set_status %d\n", dev_id);
++    if (!vmaw->stream_info[dev_id].size) {
++        vma_writer_set_error(vmaw, "vma_writer_close_stream: "
++                             "no such stream %d", dev_id);
++        return -1;
++    }
++    if (vmaw->stream_info[dev_id].finished) {
++        vma_writer_set_error(vmaw, "vma_writer_close_stream: "
++                             "stream already closed %d", dev_id);
++        return -1;
++    }
++
++    vmaw->stream_info[dev_id].finished = true;
++
++    int open_drives = vma_count_open_streams(vmaw);
++
++    if (open_drives <= 0) {
++        DPRINTF("vma_writer_set_status all drives completed\n");
++        qemu_co_mutex_lock(&vmaw->flush_lock);
++        int ret = vma_writer_flush(vmaw);
++        qemu_co_mutex_unlock(&vmaw->flush_lock);
++        if (ret < 0) {
++            vma_writer_set_error(vmaw, "vma_writer_close_stream: flush failed");
++        }
++    }
++
++    return open_drives;
++}
++
++int vma_writer_get_status(VmaWriter *vmaw, VmaStatus *status)
++{
++    int i;
++
++    g_assert(vmaw != NULL);
++
++    if (status) {
++        status->status = vmaw->status;
++        g_strlcpy(status->errmsg, vmaw->errmsg, sizeof(status->errmsg));
++        for (i = 0; i <= 255; i++) {
++            status->stream_info[i] = vmaw->stream_info[i];
++        }
++
++        uuid_unparse_lower(vmaw->uuid, status->uuid_str);
++    }
++
++    status->closed = vmaw->closed;
++
++    return vmaw->status;
++}
++
++static int vma_writer_get_buffer(VmaWriter *vmaw)
++{
++    int ret = 0;
++
++    qemu_co_mutex_lock(&vmaw->flush_lock);
++
++    /* wait until buffer is available */
++    while (vmaw->outbuf_count >= (VMA_BLOCKS_PER_EXTENT - 1)) {
++        ret = vma_writer_flush(vmaw);
++        if (ret < 0) {
++            vma_writer_set_error(vmaw, "vma_writer_get_buffer: flush failed");
++            break;
++        }
++    }
++
++    qemu_co_mutex_unlock(&vmaw->flush_lock);
++
++    return ret;
++}
++
++
++int64_t coroutine_fn
++vma_writer_write(VmaWriter *vmaw, uint8_t dev_id, int64_t cluster_num,
++                 unsigned char *buf, size_t *zero_bytes)
++{
++    g_assert(vmaw != NULL);
++    g_assert(zero_bytes != NULL);
++
++    *zero_bytes = 0;
++
++    if (vmaw->status < 0) {
++        return vmaw->status;
++    }
++
++    if (!dev_id || !vmaw->stream_info[dev_id].size) {
++        vma_writer_set_error(vmaw, "vma_writer_write: "
++                             "no such stream %d", dev_id);
++        return -1;
++    }
++
++    if (vmaw->stream_info[dev_id].finished) {
++        vma_writer_set_error(vmaw, "vma_writer_write: "
++                             "stream already closed %d", dev_id);
++        return -1;
++    }
++
++
++    if (cluster_num >= (((uint64_t)1)<<32)) {
++        vma_writer_set_error(vmaw, "vma_writer_write: "
++                             "cluster number out of range");
++        return -1;
++    }
++
++    if (dev_id == vmaw->vmstate_stream) {
++        if (cluster_num != vmaw->vmstate_clusters) {
++            vma_writer_set_error(vmaw, "vma_writer_write: "
++                                 "non sequential vmstate write");
++        }
++        vmaw->vmstate_clusters++;
++    } else if (cluster_num >= vmaw->stream_info[dev_id].cluster_count) {
++        vma_writer_set_error(vmaw, "vma_writer_write: cluster number too big");
++        return -1;
++    }
++
++    /* wait until buffer is available */
++    if (vma_writer_get_buffer(vmaw) < 0) {
++        vma_writer_set_error(vmaw, "vma_writer_write: "
++                             "vma_writer_get_buffer failed");
++        return -1;
++    }
++
++    DPRINTF("VMA WRITE %d %zd\n", dev_id, cluster_num);
++
++    uint16_t mask = 0;
++
++    if (buf) {
++        int i;
++        int bit = 1;
++        for (i = 0; i < 16; i++) {
++            unsigned char *vmablock = buf + (i*VMA_BLOCK_SIZE);
++            if (!buffer_is_zero(vmablock, VMA_BLOCK_SIZE)) {
++                mask |= bit;
++                memcpy(vmaw->outbuf + vmaw->outbuf_pos, vmablock,
++                       VMA_BLOCK_SIZE);
++                vmaw->outbuf_pos += VMA_BLOCK_SIZE;
++            } else {
++                DPRINTF("VMA WRITE %zd ZERO BLOCK %d\n", cluster_num, i);
++                vmaw->stream_info[dev_id].zero_bytes += VMA_BLOCK_SIZE;
++                *zero_bytes += VMA_BLOCK_SIZE;
++            }
++
++            bit = bit << 1;
++        }
++    } else {
++        DPRINTF("VMA WRITE %zd ZERO CLUSTER\n", cluster_num);
++        vmaw->stream_info[dev_id].zero_bytes += VMA_CLUSTER_SIZE;
++        *zero_bytes += VMA_CLUSTER_SIZE;
++    }
++
++    uint64_t block_info = ((uint64_t)mask) << (32+16);
++    block_info |= ((uint64_t)dev_id) << 32;
++    block_info |= (cluster_num & 0xffffffff);
++    vmaw->outbuf_block_info[vmaw->outbuf_count] = block_info;
++
++    DPRINTF("VMA WRITE MASK %zd %zx\n", cluster_num, block_info);
++
++    vmaw->outbuf_count++;
++
++    /** NOTE: We allways write whole clusters, but we correctly set
++     * transferred bytes. So transferred == size when when everything
++     * went OK.
++     */
++    size_t transferred = VMA_CLUSTER_SIZE;
++
++    if (dev_id != vmaw->vmstate_stream) {
++        uint64_t last = (cluster_num + 1) * VMA_CLUSTER_SIZE;
++        if (last > vmaw->stream_info[dev_id].size) {
++            uint64_t diff = last - vmaw->stream_info[dev_id].size;
++            if (diff >= VMA_CLUSTER_SIZE) {
++                vma_writer_set_error(vmaw, "vma_writer_write: "
++                                     "read after last cluster");
++                return -1;
++            }
++            transferred -= diff;
++        }
++    }
++
++    vmaw->stream_info[dev_id].transferred += transferred;
++
++    return transferred;
++}
++
++int vma_writer_close(VmaWriter *vmaw, Error **errp)
++{
++    g_assert(vmaw != NULL);
++
++    int i;
++
++    vma_queue_flush(vmaw);
++
++    /* this should not happen - just to be sure */
++    while (!qemu_co_queue_empty(&vmaw->wqueue)) {
++        DPRINTF("vma_writer_close wait\n");
++        co_aio_sleep_ns(qemu_get_aio_context(), QEMU_CLOCK_REALTIME, 1000000);
++    }
++
++    if (vmaw->cmd) {
++        if (pclose(vmaw->cmd) < 0) {
++            vma_writer_set_error(vmaw, "vma_writer_close: "
++                                 "pclose failed - %s", g_strerror(errno));
++        }
++    } else {
++        if (close(vmaw->fd) < 0) {
++            vma_writer_set_error(vmaw, "vma_writer_close: "
++                                 "close failed - %s", g_strerror(errno));
++        }
++    }
++
++    for (i = 0; i <= 255; i++) {
++        VmaStreamInfo *si = &vmaw->stream_info[i];
++        if (si->size) {
++            if (!si->finished) {
++                vma_writer_set_error(vmaw, "vma_writer_close: "
++                                     "detected open stream '%s'", si->devname);
++            } else if ((si->transferred != si->size) &&
++                       (i != vmaw->vmstate_stream)) {
++                vma_writer_set_error(vmaw, "vma_writer_close: "
++                                     "incomplete stream '%s' (%zd != %zd)",
++                                     si->devname, si->transferred, si->size);
++            }
++        }
++    }
++
++    for (i = 0; i <= 255; i++) {
++        vmaw->stream_info[i].finished = 1; /* mark as closed */
++    }
++
++    vmaw->closed = 1;
++
++    if (vmaw->status < 0 && *errp == NULL) {
++        error_setg(errp, "%s", vmaw->errmsg);
++    }
++
++    return vmaw->status;
++}
++
++void vma_writer_destroy(VmaWriter *vmaw)
++{
++    assert(vmaw);
++
++    int i;
++
++    for (i = 0; i <= 255; i++) {
++        if (vmaw->stream_info[i].devname) {
++            g_free(vmaw->stream_info[i].devname);
++        }
++    }
++
++    if (vmaw->md5csum) {
++        g_checksum_free(vmaw->md5csum);
++    }
++
++    for (i = 0; i < WRITE_BUFFERS; i++) {
++        free(vmaw->aiocbs[i]);
++    }
++
++    g_free(vmaw);
++}
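Review bot: in vma_writer_get_status() the assignment `status->closed = vmaw->closed;` sits outside the `if (status)` block, so the NULL status that the guard was written to tolerate is dereferenced anyway. Move the assignment inside the block, or drop the guard and assert on status. vma_writer_close() has the same shape: `*errp == NULL` dereferences errp unconditionally, although QEMU's Error convention lets callers pass a NULL errp. In vma_writer_write() the "non sequential vmstate write" branch sets the error but, unlike the neighbouring checks, does not return -1 and goes on to queue the cluster. The "exec:" branch of vma_writer_create() passes the rest of filename to popen(), which runs it through a shell; the function should document that filename must only come from a trusted caller.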
+diff --git a/vma.c b/vma.c
+new file mode 100644
+index 0000000..8014090
+--- /dev/null
++++ b/vma.c
+@@ -0,0 +1,585 @@
++/*
++ * VMA: Virtual Machine Archive
++ *
++ * Copyright (C) 2012-2013 Proxmox Server Solutions
++ *
++ * Authors:
++ *  Dietmar Maurer (dietmar@proxmox.com)
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ *
++ */
++
++#include "qemu/osdep.h"
++#include <glib.h>
++
++#include "vma.h"
++#include "qemu-common.h"
++#include "qemu/error-report.h"
++#include "qemu/main-loop.h"
++#include "sysemu/char.h" /* qstring_from_str */
++
++static void help(void)
++{
++    const char *help_msg =
++        "usage: vma command [command options]\n"
++        "\n"
++        "vma list <filename>\n"
++        "vma create <filename> [-c config] <archive> pathname ...\n"
++        "vma extract <filename> [-r <fifo>] <targetdir>\n"
++        ;
++
++    printf("%s", help_msg);
++    exit(1);
++}
++
++static const char *extract_devname(const char *path, char **devname, int index)
++{
++    assert(path);
++
++    const char *sep = strchr(path, '=');
++
++    if (sep) {
++        *devname = g_strndup(path, sep - path);
++        path = sep + 1;
++    } else {
++        if (index >= 0) {
++            *devname = g_strdup_printf("disk%d", index);
++        } else {
++            *devname = NULL;
++        }
++    }
++
++    return path;
++}
++
++static void print_content(VmaReader *vmar)
++{
++    assert(vmar);
++
++    VmaHeader *head = vma_reader_get_header(vmar);
++
++    GList *l = vma_reader_get_config_data(vmar);
++    while (l && l->data) {
++        VmaConfigData *cdata = (VmaConfigData *)l->data;
++        l = g_list_next(l);
++        printf("CFG: size: %d name: %s\n", cdata->len, cdata->name);
++    }
++
++    int i;
++    VmaDeviceInfo *di;
++    for (i = 1; i < 255; i++) {
++        di = vma_reader_get_device_info(vmar, i);
++        if (di) {
++            if (strcmp(di->devname, "vmstate") == 0) {
++                printf("VMSTATE: dev_id=%d memory: %zd\n", i, di->size);
++            } else {
++                printf("DEV: dev_id=%d size: %zd devname: %s\n",
++                       i, di->size, di->devname);
++            }
++        }
++    }
++    /* ctime is the last entry we print */
++    printf("CTIME: %s", ctime(&head->ctime));
++    fflush(stdout);
++}
++
++static int list_content(int argc, char **argv)
++{
++    int c, ret = 0;
++    const char *filename;
++
++    for (;;) {
++        c = getopt(argc, argv, "h");
++        if (c == -1) {
++            break;
++        }
++        switch (c) {
++        case '?':
++        case 'h':
++            help();
++            break;
++        default:
++            g_assert_not_reached();
++        }
++    }
++
++    /* Get the filename */
++    if ((optind + 1) != argc) {
++        help();
++    }
++    filename = argv[optind++];
++
++    Error *errp = NULL;
++    VmaReader *vmar = vma_reader_create(filename, &errp);
++
++    if (!vmar) {
++        g_error("%s", error_get_pretty(errp));
++    }
++
++    print_content(vmar);
++
++    vma_reader_destroy(vmar);
++
++    return ret;
++}
++
++typedef struct RestoreMap {
++    char *devname;
++    char *path;
++    bool write_zero;
++} RestoreMap;
++
++static int extract_content(int argc, char **argv)
++{
++    int c, ret = 0;
++    int verbose = 0;
++    const char *filename;
++    const char *dirname;
++    const char *readmap = NULL;
++
++    for (;;) {
++        c = getopt(argc, argv, "hvr:");
++        if (c == -1) {
++            break;
++        }
++        switch (c) {
++        case '?':
++        case 'h':
++            help();
++            break;
++        case 'r':
++            readmap = optarg;
++            break;
++        case 'v':
++            verbose = 1;
++            break;
++        default:
++            help();
++        }
++    }
++
++    /* Get the filename */
++    if ((optind + 2) != argc) {
++        help();
++    }
++    filename = argv[optind++];
++    dirname = argv[optind++];
++
++    Error *errp = NULL;
++    VmaReader *vmar = vma_reader_create(filename, &errp);
++
++    if (!vmar) {
++        g_error("%s", error_get_pretty(errp));
++    }
++
++    if (mkdir(dirname, 0777) < 0) {
++        g_error("unable to create target directory %s - %s",
++                dirname, g_strerror(errno));
++    }
++
++    GList *l = vma_reader_get_config_data(vmar);
++    while (l && l->data) {
++        VmaConfigData *cdata = (VmaConfigData *)l->data;
++        l = g_list_next(l);
++        char *cfgfn = g_strdup_printf("%s/%s", dirname, cdata->name);
++        GError *err = NULL;
++        if (!g_file_set_contents(cfgfn, (gchar *)cdata->data, cdata->len,
++                                 &err)) {
++            g_error("unable to write file: %s", err->message);
++        }
++    }
++
++    GHashTable *devmap = g_hash_table_new(g_str_hash, g_str_equal);
++
++    if (readmap) {
++        print_content(vmar);
++
++        FILE *map = fopen(readmap, "r");
++        if (!map) {
++            g_error("unable to open fifo %s - %s", readmap, g_strerror(errno));
++        }
++
++        while (1) {
++            char inbuf[8192];
++            char *line = fgets(inbuf, sizeof(inbuf), map);
++            if (!line || line[0] == '\0' || !strcmp(line, "done\n")) {
++                break;
++            }
++            int len = strlen(line);
++            if (line[len - 1] == '\n') {
++                line[len - 1] = '\0';
++                if (len == 1) {
++                    break;
++                }
++            }
++
++            const char *path;
++            bool write_zero;
++            if (line[0] == '0' && line[1] == ':') {
++                path = inbuf + 2;
++                write_zero = false;
++            } else if (line[0] == '1' && line[1] == ':') {
++                path = inbuf + 2;
++                write_zero = true;
++            } else {
++                g_error("read map failed - parse error ('%s')", inbuf);
++            }
++
++            char *devname = NULL;
++            path = extract_devname(path, &devname, -1);
++            if (!devname) {
++                g_error("read map failed - no dev name specified ('%s')",
++                        inbuf);
++            }
++
++            RestoreMap *map = g_new0(RestoreMap, 1);
++            map->devname = g_strdup(devname);
++            map->path = g_strdup(path);
++            map->write_zero = write_zero;
++
++            g_hash_table_insert(devmap, map->devname, map);
++
++        };
++    }
++
++    int i;
++    int vmstate_fd = -1;
++    guint8 vmstate_stream = 0;
++
++    for (i = 1; i < 255; i++) {
++        VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i);
++        if (di && (strcmp(di->devname, "vmstate") == 0)) {
++            vmstate_stream = i;
++            char *statefn = g_strdup_printf("%s/vmstate.bin", dirname);
++            vmstate_fd = open(statefn, O_WRONLY|O_CREAT|O_EXCL, 0644);
++            if (vmstate_fd < 0) {
++                g_error("create vmstate file '%s' failed - %s", statefn,
++                        g_strerror(errno));
++            }
++            g_free(statefn);
++        } else if (di) {
++            char *devfn = NULL;
++            int flags = BDRV_O_RDWR|BDRV_O_CACHE_WB;
++            bool write_zero = true;
++
++            if (readmap) {
++                RestoreMap *map;
++                map = (RestoreMap *)g_hash_table_lookup(devmap, di->devname);
++                if (map == NULL) {
++                    g_error("no device name mapping for %s", di->devname);
++                }
++                devfn = map->path;
++                write_zero = map->write_zero;
++            } else {
++                devfn = g_strdup_printf("%s/tmp-disk-%s.raw",
++                                        dirname, di->devname);
++                printf("DEVINFO %s %zd\n", devfn, di->size);
++
++                bdrv_img_create(devfn, "raw", NULL, NULL, NULL, di->size,
++                                flags, &errp, 0);
++                if (errp) {
++                    g_error("can't create file %s: %s", devfn,
++                            error_get_pretty(errp));
++                }
++
++                /* Note: we created an empty file above, so there is no
++                 * need to write zeroes (so we generate a sparse file)
++                 */
++                write_zero = false;
++            }
++
++            BlockDriverState *bs = bdrv_new();
++            if (errp || bdrv_open(&bs, devfn, NULL, NULL, flags, &errp)) {
++                g_error("can't open file %s - %s", devfn,
++                        error_get_pretty(errp));
++            }
++            if (vma_reader_register_bs(vmar, i, bs, write_zero, &errp) < 0) {
++                g_error("%s", error_get_pretty(errp));
++            }
++
++            if (!readmap) {
++                g_free(devfn);
++            }
++        }
++    }
++
++    if (vma_reader_restore(vmar, vmstate_fd, verbose, &errp) < 0) {
++        g_error("restore failed - %s", error_get_pretty(errp));
++    }
++
++    if (!readmap) {
++        for (i = 1; i < 255; i++) {
++            VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i);
++            if (di && (i != vmstate_stream)) {
++                char *tmpfn = g_strdup_printf("%s/tmp-disk-%s.raw",
++                                              dirname, di->devname);
++                char *fn = g_strdup_printf("%s/disk-%s.raw",
++                                           dirname, di->devname);
++                if (rename(tmpfn, fn) != 0) {
++                    g_error("rename %s to %s failed - %s",
++                            tmpfn, fn, g_strerror(errno));
++                }
++            }
++        }
++    }
++
++    vma_reader_destroy(vmar);
++
++    bdrv_close_all();
++
++    return ret;
++}
++
++typedef struct BackupJob {
++    BlockDriverState *bs;
++    int64_t len;
++    VmaWriter *vmaw;
++    uint8_t dev_id;
++} BackupJob;
++
++#define BACKUP_SECTORS_PER_CLUSTER (VMA_CLUSTER_SIZE / BDRV_SECTOR_SIZE)
++
++static void coroutine_fn backup_run(void *opaque)
++{
++    BackupJob *job = (BackupJob *)opaque;
++    struct iovec iov;
++    QEMUIOVector qiov;
++
++    int64_t start, end;
++    int ret = 0;
++
++    unsigned char *buf = qemu_blockalign(job->bs, VMA_CLUSTER_SIZE);
++
++    start = 0;
++    end = DIV_ROUND_UP(job->len / BDRV_SECTOR_SIZE,
++                       BACKUP_SECTORS_PER_CLUSTER);
++
++    for (; start < end; start++) {
++        iov.iov_base = buf;
++        iov.iov_len = VMA_CLUSTER_SIZE;
++        qemu_iovec_init_external(&qiov, &iov, 1);
++
++        ret = bdrv_co_readv(job->bs, start * BACKUP_SECTORS_PER_CLUSTER,
++                            BACKUP_SECTORS_PER_CLUSTER, &qiov);
++        if (ret < 0) {
++            vma_writer_set_error(job->vmaw, "read error", -1);
++            goto out;
++        }
++
++        size_t zb = 0;
++        if (vma_writer_write(job->vmaw, job->dev_id, start, buf, &zb) < 0) {
++            vma_writer_set_error(job->vmaw, "backup_dump_cb vma_writer_write failed", -1);
++            goto out;
++        }
++    }
++
++
++out:
++    if (vma_writer_close_stream(job->vmaw, job->dev_id) <= 0) {
++        Error *err = NULL;
++        if (vma_writer_close(job->vmaw, &err) != 0) {
++            g_warning("vma_writer_close failed %s", error_get_pretty(err));
++        }
++    }
++}
++
++static int create_archive(int argc, char **argv)
++{
++    int i, c;
++    int verbose = 0;
++    const char *archivename;
++    GList *config_files = NULL;
++
++    for (;;) {
++        c = getopt(argc, argv, "hvc:");
++        if (c == -1) {
++            break;
++        }
++        switch (c) {
++        case '?':
++        case 'h':
++            help();
++            break;
++        case 'c':
++            config_files = g_list_append(config_files, optarg);
++            break;
++        case 'v':
++            verbose = 1;
++            break;
++        default:
++            g_assert_not_reached();
++        }
++    }
++
++
++    /* make sure we have archive name and at least one path */
++    if ((optind + 2) > argc) {
++        help();
++    }
++
++    archivename = argv[optind++];
++
++    uuid_t uuid;
++    uuid_generate(uuid);
++
++    Error *local_err = NULL;
++    VmaWriter *vmaw = vma_writer_create(archivename, uuid, &local_err);
++
++    if (vmaw == NULL) {
++        g_error("%s", error_get_pretty(local_err));
++    }
++
++    GList *l = config_files;
++    while (l && l->data) {
++        char *name = l->data;
++        char *cdata = NULL;
++        gsize clen = 0;
++        GError *err = NULL;
++        if (!g_file_get_contents(name, &cdata, &clen, &err)) {
++            unlink(archivename);
++            g_error("Unable to read file: %s", err->message);
++        }
++
++        if (vma_writer_add_config(vmaw, name, cdata, clen) != 0) {
++            unlink(archivename);
++            g_error("Unable to append config data %s (len = %zd)",
++                    name, clen);
++        }
++        l = g_list_next(l);
++    }
++
++    int ind = 0;
++    while (optind < argc) {
++        const char *path = argv[optind++];
++        char *devname = NULL;
++        path = extract_devname(path, &devname, ind++);
++
++        Error *errp = NULL;
++        BlockDriverState *bs;
++
++        bs = bdrv_open(path, NULL, NULL, 0, &errp);
++        if (!bs) {
++            unlink(archivename);
++            g_error("bdrv_open '%s' failed - %s", path, error_get_pretty(errp));
++        }
++        int64_t size = bdrv_getlength(bs);
++        int dev_id = vma_writer_register_stream(vmaw, devname, size);
++        if (dev_id <= 0) {
++            unlink(archivename);
++            g_error("vma_writer_register_stream '%s' failed", devname);
++        }
++
++        BackupJob *job = g_new0(BackupJob, 1);
++        job->len = size;
++        job->bs = bs;
++        job->vmaw = vmaw;
++        job->dev_id = dev_id;
++
++        Coroutine *co = qemu_coroutine_create(backup_run, job);
++        qemu_coroutine_enter(co);
++    }
++
++    VmaStatus vmastat;
++    int percent = 0;
++    int last_percent = -1;
++
++    while (1) {
++        main_loop_wait(false);
++        vma_writer_get_status(vmaw, &vmastat);
++
++        if (verbose) {
++
++            uint64_t total = 0;
++            uint64_t transferred = 0;
++            uint64_t zero_bytes = 0;
++
++            int i;
++            for (i = 0; i < 256; i++) {
++                if (vmastat.stream_info[i].size) {
++                    total += vmastat.stream_info[i].size;
++                    transferred += vmastat.stream_info[i].transferred;
++                    zero_bytes += vmastat.stream_info[i].zero_bytes;
++                }
++            }
++            percent = (transferred*100)/total;
++            if (percent != last_percent) {
++                fprintf(stderr, "progress %d%% %zd/%zd %zd\n", percent,
++                        transferred, total, zero_bytes);
++                fflush(stderr);
++
++                last_percent = percent;
++            }
++        }
++
++        if (vmastat.closed) {
++            break;
++        }
++    } else {
++        Coroutine *co = qemu_coroutine_create(backup_run_empty, vmaw);
++        qemu_coroutine_enter(co);
++        while (1) {
++            main_loop_wait(false);
++            vma_writer_get_status(vmaw, &vmastat);
++            if (vmastat.closed) {
++                    break;
++            }
++        }
++    }
++
++    bdrv_drain_all();
++
++    vma_writer_get_status(vmaw, &vmastat);
++
++    if (verbose) {
++        for (i = 0; i < 256; i++) {
++            VmaStreamInfo *si = &vmastat.stream_info[i];
++            if (si->size) {
++                fprintf(stderr, "image %s: size=%zd zeros=%zd saved=%zd\n",
++                        si->devname, si->size, si->zero_bytes,
++                        si->size - si->zero_bytes);
++            }
++        }
++    }
++
++    if (vmastat.status < 0) {
++        unlink(archivename);
++        g_error("creating vma archive failed");
++    }
++
++    return 0;
++}
++
++int main(int argc, char **argv)
++{
++    const char *cmdname;
++    Error *main_loop_err = NULL;
++
++    error_set_progname(argv[0]);
++
++    if (qemu_init_main_loop(&main_loop_err)) {
++        g_error("%s", error_get_pretty(main_loop_err));
++    }
++
++    bdrv_init();
++
++    if (argc < 2) {
++        help();
++    }
++
++    cmdname = argv[1];
++    argc--; argv++;
++
++
++    if (!strcmp(cmdname, "list")) {
++        return list_content(argc, argv);
++    } else if (!strcmp(cmdname, "create")) {
++        return create_archive(argc, argv);
++    } else if (!strcmp(cmdname, "extract")) {
++        return extract_content(argc, argv);
++    }
++
++    help();
++    return 0;
++}
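Review bot: extract_content() builds output paths from names stored in the archive without validating them: `g_strdup_printf("%s/%s", dirname, cdata->name)` for config files, and di->devname in the tmp-disk-%s.raw and disk-%s.raw names. An archive whose names contain '/' or ".." components can therefore write outside targetdir, so reject such names before calling g_file_set_contents() and bdrv_img_create(). In create_archive() the `while (1) {` progress loop is closed by `} else {`, which has no matching if, and backup_run_empty is not defined anywhere in this hunk, so the file does not compile as posted. The two backup_run error paths also pass a trailing -1 to vma_writer_set_error() with a message that has no conversion specifier for it.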
+diff --git a/vma.h b/vma.h
+new file mode 100644
+index 0000000..6625eb9
+--- /dev/null
++++ b/vma.h
+@@ -0,0 +1,146 @@
++/*
++ * VMA: Virtual Machine Archive
++ *
++ * Copyright (C) Proxmox Server Solutions
++ *
++ * Authors:
++ *  Dietmar Maurer (dietmar@proxmox.com)
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ *
++ */
++
++#ifndef BACKUP_VMA_H
++#define BACKUP_VMA_H
++
++#include <uuid/uuid.h>
++#include "qapi/error.h"
++#include "block/block.h"
++
++#define VMA_BLOCK_BITS 12
++#define VMA_BLOCK_SIZE (1<<VMA_BLOCK_BITS)
++#define VMA_CLUSTER_BITS (VMA_BLOCK_BITS+4)
++#define VMA_CLUSTER_SIZE (1<<VMA_CLUSTER_BITS)
++
++#if VMA_CLUSTER_SIZE != 65536
++#error unexpected cluster size
++#endif
++
++#define VMA_EXTENT_HEADER_SIZE 512
++#define VMA_BLOCKS_PER_EXTENT 59
++#define VMA_MAX_CONFIGS 256
++
++#define VMA_MAX_EXTENT_SIZE \
++    (VMA_EXTENT_HEADER_SIZE+VMA_CLUSTER_SIZE*VMA_BLOCKS_PER_EXTENT)
++#if VMA_MAX_EXTENT_SIZE != 3867136
++#error unexpected VMA_EXTENT_SIZE
++#endif
++
++/* File Format Definitions */
++
++#define VMA_MAGIC (GUINT32_TO_BE(('V'<<24)|('M'<<16)|('A'<<8)|0x00))
++#define VMA_EXTENT_MAGIC (GUINT32_TO_BE(('V'<<24)|('M'<<16)|('A'<<8)|'E'))
++
++typedef struct VmaDeviceInfoHeader {
++    uint32_t devname_ptr; /* offset into blob_buffer table */
++    uint32_t reserved0;
++    uint64_t size; /* device size in bytes */
++    uint64_t reserved1;
++    uint64_t reserved2;
++} VmaDeviceInfoHeader;
++
++typedef struct VmaHeader {
++    uint32_t magic;
++    uint32_t version;
++    unsigned char uuid[16];
++    int64_t ctime;
++    unsigned char md5sum[16];
++
++    uint32_t blob_buffer_offset;
++    uint32_t blob_buffer_size;
++    uint32_t header_size;
++
++    unsigned char reserved[1984];
++
++    uint32_t config_names[VMA_MAX_CONFIGS]; /* offset into blob_buffer table */
++    uint32_t config_data[VMA_MAX_CONFIGS];  /* offset into blob_buffer table */
++
++    uint32_t reserved1;
++
++    VmaDeviceInfoHeader dev_info[256];
++} VmaHeader;
++
++typedef struct VmaExtentHeader {
++    uint32_t magic;
++    uint16_t reserved1;
++    uint16_t block_count;
++    unsigned char uuid[16];
++    unsigned char md5sum[16];
++    uint64_t blockinfo[VMA_BLOCKS_PER_EXTENT];
++} VmaExtentHeader;
++
++/* functions/definitions to read/write vma files */
++
++typedef struct VmaReader VmaReader;
++
++typedef struct VmaWriter VmaWriter;
++
++typedef struct VmaConfigData {
++    const char *name;
++    const void *data;
++    uint32_t len;
++} VmaConfigData;
++
++typedef struct VmaStreamInfo {
++    uint64_t size;
++    uint64_t cluster_count;
++    uint64_t transferred;
++    uint64_t zero_bytes;
++    int finished;
++    char *devname;
++} VmaStreamInfo;
++
++typedef struct VmaStatus {
++    int status;
++    bool closed;
++    char errmsg[8192];
++    char uuid_str[37];
++    VmaStreamInfo stream_info[256];
++} VmaStatus;
++
++typedef struct VmaDeviceInfo {
++    uint64_t size; /* device size in bytes */
++    const char *devname;
++} VmaDeviceInfo;
++
++VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp);
++int vma_writer_close(VmaWriter *vmaw, Error **errp);
++void vma_writer_destroy(VmaWriter *vmaw);
++int vma_writer_add_config(VmaWriter *vmaw, const char *name, gpointer data,
++                          size_t len);
++int vma_writer_register_stream(VmaWriter *vmaw, const char *devname,
++                               size_t size);
++
++int64_t coroutine_fn vma_writer_write(VmaWriter *vmaw, uint8_t dev_id,
++                                      int64_t cluster_num, unsigned char *buf,
++                                      size_t *zero_bytes);
++
++int coroutine_fn vma_writer_close_stream(VmaWriter *vmaw, uint8_t dev_id);
++
++int vma_writer_get_status(VmaWriter *vmaw, VmaStatus *status);
++void vma_writer_set_error(VmaWriter *vmaw, const char *fmt, ...);
++
++
++VmaReader *vma_reader_create(const char *filename, Error **errp);
++void vma_reader_destroy(VmaReader *vmar);
++VmaHeader *vma_reader_get_header(VmaReader *vmar);
++GList *vma_reader_get_config_data(VmaReader *vmar);
++VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id);
++int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id,
++                           BlockDriverState *bs, bool write_zeroes,
++                           Error **errp);
++int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
++                       Error **errp);
++
++#endif /* BACKUP_VMA_H */
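Review bot: VmaHeader, VmaDeviceInfoHeader and VmaExtentHeader define the on-disk layout, yet nothing in this header pins their sizes or field offsets; the layout is correct only while the compiler inserts no padding. The file already guards VMA_CLUSTER_SIZE and VMA_MAX_EXTENT_SIZE with #if/#error, so add the matching compile-time checks for the structs, for example QEMU_BUILD_BUG_ON(sizeof(VmaExtentHeader) != VMA_EXTENT_HEADER_SIZE) and an equivalent check on sizeof(VmaHeader). The literal 256 in dev_info[256] and stream_info[256] would also read better as a named constant next to VMA_MAX_CONFIGS, and the comments should state the byte order of the multi-byte fields, since only the two magic values show it (GUINT32_TO_BE).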
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0012-vma-add-verify-command.patch b/debian/patches/pve/0012-vma-add-verify-command.patch
new file mode 100644 (file)
index 0000000..fa90ef4
--- /dev/null
@@ -0,0 +1,321 @@
+From 144e613eeca6a3383b981f9ca8b82c4a354b36c2 Mon Sep 17 00:00:00 2001
+From: Dietmar Maurer <dietmar@proxmox.com>
+Date: Mon, 11 Mar 2013 07:07:46 +0100
+Subject: [PATCH 12/47] vma: add verify command
+
+Users wants to verify the archive after backup.
+
+Examples:
+
+ # vma verify -v test.vma
+
+ # lzop -d -c test.vma.lzo |vma verify -
+
+Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
+---
+ vma-reader.c | 121 ++++++++++++++++++++++++++++++++++++++++++++---------------
+ vma.c        |  55 +++++++++++++++++++++++++++
+ vma.h        |   1 +
+ 3 files changed, 147 insertions(+), 30 deletions(-)
+
+diff --git a/vma-reader.c b/vma-reader.c
+index 51dd8fe..2aafb26 100644
+--- a/vma-reader.c
++++ b/vma-reader.c
+@@ -45,6 +45,8 @@ struct VmaReader {
+     time_t start_time;
+     int64_t cluster_count;
+     int64_t clusters_read;
++    int64_t zero_cluster_data;
++    int64_t partial_zero_cluster_data;
+     int clusters_read_per;
+ };
+@@ -425,6 +427,27 @@ VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id)
+     return NULL;
+ }
++static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
++                            BlockDriverState *bs, bool write_zeroes)
++{
++    assert(vmar);
++    assert(dev_id);
++
++    vmar->rstate[dev_id].bs = bs;
++    vmar->rstate[dev_id].write_zeroes = write_zeroes;
++
++    int64_t size = vmar->devinfo[dev_id].size;
++
++    int64_t bitmap_size = (size/BDRV_SECTOR_SIZE) +
++        (VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE) * BITS_PER_LONG - 1;
++    bitmap_size /= (VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE) * BITS_PER_LONG;
++
++    vmar->rstate[dev_id].bitmap_size = bitmap_size;
++    vmar->rstate[dev_id].bitmap = g_new0(unsigned long, bitmap_size);
++
++    vmar->cluster_count += size/VMA_CLUSTER_SIZE;
++}
++
+ int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockDriverState *bs,
+                            bool write_zeroes, Error **errp)
+ {
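Review bot: allocate_rstate() takes size from vmar->devinfo[dev_id].size and feeds the derived bitmap_size straight into g_new0() with no range check in this function. That was tolerable while vma_reader_register_bs() was the only caller, but vma_reader_verify() now calls it for every device listed in the archive, so the allocation size is driven by the file being verified. Reject a negative or implausibly large size with error_setg() before allocating; that means giving the helper an errp and a return value instead of void. Also note that cluster_count uses truncating division (size/VMA_CLUSTER_SIZE) while the bitmap size rounds up, so a device whose size is not a multiple of the cluster size is undercounted in the progress total.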
+@@ -447,17 +470,7 @@ int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockDriverState *bs,
+         return -1;
+     }
+-    vmar->rstate[dev_id].bs = bs;
+-    vmar->rstate[dev_id].write_zeroes = write_zeroes;
+-
+-    int64_t bitmap_size = (size/BDRV_SECTOR_SIZE) +
+-        (VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE) * BITS_PER_LONG - 1;
+-    bitmap_size /= (VMA_CLUSTER_SIZE/BDRV_SECTOR_SIZE) * BITS_PER_LONG;
+-
+-    vmar->rstate[dev_id].bitmap_size = bitmap_size;
+-    vmar->rstate[dev_id].bitmap = g_new0(unsigned long, bitmap_size);
+-
+-    vmar->cluster_count += size/VMA_CLUSTER_SIZE;
++    allocate_rstate(vmar, dev_id, bs, write_zeroes);
+     return 0;
+ }
+@@ -524,9 +537,10 @@ static int restore_write_data(VmaReader *vmar, guint8 dev_id,
+     }
+     return 0;
+ }
++
+ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+                           int extent_size, int vmstate_fd,
+-                          bool verbose, Error **errp)
++                          bool verbose, bool verify, Error **errp)
+ {
+     assert(vmar);
+     assert(buf);
+@@ -551,7 +565,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+         if (dev_id != vmar->vmstate_stream) {
+             bs = rstate->bs;
+-            if (!bs) {
++            if (!verify && !bs) {
+                 error_setg(errp, "got wrong dev id %d", dev_id);
+                 return -1;
+             }
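Review bot: With "if (!verify && !bs)" the dev_id check is skipped entirely in verify mode, so an extent that references a device id with no device info is no longer rejected here. vma_reader_verify() only calls allocate_rstate() for ids that vma_reader_get_device_info() knows, which leaves rstate->bitmap NULL for every other id. In verify mode, test that per-device state instead (for example "if (verify ? !rstate->bitmap : !bs)") and keep the "got wrong dev id" error, so a malformed archive fails verification rather than being processed with unallocated state.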
+@@ -607,10 +621,13 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+                 return -1;
+             }
+-            int nb_sectors = end_sector - sector_num;
+-            if (restore_write_data(vmar, dev_id, bs, vmstate_fd, buf + start,
+-                                   sector_num, nb_sectors, errp) < 0) {
+-                return -1;
++            if (!verify) {
++                int nb_sectors = end_sector - sector_num;
++                if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                                       buf + start, sector_num, nb_sectors,
++                                       errp) < 0) {
++                    return -1;
++                }
+             }
+             start += VMA_CLUSTER_SIZE;
+@@ -640,26 +657,37 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+                         return -1;
+                     }
+-                    int nb_sectors = end_sector - sector_num;
+-                    if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
+-                                           buf + start, sector_num,
+-                                           nb_sectors, errp) < 0) {
+-                        return -1;
++                    if (!verify) {
++                        int nb_sectors = end_sector - sector_num;
++                        if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                                               buf + start, sector_num,
++                                               nb_sectors, errp) < 0) {
++                            return -1;
++                        }
+                     }
+                     start += VMA_BLOCK_SIZE;
+                 } else {
+-                    if (rstate->write_zeroes && (end_sector > sector_num)) {
++
++                    if (end_sector > sector_num) {
+                         /* Todo: use bdrv_co_write_zeroes (but that need to
+                          * be run inside coroutine?)
+                          */
+                         int nb_sectors = end_sector - sector_num;
+-                        if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
+-                                              zero_vma_block, sector_num,
+-                                               nb_sectors, errp) < 0) {
+-                            return -1;
++                        int zero_size = BDRV_SECTOR_SIZE*nb_sectors;
++                        vmar->zero_cluster_data += zero_size;
++                        if (mask != 0) {
++                            vmar->partial_zero_cluster_data += zero_size;
++                        }
++
++                        if (rstate->write_zeroes && !verify) {
++                            if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                                                   zero_vma_block, sector_num,
++                                                   nb_sectors, errp) < 0) {
++                                return -1;
++                            }
+                         }
+                     }
+                 }
+@@ -677,8 +705,9 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+     return 0;
+ }
+-int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
+-                       Error **errp)
++static int vma_reader_restore_full(VmaReader *vmar, int vmstate_fd,
++                                   bool verbose, bool verify,
++                                   Error **errp)
+ {
+     assert(vmar);
+     assert(vmar->head_data);
+@@ -745,7 +774,7 @@ int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
+         }
+         if (restore_extent(vmar, buf, extent_size, vmstate_fd, verbose,
+-                           errp) < 0) {
++                           verify, errp) < 0) {
+             return -1;
+         }
+@@ -792,6 +821,38 @@ int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
+         }
+     }
++    if (verbose) {
++        printf("total bytes read %zd, sparse bytes %zd (%.3g%%)\n",
++               vmar->clusters_read*VMA_CLUSTER_SIZE,
++               vmar->zero_cluster_data,
++               (double)(100.0*vmar->zero_cluster_data)/
++               (vmar->clusters_read*VMA_CLUSTER_SIZE));
++
++        int64_t datasize = vmar->clusters_read*VMA_CLUSTER_SIZE-vmar->zero_cluster_data;
++        if (datasize) { // this does not make sense for empty files
++            printf("space reduction due to 4K zero blocks %.3g%%\n",
++                   (double)(100.0*vmar->partial_zero_cluster_data) / datasize);
++        }
++    }
+     return ret;
+ }
++int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
++                       Error **errp)
++{
++    return vma_reader_restore_full(vmar, vmstate_fd, verbose, false, errp);
++}
++
++int vma_reader_verify(VmaReader *vmar, bool verbose, Error **errp)
++{
++    guint8 dev_id;
++
++    for (dev_id = 1; dev_id < 255; dev_id++) {
++        if (vma_reader_get_device_info(vmar, dev_id)) {
++            allocate_rstate(vmar, dev_id, NULL, false);
++        }
++    }
++
++    return vma_reader_restore_full(vmar, -1, verbose, true, errp);
++}
++
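Review bot: The verbose summary in vma_reader_restore_full() formats int64_t expressions with "%zd"; use "%" PRId64 so the output is correct where ssize_t is not 64 bits wide. The first printf also divides by vmar->clusters_read*VMA_CLUSTER_SIZE with no guard, so an archive with no clusters prints "nan%", while the second ratio is protected by "if (datasize)"; put both under the same check. In vma_reader_verify(), the loop stops at "dev_id < 255" although the header table is dev_info[256]; if id 255 is reserved, say so in a comment, otherwise the last slot is never set up. The "//" comment should be a block comment to match the rest of the file.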
+diff --git a/vma.c b/vma.c
+index 8014090..d55874a 100644
+--- a/vma.c
++++ b/vma.c
+@@ -28,6 +28,7 @@ static void help(void)
+         "vma list <filename>\n"
+         "vma create <filename> [-c config] <archive> pathname ...\n"
+         "vma extract <filename> [-r <fifo>] <targetdir>\n"
++        "vma verify <filename> [-v]\n"
+         ;
+     printf("%s", help_msg);
+@@ -332,6 +333,58 @@ static int extract_content(int argc, char **argv)
+     return ret;
+ }
++static int verify_content(int argc, char **argv)
++{
++    int c, ret = 0;
++    int verbose = 0;
++    const char *filename;
++
++    for (;;) {
++        c = getopt(argc, argv, "hv");
++        if (c == -1) {
++            break;
++        }
++        switch (c) {
++        case '?':
++        case 'h':
++            help();
++            break;
++        case 'v':
++            verbose = 1;
++            break;
++        default:
++            help();
++        }
++    }
++
++    /* Get the filename */
++    if ((optind + 1) != argc) {
++        help();
++    }
++    filename = argv[optind++];
++
++    Error *errp = NULL;
++    VmaReader *vmar = vma_reader_create(filename, &errp);
++
++    if (!vmar) {
++        g_error("%s", error_get_pretty(errp));
++    }
++
++    if (verbose) {
++        print_content(vmar);
++    }
++
++    if (vma_reader_verify(vmar, verbose, &errp) < 0) {
++        g_error("verify failed - %s", error_get_pretty(errp));
++    }
++
++    vma_reader_destroy(vmar);
++
++    bdrv_close_all();
++
++    return ret;
++}
++
+ typedef struct BackupJob {
+     BlockDriverState *bs;
+     int64_t len;
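Review bot: verify_content() reports a failed verification through g_error("verify failed - %s", ...), which aborts the process, and "ret" is initialised to 0 and never assigned, so the function has no normal failure return at all. For a command whose purpose is to tell the caller whether an archive is intact, print the message to stderr, call vma_reader_destroy() and return a non-zero status instead; a script piping "lzop -d -c ... | vma verify -" should see an exit code, not SIGABRT. The same applies to the vma_reader_create() failure just above it. The Error object is also never released with error_free() on either path.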
+@@ -578,6 +631,8 @@ int main(int argc, char **argv)
+         return create_archive(argc, argv);
+     } else if (!strcmp(cmdname, "extract")) {
+         return extract_content(argc, argv);
++    } else if (!strcmp(cmdname, "verify")) {
++        return verify_content(argc, argv);
+     }
+     help();
+diff --git a/vma.h b/vma.h
+index 6625eb9..9bb6ea4 100644
+--- a/vma.h
++++ b/vma.h
+@@ -142,5 +142,6 @@ int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id,
+                            Error **errp);
+ int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
+                        Error **errp);
++int vma_reader_verify(VmaReader *vmar, bool verbose, Error **errp);
+ #endif /* BACKUP_VMA_H */
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch b/debian/patches/pve/0013-vma-add-config-command-to-dump-the-config.patch
new file mode 100644 (file)
index 0000000..c16c8e5
--- /dev/null
@@ -0,0 +1,101 @@
+From 48896281bebc5c69760f4e47625e4db81e3a9004 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 14:46:49 +0100
+Subject: [PATCH 13/47] vma: add 'config' command to dump the config
+
+---
+ vma.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 64 insertions(+)
+
+diff --git a/vma.c b/vma.c
+index d55874a..79bdd00 100644
+--- a/vma.c
++++ b/vma.c
+@@ -26,6 +26,7 @@ static void help(void)
+         "usage: vma command [command options]\n"
+         "\n"
+         "vma list <filename>\n"
++        "vma config <filename> [-c config]\n"
+         "vma create <filename> [-c config] <archive> pathname ...\n"
+         "vma extract <filename> [-r <fifo>] <targetdir>\n"
+         "vma verify <filename> [-v]\n"
+@@ -604,6 +605,67 @@ static int create_archive(int argc, char **argv)
+     return 0;
+ }
++static int dump_config(int argc, char **argv)
++{
++    int c, ret = 0;
++    const char *filename;
++    const char *config_name = "qemu-server.conf";
++
++    for (;;) {
++        c = getopt(argc, argv, "hc:");
++        if (c == -1) {
++            break;
++        }
++        switch (c) {
++        case '?':
++        case 'h':
++            help();
++            break;
++        case 'c':
++            config_name = optarg;
++            break;
++        default:
++            help();
++        }
++    }
++
++    /* Get the filename */
++    if ((optind + 1) != argc) {
++        help();
++    }
++    filename = argv[optind++];
++
++    Error *errp = NULL;
++    VmaReader *vmar = vma_reader_create(filename, &errp);
++
++    if (!vmar) {
++        g_error("%s", error_get_pretty(errp));
++    }
++
++    int found = 0;
++    GList *l = vma_reader_get_config_data(vmar);
++    while (l && l->data) {
++        VmaConfigData *cdata = (VmaConfigData *)l->data;
++        l = g_list_next(l);
++        if (strcmp(cdata->name, config_name) == 0) {
++            found = 1;
++            fwrite(cdata->data,  cdata->len, 1, stdout);
++            break;
++        }
++    }
++
++    vma_reader_destroy(vmar);
++
++    bdrv_close_all();
++
++    if (!found) {
++        fprintf(stderr, "unable to find configuration data '%s'\n", config_name);
++        return -1;
++    }
++
++    return ret;
++}
++
+ int main(int argc, char **argv)
+ {
+     const char *cmdname;
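Review bot: In dump_config() the result of "fwrite(cdata->data,  cdata->len, 1, stdout)" is ignored, so a short or failed write to stdout still sets found = 1 and the command exits 0 with a truncated config. Check the return value (taking care that a zero-length entry legitimately returns 0) and flush stdout before returning. The not-found path returns -1 from what becomes the exit status of main(), which the shell sees as 255; return a small positive failure code instead. Minor: there is a double space after the first fwrite argument, and the commit carries no description or Signed-off-by line, unlike the neighbouring patches.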
+@@ -633,6 +695,8 @@ int main(int argc, char **argv)
+         return extract_content(argc, argv);
+     } else if (!strcmp(cmdname, "verify")) {
+         return verify_content(argc, argv);
++    } else if (!strcmp(cmdname, "config")) {
++        return dump_config(argc, argv);
+     }
+     help();
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0014-backup-modify-job-api.patch b/debian/patches/pve/0014-backup-modify-job-api.patch
new file mode 100644 (file)
index 0000000..4a4b671
--- /dev/null
@@ -0,0 +1,236 @@
+From 1078c0f6acc1bfba04b7d5cdfdeb02b161b5f7c4 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:04:57 +0100
+Subject: [PATCH 14/47] backup: modify job api
+
+Introduces a BackupDump function callback and a pause_count
+for backup_start. For a dump-backup the target parameter
+can now be NULL so access to target needs to be guarded now.
+---
+ block/backup.c            | 82 +++++++++++++++++++++++++++++++----------------
+ blockdev.c                |  6 ++--
+ include/block/block_int.h |  5 +++
+ 3 files changed, 63 insertions(+), 30 deletions(-)
+
+diff --git a/block/backup.c b/block/backup.c
+index 2c05323..f3c0ba3 100644
+--- a/block/backup.c
++++ b/block/backup.c
+@@ -41,6 +41,7 @@ typedef struct BackupBlockJob {
+     BdrvDirtyBitmap *sync_bitmap;
+     MirrorSyncMode sync_mode;
+     RateLimit limit;
++    BackupDumpFunc *dump_cb;
+     BlockdevOnError on_source_error;
+     BlockdevOnError on_target_error;
+     CoRwlock flush_rwlock;
+@@ -149,12 +150,23 @@ static int coroutine_fn backup_do_cow(BackupBlockJob *job,
+             goto out;
+         }
++        int64_t start_sec = start * sectors_per_cluster;
+         if (buffer_is_zero(iov.iov_base, iov.iov_len)) {
+-            ret = blk_co_pwrite_zeroes(job->target, start * job->cluster_size,
+-                                       bounce_qiov.size, BDRV_REQ_MAY_UNMAP);
++            if (job->dump_cb) {
++                ret = job->dump_cb(job->common.opaque, job->target, start_sec, n, NULL);
++            }
++            if (job->target) {
++                ret = blk_co_pwrite_zeroes(job->target, start * job->cluster_size,
++                                           bounce_qiov.size, BDRV_REQ_MAY_UNMAP);
++            }
+         } else {
+-            ret = blk_co_pwritev(job->target, start * job->cluster_size,
+-                                 bounce_qiov.size, &bounce_qiov, 0);
++            if (job->dump_cb) {
++                ret = job->dump_cb(job->common.opaque, job->target, start_sec, n, bounce_buffer);
++            }
++            if (job->target) {
++                ret = blk_co_pwritev(job->target, start * job->cluster_size,
++                                     bounce_qiov.size, &bounce_qiov, 0);
++            }
+         }
+         if (ret < 0) {
+             trace_backup_do_cow_write_fail(job, start, ret);
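Review bot: In both branches of backup_do_cow() the return value of job->dump_cb() is overwritten when job->target is also set, because "ret = blk_co_pwrite_zeroes(...)" or "ret = blk_co_pwritev(...)" runs unconditionally afterwards. A failed dump is then reported as success as long as the target write succeeds, and the "if (ret < 0)" check below never sees it. Check ret after the callback and skip the target write on failure, or make the two sinks mutually exclusive and assert that in backup_start(). The new dump_cb call lines also exceed 80 columns, and start_sec is declared in the middle of the block.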
+@@ -268,9 +280,11 @@ static BlockErrorAction backup_error_action(BackupBlockJob *job,
+     if (read) {
+         return block_job_error_action(&job->common, job->on_source_error,
+                                       true, error);
+-    } else {
++    } else if (job->target) {
+         return block_job_error_action(&job->common, job->on_target_error,
+                                       false, error);
++    } else {
++        return BLOCK_ERROR_ACTION_REPORT;
+     }
+ }
+@@ -393,6 +407,7 @@ static void coroutine_fn backup_run(void *opaque)
+     job->done_bitmap = bitmap_new(end);
++
+     job->before_write.notify = backup_before_write_notify;
+     bdrv_add_before_write_notifier(bs, &job->before_write);
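Review bot: The only change in this hunk is an extra blank line after "job->done_bitmap = bitmap_new(end);" in backup_run(). It adds noise to a patch that will be rebased across upstream releases; drop it.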
+@@ -467,7 +482,9 @@ static void coroutine_fn backup_run(void *opaque)
+     qemu_co_rwlock_unlock(&job->flush_rwlock);
+     g_free(job->done_bitmap);
+-    bdrv_op_unblock_all(blk_bs(target), job->common.blocker);
++    if (target) {
++        bdrv_op_unblock_all(blk_bs(target), job->common.blocker);
++    }
+     data = g_malloc(sizeof(*data));
+     data->ret = ret;
+@@ -479,7 +496,9 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+                   MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
+                   BlockdevOnError on_source_error,
+                   BlockdevOnError on_target_error,
++                  BackupDumpFunc *dump_cb,
+                   BlockCompletionFunc *cb, void *opaque,
++                  int pause_count,
+                   BlockJobTxn *txn, Error **errp)
+ {
+     int64_t len;
+@@ -488,7 +507,7 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+     int ret;
+     assert(bs);
+-    assert(target);
++    assert(target || dump_cb);
+     if (bs == target) {
+         error_setg(errp, "Source and target cannot be the same");
+@@ -501,7 +520,7 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+         return;
+     }
+-    if (!bdrv_is_inserted(target)) {
++    if (target && !bdrv_is_inserted(target)) {
+         error_setg(errp, "Device is not inserted: %s",
+                    bdrv_get_device_name(target));
+         return;
+@@ -511,7 +530,7 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+         return;
+     }
+-    if (bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) {
++    if (target && bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) {
+         return;
+     }
+@@ -547,34 +566,43 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+         goto error;
+     }
+-    job->target = blk_new();
+-    blk_insert_bs(job->target, target);
++    if (target) {
++        job->target = blk_new();
++        blk_insert_bs(job->target, target);
++    }
++    job->dump_cb = dump_cb;
+     job->on_source_error = on_source_error;
+     job->on_target_error = on_target_error;
+     job->sync_mode = sync_mode;
+     job->sync_bitmap = sync_mode == MIRROR_SYNC_MODE_INCREMENTAL ?
+                        sync_bitmap : NULL;
+-    /* If there is no backing file on the target, we cannot rely on COW if our
+-     * backup cluster size is smaller than the target cluster size. Even for
+-     * targets with a backing file, try to avoid COW if possible. */
+-    ret = bdrv_get_info(target, &bdi);
+-    if (ret < 0 && !target->backing) {
+-        error_setg_errno(errp, -ret,
+-            "Couldn't determine the cluster size of the target image, "
+-            "which has no backing file");
+-        error_append_hint(errp,
+-            "Aborting, since this may create an unusable destination image\n");
+-        goto error;
+-    } else if (ret < 0 && target->backing) {
+-        /* Not fatal; just trudge on ahead. */
+-        job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
++    if (target) {
++        /* If there is no backing file on the target, we cannot rely on COW if our
++         * backup cluster size is smaller than the target cluster size. Even for
++         * targets with a backing file, try to avoid COW if possible. */
++        ret = bdrv_get_info(target, &bdi);
++        if (ret < 0 && !target->backing) {
++            error_setg_errno(errp, -ret,
++                "Couldn't determine the cluster size of the target image, "
++                "which has no backing file");
++            error_append_hint(errp,
++                "Aborting, since this may create an unusable destination image\n");
++            goto error;
++        } else if (ret < 0 && target->backing) {
++            /* Not fatal; just trudge on ahead. */
++            job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
++        } else {
++            job->cluster_size = MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size);
++        }
++
++        bdrv_op_block_all(target, job->common.blocker);
+     } else {
+-        job->cluster_size = MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size);
++        job->cluster_size = BACKUP_CLUSTER_SIZE_DEFAULT;
+     }
+-    bdrv_op_block_all(target, job->common.blocker);
++    job->common.pause_count = pause_count;
+     job->common.len = len;
+     job->common.co = qemu_coroutine_create(backup_run, job);
+     block_job_txn_add_job(txn, &job->common);
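Review bot: "job->common.pause_count = pause_count;" writes the block job's internal pause counter directly from a caller-supplied int, with no range check and no comment on what a non-zero value means for the caller (the job is created but who resumes it?). Add at least assert(pause_count >= 0) and a comment at the backup_start() prototype describing the contract. In the target == NULL branch, job->target is never assigned in this hunk, so the "error:" path and any later user of job->target must tolerate NULL; please confirm the cleanup code does, since it is outside the visible context. The MAX(BACKUP_CLUSTER_SIZE_DEFAULT, bdi.cluster_size) line and the re-indented comment now run past 80 columns.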
+diff --git a/blockdev.c b/blockdev.c
+index 2161400..5e3707d 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3277,8 +3277,8 @@ static void do_drive_backup(const char *job_id, const char *device,
+     }
+     backup_start(job_id, bs, target_bs, speed, sync, bmap,
+-                 on_source_error, on_target_error,
+-                 block_job_cb, bs, txn, &local_err);
++                 on_source_error, on_target_error, NULL,
++                 block_job_cb, bs, 0, txn, &local_err);
+     bdrv_unref(target_bs);
+     if (local_err != NULL) {
+         error_propagate(errp, local_err);
+@@ -3371,7 +3371,7 @@ void do_blockdev_backup(const char *job_id, const char *device,
+         }
+     }
+     backup_start(job_id, bs, target_bs, speed, sync, NULL, on_source_error,
+-                 on_target_error, block_job_cb, bs, txn, &local_err);
++                 on_target_error, NULL, block_job_cb, bs, 0, txn, &local_err);
+     if (local_err != NULL) {
+         error_propagate(errp, local_err);
+     }
+diff --git a/include/block/block_int.h b/include/block/block_int.h
+index 1e939de..db4650e 100644
+--- a/include/block/block_int.h
++++ b/include/block/block_int.h
+@@ -59,6 +59,9 @@
+ #define BLOCK_PROBE_BUF_SIZE        512
++typedef int BackupDumpFunc(void *opaque, BlockDriverState *bs,
++                           int64_t sector_num, int n_sectors, unsigned char *buf);
++
+ enum BdrvTrackedRequestType {
+     BDRV_TRACKED_READ,
+     BDRV_TRACKED_WRITE,
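Review bot: The BackupDumpFunc typedef declares its second parameter as "BlockDriverState *bs", but the only call sites added in this patch pass job->target, which backup_start() creates with blk_new() and which is used with blk_co_pwritev(), i.e. a BlockBackend. The parameter type and the argument do not match; change the typedef to take a BlockBackend pointer or pass the BlockDriverState. The typedef also needs a comment stating the contract the callers rely on: buf == NULL means the range is all zeroes, the offset is in sectors, and a negative return is an error.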
+@@ -767,7 +770,9 @@ void backup_start(const char *job_id, BlockDriverState *bs,
+                   MirrorSyncMode sync_mode, BdrvDirtyBitmap *sync_bitmap,
+                   BlockdevOnError on_source_error,
+                   BlockdevOnError on_target_error,
++                  BackupDumpFunc *dump_cb,
+                   BlockCompletionFunc *cb, void *opaque,
++                  int pause_count,
+                   BlockJobTxn *txn, Error **errp);
+ void hmp_drive_add_node(Monitor *mon, const char *optstr);
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0015-backup-add-pve-monitor-commands.patch b/debian/patches/pve/0015-backup-add-pve-monitor-commands.patch
new file mode 100644 (file)
index 0000000..ed76b3b
--- /dev/null
@@ -0,0 +1,797 @@
+From 798846b48b31d8231a3af5858285845d932d1d6b Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:20:56 +0100
+Subject: [PATCH 15/47] backup: add pve monitor commands
+
+---
+ blockdev.c                | 439 ++++++++++++++++++++++++++++++++++++++++++++++
+ blockjob.c                |   3 +-
+ hmp-commands-info.hx      |  13 ++
+ hmp-commands.hx           |  29 +++
+ hmp.c                     |  61 +++++++
+ hmp.h                     |   3 +
+ include/block/block_int.h |   2 +-
+ qapi-schema.json          |  89 ++++++++++
+ qmp-commands.hx           |  18 ++
+ 9 files changed, 655 insertions(+), 2 deletions(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index 5e3707d..5417bb0 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -52,6 +52,7 @@
+ #include "sysemu/arch_init.h"
+ #include "qemu/cutils.h"
+ #include "qemu/help_option.h"
++#include "vma.h"
+ static QTAILQ_HEAD(, BlockDriverState) monitor_bdrv_states =
+     QTAILQ_HEAD_INITIALIZER(monitor_bdrv_states);
+@@ -2976,6 +2977,444 @@ static void block_job_cb(void *opaque, int ret)
+     }
+ }
++/* PVE backup related function */
++
++static struct PVEBackupState {
++    Error *error;
++    bool cancel;
++    uuid_t uuid;
++    char uuid_str[37];
++    int64_t speed;
++    time_t start_time;
++    time_t end_time;
++    char *backup_file;
++    VmaWriter *vmaw;
++    GList *di_list;
++    size_t total;
++    size_t transferred;
++    size_t zero_bytes;
++} backup_state;
++
++typedef struct PVEBackupDevInfo {
++    BlockDriverState *bs;
++    size_t size;
++    uint8_t dev_id;
++    //bool started;
++    bool completed;
++} PVEBackupDevInfo;
++
++static void pvebackup_run_next_job(void);
++
++static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
++                             int64_t sector_num, int n_sectors,
++                             unsigned char *buf)
++{
++    PVEBackupDevInfo *di = opaque;
++
++    if (sector_num & 0x7f) {
++        if (!backup_state.error) {
++            error_setg(&backup_state.error,
++                       "got unaligned write inside backup dump "
++                       "callback (sector %ld)", sector_num);
++        }
++        return -1; // not aligned to cluster size
++    }
++
++    int64_t cluster_num = sector_num >> 7;
++    int size = n_sectors * BDRV_SECTOR_SIZE;
++
++    int ret = -1;
++
++    if (backup_state.vmaw) {
++        size_t zero_bytes = 0;
++        ret = vma_writer_write(backup_state.vmaw, di->dev_id, cluster_num,
++                               buf, &zero_bytes);
++        backup_state.zero_bytes += zero_bytes;
++    } else {
++        ret = size;
++        if (!buf) {
++            backup_state.zero_bytes += size;
++        }
++    }
++
++    backup_state.transferred += size;
++
++    return ret;
++}
++
++static void pvebackup_cleanup(void)
++{
++    backup_state.end_time = time(NULL);
++
++    if (backup_state.vmaw) {
++        Error *local_err = NULL;
++        vma_writer_close(backup_state.vmaw, &local_err);
++        error_propagate(&backup_state.error, local_err);
++        backup_state.vmaw = NULL;
++    }
++
++    if (backup_state.di_list) {
++        GList *l = backup_state.di_list;
++        while (l) {
++            PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++            l = g_list_next(l);
++            g_free(di);
++        }
++        g_list_free(backup_state.di_list);
++        backup_state.di_list = NULL;
++    }
++}
++
++static void pvebackup_complete_cb(void *opaque, int ret)
++{
++    PVEBackupDevInfo *di = opaque;
++
++    assert(backup_state.vmaw);
++
++    di->completed = true;
++
++    if (ret < 0 && !backup_state.error) {
++        error_setg(&backup_state.error, "job failed with err %d - %s",
++                   ret, strerror(-ret));
++    }
++
++    BlockDriverState *bs = di->bs;
++
++    di->bs = NULL;
++
++    vma_writer_close_stream(backup_state.vmaw, di->dev_id);
++
++    block_job_cb(bs, ret);
++
++    if (!backup_state.cancel) {
++        pvebackup_run_next_job();
++    }
++}
++
++static void pvebackup_cancel(void *opaque)
++{
++    backup_state.cancel = true;
++
++    if (!backup_state.error) {
++        error_setg(&backup_state.error, "backup cancelled");
++    }
++
++    /* drain all i/o (awake jobs waiting for aio) */
++    bdrv_drain_all();
++
++    GList *l = backup_state.di_list;
++    while (l) {
++        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++        l = g_list_next(l);
++        if (!di->completed && di->bs) {
++            BlockJob *job = di->bs->job;
++            if (job) {
++                if (!di->completed) {
++                    block_job_cancel_sync(job);
++                }
++            }
++        }
++    }
++
++    pvebackup_cleanup();
++}
++
++void qmp_backup_cancel(Error **errp)
++{
++    Coroutine *co = qemu_coroutine_create(pvebackup_cancel, NULL);
++    qemu_coroutine_enter(co);
++
++    while (backup_state.vmaw) {
++        /* vma writer use main aio context */
++        aio_poll(qemu_get_aio_context(), true);
++    }
++}
++
++bool block_job_should_pause(BlockJob *job);
++static void pvebackup_run_next_job(void)
++{
++    GList *l = backup_state.di_list;
++    while (l) {
++        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++        l = g_list_next(l);
++        if (!di->completed && di->bs && di->bs->job) {
++            BlockJob *job = di->bs->job;
++            if (block_job_should_pause(job)) {
++                bool cancel = backup_state.error || backup_state.cancel;
++                if (cancel) {
++                    block_job_cancel(job);
++                } else {
++                    block_job_resume(job);
++                }
++            }
++            return;
++        }
++    }
++
++    pvebackup_cleanup();
++}
++
++UuidInfo *qmp_backup(const char *backup_file, bool has_format,
++                    BackupFormat format,
++                    bool has_config_file, const char *config_file,
++                    bool has_devlist, const char *devlist,
++                    bool has_speed, int64_t speed, Error **errp)
++{
++    BlockBackend *blk;
++    BlockDriverState *bs = NULL;
++    Error *local_err = NULL;
++    uuid_t uuid;
++    VmaWriter *vmaw = NULL;
++    gchar **devs = NULL;
++    GList *di_list = NULL;
++    GList *l;
++    UuidInfo *uuid_info;
++
++    if (backup_state.di_list) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "previous backup not finished");
++        return NULL;
++    }
++
++    /* Todo: try to auto-detect format based on file name */
++    format = has_format ? format : BACKUP_FORMAT_VMA;
++
++    if (format != BACKUP_FORMAT_VMA) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "unknown backup format");
++        return NULL;
++    }
++
++    if (has_devlist) {
++        devs = g_strsplit_set(devlist, ",;:", -1);
++
++        gchar **d = devs;
++        while (d && *d) {
++            blk = blk_by_name(*d);
++            if (blk) {
++                bs = blk_bs(blk);
++                if (bdrv_is_read_only(bs)) {
++                    error_setg(errp, "Node '%s' is read only", *d);
++                    goto err;
++                }
++                if (!bdrv_is_inserted(bs)) {
++                    error_setg(errp, QERR_DEVICE_HAS_NO_MEDIUM, *d);
++                    goto err;
++                }
++                PVEBackupDevInfo *di = g_new0(PVEBackupDevInfo, 1);
++                di->bs = bs;
++                di_list = g_list_append(di_list, di);
++            } else {
++                error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
++                          "Device '%s' not found", *d);
++                goto err;
++            }
++            d++;
++        }
++
++    } else {
++        BdrvNextIterator it;
++
++        bs = NULL;
++        for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
++            if (!bdrv_is_inserted(bs) || bdrv_is_read_only(bs)) {
++                continue;
++            }
++
++            PVEBackupDevInfo *di = g_new0(PVEBackupDevInfo, 1);
++            di->bs = bs;
++            di_list = g_list_append(di_list, di);
++        }
++    }
++
++    if (!di_list) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "empty device list");
++        goto err;
++    }
++
++    size_t total = 0;
++
++    l = di_list;
++    while (l) {
++        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++        l = g_list_next(l);
++        if (bdrv_op_is_blocked(di->bs, BLOCK_OP_TYPE_BACKUP_SOURCE, errp)) {
++            goto err;
++        }
++
++        ssize_t size = bdrv_getlength(di->bs);
++        if (size < 0) {
++            error_setg_errno(errp, -di->size, "bdrv_getlength failed");
++            goto err;
++        }
++        di->size = size;
++        total += size;
++    }
++
++    uuid_generate(uuid);
++
++    vmaw = vma_writer_create(backup_file, uuid, &local_err);
++    if (!vmaw) {
++        if (local_err) {
++            error_propagate(errp, local_err);
++        }
++        goto err;
++    }
++
++    /* register all devices for vma writer */
++    l = di_list;
++    while (l) {
++        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++        l = g_list_next(l);
++
++        const char *devname = bdrv_get_device_name(di->bs);
++        di->dev_id = vma_writer_register_stream(vmaw, devname, di->size);
++        if (di->dev_id <= 0) {
++            error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                      "register_stream failed");
++            goto err;
++        }
++    }
++
++    /* add configuration file to archive */
++    if (has_config_file) {
++        char *cdata = NULL;
++        gsize clen = 0;
++        GError *err = NULL;
++        if (!g_file_get_contents(config_file, &cdata, &clen, &err)) {
++            error_setg(errp, "unable to read file '%s'", config_file);
++            goto err;
++        }
++
++        const char *basename = g_path_get_basename(config_file);
++        if (vma_writer_add_config(vmaw, basename, cdata, clen) != 0) {
++            error_setg(errp, "unable to add config data to vma archive");
++            g_free(cdata);
++            goto err;
++        }
++        g_free(cdata);
++    }
++
++    /* initialize global backup_state now */
++
++    backup_state.cancel = false;
++
++    if (backup_state.error) {
++        error_free(backup_state.error);
++        backup_state.error = NULL;
++    }
++
++    backup_state.speed = (has_speed && speed > 0) ? speed : 0;
++
++    backup_state.start_time = time(NULL);
++    backup_state.end_time = 0;
++
++    if (backup_state.backup_file) {
++        g_free(backup_state.backup_file);
++    }
++    backup_state.backup_file = g_strdup(backup_file);
++
++    backup_state.vmaw = vmaw;
++
++    uuid_copy(backup_state.uuid, uuid);
++    uuid_unparse_lower(uuid, backup_state.uuid_str);
++
++    backup_state.di_list = di_list;
++
++    backup_state.total = total;
++    backup_state.transferred = 0;
++    backup_state.zero_bytes = 0;
++
++    /* start all jobs (paused state) */
++    l = di_list;
++    while (l) {
++        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++        l = g_list_next(l);
++
++        backup_start(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL,
++                     BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
++                     pvebackup_dump_cb, pvebackup_complete_cb, di,
++                     1, NULL, &local_err);
++        if (local_err != NULL) {
++            error_setg(&backup_state.error, "backup_job_create failed");
++            pvebackup_cancel(NULL);
++        }
++    }
++
++    if (!backup_state.error) {
++        pvebackup_run_next_job(); // run one job
++    }
++
++    uuid_info = g_malloc0(sizeof(*uuid_info));
++    uuid_info->UUID = g_strdup(backup_state.uuid_str);
++    return uuid_info;
++
++err:
++
++    l = di_list;
++    while (l) {
++        g_free(l->data);
++        l = g_list_next(l);
++    }
++    g_list_free(di_list);
++
++    if (devs) {
++        g_strfreev(devs);
++    }
++
++    if (vmaw) {
++        Error *err = NULL;
++        vma_writer_close(vmaw, &err);
++        unlink(backup_file);
++    }
++
++    return NULL;
++}
++
++BackupStatus *qmp_query_backup(Error **errp)
++{
++    BackupStatus *info = g_malloc0(sizeof(*info));
++
++    if (!backup_state.start_time) {
++        /* not started, return {} */
++        return info;
++    }
++
++    info->has_status = true;
++    info->has_start_time = true;
++    info->start_time = backup_state.start_time;
++
++    if (backup_state.backup_file) {
++        info->has_backup_file = true;
++        info->backup_file = g_strdup(backup_state.backup_file);
++    }
++
++    info->has_uuid = true;
++    info->uuid = g_strdup(backup_state.uuid_str);
++
++    if (backup_state.end_time) {
++        if (backup_state.error) {
++            info->status = g_strdup("error");
++            info->has_errmsg = true;
++            info->errmsg = g_strdup(error_get_pretty(backup_state.error));
++        } else {
++            info->status = g_strdup("done");
++        }
++        info->has_end_time = true;
++        info->end_time = backup_state.end_time;
++    } else {
++        info->status = g_strdup("active");
++    }
++
++    info->has_total = true;
++    info->total = backup_state.total;
++    info->has_zero_bytes = true;
++    info->zero_bytes = backup_state.zero_bytes;
++    info->has_transferred = true;
++    info->transferred = backup_state.transferred;
++
++    return info;
++}
++
+ void qmp_block_stream(bool has_job_id, const char *job_id, const char *device,
+                       bool has_base, const char *base,
+                       bool has_backing_file, const char *backing_file,
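Review bot: In qmp_backup, the bdrv_getlength failure path calls error_setg_errno(errp, -di->size, ...), but di->size has not been assigned at that point (the struct comes from g_new0), so the reported errno is always 0; pass -size instead. In the same function, the backup_start loop keeps iterating after pvebackup_cancel(NULL) has run pvebackup_cleanup(), which frees every di and the list itself, so `l` then points into freed memory; leave the loop (and free local_err) as soon as one job fails to start. The string returned by g_path_get_basename() and, on the success path, the devs array are never freed.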
+diff --git a/blockjob.c b/blockjob.c
+index a5ba3be..a550458 100644
+--- a/blockjob.c
++++ b/blockjob.c
+@@ -331,7 +331,8 @@ void block_job_pause(BlockJob *job)
+     job->pause_count++;
+ }
+-static bool block_job_should_pause(BlockJob *job)
++bool block_job_should_pause(BlockJob *job);
++bool block_job_should_pause(BlockJob *job)
+ {
+     return job->pause_count > 0;
+ }
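Review bot: The prototype for block_job_should_pause() is added directly above its definition here and repeated by hand in blockdev.c, so the two declarations can drift apart without the compiler noticing; declare it once in the block job header and include that header from both files.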
+diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
+index 74446c6..7616fe2 100644
+--- a/hmp-commands-info.hx
++++ b/hmp-commands-info.hx
+@@ -502,6 +502,19 @@ STEXI
+ Show CPU statistics.
+ ETEXI
++    {
++        .name       = "backup",
++        .args_type  = "",
++        .params     = "",
++        .help       = "show backup status",
++        .mhandler.cmd = hmp_info_backup,
++    },
++
++STEXI
++@item info backup
++show backup status
++ETEXI
++
+ #if defined(CONFIG_SLIRP)
+     {
+         .name       = "usernet",
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index 848efee..8f2f3e0 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -87,6 +87,35 @@ STEXI
+ Copy data from a backing file into a block device.
+ ETEXI
++   {
++        .name       = "backup",
++        .args_type  = "backupfile:s,speed:o?,devlist:s?",
++        .params     = "backupfile [speed [devlist]]",
++        .help       = "create a VM Backup.",
++        .mhandler.cmd = hmp_backup,
++    },
++
++STEXI
++@item backup
++@findex backup
++Create a VM backup.
++ETEXI
++
++    {
++        .name       = "backup_cancel",
++        .args_type  = "",
++        .params     = "",
++        .help       = "cancel the current VM backup",
++        .mhandler.cmd = hmp_backup_cancel,
++    },
++
++STEXI
++@item backup_cancel
++@findex backup_cancel
++Cancel the current VM backup.
++
++ETEXI
++
+     {
+         .name       = "block_job_set_speed",
+         .args_type  = "device:B,speed:o",
+diff --git a/hmp.c b/hmp.c
+index 3b0dd81..95da164 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -149,6 +149,44 @@ void hmp_info_mice(Monitor *mon, const QDict *qdict)
+     qapi_free_MouseInfoList(mice_list);
+ }
++void hmp_info_backup(Monitor *mon, const QDict *qdict)
++{
++    BackupStatus *info;
++
++    info = qmp_query_backup(NULL);
++    if (info->has_status) {
++        if (info->has_errmsg) {
++            monitor_printf(mon, "Backup status: %s - %s\n",
++                           info->status, info->errmsg);
++        } else {
++            monitor_printf(mon, "Backup status: %s\n", info->status);
++        }
++    }
++
++    if (info->has_backup_file) {
++        monitor_printf(mon, "Start time: %s", ctime(&info->start_time));
++        if (info->end_time) {
++            monitor_printf(mon, "End time: %s", ctime(&info->end_time));
++        }
++
++        int per = (info->has_total && info->total &&
++            info->has_transferred && info->transferred) ?
++            (info->transferred * 100)/info->total : 0;
++        int zero_per = (info->has_total && info->total &&
++                        info->has_zero_bytes && info->zero_bytes) ?
++            (info->zero_bytes * 100)/info->total : 0;
++        monitor_printf(mon, "Backup file: %s\n", info->backup_file);
++        monitor_printf(mon, "Backup uuid: %s\n", info->uuid);
++        monitor_printf(mon, "Total size: %zd\n", info->total);
++        monitor_printf(mon, "Transferred bytes: %zd (%d%%)\n",
++                       info->transferred, per);
++        monitor_printf(mon, "Zero bytes: %zd (%d%%)\n",
++                       info->zero_bytes, zero_per);
++    }
++
++    qapi_free_BackupStatus(info);
++}
++
+ void hmp_info_migrate(Monitor *mon, const QDict *qdict)
+ {
+     MigrationInfo *info;
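Review bot: hmp_info_backup prints info->total, info->transferred and info->zero_bytes with %zd, but the schema declares them as QAPI 'int' (int64_t), so format and argument types disagree on 32-bit hosts; use PRId64. The same mismatch applies to passing &info->start_time and &info->end_time to ctime(), which expects a time_t pointer. The timestamps are also gated on has_backup_file rather than on has_start_time and has_end_time.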
+@@ -1493,6 +1531,29 @@ void hmp_block_stream(Monitor *mon, const QDict *qdict)
+     hmp_handle_error(mon, &error);
+ }
++void hmp_backup_cancel(Monitor *mon, const QDict *qdict)
++{
++    Error *error = NULL;
++
++    qmp_backup_cancel(&error);
++
++    hmp_handle_error(mon, &error);
++}
++
++void hmp_backup(Monitor *mon, const QDict *qdict)
++{
++    Error *error = NULL;
++
++    const char *backup_file = qdict_get_str(qdict, "backupfile");
++    const char *devlist = qdict_get_try_str(qdict, "devlist");
++    int64_t speed = qdict_get_try_int(qdict, "speed", 0);
++
++    qmp_backup(backup_file, true, BACKUP_FORMAT_VMA, false, NULL, !!devlist,
++               devlist, qdict_haskey(qdict, "speed"), speed, &error);
++
++    hmp_handle_error(mon, &error);
++}
++
+ void hmp_block_job_set_speed(Monitor *mon, const QDict *qdict)
+ {
+     Error *error = NULL;
+diff --git a/hmp.h b/hmp.h
+index 0876ec0..9a4c1f6 100644
+--- a/hmp.h
++++ b/hmp.h
+@@ -30,6 +30,7 @@ void hmp_info_migrate(Monitor *mon, const QDict *qdict);
+ void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
+ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict);
+ void hmp_info_migrate_cache_size(Monitor *mon, const QDict *qdict);
++void hmp_info_backup(Monitor *mon, const QDict *qdict);
+ void hmp_info_cpus(Monitor *mon, const QDict *qdict);
+ void hmp_info_block(Monitor *mon, const QDict *qdict);
+ void hmp_info_blockstats(Monitor *mon, const QDict *qdict);
+@@ -76,6 +77,8 @@ void hmp_eject(Monitor *mon, const QDict *qdict);
+ void hmp_change(Monitor *mon, const QDict *qdict);
+ void hmp_block_set_io_throttle(Monitor *mon, const QDict *qdict);
+ void hmp_block_stream(Monitor *mon, const QDict *qdict);
++void hmp_backup(Monitor *mon, const QDict *qdict);
++void hmp_backup_cancel(Monitor *mon, const QDict *qdict);
+ void hmp_block_job_set_speed(Monitor *mon, const QDict *qdict);
+ void hmp_block_job_cancel(Monitor *mon, const QDict *qdict);
+ void hmp_block_job_pause(Monitor *mon, const QDict *qdict);
+diff --git a/include/block/block_int.h b/include/block/block_int.h
+index db4650e..0f79b51 100644
+--- a/include/block/block_int.h
++++ b/include/block/block_int.h
+@@ -59,7 +59,7 @@
+ #define BLOCK_PROBE_BUF_SIZE        512
+-typedef int BackupDumpFunc(void *opaque, BlockDriverState *bs,
++typedef int BackupDumpFunc(void *opaque, BlockBackend *be,
+                            int64_t sector_num, int n_sectors, unsigned char *buf);
+ enum BdrvTrackedRequestType {
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 518c2ea..89d9ea6 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -356,6 +356,95 @@
+ ##
+ { 'command': 'query-events', 'returns': ['EventInfo'] }
++# @BackupStatus:
++#
++# Detailed backup status.
++#
++# @status: #optional string describing the current backup status.
++#          This can be 'active', 'done', 'error'. If this field is not
++#          returned, no backup process has been initiated
++#
++# @errmsg: #optional error message (only returned if status is 'error')
++#
++# @total: #optional total amount of bytes involved in the backup process
++#
++# @transferred: #optional amount of bytes already backed up.
++#
++# @zero-bytes: #optional amount of 'zero' bytes detected.
++#
++# @start-time: #optional time (epoch) when backup job started.
++#
++# @end-time: #optional time (epoch) when backup job finished.
++#
++# @backupfile: #optional backup file name
++#
++# @uuid: #optional uuid for this backup job
++#
++##
++{ 'struct': 'BackupStatus',
++  'data': {'*status': 'str', '*errmsg': 'str', '*total': 'int',
++           '*transferred': 'int', '*zero-bytes': 'int',
++           '*start-time': 'int', '*end-time': 'int',
++           '*backup-file': 'str', '*uuid': 'str' } }
++
++##
++# @BackupFormat
++#
++# An enumeration of supported backup formats.
++#
++# @vma: Proxmox vma backup format
++##
++{ 'enum': 'BackupFormat',
++  'data': [ 'vma' ] }
++
++##
++# @backup:
++#
++# Starts a VM backup.
++#
++# @backup-file: the backup file name
++#
++# @format: format of the backup file
++#
++# @config-filename: #optional name of a configuration file to include into
++# the backup archive.
++#
++# @speed: #optional the maximum speed, in bytes per second
++#
++# @devlist: #optional list of block device names (separated by ',', ';'
++# or ':'). By default the backup includes all writable block devices.
++#
++# Returns: the uuid of the backup job
++#
++##
++{ 'command': 'backup', 'data': { 'backup-file': 'str',
++                                    '*format': 'BackupFormat',
++                                    '*config-file': 'str',
++                                    '*devlist': 'str', '*speed': 'int' },
++  'returns': 'UuidInfo' }
++
++##
++# @query-backup
++#
++# Returns information about current/last backup task.
++#
++# Returns: @BackupStatus
++#
++##
++{ 'command': 'query-backup', 'returns': 'BackupStatus' }
++
++##
++# @backup-cancel
++#
++# Cancel the current executing backup process.
++#
++# Returns: nothing on success
++#
++# Notes: This command succeeds even if there is no backup process running.
++#
++##
++{ 'command': 'backup-cancel' }
++
+ ##
+ # @MigrationStats
+ #
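Review bot: The doc comments do not match the declared member names: BackupStatus documents @backupfile while the struct member is 'backup-file', and the backup command documents @config-filename while the argument is 'config-file'. @format is also described without "#optional" although '*format' is optional. Align the comments with the 'data' keys so that generated documentation and clients see the real names.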
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index 6de28d4..a8e8522 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -1314,6 +1314,24 @@ Example:
+ EQMP
+     {
++        .name       = "backup",
++        .args_type  = "backup-file:s,format:s?,config-file:F?,speed:o?,devlist:s?",
++        .mhandler.cmd_new = qmp_marshal_backup,
++    },
++
++    {
++        .name       = "backup-cancel",
++        .args_type  = "",
++        .mhandler.cmd_new = qmp_marshal_backup_cancel,
++    },
++
++    {
++        .name       = "query-backup",
++        .args_type  = "",
++        .mhandler.cmd_new = qmp_marshal_query_backup,
++    },
++
++    {
+         .name       = "block-job-set-speed",
+         .args_type  = "device:B,speed:o",
+         .mhandler.cmd_new = qmp_marshal_block_job_set_speed,
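Review bot: The three new entries (backup, backup-cancel, query-backup) come without an SQMP/EQMP documentation block, although the hunk context shows the preceding command ending one with an "Example:" section; add a short description of the arguments and an example for each command.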
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0016-backup-vma-add-dir-format.patch b/debian/patches/pve/0016-backup-vma-add-dir-format.patch
new file mode 100644 (file)
index 0000000..3a53dd3
--- /dev/null
@@ -0,0 +1,286 @@
+From 210be0fc498989e7b029de90b9d2599fdcc343d3 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:21:54 +0100
+Subject: [PATCH 16/47] backup: vma: add dir format
+
+---
+ blockdev.c       | 124 +++++++++++++++++++++++++++++++++++++++++--------------
+ hmp-commands.hx  |   8 ++--
+ hmp.c            |   4 +-
+ qapi-schema.json |   2 +-
+ vma.c            |   2 +-
+ 5 files changed, 103 insertions(+), 37 deletions(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index 5417bb0..d8b1db8 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3001,6 +3001,8 @@ typedef struct PVEBackupDevInfo {
+     uint8_t dev_id;
+     //bool started;
+     bool completed;
++    char targetfile[PATH_MAX];
++    BlockDriverState *target;
+ } PVEBackupDevInfo;
+ static void pvebackup_run_next_job(void);
+@@ -3069,8 +3071,6 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+ {
+     PVEBackupDevInfo *di = opaque;
+-    assert(backup_state.vmaw);
+-
+     di->completed = true;
+     if (ret < 0 && !backup_state.error) {
+@@ -3081,8 +3081,11 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+     BlockDriverState *bs = di->bs;
+     di->bs = NULL;
++    di->target = NULL;
+-    vma_writer_close_stream(backup_state.vmaw, di->dev_id);
++    if (backup_state.vmaw) {
++        vma_writer_close_stream(backup_state.vmaw, di->dev_id);
++    }
+     block_job_cb(bs, ret);
+@@ -3162,6 +3165,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+ {
+     BlockBackend *blk;
+     BlockDriverState *bs = NULL;
++    const char *backup_dir = NULL;
+     Error *local_err = NULL;
+     uuid_t uuid;
+     VmaWriter *vmaw = NULL;
+@@ -3179,11 +3183,6 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+     /* Todo: try to auto-detect format based on file name */
+     format = has_format ? format : BACKUP_FORMAT_VMA;
+-    if (format != BACKUP_FORMAT_VMA) {
+-        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "unknown backup format");
+-        return NULL;
+-    }
+-
+     if (has_devlist) {
+         devs = g_strsplit_set(devlist, ",;:", -1);
+@@ -3252,27 +3251,62 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+     uuid_generate(uuid);
+-    vmaw = vma_writer_create(backup_file, uuid, &local_err);
+-    if (!vmaw) {
+-        if (local_err) {
+-            error_propagate(errp, local_err);
++    if (format == BACKUP_FORMAT_VMA) {
++        vmaw = vma_writer_create(backup_file, uuid, &local_err);
++        if (!vmaw) {
++            if (local_err) {
++                error_propagate(errp, local_err);
++            }
++            goto err;
+         }
+-        goto err;
+-    }
+-    /* register all devices for vma writer */
+-    l = di_list;
+-    while (l) {
+-        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
+-        l = g_list_next(l);
++        /* register all devices for vma writer */
++        l = di_list;
++        while (l) {
++            PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++            l = g_list_next(l);
+-        const char *devname = bdrv_get_device_name(di->bs);
+-        di->dev_id = vma_writer_register_stream(vmaw, devname, di->size);
+-        if (di->dev_id <= 0) {
+-            error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+-                      "register_stream failed");
++            const char *devname = bdrv_get_device_name(di->bs);
++            di->dev_id = vma_writer_register_stream(vmaw, devname, di->size);
++            if (di->dev_id <= 0) {
++                error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                          "register_stream failed");
++                goto err;
++            }
++        }
++    } else if (format == BACKUP_FORMAT_DIR) {
++        if (mkdir(backup_file, 0640) != 0) {
++            error_setg_errno(errp, errno, "can't create directory '%s'\n",
++                             backup_file);
+             goto err;
+         }
++        backup_dir = backup_file;
++
++        l = di_list;
++        while (l) {
++            PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
++            l = g_list_next(l);
++
++            const char *devname = bdrv_get_device_name(di->bs);
++            snprintf(di->targetfile, PATH_MAX, "%s/%s.raw", backup_dir, devname);
++
++            int flags = BDRV_O_RDWR;
++            bdrv_img_create(di->targetfile, "raw", NULL, NULL, NULL,
++                            di->size, flags, &local_err, false);
++            if (local_err) {
++                error_propagate(errp, local_err);
++                goto err;
++            }
++
++            di->target = bdrv_open(di->targetfile, NULL, NULL, flags, &local_err);
++            if (!di->target) {
++                error_propagate(errp, local_err);
++                goto err;
++            }
++        }
++    } else {
++       error_set(errp, ERROR_CLASS_GENERIC_ERROR, "unknown backup format");
++       goto err;
+     }
+     /* add configuration file to archive */
+@@ -3285,12 +3319,27 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+             goto err;
+         }
+-        const char *basename = g_path_get_basename(config_file);
+-        if (vma_writer_add_config(vmaw, basename, cdata, clen) != 0) {
+-            error_setg(errp, "unable to add config data to vma archive");
+-            g_free(cdata);
+-            goto err;
++        char *basename = g_path_get_basename(config_file);
++
++        if (format == BACKUP_FORMAT_VMA) {
++            if (vma_writer_add_config(vmaw, basename, cdata, clen) != 0) {
++                error_setg(errp, "unable to add config data to vma archive");
++                g_free(cdata);
++                g_free(basename);
++                goto err;
++            }
++        } else if (format == BACKUP_FORMAT_DIR) {
++            char config_path[PATH_MAX];
++            snprintf(config_path, PATH_MAX, "%s/%s", backup_dir, basename);
++            if (!g_file_set_contents(config_path, cdata, clen, &err)) {
++                error_setg(errp, "unable to write config file '%s'", config_path);
++                g_free(cdata);
++                g_free(basename);
++                goto err;
++            }
+         }
++
++        g_free(basename);
+         g_free(cdata);
+     }
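Review bot: In the BACKUP_FORMAT_DIR branch the GError filled in by g_file_set_contents() is neither reported nor freed; put err->message into the error_setg text and call g_error_free(err). The snprintf into config_path is unchecked, so an over-long backup_dir/basename combination is silently truncated and the config ends up under a different name than intended.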
+@@ -3330,7 +3379,7 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+         PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
+         l = g_list_next(l);
+-        backup_start(NULL, di->bs, NULL, speed, MIRROR_SYNC_MODE_FULL, NULL,
++        backup_start(NULL, di->bs, di->target, speed, MIRROR_SYNC_MODE_FULL, NULL,
+                      BLOCKDEV_ON_ERROR_REPORT, BLOCKDEV_ON_ERROR_REPORT,
+                      pvebackup_dump_cb, pvebackup_complete_cb, di,
+                      1, NULL, &local_err);
+@@ -3352,8 +3401,17 @@ err:
+     l = di_list;
+     while (l) {
+-        g_free(l->data);
++        PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
+         l = g_list_next(l);
++
++        if (di->target) {
++            bdrv_unref(di->target);
++        }
++
++        if (di->targetfile[0]) {
++            unlink(di->targetfile);
++        }
++        g_free(di);
+     }
+     g_list_free(di_list);
+@@ -3367,6 +3425,10 @@ err:
+         unlink(backup_file);
+     }
++    if (backup_dir) {
++        rmdir(backup_dir);
++    }
++
+     return NULL;
+ }
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index 8f2f3e0..0e20ef9 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -89,9 +89,11 @@ ETEXI
+    {
+         .name       = "backup",
+-        .args_type  = "backupfile:s,speed:o?,devlist:s?",
+-        .params     = "backupfile [speed [devlist]]",
+-        .help       = "create a VM Backup.",
++        .args_type  = "directory:-d,backupfile:s,speed:o?,devlist:s?",
++        .params     = "[-d] backupfile [speed [devlist]]",
++        .help       = "create a VM Backup."
++                  "\n\t\t\t Use -d to dump data into a directory instead"
++                  "\n\t\t\t of using VMA format.",
+         .mhandler.cmd = hmp_backup,
+     },
+diff --git a/hmp.c b/hmp.c
+index 95da164..c23cf2f 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1544,11 +1544,13 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+ {
+     Error *error = NULL;
++    int dir = qdict_get_try_bool(qdict, "directory", 0);
+     const char *backup_file = qdict_get_str(qdict, "backupfile");
+     const char *devlist = qdict_get_try_str(qdict, "devlist");
+     int64_t speed = qdict_get_try_int(qdict, "speed", 0);
+-    qmp_backup(backup_file, true, BACKUP_FORMAT_VMA, false, NULL, !!devlist,
++    qmp_backup(backup_file, true, dir ? BACKUP_FORMAT_DIR : BACKUP_FORMAT_VMA,
++               false, NULL, !!devlist,
+                devlist, qdict_haskey(qdict, "speed"), speed, &error);
+     hmp_handle_error(mon, &error);
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 89d9ea6..147137d 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -395,7 +395,7 @@
+ # @vma: Proxmox vma backup format
+ ##
+ { 'enum': 'BackupFormat',
+-  'data': [ 'vma' ] }
++  'data': [ 'vma', 'dir' ] }
+ ##
+ # @backup:
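Review bot: 'dir' is added to the BackupFormat enum, but the doc comment above it still lists only @vma; add an "@dir:" line that describes the directory format.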
+diff --git a/vma.c b/vma.c
+index 79bdd00..c88a4358 100644
+--- a/vma.c
++++ b/vma.c
+@@ -263,7 +263,7 @@ static int extract_content(int argc, char **argv)
+             g_free(statefn);
+         } else if (di) {
+             char *devfn = NULL;
+-            int flags = BDRV_O_RDWR|BDRV_O_CACHE_WB;
++            int flags = BDRV_O_RDWR;
+             bool write_zero = true;
+             if (readmap) {
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch b/debian/patches/pve/0017-backup-do-not-return-errors-in-dump-callback.patch
new file mode 100644 (file)
index 0000000..48a914d
--- /dev/null
@@ -0,0 +1,77 @@
+From 8a10cce2efa3d8906617939a5c644c9cb7104ef6 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:22:19 +0100
+Subject: [PATCH 17/47] backup: do not return errors in dump callback
+
+---
+ blockdev.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index d8b1db8..fb71cdc 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3013,6 +3013,11 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+ {
+     PVEBackupDevInfo *di = opaque;
++    int size = n_sectors * BDRV_SECTOR_SIZE;
++    if (backup_state.cancel) {
++        return size; // return success
++    }
++
+     if (sector_num & 0x7f) {
+         if (!backup_state.error) {
+             error_setg(&backup_state.error,
+@@ -3023,7 +3028,6 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+     }
+     int64_t cluster_num = sector_num >> 7;
+-    int size = n_sectors * BDRV_SECTOR_SIZE;
+     int ret = -1;
+@@ -3031,17 +3035,27 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+         size_t zero_bytes = 0;
+         ret = vma_writer_write(backup_state.vmaw, di->dev_id, cluster_num,
+                                buf, &zero_bytes);
+-        backup_state.zero_bytes += zero_bytes;
++        if (ret < 0) {
++            if (!backup_state.error) {
++                error_setg(&backup_state.error, "vma_writer_write error %d", ret);
++            }
++            if (di->bs && di->bs->job) {
++                block_job_cancel(di->bs->job);
++            }
++        } else {
++            backup_state.zero_bytes += zero_bytes;
++            backup_state.transferred += size;
++        }
+     } else {
+-        ret = size;
+         if (!buf) {
+             backup_state.zero_bytes += size;
+         }
++        backup_state.transferred += size;
+     }
+-    backup_state.transferred += size;
++    // Note: always return success, because we want that writes succeed anyways.
+-    return ret;
++    return size;
+ }
+ static void pvebackup_cleanup(void)
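Review bot: The subject says the dump callback no longer returns errors, but the unaligned-sector check at the top of pvebackup_dump_cb is left untouched and, as added by the previous patch, still returns -1; either convert it the same way or state in the commit message why that case is exempt. After this change `ret` is only used to test the result of vma_writer_write, so it can be scoped to that branch, and the new "always return success" comment should say that the failure is reported through backup_state.error and block_job_cancel() instead.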
+@@ -3113,7 +3127,7 @@ static void pvebackup_cancel(void *opaque)
+             BlockJob *job = di->bs->job;
+             if (job) {
+                 if (!di->completed) {
+-                    block_job_cancel_sync(job);
++                     block_job_cancel_sync(job);
+                 }
+             }
+         }
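Review bot: the only change in this hunk is whitespace: the re-added `block_job_cancel_sync(job);` line gains one extra space and no longer lines up with the surrounding block. Drop the hunk from the patch.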
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch b/debian/patches/pve/0018-backup-vma-correctly-propagate-error.patch
new file mode 100644 (file)
index 0000000..4da2832
--- /dev/null
@@ -0,0 +1,57 @@
+From c31ba8ff9485b7648ca45952b9e7ccd74c50ac40 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:39:36 +0100
+Subject: [PATCH 18/47] backup: vma: correctly propagate error
+
+---
+ blockdev.c   | 2 +-
+ vma-writer.c | 7 +++++++
+ vma.h        | 1 +
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index fb71cdc..2e51913 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3037,7 +3037,7 @@ static int pvebackup_dump_cb(void *opaque, BlockBackend *target,
+                                buf, &zero_bytes);
+         if (ret < 0) {
+             if (!backup_state.error) {
+-                error_setg(&backup_state.error, "vma_writer_write error %d", ret);
++                vma_writer_error_propagate(backup_state.vmaw, &backup_state.error);
+             }
+             if (di->bs && di->bs->job) {
+                 block_job_cancel(di->bs->job);
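Review bot: replacing the error_setg call here loses the fallback message. vma_writer_error_propagate, as added in this patch, sets the error only when `vmaw->status < 0`, so if vma_writer_write returns a negative value without having recorded a status, `backup_state.error` stays NULL while the job is still cancelled. Keep a generic error_setg that includes `ret` for the case where the propagate call leaves the error unset.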
+diff --git a/vma-writer.c b/vma-writer.c
+index b0cf529..689e988 100644
+--- a/vma-writer.c
++++ b/vma-writer.c
+@@ -792,6 +792,13 @@ vma_writer_write(VmaWriter *vmaw, uint8_t dev_id, int64_t cluster_num,
+     return transferred;
+ }
++void vma_writer_error_propagate(VmaWriter *vmaw, Error **errp)
++{
++    if (vmaw->status < 0 && *errp == NULL) {
++        error_setg(errp, "%s", vmaw->errmsg);
++    }
++}
++
+ int vma_writer_close(VmaWriter *vmaw, Error **errp)
+ {
+     g_assert(vmaw != NULL);
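Review bot: vma_writer_error_propagate dereferences `*errp` without checking `errp`, and it does not assert `vmaw` the way vma_writer_close right below it does with `g_assert(vmaw != NULL)`. If callers may pass a NULL `errp`, guard for it, otherwise document that it must be non-NULL, and add the same assertion on `vmaw`. A short comment on the declaration in vma.h saying the call is a no-op unless the writer has a recorded error would also help.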
+diff --git a/vma.h b/vma.h
+index 9bb6ea4..98377e4 100644
+--- a/vma.h
++++ b/vma.h
+@@ -116,6 +116,7 @@ typedef struct VmaDeviceInfo {
+ VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp);
+ int vma_writer_close(VmaWriter *vmaw, Error **errp);
++void vma_writer_error_propagate(VmaWriter *vmaw, Error **errp);
+ void vma_writer_destroy(VmaWriter *vmaw);
+ int vma_writer_add_config(VmaWriter *vmaw, const char *name, gpointer data,
+                           size_t len);
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0019-backup-vma-remove-async-queue.patch b/debian/patches/pve/0019-backup-vma-remove-async-queue.patch
new file mode 100644 (file)
index 0000000..50a2063
--- /dev/null
@@ -0,0 +1,317 @@
+From fb3d52b336cd8404055bf0b3b8d825c6f5247fef Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:40:00 +0100
+Subject: [PATCH 19/47] backup: vma: remove async queue
+
+---
+ blockdev.c   |   6 ++
+ vma-writer.c | 179 +++++++++++------------------------------------------------
+ 2 files changed, 38 insertions(+), 147 deletions(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index 2e51913..1491c2d 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3116,6 +3116,11 @@ static void pvebackup_cancel(void *opaque)
+         error_setg(&backup_state.error, "backup cancelled");
+     }
++    if (backup_state.vmaw) {
++        /* make sure vma writer does not block anymore */
++        vma_writer_set_error(backup_state.vmaw, "backup cancelled");
++    }
++
+     /* drain all i/o (awake jobs waiting for aio) */
+     bdrv_drain_all();
+@@ -3128,6 +3133,7 @@ static void pvebackup_cancel(void *opaque)
+             if (job) {
+                 if (!di->completed) {
+                      block_job_cancel_sync(job);
++                     bdrv_drain_all(); /* drain all i/o (awake jobs waiting for aio) */
+                 }
+             }
+         }
+diff --git a/vma-writer.c b/vma-writer.c
+index 689e988..6d3119d 100644
+--- a/vma-writer.c
++++ b/vma-writer.c
+@@ -28,14 +28,8 @@
+     do { if (DEBUG_VMA) { printf("vma: " fmt, ## __VA_ARGS__); } } while (0)
+ #define WRITE_BUFFERS 5
+-
+-typedef struct VmaAIOCB VmaAIOCB;
+-struct VmaAIOCB {
+-    unsigned char buffer[VMA_MAX_EXTENT_SIZE];
+-    VmaWriter *vmaw;
+-    size_t bytes;
+-    Coroutine *co;
+-};
++#define HEADER_CLUSTERS 8
++#define HEADERBUF_SIZE (VMA_CLUSTER_SIZE*HEADER_CLUSTERS)
+ struct VmaWriter {
+     int fd;
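Review bot: `#define WRITE_BUFFERS 5` is kept although every use of it visible in this patch (the `aiocbs` array and the two loops over it) is removed. Delete the define if nothing else in the file refers to it.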
+@@ -47,16 +41,14 @@ struct VmaWriter {
+     bool closed;
+     /* we always write extents */
+-    unsigned char outbuf[VMA_MAX_EXTENT_SIZE];
++    unsigned char *outbuf;
+     int outbuf_pos; /* in bytes */
+     int outbuf_count; /* in VMA_BLOCKS */
+     uint64_t outbuf_block_info[VMA_BLOCKS_PER_EXTENT];
+-    VmaAIOCB *aiocbs[WRITE_BUFFERS];
+-    CoQueue wqueue;
++    unsigned char *headerbuf;
+     GChecksum *md5csum;
+-    CoMutex writer_lock;
+     CoMutex flush_lock;
+     Coroutine *co_writer;
+@@ -217,38 +209,39 @@ static void vma_co_continue_write(void *opaque)
+ }
+ static ssize_t coroutine_fn
+-vma_co_write(VmaWriter *vmaw, const void *buf, size_t bytes)
++vma_queue_write(VmaWriter *vmaw, const void *buf, size_t bytes)
+ {
+-    size_t done = 0;
+-    ssize_t ret;
++    DPRINTF("vma_queue_write enter %zd\n", bytes);
+-    /* atomic writes (we cannot interleave writes) */
+-    qemu_co_mutex_lock(&vmaw->writer_lock);
++    assert(vmaw);
++    assert(buf);
++    assert(bytes <= VMA_MAX_EXTENT_SIZE);
+-    DPRINTF("vma_co_write enter %zd\n", bytes);
++    size_t done = 0;
++    ssize_t ret;
+     assert(vmaw->co_writer == NULL);
+     vmaw->co_writer = qemu_coroutine_self();
+-    aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, vmaw);
+-
+-    DPRINTF("vma_co_write wait until writable\n");
+-    qemu_coroutine_yield();
+-    DPRINTF("vma_co_write starting %zd\n", bytes);
+-
+     while (done < bytes) {
++        aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, vma_co_continue_write, vmaw);
++        qemu_coroutine_yield();
++        aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL);
++        if (vmaw->status < 0) {
++            DPRINTF("vma_queue_write detected canceled backup\n");
++            done = -1;
++            break;
++        }
+         ret = write(vmaw->fd, buf + done, bytes - done);
+         if (ret > 0) {
+             done += ret;
+-            DPRINTF("vma_co_write written %zd %zd\n", done, ret);
++            DPRINTF("vma_queue_write written %zd %zd\n", done, ret);
+         } else if (ret < 0) {
+             if (errno == EAGAIN || errno == EWOULDBLOCK) {
+-                DPRINTF("vma_co_write yield %zd\n", done);
+-                qemu_coroutine_yield();
+-                DPRINTF("vma_co_write restart %zd\n", done);
+-            } else {
+-                vma_writer_set_error(vmaw, "vma_co_write write error - %s",
++                /* try again */
++           } else {
++                vma_writer_set_error(vmaw, "vma_queue_write: write error - %s",
+                                      g_strerror(errno));
+                 done = -1; /* always return failure for partial writes */
+                 break;
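Review bot: in vma_queue_write `done` is declared `size_t` but is assigned `-1` in both error paths, which stores SIZE_MAX rather than a negative value. The function only behaves correctly because the return expression added further down compares `done` against `bytes`; a separate failure flag or an `ssize_t` result would make the intent explicit. The `} else {` after the new `/* try again */` comment is also indented one column short.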
+@@ -258,102 +251,9 @@ vma_co_write(VmaWriter *vmaw, const void *buf, size_t bytes)
+         }
+     }
+-    aio_set_fd_handler(qemu_get_aio_context(), vmaw->fd, false, NULL, NULL, NULL);
+-
+     vmaw->co_writer = NULL;
+-
+-    qemu_co_mutex_unlock(&vmaw->writer_lock);
+-
+-    DPRINTF("vma_co_write leave %zd\n", done);
+-    return done;
+-}
+-
+-static void coroutine_fn vma_co_writer_task(void *opaque)
+-{
+-    VmaAIOCB *cb = opaque;
+-
+-    DPRINTF("vma_co_writer_task start\n");
+-
+-    int64_t done = vma_co_write(cb->vmaw, cb->buffer, cb->bytes);
+-    DPRINTF("vma_co_writer_task write done %zd\n", done);
+-
+-    if (done != cb->bytes) {
+-        DPRINTF("vma_co_writer_task failed write %zd %zd", cb->bytes, done);
+-        vma_writer_set_error(cb->vmaw, "vma_co_writer_task failed write %zd",
+-                             done);
+-    }
+-
+-    cb->bytes = 0;
+-
+-    qemu_co_queue_next(&cb->vmaw->wqueue);
+-
+-    DPRINTF("vma_co_writer_task end\n");
+-}
+-
+-static void coroutine_fn vma_queue_flush(VmaWriter *vmaw)
+-{
+-    DPRINTF("vma_queue_flush enter\n");
+-
+-    assert(vmaw);
+-
+-    while (1) {
+-        int i;
+-        VmaAIOCB *cb = NULL;
+-        for (i = 0; i < WRITE_BUFFERS; i++) {
+-            if (vmaw->aiocbs[i]->bytes) {
+-                cb = vmaw->aiocbs[i];
+-                DPRINTF("FOUND USED AIO BUFFER %d %zd\n", i,
+-                        vmaw->aiocbs[i]->bytes);
+-                break;
+-            }
+-        }
+-        if (!cb) {
+-            break;
+-        }
+-        qemu_co_queue_wait(&vmaw->wqueue);
+-    }
+-
+-    DPRINTF("vma_queue_flush leave\n");
+-}
+-
+-/**
+- * NOTE: pipe buffer size in only 4096 bytes on linux (see 'ulimit -a')
+- * So we need to create a coroutione to allow 'parallel' execution.
+- */
+-static ssize_t coroutine_fn
+-vma_queue_write(VmaWriter *vmaw, const void *buf, size_t bytes)
+-{
+-    DPRINTF("vma_queue_write enter %zd\n", bytes);
+-
+-    assert(vmaw);
+-    assert(buf);
+-    assert(bytes <= VMA_MAX_EXTENT_SIZE);
+-
+-    VmaAIOCB *cb = NULL;
+-    while (!cb) {
+-        int i;
+-        for (i = 0; i < WRITE_BUFFERS; i++) {
+-            if (!vmaw->aiocbs[i]->bytes) {
+-                cb = vmaw->aiocbs[i];
+-                break;
+-            }
+-        }
+-        if (!cb) {
+-            qemu_co_queue_wait(&vmaw->wqueue);
+-        }
+-    }
+-
+-    memcpy(cb->buffer, buf, bytes);
+-    cb->bytes = bytes;
+-    cb->vmaw = vmaw;
+-
+-    DPRINTF("vma_queue_write start %zd\n", bytes);
+-    cb->co = qemu_coroutine_create(vma_co_writer_task);
+-    qemu_coroutine_enter(cb->co, cb);
+-
+-    DPRINTF("vma_queue_write leave\n");
+-
+-    return bytes;
++    
++    return (done == bytes) ? bytes : -1;
+ }
+ VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp)
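Review bot: the removed NOTE explained that the small pipe buffer was the reason writes were handed to a separate coroutine, and nothing replaces it. Add a comment on vma_queue_write stating that it now yields in the calling coroutine until the whole buffer is written or the writer has an error, since callers can no longer assume it returns immediately. The added line just before the `return` consists only of trailing whitespace and should be empty.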
+@@ -420,20 +320,16 @@ VmaWriter *vma_writer_create(const char *filename, uuid_t uuid, Error **errp)
+     }
+     /* we use O_DIRECT, so we need to align IO buffers */
+-    int i;
+-    for (i = 0; i < WRITE_BUFFERS; i++) {
+-        vmaw->aiocbs[i] = qemu_memalign(512, sizeof(VmaAIOCB));
+-        memset(vmaw->aiocbs[i], 0, sizeof(VmaAIOCB));
+-    }
++
++    vmaw->outbuf = qemu_memalign(512, VMA_MAX_EXTENT_SIZE);
++    vmaw->headerbuf = qemu_memalign(512, HEADERBUF_SIZE);
+     vmaw->outbuf_count = 0;
+     vmaw->outbuf_pos = VMA_EXTENT_HEADER_SIZE;
+     vmaw->header_blob_table_pos = 1; /* start at pos 1 */
+-    qemu_co_mutex_init(&vmaw->writer_lock);
+     qemu_co_mutex_init(&vmaw->flush_lock);
+-    qemu_co_queue_init(&vmaw->wqueue);
+     uuid_copy(vmaw->uuid, uuid);
+@@ -460,8 +356,7 @@ err:
+ static int coroutine_fn vma_write_header(VmaWriter *vmaw)
+ {
+     assert(vmaw);
+-    int header_clusters = 8;
+-    char buf[65536*header_clusters];
++    unsigned char *buf = vmaw->headerbuf;
+     VmaHeader *head = (VmaHeader *)buf;
+     int i;
+@@ -472,7 +367,7 @@ static int coroutine_fn vma_write_header(VmaWriter *vmaw)
+         return vmaw->status;
+     }
+-    memset(buf, 0, sizeof(buf));
++    memset(buf, 0, HEADERBUF_SIZE);
+     head->magic = VMA_MAGIC;
+     head->version = GUINT32_TO_BE(1); /* v1 */
+@@ -507,7 +402,7 @@ static int coroutine_fn vma_write_header(VmaWriter *vmaw)
+     uint32_t header_size = sizeof(VmaHeader) + vmaw->header_blob_table_size;
+     head->header_size = GUINT32_TO_BE(header_size);
+-    if (header_size > sizeof(buf)) {
++    if (header_size > HEADERBUF_SIZE) {
+         return -1; /* just to be sure */
+     }
+@@ -805,13 +700,7 @@ int vma_writer_close(VmaWriter *vmaw, Error **errp)
+     int i;
+-    vma_queue_flush(vmaw);
+-
+-    /* this should not happen - just to be sure */
+-    while (!qemu_co_queue_empty(&vmaw->wqueue)) {
+-        DPRINTF("vma_writer_close wait\n");
+-        co_aio_sleep_ns(qemu_get_aio_context(), QEMU_CLOCK_REALTIME, 1000000);
+-    }
++    assert(vmaw->co_writer == NULL);
+     if (vmaw->cmd) {
+         if (pclose(vmaw->cmd) < 0) {
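Review bot: `assert(vmaw->co_writer == NULL);` in vma_writer_close turns a close that happens while a write is still in flight into an abort of the whole QEMU process, where the removed code waited for pending writes. Either wait for the writer to finish or fail the close with an error through `errp`.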
+@@ -869,9 +758,5 @@ void vma_writer_destroy(VmaWriter *vmaw)
+         g_checksum_free(vmaw->md5csum);
+     }
+-    for (i = 0; i < WRITE_BUFFERS; i++) {
+-        free(vmaw->aiocbs[i]);
+-    }
+-
+     g_free(vmaw);
+ }
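Review bot: vma_writer_destroy drops the loop that freed the `aiocbs` buffers, but no line in this patch frees the `outbuf` and `headerbuf` that vma_writer_create now allocates with qemu_memalign, so both leak for every writer that is destroyed. Release them here with qemu_vfree, the counterpart of qemu_memalign, before `g_free(vmaw);`.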
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch b/debian/patches/pve/0020-backup-vma-run-flush-inside-coroutine.patch
new file mode 100644 (file)
index 0000000..6de18b2
--- /dev/null
@@ -0,0 +1,56 @@
+From 3e0869f3ef3fc5537d90d22cde89f1384b164e70 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:40:42 +0100
+Subject: [PATCH 20/47] backup: vma: run flush inside coroutine
+
+---
+ blockdev.c   | 10 +++++++++-
+ vma-writer.c |  4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index 1491c2d..f3c0c58 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3081,6 +3081,13 @@ static void pvebackup_cleanup(void)
+     }
+ }
++static void coroutine_fn backup_close_vma_stream(void *opaque)
++{
++    PVEBackupDevInfo *di = opaque;
++
++    vma_writer_close_stream(backup_state.vmaw, di->dev_id);
++}
++
+ static void pvebackup_complete_cb(void *opaque, int ret)
+ {
+     PVEBackupDevInfo *di = opaque;
+@@ -3098,7 +3105,8 @@ static void pvebackup_complete_cb(void *opaque, int ret)
+     di->target = NULL;
+     if (backup_state.vmaw) {
+-        vma_writer_close_stream(backup_state.vmaw, di->dev_id);
++        Coroutine *co = qemu_coroutine_create(backup_close_vma_stream, di);
++        qemu_coroutine_enter(co);
+     }
+     block_job_cb(bs, ret);
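Review bot: in pvebackup_complete_cb, qemu_coroutine_enter returns as soon as backup_close_vma_stream yields, so if vma_writer_close_stream yields, `block_job_cb(bs, ret);` runs while the stream is still being closed and the coroutine keeps using `di` after this function has returned. Document what keeps `di` and `backup_state.vmaw` alive until the coroutine finishes, or wait for it before continuing.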
+diff --git a/vma-writer.c b/vma-writer.c
+index 6d3119d..79b7fd4 100644
+--- a/vma-writer.c
++++ b/vma-writer.c
+@@ -700,6 +700,10 @@ int vma_writer_close(VmaWriter *vmaw, Error **errp)
+     int i;
++    while (vmaw->co_writer) {
++        aio_poll(qemu_get_aio_context(), true);
++    }
++
+     assert(vmaw->co_writer == NULL);
+     if (vmaw->cmd) {
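Review bot: the new `while (vmaw->co_writer)` loop in vma_writer_close blocks in aio_poll with no exit condition other than the writer finishing; it does not look at `vmaw->status`, so a writer that never completes hangs the close. The `assert(vmaw->co_writer == NULL);` kept right after the loop can no longer fire and can be removed.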
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch b/debian/patches/pve/0021-backup-do-not-use-bdrv_drain_all.patch
new file mode 100644 (file)
index 0000000..bc66245
--- /dev/null
@@ -0,0 +1,36 @@
+From e7cf613192638f5ac24629961c4010a3b3575ad6 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 15:41:13 +0100
+Subject: [PATCH 21/47] backup: do not use bdrv_drain_all
+
+---
+ blockdev.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index f3c0c58..2371cf3 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3129,9 +3129,6 @@ static void pvebackup_cancel(void *opaque)
+         vma_writer_set_error(backup_state.vmaw, "backup cancelled");
+     }
+-    /* drain all i/o (awake jobs waiting for aio) */
+-    bdrv_drain_all();
+-
+     GList *l = backup_state.di_list;
+     while (l) {
+         PVEBackupDevInfo *di = (PVEBackupDevInfo *)l->data;
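Review bot: this hunk removes the bdrv_drain_all call after vma_writer_set_error together with its comment about waking jobs that wait for aio, and the patch has no description saying what wakes those jobs now. State the reason in the commit message, for example which earlier change in the series makes the drain unnecessary.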
+@@ -3140,8 +3137,7 @@ static void pvebackup_cancel(void *opaque)
+             BlockJob *job = di->bs->job;
+             if (job) {
+                 if (!di->completed) {
+-                     block_job_cancel_sync(job);
+-                     bdrv_drain_all(); /* drain all i/o (awake jobs waiting for aio) */
++                    block_job_cancel_sync(job);
+                 }
+             }
+         }
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0022-internal-snapshot-async.patch b/debian/patches/pve/0022-internal-snapshot-async.patch
new file mode 100644 (file)
index 0000000..3c7cfcb
--- /dev/null
@@ -0,0 +1,1000 @@
+From ddfc29076293a794f0d9cc74c0c822c144e7ecbc Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 16:04:32 +0100
+Subject: [PATCH 22/47] internal snapshot async
+
+---
+ Makefile.objs           |   1 +
+ block.c                 |   2 +-
+ hmp-commands-info.hx    |  13 ++
+ hmp-commands.hx         |  32 +++
+ hmp.c                   |  57 ++++++
+ hmp.h                   |   5 +
+ include/block/block.h   |   1 +
+ include/sysemu/sysemu.h |   5 +-
+ migration/savevm.c      |  12 +-
+ qapi-schema.json        |  46 +++++
+ qemu-options.hx         |  13 ++
+ qmp-commands.hx         |  30 +++
+ savevm-async.c          | 526 ++++++++++++++++++++++++++++++++++++++++++++++++
+ vl.c                    |   8 +
+ 14 files changed, 743 insertions(+), 8 deletions(-)
+ create mode 100644 savevm-async.c
+
+diff --git a/Makefile.objs b/Makefile.objs
+index 845edd0..7d9d2d7 100644
+--- a/Makefile.objs
++++ b/Makefile.objs
+@@ -53,6 +53,7 @@ common-obj-$(CONFIG_LINUX) += fsdev/
+ common-obj-y += migration/
+ common-obj-y += qemu-char.o #aio.o
+ common-obj-y += page_cache.o
++common-obj-y += savevm-async.o
+ common-obj-$(CONFIG_SPICE) += spice-qemu-char.o
+diff --git a/block.c b/block.c
+index 30d64e6..95c1d32 100644
+--- a/block.c
++++ b/block.c
+@@ -2288,7 +2288,7 @@ void bdrv_replace_in_backing_chain(BlockDriverState *old, BlockDriverState *new)
+     bdrv_unref(old);
+ }
+-static void bdrv_delete(BlockDriverState *bs)
++void bdrv_delete(BlockDriverState *bs)
+ {
+     assert(!bs->job);
+     assert(bdrv_op_blocker_is_empty(bs));
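Review bot: dropping `static` from bdrv_delete exports a function that starts with `assert(!bs->job)` and `assert(bdrv_op_blocker_is_empty(bs))`, so any new caller that gets the preconditions wrong aborts the process. Add a comment next to the new declaration in include/block/block.h spelling out the preconditions and why the caller cannot use bdrv_unref instead.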
+diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
+index 7616fe2..3046f9d 100644
+--- a/hmp-commands-info.hx
++++ b/hmp-commands-info.hx
+@@ -588,6 +588,19 @@ Show current migration xbzrle cache size.
+ ETEXI
+     {
++        .name       = "savevm",
++        .args_type  = "",
++        .params     = "",
++        .help       = "show savevm status",
++        .mhandler.cmd = hmp_info_savevm,
++    },
++
++STEXI
++@item info savevm
++show savevm status
++ETEXI
++
++    {
+         .name       = "balloon",
+         .args_type  = "",
+         .params     = "",
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index 0e20ef9..4d735cb 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -1791,3 +1791,35 @@ ETEXI
+ STEXI
+ @end table
+ ETEXI
++
++    {
++        .name       = "savevm-start",
++        .args_type  = "statefile:s?",
++        .params     = "[statefile]",
++        .help       = "Prepare for snapshot and halt VM. Save VM state to statefile.",
++        .mhandler.cmd = hmp_savevm_start,
++    },
++
++    {
++        .name       = "snapshot-drive",
++        .args_type  = "device:s,name:s",
++        .params     = "device name",
++        .help       = "Create internal snapshot.",
++        .mhandler.cmd = hmp_snapshot_drive,
++    },
++
++    {
++        .name       = "delete-drive-snapshot",
++        .args_type  = "device:s,name:s",
++        .params     = "device name",
++        .help       = "Delete internal snapshot.",
++        .mhandler.cmd = hmp_delete_drive_snapshot,
++    },
++
++    {
++        .name       = "savevm-end",
++        .args_type  = "",
++        .params     = "",
++        .help       = "Resume VM after snaphot.",
++        .mhandler.cmd = hmp_savevm_end,
++    },
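Review bot: the help string for `savevm-end` reads "Resume VM after snaphot."; that should be "snapshot". The four commands added here also have no STEXI/ETEXI documentation block, unlike the `info savevm` entry that the same patch adds in hmp-commands-info.hx.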
+diff --git a/hmp.c b/hmp.c
+index c23cf2f..030fd97 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -2117,6 +2117,63 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
+     qapi_free_MemoryDeviceInfoList(info_list);
+ }
++void hmp_savevm_start(Monitor *mon, const QDict *qdict)
++{
++    Error *errp = NULL;
++    const char *statefile = qdict_get_try_str(qdict, "statefile");
++
++    qmp_savevm_start(statefile != NULL, statefile, &errp);
++    hmp_handle_error(mon, &errp);
++}
++
++void hmp_snapshot_drive(Monitor *mon, const QDict *qdict)
++{
++    Error *errp = NULL;
++    const char *name = qdict_get_str(qdict, "name");
++    const char *device = qdict_get_str(qdict, "device");
++
++    qmp_snapshot_drive(device, name, &errp);
++    hmp_handle_error(mon, &errp);
++}
++
++void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict)
++{
++    Error *errp = NULL;
++    const char *name = qdict_get_str(qdict, "name");
++    const char *device = qdict_get_str(qdict, "device");
++
++    qmp_delete_drive_snapshot(device, name, &errp);
++    hmp_handle_error(mon, &errp);
++}
++
++void hmp_savevm_end(Monitor *mon, const QDict *qdict)
++{
++    Error *errp = NULL;
++
++    qmp_savevm_end(&errp);
++    hmp_handle_error(mon, &errp);
++}
++
++void hmp_info_savevm(Monitor *mon, const QDict *qdict)
++{
++    SaveVMInfo *info;
++    info = qmp_query_savevm(NULL);
++
++    if (info->has_status) {
++        monitor_printf(mon, "savevm status: %s\n", info->status);
++        monitor_printf(mon, "total time: %" PRIu64 " milliseconds\n",
++                       info->total_time);
++    } else {
++        monitor_printf(mon, "savevm status: not running\n");
++    }
++    if (info->has_bytes) {
++        monitor_printf(mon, "Bytes saved: %"PRIu64"\n", info->bytes);
++    }
++    if (info->has_error) {
++        monitor_printf(mon, "Error: %s\n", info->error);
++    }
++}
++
+ void hmp_info_iothreads(Monitor *mon, const QDict *qdict)
+ {
+     IOThreadInfoList *info_list = qmp_query_iothreads(NULL);
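Review bot: hmp_info_savevm never frees the SaveVMInfo returned by qmp_query_savevm, so each `info savevm` call leaks the struct and the strings duplicated into it; free it with the generated qapi_free_SaveVMInfo before returning, the same way hmp_info_memory_devices frees its list just above. `total_time` is also printed under `has_status` rather than under `has_total_time`.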
+diff --git a/hmp.h b/hmp.h
+index 9a4c1f6..b74ddbf 100644
+--- a/hmp.h
++++ b/hmp.h
+@@ -26,6 +26,7 @@ void hmp_info_status(Monitor *mon, const QDict *qdict);
+ void hmp_info_uuid(Monitor *mon, const QDict *qdict);
+ void hmp_info_chardev(Monitor *mon, const QDict *qdict);
+ void hmp_info_mice(Monitor *mon, const QDict *qdict);
++void hmp_info_savevm(Monitor *mon, const QDict *qdict);
+ void hmp_info_migrate(Monitor *mon, const QDict *qdict);
+ void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict);
+ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict);
+@@ -92,6 +93,10 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict);
+ void hmp_netdev_del(Monitor *mon, const QDict *qdict);
+ void hmp_getfd(Monitor *mon, const QDict *qdict);
+ void hmp_closefd(Monitor *mon, const QDict *qdict);
++void hmp_savevm_start(Monitor *mon, const QDict *qdict);
++void hmp_snapshot_drive(Monitor *mon, const QDict *qdict);
++void hmp_delete_drive_snapshot(Monitor *mon, const QDict *qdict);
++void hmp_savevm_end(Monitor *mon, const QDict *qdict);
+ void hmp_sendkey(Monitor *mon, const QDict *qdict);
+ void hmp_screendump(Monitor *mon, const QDict *qdict);
+ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict);
+diff --git a/include/block/block.h b/include/block/block.h
+index acddf3b..0f70a9d 100644
+--- a/include/block/block.h
++++ b/include/block/block.h
+@@ -256,6 +256,7 @@ BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
+ int bdrv_get_backing_file_depth(BlockDriverState *bs);
+ void bdrv_refresh_filename(BlockDriverState *bs);
+ int bdrv_truncate(BlockDriverState *bs, int64_t offset);
++void bdrv_delete(BlockDriverState *bs);
+ int64_t bdrv_nb_sectors(BlockDriverState *bs);
+ int64_t bdrv_getlength(BlockDriverState *bs);
+ int64_t bdrv_get_allocated_file_size(BlockDriverState *bs);
+diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
+index ee7c760..4875441 100644
+--- a/include/sysemu/sysemu.h
++++ b/include/sysemu/sysemu.h
+@@ -79,6 +79,7 @@ void qemu_remove_machine_init_done_notifier(Notifier *notify);
+ void hmp_savevm(Monitor *mon, const QDict *qdict);
+ int load_vmstate(const char *name);
++int load_state_from_blockdev(const char *filename);
+ void hmp_delvm(Monitor *mon, const QDict *qdict);
+ void hmp_info_snapshots(Monitor *mon, const QDict *qdict);
+@@ -106,13 +107,13 @@ enum qemu_vm_cmd {
+ #define MAX_VM_CMD_PACKAGED_SIZE (1ul << 24)
+ bool qemu_savevm_state_blocked(Error **errp);
+-void qemu_savevm_state_begin(QEMUFile *f,
++int qemu_savevm_state_begin(QEMUFile *f,
+                              const MigrationParams *params);
+ void qemu_savevm_state_header(QEMUFile *f);
+ int qemu_savevm_state_iterate(QEMUFile *f, bool postcopy);
+ void qemu_savevm_state_cleanup(void);
+ void qemu_savevm_state_complete_postcopy(QEMUFile *f);
+-void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only);
++int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only);
+ void qemu_savevm_state_pending(QEMUFile *f, uint64_t max_size,
+                                uint64_t *res_non_postcopiable,
+                                uint64_t *res_postcopiable);
+diff --git a/migration/savevm.c b/migration/savevm.c
+index 33a2911..b1bdfb6 100644
+--- a/migration/savevm.c
++++ b/migration/savevm.c
+@@ -879,11 +879,11 @@ void qemu_savevm_state_header(QEMUFile *f)
+ }
+-void qemu_savevm_state_begin(QEMUFile *f,
++int qemu_savevm_state_begin(QEMUFile *f,
+                              const MigrationParams *params)
+ {
+     SaveStateEntry *se;
+-    int ret;
++    int ret = 0;
+     trace_savevm_state_begin();
+     QTAILQ_FOREACH(se, &savevm_state.handlers, entry) {
+@@ -911,6 +911,7 @@ void qemu_savevm_state_begin(QEMUFile *f,
+             break;
+         }
+     }
++    return ret;
+ }
+ /*
+@@ -1014,7 +1015,7 @@ void qemu_savevm_state_complete_postcopy(QEMUFile *f)
+     qemu_fflush(f);
+ }
+-void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
++int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+ {
+     QJSON *vmdesc;
+     int vmdesc_len;
+@@ -1048,12 +1049,12 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+         save_section_footer(f, se);
+         if (ret < 0) {
+             qemu_file_set_error(f, ret);
+-            return;
++            return ret;
+         }
+     }
+     if (iterable_only) {
+-        return;
++        return ret;
+     }
+     vmdesc = qjson_new();
+@@ -1100,6 +1101,7 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+     qjson_destroy(vmdesc);
+     qemu_fflush(f);
++    return qemu_file_get_error(f);
+ }
+ /* Give an estimate of the amount left to be transferred,
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 147137d..0c0faf7 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -594,6 +594,42 @@
+            '*cpu-throttle-percentage': 'int',
+            '*error-desc': 'str'} }
++
++# @SaveVMInfo
++#
++# Information about current migration process.
++#
++# @status: #optional string describing the current savevm status.
++#          This can be 'active', 'completed', 'failed'.
++#          If this field is not returned, no savevm process
++#          has been initiated
++#
++# @error: #optional string containing error message is status is failed.
++#
++# @total-time: #optional total amount of milliseconds since savevm started.
++#        If savevm has ended, it returns the total save time
++#
++# @bytes: #optional total amount of data transfered
++#
++# Since: 1.3
++##
++{ 'struct': 'SaveVMInfo',
++  'data': {'*status': 'str', '*error': 'str',
++           '*total-time': 'int', '*bytes': 'int'} }
++
++##
++# @query-savevm
++#
++# Returns information about current savevm process.
++#
++# Returns: @SaveVMInfo
++#
++# Since: 1.3
++##
++{ 'command': 'query-savevm', 'returns': 'SaveVMInfo' }
++
++##
++
+ ##
+ # @query-migrate
+ #
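Review bot: the SaveVMInfo documentation block is missing its opening `##` line, describes the type as "Information about current migration process" although it reports savevm status, and contains the typos "is status is failed" and "transfered". The hunk also leaves a stray `##` followed by an empty line just before the existing `# @query-migrate` block; remove it.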
+@@ -3286,8 +3322,18 @@
+ #
+ # Since: 1.2.0
+ ##
++
+ { 'command': 'query-target', 'returns': 'TargetInfo' }
++{ 'command': 'savevm-start', 'data': { '*statefile': 'str' } }
++
++{ 'command': 'snapshot-drive', 'data': { 'device': 'str', 'name': 'str' } }
++
++{ 'command': 'delete-drive-snapshot', 'data': { 'device': 'str', 'name': 'str' } }
++
++{ 'command': 'savevm-end' }
++
++
+ ##
+ # @QKeyCode:
+ #
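Review bot: `savevm-start`, `snapshot-drive`, `delete-drive-snapshot` and `savevm-end` are added without any `##` documentation comment, while `query-savevm` in the same patch has one. Document each command and its arguments, and drop the blank line inserted between the `query-target` comment block and its command definition.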
+diff --git a/qemu-options.hx b/qemu-options.hx
+index a71aaf8..37fad3b 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -3302,6 +3302,19 @@ STEXI
+ Start right away with a saved state (@code{loadvm} in monitor)
+ ETEXI
++DEF("loadstate", HAS_ARG, QEMU_OPTION_loadstate, \
++    "-loadstate file\n" \
++    "                start right away with a saved state\n",
++    QEMU_ARCH_ALL)
++STEXI
++@item -loadstate @var{file}
++@findex -loadstate
++Start right away with a saved state. This option does not rollback
++disk state like @code{loadvm}, so user must make sure that disk
++have correct state. @var{file} can be any valid device URL. See the section
++for "Device URL Syntax" for more information.
++ETEXI
++
+ #ifndef _WIN32
+ DEF("daemonize", 0, QEMU_OPTION_daemonize, \
+     "-daemonize      daemonize QEMU after initializing\n", QEMU_ARCH_ALL)
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index a8e8522..6342cd2 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -4904,6 +4904,36 @@ Example:
+ EQMP
+     {
++        .name       = "savevm-start",
++        .args_type  = "statefile:s?",
++        .mhandler.cmd_new = qmp_marshal_savevm_start,
++    },
++
++    {
++        .name       = "snapshot-drive",
++        .args_type  = "device:s,name:s",
++        .mhandler.cmd_new = qmp_marshal_snapshot_drive,
++    },
++
++    {
++        .name       = "delete-drive-snapshot",
++        .args_type  = "device:s,name:s",
++        .mhandler.cmd_new = qmp_marshal_delete_drive_snapshot,
++    },
++
++    {
++        .name       = "savevm-end",
++        .args_type  = "",
++        .mhandler.cmd_new = qmp_marshal_savevm_end,
++    },
++
++    {
++        .name       = "query-savevm",
++        .args_type  = "",
++        .mhandler.cmd_new = qmp_marshal_query_savevm,
++    },
++
++    {
+         .name       = "query-rocker",
+         .args_type  = "name:s",
+         .mhandler.cmd_new = qmp_marshal_query_rocker,
+diff --git a/savevm-async.c b/savevm-async.c
+new file mode 100644
+index 0000000..ae7ea84
+--- /dev/null
++++ b/savevm-async.c
+@@ -0,0 +1,526 @@
++#include "qemu/osdep.h"
++#include "qemu-common.h"
++#include "qapi/qmp/qerror.h"
++#include "qemu/error-report.h"
++#include "sysemu/sysemu.h"
++#include "qmp-commands.h"
++#include "qemu-options.h"
++#include "migration/qemu-file.h"
++#include "qom/qom-qobject.h"
++#include "migration/migration.h"
++#include "block/snapshot.h"
++#include "block/qapi.h"
++#include "block/block.h"
++#include "qemu/timer.h"
++#include "sysemu/block-backend.h"
++#include "qapi/qmp/qstring.h"
++#include "qemu/rcu.h"
++#include "qemu/thread.h"
++#include "qemu/cutils.h"
++
++/* #define DEBUG_SAVEVM_STATE */
++
++#ifdef DEBUG_SAVEVM_STATE
++#define DPRINTF(fmt, ...) \
++    do { printf("savevm-async: " fmt, ## __VA_ARGS__); } while (0)
++#else
++#define DPRINTF(fmt, ...) \
++    do { } while (0)
++#endif
++
++enum {
++    SAVE_STATE_DONE,
++    SAVE_STATE_ERROR,
++    SAVE_STATE_ACTIVE,
++    SAVE_STATE_COMPLETED,
++    SAVE_STATE_CANCELLED
++};
++
++
++static struct SnapshotState {
++    BlockDriverState *bs;
++    size_t bs_pos;
++    int state;
++    Error *error;
++    Error *blocker;
++    int saved_vm_running;
++    QEMUFile *file;
++    int64_t total_time;
++} snap_state;
++
++SaveVMInfo *qmp_query_savevm(Error **errp)
++{
++    SaveVMInfo *info = g_malloc0(sizeof(*info));
++    struct SnapshotState *s = &snap_state;
++
++    if (s->state != SAVE_STATE_DONE) {
++        info->has_bytes = true;
++        info->bytes = s->bs_pos;
++        switch (s->state) {
++        case SAVE_STATE_ERROR:
++            info->has_status = true;
++            info->status = g_strdup("failed");
++            info->has_total_time = true;
++            info->total_time = s->total_time;
++            if (s->error) {
++                info->has_error = true;
++                info->error = g_strdup(error_get_pretty(s->error));
++            }
++            break;
++        case SAVE_STATE_ACTIVE:
++            info->has_status = true;
++            info->status = g_strdup("active");
++            info->has_total_time = true;
++            info->total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME)
++                - s->total_time;
++            break;
++        case SAVE_STATE_COMPLETED:
++            info->has_status = true;
++            info->status = g_strdup("completed");
++            info->has_total_time = true;
++            info->total_time = s->total_time;
++            break;
++        }
++    }
++
++    return info;
++}
++
++static int save_snapshot_cleanup(void)
++{
++    int ret = 0;
++
++    DPRINTF("save_snapshot_cleanup\n");
++
++    snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME) -
++        snap_state.total_time;
++
++    if (snap_state.file) {
++        ret = qemu_fclose(snap_state.file);
++    }
++
++    if (snap_state.bs) {
++        /* try to truncate, but ignore errors (will fail on block devices).
++         * note: bdrv_read() need whole blocks, so we round up
++         */
++        size_t size = (snap_state.bs_pos + BDRV_SECTOR_SIZE) & BDRV_SECTOR_MASK;
++        bdrv_truncate(snap_state.bs, size);
++        bdrv_op_unblock_all(snap_state.bs, snap_state.blocker);
++        error_free(snap_state.blocker);
++        snap_state.blocker = NULL;
++        bdrv_unref(snap_state.bs);
++        snap_state.bs = NULL;
++    }
++
++    return ret;
++}
++
++static void save_snapshot_error(const char *fmt, ...)
++{
++    va_list ap;
++    char *msg;
++
++    va_start(ap, fmt);
++    msg = g_strdup_vprintf(fmt, ap);
++    va_end(ap);
++
++    DPRINTF("save_snapshot_error: %s\n", msg);
++
++    if (!snap_state.error) {
++        error_set(&snap_state.error, ERROR_CLASS_GENERIC_ERROR, "%s", msg);
++    }
++
++    g_free (msg);
++
++    snap_state.state = SAVE_STATE_ERROR;
++
++    save_snapshot_cleanup();
++}
++
++static void save_snapshot_completed(void)
++{
++    DPRINTF("save_snapshot_completed\n");
++
++    if (save_snapshot_cleanup() < 0) {
++        snap_state.state = SAVE_STATE_ERROR;
++    } else {
++        snap_state.state = SAVE_STATE_COMPLETED;
++    }
++}
++
++static int block_state_close(void *opaque)
++{
++    snap_state.file = NULL;
++    return bdrv_flush(snap_state.bs);
++}
++
++static int block_state_put_buffer(void *opaque, const uint8_t *buf,
++                                  int64_t pos, int size)
++{
++    int ret;
++
++    assert(pos == snap_state.bs_pos);
++
++    if ((ret = bdrv_pwrite(snap_state.bs, snap_state.bs_pos, buf, size)) > 0) {
++        snap_state.bs_pos += ret;
++    }
++
++    return ret;
++}
++
++static int store_and_stop(void) {
++    if (global_state_store()) {
++        save_snapshot_error("Error saving global state");
++        return 1;
++    }
++    if (runstate_is_running()) {
++        vm_stop(RUN_STATE_SAVE_VM);
++    }
++    return 0;
++}
++
++static void process_savevm_co(void *opaque)
++{
++    int ret;
++    int64_t maxlen;
++    MigrationParams params = {
++        .blk = 0,
++        .shared = 0
++    };
++
++    snap_state.state = SAVE_STATE_ACTIVE;
++
++    qemu_mutex_unlock_iothread();
++    qemu_savevm_state_header(snap_state.file);
++    ret = qemu_savevm_state_begin(snap_state.file, &params);
++    qemu_mutex_lock_iothread();
++
++    if (ret < 0) {
++        save_snapshot_error("qemu_savevm_state_begin failed");
++        return;
++    }
++
++    while (snap_state.state == SAVE_STATE_ACTIVE) {
++        uint64_t pending_size;
++
++        pending_size = qemu_savevm_state_pending(snap_state.file, 0);
++
++        if (pending_size) {
++                ret = qemu_savevm_state_iterate(snap_state.file);
++                if (ret < 0) {
++                    save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
++                    break;
++                }
++                DPRINTF("savevm inerate pending size %lu ret %d\n", pending_size, ret);
++        } else {
++            DPRINTF("done iterating\n");
++            if (store_and_stop())
++                break;
++            DPRINTF("savevm inerate finished\n");
++            qemu_savevm_state_complete_precopy(snap_state.file);
++            DPRINTF("save complete\n");
++            save_snapshot_completed();
++            break;
++        }
++
++        /* stop the VM if we get to the end of available space,
++         * or if pending_size is just a few MB
++         */
++        maxlen = bdrv_getlength(snap_state.bs) - 30*1024*1024;
++        if ((pending_size < 100000) ||
++            ((snap_state.bs_pos + pending_size) >= maxlen)) {
++            if (store_and_stop())
++                break;
++        }
++    }
++
++    if(snap_state.state == SAVE_STATE_CANCELLED) {
++        save_snapshot_completed();
++        Error *errp = NULL;
++        qmp_savevm_end(&errp);
++    }
++
++}
++
++static const QEMUFileOps block_file_ops = {
++    .put_buffer =     block_state_put_buffer,
++    .close =          block_state_close,
++};
++
++
++void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
++{
++    BlockDriver *drv = NULL;
++    Error *local_err = NULL;
++
++    int bdrv_oflags = BDRV_O_RDWR;
++    int ret;
++
++    if (snap_state.state != SAVE_STATE_DONE) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "VM snapshot already started\n");
++        return;
++    }
++
++    /* initialize snapshot info */
++    snap_state.saved_vm_running = runstate_is_running();
++    snap_state.bs_pos = 0;
++    snap_state.total_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
++    snap_state.blocker = NULL;
++
++    if (snap_state.error) {
++        error_free(snap_state.error);
++        snap_state.error = NULL;
++    }
++
++    if (!has_statefile) {
++        vm_stop(RUN_STATE_SAVE_VM);
++        snap_state.state = SAVE_STATE_COMPLETED;
++        return;
++    }
++
++    if (qemu_savevm_state_blocked(errp)) {
++        return;
++    }
++
++    /* Open the image */
++    snap_state.bs = bdrv_new();
++ 
++    QDict *options = NULL;
++    options = qdict_new();
++    qdict_put(options, "driver", qstring_from_str("raw"));
++    ret = bdrv_open(&snap_state.bs, statefile, NULL, options, bdrv_oflags, drv, &local_err);
++    if (ret < 0) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
++        goto restart;
++    }
++
++    snap_state.file = qemu_fopen_ops(&snap_state, &block_file_ops);
++
++    if (!snap_state.file) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
++        goto restart;
++    }
++
++
++    error_setg(&snap_state.blocker, "block device is in use by savevm");
++    bdrv_op_block_all(snap_state.bs, snap_state.blocker);
++
++    Coroutine *co = qemu_coroutine_create(process_savevm_co);
++    qemu_coroutine_enter(co);
++
++    return;
++
++restart:
++
++    save_snapshot_error("setup failed");
++
++    if (snap_state.saved_vm_running) {
++        vm_start();
++    }
++}
++
++void qmp_savevm_end(Error **errp)
++{
++    if (snap_state.state == SAVE_STATE_DONE) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "VM snapshot not started\n");
++        return;
++    }
++
++    if (snap_state.state == SAVE_STATE_ACTIVE) {
++        snap_state.state = SAVE_STATE_CANCELLED;
++        return;
++    }
++
++    if (snap_state.saved_vm_running) {
++        vm_start();
++    }
++
++    snap_state.state = SAVE_STATE_DONE;
++}
++
++void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
++{
++    BlockBackend *blk;
++    BlockDriverState *bs;
++    QEMUSnapshotInfo sn1, *sn = &sn1;
++    int ret;
++#ifdef _WIN32
++    struct _timeb tb;
++#else
++    struct timeval tv;
++#endif
++
++    if (snap_state.state != SAVE_STATE_COMPLETED) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "VM snapshot not ready/started\n");
++        return;
++    }
++
++    blk = blk_by_name(device);
++    if (!blk) {
++        error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
++                  "Device '%s' not found", device);
++        return;
++    }
++
++    bs = blk_bs(blk);
++    if (!bdrv_is_inserted(bs)) {
++        error_setg(errp, QERR_DEVICE_HAS_NO_MEDIUM, device);
++        return;
++    }
++
++    if (bdrv_is_read_only(bs)) {
++        error_setg(errp, "Node '%s' is read only", device);
++        return;
++    }
++
++    if (!bdrv_can_snapshot(bs)) {
++        error_setg(errp, QERR_UNSUPPORTED);
++        return;
++    }
++
++    if (bdrv_snapshot_find(bs, sn, name) >= 0) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "snapshot '%s' already exists", name);
++        return;
++    }
++
++    sn = &sn1;
++    memset(sn, 0, sizeof(*sn));
++
++#ifdef _WIN32
++    _ftime(&tb);
++    sn->date_sec = tb.time;
++    sn->date_nsec = tb.millitm * 1000000;
++#else
++    gettimeofday(&tv, NULL);
++    sn->date_sec = tv.tv_sec;
++    sn->date_nsec = tv.tv_usec * 1000;
++#endif
++    sn->vm_clock_nsec = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
++
++    pstrcpy(sn->name, sizeof(sn->name), name);
++
++    sn->vm_state_size = 0; /* do not save state */
++
++    ret = bdrv_snapshot_create(bs, sn);
++    if (ret < 0) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "Error while creating snapshot on '%s'\n", device);
++        return;
++    }
++}
++
++void qmp_delete_drive_snapshot(const char *device, const char *name,
++                               Error **errp)
++{
++    BlockBackend *blk;
++    BlockDriverState *bs;
++    QEMUSnapshotInfo sn1, *sn = &sn1;
++    Error *local_err = NULL;
++
++    int ret;
++
++    blk = blk_by_name(device);
++    if (!blk) {
++        error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
++                  "Device '%s' not found", device);
++        return;
++    }
++
++    bs = blk_bs(blk);
++    if (bdrv_is_read_only(bs)) {
++        error_setg(errp, "Node '%s' is read only", device);
++        return;
++    }
++
++    if (!bdrv_can_snapshot(bs)) {
++        error_setg(errp, QERR_UNSUPPORTED);
++        return;
++    }
++
++    if (bdrv_snapshot_find(bs, sn, name) < 0) {
++        /* return success if snapshot does not exists */
++        return;
++    }
++
++    ret = bdrv_snapshot_delete(bs, NULL, name, &local_err);
++    if (ret < 0) {
++        error_set(errp, ERROR_CLASS_GENERIC_ERROR,
++                  "Error while deleting snapshot on '%s'\n", device);
++        return;
++    }
++}
++
++static int loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
++                                int size)
++{
++    BlockDriverState *bs = (BlockDriverState *)opaque;
++    int64_t maxlen = bdrv_getlength(bs);
++    if (pos > maxlen) {
++        return -EIO;
++    }
++    if ((pos + size) > maxlen) {
++        size = maxlen - pos - 1;
++    }
++    if (size == 0) {
++        return 0;
++    }
++    return bdrv_pread(bs, pos, buf, size);
++}
++
++static const QEMUFileOps loadstate_file_ops = {
++    .get_buffer = loadstate_get_buffer,
++};
++
++int load_state_from_blockdev(const char *filename)
++{
++    BlockDriverState *bs = NULL;
++    BlockDriver *drv = NULL;
++    Error *local_err = NULL;
++    Error *blocker = NULL;
++
++    QEMUFile *f;
++    int ret;
++
++    bs = bdrv_new();
++    ret = bdrv_open(&bs, filename, NULL, NULL, 0, drv, &local_err);
++    error_setg(&blocker, "block device is in use by load state");
++    bdrv_op_block_all(bs, blocker);
++
++    if (ret < 0) {
++        error_report("Could not open VM state file");
++        goto the_end;
++    }
++
++    /* restore the VM state */
++    f = qemu_fopen_ops(bs, &loadstate_file_ops);
++    if (!f) {
++        error_report("Could not open VM state file");
++        ret = -EINVAL;
++        goto the_end;
++    }
++
++    qemu_system_reset(VMRESET_SILENT);
++    migration_incoming_state_new(f);
++    ret = qemu_loadvm_state(f);
++
++    qemu_fclose(f);
++    migration_incoming_state_destroy();
++    if (ret < 0) {
++        error_report("Error %d while loading VM state", ret);
++        goto the_end;
++    }
++
++    ret = 0;
++
++ the_end:
++    if (bs) {
++        bdrv_op_unblock_all(bs, blocker);
++        error_free(blocker);
++        bdrv_unref(bs);
++    }
++    return ret;
++}
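Review bot: in loadstate_get_buffer the clamp `size = maxlen - pos - 1` is off by one and can go negative. With pos == maxlen the `pos > maxlen` branch is not taken, size becomes -1, the `size == 0` test is skipped, and bdrv_pread() is called with a negative length; in the ordinary case the last byte of the state file is never returned. Clamp to `maxlen - pos`, return 0 when that is not positive, and check bdrv_getlength() for a negative error return before using it (the same unchecked call feeds maxlen in process_savevm_co). In load_state_from_blockdev, bdrv_op_block_all(bs, blocker) also runs before ret from bdrv_open() is tested; move the ret check above it.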
+diff --git a/vl.c b/vl.c
+index b226e0b..c01b1b5 100644
+--- a/vl.c
++++ b/vl.c
+@@ -2962,6 +2962,7 @@ int main(int argc, char **argv, char **envp)
+     int optind;
+     const char *optarg;
+     const char *loadvm = NULL;
++    const char *loadstate = NULL;
+     MachineClass *machine_class;
+     const char *cpu_model;
+     const char *vga_model = NULL;
+@@ -3603,6 +3604,9 @@ int main(int argc, char **argv, char **envp)
+             case QEMU_OPTION_loadvm:
+                 loadvm = optarg;
+                 break;
++            case QEMU_OPTION_loadstate:
++                loadstate = optarg;
++                break;
+             case QEMU_OPTION_full_screen:
+                 full_screen = 1;
+                 break;
+@@ -4597,6 +4601,10 @@ int main(int argc, char **argv, char **envp)
+         if (load_vmstate(loadvm) < 0) {
+             autostart = 0;
+         }
++    } else if (loadstate) {
++        if (load_state_from_blockdev(loadstate) < 0) {
++            autostart = 0;
++        }
+     }
+     qdev_prop_check_globals();
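Review bot: because the new branch is `else if (loadstate)`, a -loadstate argument is silently ignored whenever -loadvm is also given. Reject the combination where the options are parsed, or report an error here, so that the caller does not assume the state file was loaded.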
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0023-backup-vma-allow-empty-backups.patch b/debian/patches/pve/0023-backup-vma-allow-empty-backups.patch
new file mode 100644 (file)
index 0000000..d42a3d2
--- /dev/null
@@ -0,0 +1,256 @@
+From e9b9fd9156a6631998ec4b4254fe2e91859b340a Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 16:31:51 +0100
+Subject: [PATCH 23/47] backup: vma: allow empty backups
+
+---
+ vma-reader.c | 29 ++++++++++++-------------
+ vma-writer.c | 30 ++++++++++++++++----------
+ vma.c        | 70 ++++++++++++++++++++++++++++++++++++------------------------
+ vma.h        |  1 +
+ 4 files changed, 76 insertions(+), 54 deletions(-)
+
+diff --git a/vma-reader.c b/vma-reader.c
+index 2aafb26..78f1de9 100644
+--- a/vma-reader.c
++++ b/vma-reader.c
+@@ -326,11 +326,6 @@ static int vma_reader_read_head(VmaReader *vmar, Error **errp)
+         }
+     }
+-    if (!count) {
+-        error_setg(errp, "vma does not contain data");
+-        return -1;
+-    }
+-
+     for (i = 0; i < VMA_MAX_CONFIGS; i++) {
+         uint32_t name_ptr = GUINT32_FROM_BE(h->config_names[i]);
+         uint32_t data_ptr = GUINT32_FROM_BE(h->config_data[i]);
+@@ -822,16 +817,20 @@ static int vma_reader_restore_full(VmaReader *vmar, int vmstate_fd,
+     }
+     if (verbose) {
+-        printf("total bytes read %zd, sparse bytes %zd (%.3g%%)\n",
+-               vmar->clusters_read*VMA_CLUSTER_SIZE,
+-               vmar->zero_cluster_data,
+-               (double)(100.0*vmar->zero_cluster_data)/
+-               (vmar->clusters_read*VMA_CLUSTER_SIZE));
+-
+-        int64_t datasize = vmar->clusters_read*VMA_CLUSTER_SIZE-vmar->zero_cluster_data;
+-        if (datasize) { // this does not make sense for empty files
+-            printf("space reduction due to 4K zero blocks %.3g%%\n",
+-                   (double)(100.0*vmar->partial_zero_cluster_data) / datasize);
++        if (vmar->clusters_read) {
++            printf("total bytes read %zd, sparse bytes %zd (%.3g%%)\n",
++                   vmar->clusters_read*VMA_CLUSTER_SIZE,
++                   vmar->zero_cluster_data,
++                   (double)(100.0*vmar->zero_cluster_data)/
++                   (vmar->clusters_read*VMA_CLUSTER_SIZE));
++
++            int64_t datasize = vmar->clusters_read*VMA_CLUSTER_SIZE-vmar->zero_cluster_data;
++            if (datasize) { // this does not make sense for empty files
++                printf("space reduction due to 4K zero blocks %.3g%%\n",
++                       (double)(100.0*vmar->partial_zero_cluster_data) / datasize);
++            }
++        } else {
++            printf("vma archive contains no image data\n");
+         }
+     }
+     return ret;
+diff --git a/vma-writer.c b/vma-writer.c
+index 79b7fd4..0d26fc6 100644
+--- a/vma-writer.c
++++ b/vma-writer.c
+@@ -252,7 +252,7 @@ vma_queue_write(VmaWriter *vmaw, const void *buf, size_t bytes)
+     }
+     vmaw->co_writer = NULL;
+-    
++
+     return (done == bytes) ? bytes : -1;
+ }
+@@ -376,10 +376,6 @@ static int coroutine_fn vma_write_header(VmaWriter *vmaw)
+     time_t ctime = time(NULL);
+     head->ctime = GUINT64_TO_BE(ctime);
+-    if (!vmaw->stream_count) {
+-        return -1;
+-    }
+-
+     for (i = 0; i < VMA_MAX_CONFIGS; i++) {
+         head->config_names[i] = GUINT32_TO_BE(vmaw->config_names[i]);
+         head->config_data[i] = GUINT32_TO_BE(vmaw->config_data[i]);
+@@ -496,6 +492,23 @@ static int vma_count_open_streams(VmaWriter *vmaw)
+     return open_drives;
+ }
++
++/**
++ * You need to call this if the vma archive does not contain
++ * any data stream.
++ */
++int coroutine_fn
++vma_writer_flush_output(VmaWriter *vmaw)
++{
++    qemu_co_mutex_lock(&vmaw->flush_lock);
++    int ret = vma_writer_flush(vmaw);
++    qemu_co_mutex_unlock(&vmaw->flush_lock);
++    if (ret < 0) {
++        vma_writer_set_error(vmaw, "vma_writer_flush_header failed");
++    }
++    return ret;
++}
++
+ /**
+  * all jobs should call this when there is no more data
+  * Returns: number of remaining stream (0 ==> finished)
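Review bot: the error string in vma_writer_flush_output, "vma_writer_flush_header failed", names a function that this hunk does not call; the call that failed is vma_writer_flush(). Use a message that matches, for example "vma_writer_flush_output: flush failed", so that the log line points at the right place.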
+@@ -523,12 +536,7 @@ vma_writer_close_stream(VmaWriter *vmaw, uint8_t dev_id)
+     if (open_drives <= 0) {
+         DPRINTF("vma_writer_set_status all drives completed\n");
+-        qemu_co_mutex_lock(&vmaw->flush_lock);
+-        int ret = vma_writer_flush(vmaw);
+-        qemu_co_mutex_unlock(&vmaw->flush_lock);
+-        if (ret < 0) {
+-            vma_writer_set_error(vmaw, "vma_writer_close_stream: flush failed");
+-        }
++        vma_writer_flush_output(vmaw);
+     }
+     return open_drives;
+diff --git a/vma.c b/vma.c
+index c88a4358..08e4725 100644
+--- a/vma.c
++++ b/vma.c
+@@ -27,7 +27,7 @@ static void help(void)
+         "\n"
+         "vma list <filename>\n"
+         "vma config <filename> [-c config]\n"
+-        "vma create <filename> [-c config] <archive> pathname ...\n"
++        "vma create <filename> [-c config] pathname ...\n"
+         "vma extract <filename> [-r <fifo>] <targetdir>\n"
+         "vma verify <filename> [-v]\n"
+         ;
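Review bot: the new usage line still reads as if at least one pathname were required, while the argument check in create_archive now accepts none. Write it as `vma create <filename> [-c config] [pathname ...]` so that the help text documents the empty-archive case this patch introduces.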
+@@ -395,6 +395,18 @@ typedef struct BackupJob {
+ #define BACKUP_SECTORS_PER_CLUSTER (VMA_CLUSTER_SIZE / BDRV_SECTOR_SIZE)
++static void coroutine_fn backup_run_empty(void *opaque)
++{
++    VmaWriter *vmaw = (VmaWriter *)opaque;
++
++    vma_writer_flush_output(vmaw);
++
++    Error *err = NULL;
++    if (vma_writer_close(vmaw, &err) != 0) {
++        g_warning("vma_writer_close failed %s", error_get_pretty(err));
++    }
++}
++
+ static void coroutine_fn backup_run(void *opaque)
+ {
+     BackupJob *job = (BackupJob *)opaque;
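Review bot: backup_run_empty ignores the return value of vma_writer_flush_output() and goes on to vma_writer_close() even after a failed flush, and `err` is never released with error_free() after the g_warning. Check the flush result, and free the Error once it has been reported.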
+@@ -468,8 +480,8 @@ static int create_archive(int argc, char **argv)
+     }
+-    /* make sure we have archive name and at least one path */
+-    if ((optind + 2) > argc) {
++    /* make sure we an archive name */
++    if ((optind + 1) > argc) {
+         help();
+     }
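Review bot: the replacement comment "make sure we an archive name" is missing a word; it should read "make sure we have an archive name".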
+@@ -504,11 +516,11 @@ static int create_archive(int argc, char **argv)
+         l = g_list_next(l);
+     }
+-    int ind = 0;
++    int devcount = 0;
+     while (optind < argc) {
+         const char *path = argv[optind++];
+         char *devname = NULL;
+-        path = extract_devname(path, &devname, ind++);
++        path = extract_devname(path, &devname, devcount++);
+         Error *errp = NULL;
+         BlockDriverState *bs;
+@@ -539,37 +551,39 @@ static int create_archive(int argc, char **argv)
+     int percent = 0;
+     int last_percent = -1;
+-    while (1) {
+-        main_loop_wait(false);
+-        vma_writer_get_status(vmaw, &vmastat);
++    if (devcount) {
++        while (1) {
++            main_loop_wait(false);
++            vma_writer_get_status(vmaw, &vmastat);
++
++            if (verbose) {
+-        if (verbose) {
++                uint64_t total = 0;
++                uint64_t transferred = 0;
++                uint64_t zero_bytes = 0;
+-            uint64_t total = 0;
+-            uint64_t transferred = 0;
+-            uint64_t zero_bytes = 0;
++                int i;
++                for (i = 0; i < 256; i++) {
++                    if (vmastat.stream_info[i].size) {
++                        total += vmastat.stream_info[i].size;
++                        transferred += vmastat.stream_info[i].transferred;
++                        zero_bytes += vmastat.stream_info[i].zero_bytes;
++                    }
++                }
++                percent = (transferred*100)/total;
++                if (percent != last_percent) {
++                    fprintf(stderr, "progress %d%% %zd/%zd %zd\n", percent,
++                            transferred, total, zero_bytes);
++                    fflush(stderr);
+-            int i;
+-            for (i = 0; i < 256; i++) {
+-                if (vmastat.stream_info[i].size) {
+-                    total += vmastat.stream_info[i].size;
+-                    transferred += vmastat.stream_info[i].transferred;
+-                    zero_bytes += vmastat.stream_info[i].zero_bytes;
++                    last_percent = percent;
+                 }
+             }
+-            percent = (transferred*100)/total;
+-            if (percent != last_percent) {
+-                fprintf(stderr, "progress %d%% %zd/%zd %zd\n", percent,
+-                        transferred, total, zero_bytes);
+-                fflush(stderr);
+-                last_percent = percent;
++            if (vmastat.closed) {
++                break;
+             }
+         }
+-
+-        if (vmastat.closed) {
+-            break;
+-        }
+     } else {
+         Coroutine *co = qemu_coroutine_create(backup_run_empty, vmaw);
+         qemu_coroutine_enter(co);
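Review bot: in the verbose branch `percent = (transferred*100)/total;` divides by total, which stays 0 when no stream_info entry has reported a size. The line is only re-indented here, but since this patch is about archives with little or no data it is the right place to guard it, for example by skipping the progress output when total is 0.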
+diff --git a/vma.h b/vma.h
+index 98377e4..365ceb2 100644
+--- a/vma.h
++++ b/vma.h
+@@ -128,6 +128,7 @@ int64_t coroutine_fn vma_writer_write(VmaWriter *vmaw, uint8_t dev_id,
+                                       size_t *zero_bytes);
+ int coroutine_fn vma_writer_close_stream(VmaWriter *vmaw, uint8_t dev_id);
++int coroutine_fn vma_writer_flush_output(VmaWriter *vmaw);
+ int vma_writer_get_status(VmaWriter *vmaw, VmaStatus *status);
+ void vma_writer_set_error(VmaWriter *vmaw, const char *fmt, ...);
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0024-qmp-add-get_link_status.patch b/debian/patches/pve/0024-qmp-add-get_link_status.patch
new file mode 100644 (file)
index 0000000..ba944e3
--- /dev/null
@@ -0,0 +1,126 @@
+From e933992419bd8da2689a527ae95000891e687a2d Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 16:34:41 +0100
+Subject: [PATCH 24/47] qmp: add get_link_status
+
+---
+ net/net.c        | 27 +++++++++++++++++++++++++++
+ qapi-schema.json | 15 +++++++++++++++
+ qmp-commands.hx  | 23 +++++++++++++++++++++++
+ scripts/qapi.py  |  2 ++
+ 4 files changed, 67 insertions(+)
+
+diff --git a/net/net.c b/net/net.c
+index 19b4d9e..5f890b7 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -1362,6 +1362,33 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
+     }
+ }
++int64_t qmp_get_link_status(const char *name, Error **errp)
++{
++    NetClientState *ncs[MAX_QUEUE_NUM];
++    NetClientState *nc;
++    int queues;
++    bool ret;
++
++    queues = qemu_find_net_clients_except(name, ncs,
++                                          NET_CLIENT_DRIVER__MAX,
++                                          MAX_QUEUE_NUM);
++
++    if (queues == 0) {
++        error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
++                  "Device '%s' not found", name);
++        return (int64_t) -1;
++    }
++
++    nc = ncs[0];
++    ret = ncs[0]->link_down;
++
++    if (nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
++      ret = ncs[0]->peer->link_down;
++    }
++
++    return (int64_t) ret ? 0 : 1;
++}
++
+ void qmp_set_link(const char *name, bool up, Error **errp)
+ {
+     NetClientState *ncs[MAX_QUEUE_NUM];
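Review bot: `nc->peer->info->type` in qmp_get_link_status dereferences nc->peer without a NULL check, so a net client that has no peer makes this QMP command crash the process. Test `nc->peer` first and fall back to nc->link_down. Two smaller points: `ret` holds link_down, so the name reads inverted, and in `return (int64_t) ret ? 0 : 1;` the cast binds to ret rather than to the result, which makes it redundant; `return link_down ? 0 : 1;` says the same thing more clearly.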
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 0c0faf7..d75e932 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -1786,6 +1786,21 @@
+ { 'command': 'set_link', 'data': {'name': 'str', 'up': 'bool'} }
+ ##
++# @get_link_status
++#
++# Get the current link state of the nics or nic.
++#
++# @name: name of the nic you get the state of
++#
++# Return: If link is up 1
++#         If link is down 0
++#         If an error occure an empty string.
++#
++# Notes: this is an Proxmox VE extension and not offical part of Qemu.
++##
++{ 'command': 'get_link_status', 'data': {'name': 'str'}, 'returns': 'int'}
++
++##
+ # @balloon:
+ #
+ # Request the balloon driver to change its balloon size.
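Review bot: the "Return:" text says an error yields an empty string, but the command is declared with 'returns': 'int' and qmp_get_link_status sets errp and returns -1. Document the error as a QMP error (DeviceNotFound) instead, and fix the spelling of "occure" and "offical" while touching the comment.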
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index 6342cd2..a84932a 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -1883,6 +1883,29 @@ Example:
+ EQMP
+     {
++        .name       = "get_link_status",
++        .args_type  = "name:s",
++        .mhandler.cmd_new = qmp_marshal_get_link_status,
++    },
++
++SQMP
++get_link_status
++--------
++
++Get the link status of a network adapter.
++
++Arguments:
++
++- "name": network device name (json-string)
++
++Example:
++
++-> { "execute": "get_link_status", "arguments": { "name": "e1000.0" } }
++<- { "return": {1} }
++
++EQMP
++
++    {
+         .name       = "getfd",
+         .args_type  = "fdname:s",
+         .params     = "getfd name",
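Review bot: the example reply `<- { "return": {1} }` is not valid JSON and does not match the declared int return; it should be `<- { "return": 1 }`. The underline below "get_link_status" is also shorter than the title, unlike the neighbouring entries.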
+diff --git a/scripts/qapi.py b/scripts/qapi.py
+index 21bc32f..f900659 100644
+--- a/scripts/qapi.py
++++ b/scripts/qapi.py
+@@ -39,6 +39,8 @@ builtin_types = {
+ # Whitelist of commands allowed to return a non-dictionary
+ returns_whitelist = [
++    'get_link_status',
++
+     # From QMP:
+     'human-monitor-command',
+     'qom-get',
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0025-smm_available-false.patch b/debian/patches/pve/0025-smm_available-false.patch
new file mode 100644 (file)
index 0000000..d51daee
--- /dev/null
@@ -0,0 +1,26 @@
+From e1682387e4bed2357e1030933481ab63f648249b Mon Sep 17 00:00:00 2001
+From: Alexandre Derumier <aderumier@odiso.com>
+Date: Tue, 29 Sep 2015 15:37:44 +0200
+Subject: [PATCH 25/47] smm_available = false
+
+Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
+---
+ hw/i386/pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index ba8a5a1..9c206fc 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -2084,7 +2084,7 @@ bool pc_machine_is_smm_enabled(PCMachineState *pcms)
+     if (tcg_enabled() || qtest_enabled()) {
+         smm_available = true;
+     } else if (kvm_enabled()) {
+-        smm_available = kvm_has_smm();
++        smm_available = false;
+     }
+     if (smm_available) {
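Review bot: the KVM branch now hard-codes `smm_available = false` and drops the kvm_has_smm() probe, but neither this hunk nor the commit message says why. Add a comment at this line giving the reason, and describe in the commit message what a guest setup that relies on SMM should expect under KVM after this change.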
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch b/debian/patches/pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch
new file mode 100644 (file)
index 0000000..b7547af
--- /dev/null
@@ -0,0 +1,27 @@
+From 017016151cb8f9a364f0b0006603772620966d5a Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 16:50:05 +0100
+Subject: [PATCH 26/47] use whitespace between VERSION and PKGVERSION
+
+Our kvm version parser expects a white space or comma after
+the version string, see PVE::QemuServer::kvm_user_version()
+---
+ vl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vl.c b/vl.c
+index c01b1b5..0b5a721 100644
+--- a/vl.c
++++ b/vl.c
+@@ -1920,7 +1920,7 @@ static void main_loop(void)
+ static void version(void)
+ {
+-    printf("QEMU emulator version " QEMU_VERSION QEMU_PKGVERSION ", "
++    printf("QEMU emulator version " QEMU_VERSION " " QEMU_PKGVERSION ", "
+            QEMU_COPYRIGHT "\n");
+ }
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0027-vma-add-firewall.patch b/debian/patches/pve/0027-vma-add-firewall.patch
new file mode 100644 (file)
index 0000000..fbbefb2
--- /dev/null
@@ -0,0 +1,158 @@
+From 3400a70a51015f119c12d3600943baae97aabb0f Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 9 Dec 2015 16:51:23 +0100
+Subject: [PATCH 27/47] vma: add firewall
+
+---
+ blockdev.c       | 78 ++++++++++++++++++++++++++++++++++----------------------
+ hmp.c            |  2 +-
+ qapi-schema.json |  1 +
+ qmp-commands.hx  |  2 +-
+ 4 files changed, 51 insertions(+), 32 deletions(-)
+
+diff --git a/blockdev.c b/blockdev.c
+index 2371cf3..bbb1502 100644
+--- a/blockdev.c
++++ b/blockdev.c
+@@ -3157,6 +3157,44 @@ void qmp_backup_cancel(Error **errp)
+     }
+ }
++static int config_to_vma(const char *file, BackupFormat format,
++                       const char *backup_dir, VmaWriter *vmaw,
++                       Error **errp)
++{
++        char *cdata = NULL;
++        gsize clen = 0;
++        GError *err = NULL;
++        if (!g_file_get_contents(file, &cdata, &clen, &err)) {
++            error_setg(errp, "unable to read file '%s'", file);
++            return 1;
++        }
++
++        char *basename = g_path_get_basename(file);
++
++        if (format == BACKUP_FORMAT_VMA) {
++            if (vma_writer_add_config(vmaw, basename, cdata, clen) != 0) {
++            error_setg(errp, "unable to add %s config data to vma archive", file);
++                g_free(cdata);
++                g_free(basename);
++                return 1;
++            }
++        } else if (format == BACKUP_FORMAT_DIR) {
++            char config_path[PATH_MAX];
++            snprintf(config_path, PATH_MAX, "%s/%s", backup_dir, basename);
++            if (!g_file_set_contents(config_path, cdata, clen, &err)) {
++            error_setg(errp, "unable to write config file '%s'", config_path);
++                g_free(cdata);
++                g_free(basename);
++                return 1;
++            }
++        }
++
++        g_free(basename);
++        g_free(cdata);
++
++      return 0;
++}
++
+ bool block_job_should_pause(BlockJob *job);
+ static void pvebackup_run_next_job(void)
+ {
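Review bot: in config_to_vma the GError `err` filled in by g_file_get_contents() or g_file_set_contents() on failure is never released with g_error_free(), and its message is dropped from the error_setg() text, so the caller cannot see why the read or write failed. The snprintf() into config_path[PATH_MAX] also goes unchecked, so an overlong backup_dir plus basename is silently truncated and the file is written under a different name; compare the return value against PATH_MAX and fail. The body is indented by eight spaces with some lines at twelve, which does not match the four-space style of the rest of the file.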
+@@ -3184,6 +3222,7 @@ static void pvebackup_run_next_job(void)
+ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+                     BackupFormat format,
+                     bool has_config_file, const char *config_file,
++                  bool has_firewall_file, const char *firewall_file,
+                     bool has_devlist, const char *devlist,
+                     bool has_speed, int64_t speed, Error **errp)
+ {
+@@ -3335,38 +3374,17 @@ UuidInfo *qmp_backup(const char *backup_file, bool has_format,
+     /* add configuration file to archive */
+     if (has_config_file) {
+-        char *cdata = NULL;
+-        gsize clen = 0;
+-        GError *err = NULL;
+-        if (!g_file_get_contents(config_file, &cdata, &clen, &err)) {
+-            error_setg(errp, "unable to read file '%s'", config_file);
+-            goto err;
+-        }
+-
+-        char *basename = g_path_get_basename(config_file);
+-
+-        if (format == BACKUP_FORMAT_VMA) {
+-            if (vma_writer_add_config(vmaw, basename, cdata, clen) != 0) {
+-                error_setg(errp, "unable to add config data to vma archive");
+-                g_free(cdata);
+-                g_free(basename);
+-                goto err;
+-            }
+-        } else if (format == BACKUP_FORMAT_DIR) {
+-            char config_path[PATH_MAX];
+-            snprintf(config_path, PATH_MAX, "%s/%s", backup_dir, basename);
+-            if (!g_file_set_contents(config_path, cdata, clen, &err)) {
+-                error_setg(errp, "unable to write config file '%s'", config_path);
+-                g_free(cdata);
+-                g_free(basename);
+-                goto err;
+-            }
+-        }
+-
+-        g_free(basename);
+-        g_free(cdata);
++      if(config_to_vma(config_file, format, backup_dir, vmaw, errp) != 0) {
++      goto err;
++      }
+     }
++    /* add firewall file to archive */
++    if (has_firewall_file) {
++      if(config_to_vma(firewall_file, format, backup_dir, vmaw, errp) != 0) {
++      goto err;
++      }
++    }
+     /* initialize global backup_state now */
+     backup_state.cancel = false;
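Review bot: both calls to config_to_vma store the file under its basename, so in the BACKUP_FORMAT_DIR case a firewall_file whose basename equals that of config_file overwrites the configuration written just before it, with no error. Reject equal basenames here, or pass a fixed target name per file kind. Style: `if(config_to_vma(...) != 0) {` needs a space after `if`, and the `goto err;` lines are not indented inside their blocks.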
+diff --git a/hmp.c b/hmp.c
+index 030fd97..5c5e8ed 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1550,7 +1550,7 @@ void hmp_backup(Monitor *mon, const QDict *qdict)
+     int64_t speed = qdict_get_try_int(qdict, "speed", 0);
+     qmp_backup(backup_file, true, dir ? BACKUP_FORMAT_DIR : BACKUP_FORMAT_VMA,
+-               false, NULL, !!devlist,
++               false, NULL, false, NULL, !!devlist,
+                devlist, qdict_haskey(qdict, "speed"), speed, &error);
+     hmp_handle_error(mon, &error);
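Review bot: `hmp_backup()` hard-codes `false, NULL` for the new firewall-file pair, so a backup started from the human monitor can never include the firewall file; either add an optional HMP argument for it or document that the omission is intentional.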
+diff --git a/qapi-schema.json b/qapi-schema.json
+index d75e932..7bb0ee0 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -420,6 +420,7 @@
+ { 'command': 'backup', 'data': { 'backup-file': 'str',
+                                     '*format': 'BackupFormat',
+                                     '*config-file': 'str',
++                                    '*firewall-file': 'str',
+                                     '*devlist': 'str', '*speed': 'int' },
+   'returns': 'UuidInfo' }
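Review bot: The new `'*firewall-file': 'str'` member is added with no documentation line in this hunk; add an `@firewall-file` entry to the command's doc comment stating that it is a path read by the QEMU process and added to the archive next to the config file.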
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index a84932a..94cfac2 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -1315,7 +1315,7 @@ EQMP
+     {
+         .name       = "backup",
+-        .args_type  = "backup-file:s,format:s?,config-file:F?,speed:o?,devlist:s?",
++        .args_type  = "backup-file:s,format:s?,config-file:F?,firewall-file:F?,speed:o?,devlist:s?",
+         .mhandler.cmd_new = qmp_marshal_backup,
+     },
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch b/debian/patches/pve/0028-savevm-async-migration-and-bdrv_open-update.patch
new file mode 100644 (file)
index 0000000..f4c8276
--- /dev/null
@@ -0,0 +1,101 @@
+From d5ef7dd4d2b53e4868289dca3770724cb9597ec5 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Thu, 10 Dec 2015 15:14:00 +0100
+Subject: [PATCH 28/47] savevm-async: migration and bdrv_open update
+
+---
+ savevm-async.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/savevm-async.c b/savevm-async.c
+index ae7ea84..7979435 100644
+--- a/savevm-async.c
++++ b/savevm-async.c
+@@ -154,10 +154,10 @@ static int block_state_close(void *opaque)
+     return bdrv_flush(snap_state.bs);
+ }
+-static int block_state_put_buffer(void *opaque, const uint8_t *buf,
+-                                  int64_t pos, int size)
++static ssize_t block_state_put_buffer(void *opaque, const uint8_t *buf,
++                                      int64_t pos, size_t size)
+ {
+-    int ret;
++    ssize_t ret;
+     assert(pos == snap_state.bs_pos);
+@@ -201,12 +201,13 @@ static void process_savevm_co(void *opaque)
+     }
+     while (snap_state.state == SAVE_STATE_ACTIVE) {
+-        uint64_t pending_size;
++        uint64_t pending_size, pend_post, pend_nonpost;
+-        pending_size = qemu_savevm_state_pending(snap_state.file, 0);
++        qemu_savevm_state_pending(snap_state.file, 0, &pend_nonpost, &pend_post);
++        pending_size = pend_post + pend_nonpost;
+         if (pending_size) {
+-                ret = qemu_savevm_state_iterate(snap_state.file);
++                ret = qemu_savevm_state_iterate(snap_state.file, false);
+                 if (ret < 0) {
+                     save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
+                     break;
+@@ -217,7 +218,7 @@ static void process_savevm_co(void *opaque)
+             if (store_and_stop())
+                 break;
+             DPRINTF("savevm inerate finished\n");
+-            qemu_savevm_state_complete_precopy(snap_state.file);
++            qemu_savevm_state_complete_precopy(snap_state.file, false);
+             DPRINTF("save complete\n");
+             save_snapshot_completed();
+             break;
+@@ -250,7 +251,6 @@ static const QEMUFileOps block_file_ops = {
+ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+ {
+-    BlockDriver *drv = NULL;
+     Error *local_err = NULL;
+     int bdrv_oflags = BDRV_O_RDWR;
+@@ -289,7 +289,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+     QDict *options = NULL;
+     options = qdict_new();
+     qdict_put(options, "driver", qstring_from_str("raw"));
+-    ret = bdrv_open(&snap_state.bs, statefile, NULL, options, bdrv_oflags, drv, &local_err);
++    ret = bdrv_open(&snap_state.bs, statefile, NULL, options, bdrv_oflags, &local_err);
+     if (ret < 0) {
+         error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
+         goto restart;
+@@ -454,8 +454,8 @@ void qmp_delete_drive_snapshot(const char *device, const char *name,
+     }
+ }
+-static int loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
+-                                int size)
++static ssize_t loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
++                                    size_t size)
+ {
+     BlockDriverState *bs = (BlockDriverState *)opaque;
+     int64_t maxlen = bdrv_getlength(bs);
+@@ -478,7 +478,6 @@ static const QEMUFileOps loadstate_file_ops = {
+ int load_state_from_blockdev(const char *filename)
+ {
+     BlockDriverState *bs = NULL;
+-    BlockDriver *drv = NULL;
+     Error *local_err = NULL;
+     Error *blocker = NULL;
+@@ -486,7 +485,7 @@ int load_state_from_blockdev(const char *filename)
+     int ret;
+     bs = bdrv_new();
+-    ret = bdrv_open(&bs, filename, NULL, NULL, 0, drv, &local_err);
++    ret = bdrv_open(&bs, filename, NULL, NULL, 0, &local_err);
+     error_setg(&blocker, "block device is in use by load state");
+     bdrv_op_block_all(bs, blocker);
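Review bot: In `load_state_from_blockdev()` the result of the updated `bdrv_open()` call is stored in `ret`, but the next lines shown call `error_setg(&blocker, ...)` and `bdrv_op_block_all(bs, blocker)` before any check of `ret`; test `ret < 0` directly after the open and bail out before touching `bs`. The patch also has an empty commit body; one line naming the API changes being followed (`drv` dropped from `bdrv_open()`, the extra arguments to `qemu_savevm_state_pending()`, `qemu_savevm_state_iterate()` and `qemu_savevm_state_complete_precopy()`) would help the next rebase.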
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch b/debian/patches/pve/0029-vnc-make-x509-imply-tls-again.patch
new file mode 100644 (file)
index 0000000..df15432
--- /dev/null
@@ -0,0 +1,28 @@
+From d42052d75321a1af75b039f8e31127b98485ec93 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 12 Jan 2016 09:09:49 +0100
+Subject: [PATCH 29/47] vnc: make x509 imply tls again
+
+---
+ ui/vnc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index b9f36b5..acbe3bd 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -3729,9 +3729,8 @@ void vnc_display_open(const char *id, Error **errp)
+         const char *path;
+         bool tls = false, x509 = false, x509verify = false;
+         tls  = qemu_opt_get_bool(opts, "tls", false);
+-        if (tls) {
+-            path = qemu_opt_get(opts, "x509");
+-
++        path = qemu_opt_get(opts, "x509");
++        if (tls || path) {
+             if (path) {
+                 x509 = true;
+             } else {
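Review bot: With `if (tls || path)` an `x509` option now turns TLS on even when `tls` was explicitly set to false, because `tls` is read with a default of `false` and an explicit "off" cannot be told apart from "unset"; if the override is intended, say so in the (currently empty) commit message and in the option documentation, otherwise reject the contradictory combination with an error.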
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0030-PVE-VNC-authentication.patch b/debian/patches/pve/0030-PVE-VNC-authentication.patch
new file mode 100644 (file)
index 0000000..5620655
--- /dev/null
@@ -0,0 +1,683 @@
+From 51dd4df80640e1671de73c014c6273b154df920a Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 11 Jan 2016 10:40:31 +0100
+Subject: [PATCH 30/47] PVE VNC authentication
+
+---
+ crypto/tlscreds.c         |  47 +++++++++++
+ crypto/tlscredspriv.h     |   2 +
+ crypto/tlscredsx509.c     |  13 ++--
+ crypto/tlssession.c       |   1 +
+ include/crypto/tlscreds.h |   1 +
+ include/ui/console.h      |   1 +
+ qemu-options.hx           |   3 +
+ ui/vnc-auth-vencrypt.c    | 194 ++++++++++++++++++++++++++++++++++++++--------
+ ui/vnc.c                  | 140 ++++++++++++++++++++++++++++++++-
+ ui/vnc.h                  |   4 +
+ vl.c                      |   9 +++
+ 11 files changed, 375 insertions(+), 40 deletions(-)
+
+diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
+index a896553..e9ae13c 100644
+--- a/crypto/tlscreds.c
++++ b/crypto/tlscreds.c
+@@ -158,6 +158,33 @@ qcrypto_tls_creds_prop_get_verify(Object *obj,
+ static void
++qcrypto_tls_creds_prop_set_pve(Object *obj,
++                                 bool value,
++                                 Error **errp G_GNUC_UNUSED)
++{
++    QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
++
++    creds->pve = value;
++}
++
++
++static bool
++qcrypto_tls_creds_prop_get_pve(Object *obj,
++                                  Error **errp G_GNUC_UNUSED)
++{
++    QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
++
++    return creds->pve;
++}
++
++bool qcrypto_tls_creds_is_pve(QCryptoTLSCreds *creds)
++{
++    Error *errp = NULL;
++    return qcrypto_tls_creds_prop_get_pve((Object*)creds, &errp);
++}
++
++
++static void
+ qcrypto_tls_creds_prop_set_dir(Object *obj,
+                                const char *value,
+                                Error **errp G_GNUC_UNUSED)
+@@ -250,6 +277,26 @@ qcrypto_tls_creds_init(Object *obj)
+     QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+     creds->verifyPeer = true;
++    creds->pve = false;
++
++    object_property_add_bool(obj, "verify-peer",
++                             qcrypto_tls_creds_prop_get_verify,
++                             qcrypto_tls_creds_prop_set_verify,
++                             NULL);
++    object_property_add_bool(obj, "pve",
++                             qcrypto_tls_creds_prop_get_pve,
++                             qcrypto_tls_creds_prop_set_pve,
++                             NULL);
++    object_property_add_str(obj, "dir",
++                            qcrypto_tls_creds_prop_get_dir,
++                            qcrypto_tls_creds_prop_set_dir,
++                            NULL);
++    object_property_add_enum(obj, "endpoint",
++                             "QCryptoTLSCredsEndpoint",
++                             QCryptoTLSCredsEndpoint_lookup,
++                             qcrypto_tls_creds_prop_get_endpoint,
++                             qcrypto_tls_creds_prop_set_endpoint,
++                             NULL);
+ }
+diff --git a/crypto/tlscredspriv.h b/crypto/tlscredspriv.h
+index 13e9b6c..0356acc 100644
+--- a/crypto/tlscredspriv.h
++++ b/crypto/tlscredspriv.h
+@@ -36,6 +36,8 @@ int qcrypto_tls_creds_get_dh_params_file(QCryptoTLSCreds *creds,
+                                          gnutls_dh_params_t *dh_params,
+                                          Error **errp);
++bool qcrypto_tls_creds_is_pve(QCryptoTLSCreds *creds);
++
+ #endif
+ #endif /* QCRYPTO_TLSCREDSPRIV_H */
+diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
+index 520d34d..1ba971c 100644
+--- a/crypto/tlscredsx509.c
++++ b/crypto/tlscredsx509.c
+@@ -555,22 +555,23 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
+         *key = NULL, *dhparams = NULL;
+     int ret;
+     int rv = -1;
++    bool pve = qcrypto_tls_creds_is_pve(&creds->parent_obj);
+     trace_qcrypto_tls_creds_x509_load(creds,
+             creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
+     if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+         if (qcrypto_tls_creds_get_path(&creds->parent_obj,
+-                                       QCRYPTO_TLS_CREDS_X509_CA_CERT,
++                                       pve ? "pve-root-ca.pem" : QCRYPTO_TLS_CREDS_X509_CA_CERT,
+                                        true, &cacert, errp) < 0 ||
+             qcrypto_tls_creds_get_path(&creds->parent_obj,
+                                        QCRYPTO_TLS_CREDS_X509_CA_CRL,
+                                        false, &cacrl, errp) < 0 ||
+             qcrypto_tls_creds_get_path(&creds->parent_obj,
+-                                       QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
++                                       pve ? "local/pve-ssl.pem" : QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
+                                        true, &cert, errp) < 0 ||
+             qcrypto_tls_creds_get_path(&creds->parent_obj,
+-                                       QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
++                                       pve ? "local/pve-ssl.key" : QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
+                                        true, &key, errp) < 0 ||
+             qcrypto_tls_creds_get_path(&creds->parent_obj,
+                                        QCRYPTO_TLS_CREDS_DH_PARAMS,
+@@ -579,13 +580,13 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
+         }
+     } else {
+         if (qcrypto_tls_creds_get_path(&creds->parent_obj,
+-                                       QCRYPTO_TLS_CREDS_X509_CA_CERT,
++                                       pve ? "pve-root-ca.pem" : QCRYPTO_TLS_CREDS_X509_CA_CERT,
+                                        true, &cacert, errp) < 0 ||
+             qcrypto_tls_creds_get_path(&creds->parent_obj,
+-                                       QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
++                                       pve ? "local/pve-ssl.pem" : QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
+                                        false, &cert, errp) < 0 ||
+             qcrypto_tls_creds_get_path(&creds->parent_obj,
+-                                       QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
++                                       pve ? "local/pve-ssl.key" : QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
+                                        false, &key, errp) < 0) {
+             goto cleanup;
+         }
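Review bot: The client branch substitutes `"local/pve-ssl.pem"` and `"local/pve-ssl.key"`, the same files the server branch in the previous hunk loads as the server certificate and key, so a client endpoint created with `pve` set would present the node's server identity; if that combination is not meant to be supported, reject it instead of mapping it. The three path literals are each repeated in both branches and would read better as named constants beside the `QCRYPTO_TLS_CREDS_X509_*` ones.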
+diff --git a/crypto/tlssession.c b/crypto/tlssession.c
+index 2de42c6..768466a 100644
+--- a/crypto/tlssession.c
++++ b/crypto/tlssession.c
+@@ -23,6 +23,7 @@
+ #include "crypto/tlscredsanon.h"
+ #include "crypto/tlscredsx509.h"
+ #include "qapi/error.h"
++#include "crypto/tlscredspriv.h"
+ #include "qemu/acl.h"
+ #include "trace.h"
+diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
+index ad47d88..f86d379 100644
+--- a/include/crypto/tlscreds.h
++++ b/include/crypto/tlscreds.h
+@@ -55,6 +55,7 @@ struct QCryptoTLSCreds {
+ #endif
+     bool verifyPeer;
+     char *priority;
++    bool pve;
+ };
+diff --git a/include/ui/console.h b/include/ui/console.h
+index 2703a3a..db6dd22 100644
+--- a/include/ui/console.h
++++ b/include/ui/console.h
+@@ -456,6 +456,7 @@ static inline void cocoa_display_init(DisplayState *ds, int full_screen)
+ #endif
+ /* vnc.c */
++void pve_auth_setup(int vmid);
+ void vnc_display_init(const char *id);
+ void vnc_display_open(const char *id, Error **errp);
+ void vnc_display_add_client(const char *id, int csock, bool skipauth);
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 37fad3b..f943ae6 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -473,6 +473,9 @@ STEXI
+ @table @option
+ ETEXI
++DEF("id", HAS_ARG, QEMU_OPTION_id,
++    "-id n         set the VMID\n", QEMU_ARCH_ALL)
++
+ DEF("fda", HAS_ARG, QEMU_OPTION_fda,
+     "-fda/-fdb file  use 'file' as floppy disk 0/1 image\n", QEMU_ARCH_ALL)
+ DEF("fdb", HAS_ARG, QEMU_OPTION_fdb, "", QEMU_ARCH_ALL)
+diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c
+index 11c8c9a..d11f1df 100644
+--- a/ui/vnc-auth-vencrypt.c
++++ b/ui/vnc-auth-vencrypt.c
+@@ -28,6 +28,107 @@
+ #include "vnc.h"
+ #include "qapi/error.h"
+ #include "qemu/main-loop.h"
++#include "qemu/sockets.h"
++
++static int protocol_client_auth_plain(VncState *vs, uint8_t *data, size_t len)
++{
++      const char *err = NULL;
++      char username[256];
++      char passwd[512];
++
++      char clientip[256];
++      clientip[0] = 0;
++      struct sockaddr_in client;
++      socklen_t addrlen = sizeof(client);
++      if (getpeername(vs->csock, &client, &addrlen) == 0) {
++              inet_ntop(client.sin_family, &client.sin_addr,
++                        clientip, sizeof(clientip));
++      }
++
++      if ((len != (vs->username_len + vs->password_len)) ||
++          (vs->username_len >= (sizeof(username)-1)) ||
++          (vs->password_len >= (sizeof(passwd)-1))    ) {
++              err = "Got unexpected data length";
++              goto err;
++      }
++
++      strncpy(username, (char *)data, vs->username_len);
++      username[vs->username_len] = 0;
++      strncpy(passwd, (char *)data + vs->username_len, vs->password_len);
++      passwd[vs->password_len] = 0;
++
++      VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);
++
++      if (pve_auth_verify(clientip, username, passwd) == 0) {
++              vnc_write_u32(vs, 0); /* Accept auth completion */
++              start_client_init(vs);
++              return 0;
++      }
++
++      err =  "Authentication failed";
++err:
++       if (err) {
++             VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
++             vnc_write_u32(vs, 1); /* Reject auth */
++             if (vs->minor >= 8) {
++                     int elen = strlen(err);
++                     vnc_write_u32(vs, elen);
++                     vnc_write(vs, err, elen);
++             }
++       }
++       vnc_flush(vs);
++       vnc_client_error(vs);
++
++       return 0;
++
++}
++
++static int protocol_client_auth_plain_start(VncState *vs, uint8_t *data, size_t len)
++{
++      uint32_t ulen = read_u32(data, 0);
++      uint32_t pwlen = read_u32(data, 4);
++      const char *err = NULL;
++
++      VNC_DEBUG("AUTH PLAIN START %u %u\n", ulen, pwlen);
++
++       if (!ulen) {
++             err = "No User name.";
++             goto err;
++       }
++       if (ulen >= 255) {
++             err = "User name too long.";
++             goto err;
++       }
++       if (!pwlen) {
++             err = "Password too short";
++             goto err;
++       }
++       if (pwlen >= 511) {
++             err = "Password too long.";
++             goto err;
++       }
++
++       vs->username_len = ulen;
++       vs->password_len = pwlen;
++
++       vnc_read_when(vs, protocol_client_auth_plain, ulen + pwlen);
++
++       return 0;
++err:
++       if (err) {
++             VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
++             vnc_write_u32(vs, 1); /* Reject auth */
++             if (vs->minor >= 8) {
++                     int elen = strlen(err);
++                     vnc_write_u32(vs, elen);
++                     vnc_write(vs, err, elen);
++             }
++       }
++       vnc_flush(vs);
++       vnc_client_error(vs);
++
++       return 0;
++}
+ static void start_auth_vencrypt_subauth(VncState *vs)
+ {
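Review bot: `VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);` in `protocol_client_auth_plain()` writes the cleartext password to the debug log; drop the `pw:` part. `passwd` is also left on the stack on every return path, so wipe it once `pve_auth_verify()` has returned. Separately, `getpeername()` is handed a `struct sockaddr_in` without a cast and the result is read through `sin_addr` whatever `sin_family` says, so an IPv6 peer produces a wrong `PVEClientIP`; use `struct sockaddr_storage` and branch on the family.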
+@@ -39,6 +140,17 @@ static void start_auth_vencrypt_subauth(VncState *vs)
+        start_client_init(vs);
+        break;
++    case VNC_AUTH_VENCRYPT_TLSPLAIN:
++    case VNC_AUTH_VENCRYPT_X509PLAIN:
++       VNC_DEBUG("Start TLS auth PLAIN\n");
++       vnc_read_when(vs, protocol_client_auth_plain_start, 8);
++       break;
++
++    case VNC_AUTH_VENCRYPT_PLAIN:
++       VNC_DEBUG("Start auth PLAIN\n");
++       vnc_read_when(vs, protocol_client_auth_plain_start, 8);
++       break;
++
+     case VNC_AUTH_VENCRYPT_TLSVNC:
+     case VNC_AUTH_VENCRYPT_X509VNC:
+        VNC_DEBUG("Start TLS auth VNC\n");
+@@ -87,44 +199,63 @@ static int protocol_client_vencrypt_auth(VncState *vs, uint8_t *data, size_t len
+ {
+     int auth = read_u32(data, 0);
+-    if (auth != vs->subauth) {
++    if (auth != vs->subauth && auth != VNC_AUTH_VENCRYPT_PLAIN) {
+         VNC_DEBUG("Rejecting auth %d\n", auth);
+         vnc_write_u8(vs, 0); /* Reject auth */
+         vnc_flush(vs);
+         vnc_client_error(vs);
+     } else {
+-        Error *err = NULL;
+-        QIOChannelTLS *tls;
+-        VNC_DEBUG("Accepting auth %d, setting up TLS for handshake\n", auth);
+-        vnc_write_u8(vs, 1); /* Accept auth */
+-        vnc_flush(vs);
+-
+-        if (vs->ioc_tag) {
+-            g_source_remove(vs->ioc_tag);
+-            vs->ioc_tag = 0;
++        if (auth == VNC_AUTH_VENCRYPT_PLAIN) {
++            vs->subauth = auth;
++            start_auth_vencrypt_subauth(vs);
+         }
++        else
++        {
++            Error *err = NULL;
++            QIOChannelTLS *tls;
++            VNC_DEBUG("Accepting auth %d, setting up TLS for handshake\n", auth);
++            vnc_write_u8(vs, 1); /* Accept auth */
++            vnc_flush(vs);
+-        tls = qio_channel_tls_new_server(
+-            vs->ioc,
+-            vs->vd->tlscreds,
+-            vs->vd->tlsaclname,
+-            &err);
+-        if (!tls) {
+-            VNC_DEBUG("Failed to setup TLS %s\n", error_get_pretty(err));
+-            error_free(err);
+-            vnc_client_error(vs);
+-            return 0;
+-        }
++            if (vs->ioc_tag) {
++                g_source_remove(vs->ioc_tag);
++                vs->ioc_tag = 0;
++            }
+-        VNC_DEBUG("Start TLS VeNCrypt handshake process\n");
+-        object_unref(OBJECT(vs->ioc));
+-        vs->ioc = QIO_CHANNEL(tls);
+-        vs->tls = qio_channel_tls_get_session(tls);
++            tls = qio_channel_tls_new_server(
++                vs->ioc,
++                vs->vd->tlscreds,
++                vs->vd->tlsaclname,
++                &err);
++            if (!tls) {
++                VNC_DEBUG("Failed to setup TLS %s\n", error_get_pretty(err));
++                error_free(err);
++                vnc_client_error(vs);
++                return 0;
++                vs->tls = qcrypto_tls_session_new(vs->vd->tlscreds,
++                                                  NULL,
++                                                  vs->vd->tlsaclname,
++                                                  QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
++                                                  &err);
++                if (!vs->tls) {
++                    VNC_DEBUG("Failed to setup TLS %s\n",
++                              error_get_pretty(err));
++                    error_free(err);
++                    vnc_client_error(vs);
++                    return 0;
++                }
++            }
+-        qio_channel_tls_handshake(tls,
+-                                  vnc_tls_handshake_done,
+-                                  vs,
+-                                  NULL);
++            VNC_DEBUG("Start TLS VeNCrypt handshake process\n");
++            object_unref(OBJECT(vs->ioc));
++            vs->ioc = QIO_CHANNEL(tls);
++            vs->tls = qio_channel_tls_get_session(tls);
++
++            qio_channel_tls_handshake(tls,
++                                      vnc_tls_handshake_done,
++                                      vs,
++                                      NULL);
++        }
+     }
+     return 0;
+ }
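Review bot: The relaxed test `auth != vs->subauth && auth != VNC_AUTH_VENCRYPT_PLAIN` accepts `VNC_AUTH_VENCRYPT_PLAIN` from any client regardless of the configured sub-auth, and that branch goes straight to `start_auth_vencrypt_subauth()` without creating the TLS channel, so the username and password are then read from an unencrypted connection even on a display set up with x509 credentials; accept PLAIN only when the display was explicitly configured for it. In the TLS branch, the `qcrypto_tls_session_new()` block placed after `return 0;` inside `if (!tls)` is unreachable and looks like a rebase leftover; remove it.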
+@@ -138,10 +269,11 @@ static int protocol_client_vencrypt_init(VncState *vs, uint8_t *data, size_t len
+         vnc_flush(vs);
+         vnc_client_error(vs);
+     } else {
+-        VNC_DEBUG("Sending allowed auth %d\n", vs->subauth);
++        VNC_DEBUG("Sending allowed auths %d %d\n", vs->subauth, VNC_AUTH_VENCRYPT_PLAIN);
+         vnc_write_u8(vs, 0); /* Accept version */
+-        vnc_write_u8(vs, 1); /* Number of sub-auths */
++        vnc_write_u8(vs, 2); /* Number of sub-auths */
+         vnc_write_u32(vs, vs->subauth); /* The supported auth */
++        vnc_write_u32(vs, VNC_AUTH_VENCRYPT_PLAIN); /* Alternative supported auth */
+         vnc_flush(vs);
+         vnc_read_when(vs, protocol_client_vencrypt_auth, 4);
+     }
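Review bot: `vnc_write_u8(vs, 2)` together with the extra `vnc_write_u32(vs, VNC_AUTH_VENCRYPT_PLAIN)` advertises the PLAIN sub-auth on every VeNCrypt display, including ones where `pve` is false and `vs->subauth` stays `VNC_AUTH_VENCRYPT_X509VNC` or `VNC_AUTH_VENCRYPT_TLSVNC`; build the list conditionally so non-PVE configurations keep offering exactly one sub-auth.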
+diff --git a/ui/vnc.c b/ui/vnc.c
+index acbe3bd..2a18a20 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -55,6 +55,125 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
+ #include "vnc_keysym.h"
+ #include "crypto/cipher.h"
++static int pve_vmid = 0;
++
++void pve_auth_setup(int vmid) {
++      pve_vmid = vmid;
++}
++
++static char *
++urlencode(char *buf, const char *value)
++{
++      static const char *hexchar = "0123456789abcdef";
++      char *p = buf;
++      int i;
++      int l = strlen(value);
++      for (i = 0; i < l; i++) {
++              char c = value[i];
++              if (('a' <= c && c <= 'z') ||
++                  ('A' <= c && c <= 'Z') ||
++                  ('0' <= c && c <= '9')) {
++                      *p++ = c;
++              } else if (c == 32) {
++                      *p++ = '+';
++              } else {
++                      *p++ = '%';
++                      *p++ = hexchar[c >> 4];
++                      *p++ = hexchar[c & 15];
++              }
++      }
++      *p = 0;
++
++      return p;
++}
++
++int
++pve_auth_verify(const char *clientip, const char *username, const char *passwd)
++{
++      struct sockaddr_in server;
++
++      int sfd = socket(AF_INET, SOCK_STREAM, 0);
++      if (sfd == -1) {
++              perror("pve_auth_verify: socket failed");
++              return -1;
++      }
++
++      struct hostent *he;
++      if ((he = gethostbyname("localhost")) == NULL) {
++              fprintf(stderr, "pve_auth_verify: error resolving hostname\n");
++              goto err;
++      }
++
++      memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
++      server.sin_family = AF_INET;
++      server.sin_port = htons(85);
++
++      if (connect(sfd, (struct sockaddr *)&server, sizeof(server))) {
++              perror("pve_auth_verify: error connecting to server");
++              goto err;
++      }
++
++      char buf[8192];
++      char form[8192];
++
++      char *p = form;
++      p = urlencode(p, "username");
++      *p++ = '=';
++      p = urlencode(p, username);
++
++      *p++ = '&';
++      p = urlencode(p, "password");
++      *p++ = '=';
++      p = urlencode(p, passwd);
++
++      *p++ = '&';
++      p = urlencode(p, "path");
++      *p++ = '=';
++      char authpath[256];
++      sprintf(authpath, "/vms/%d", pve_vmid);
++      p = urlencode(p, authpath);
++
++      *p++ = '&';
++      p = urlencode(p, "privs");
++      *p++ = '=';
++      p = urlencode(p, "VM.Console");
++
++      sprintf(buf, "POST /api2/json/access/ticket HTTP/1.1\n"
++              "Host: localhost:85\n"
++              "Connection: close\n"
++              "PVEClientIP: %s\n"
++              "Content-Type: application/x-www-form-urlencoded\n"
++              "Content-Length: %zd\n\n%s\n", clientip, strlen(form), form);
++      ssize_t len = strlen(buf);
++      ssize_t sb = send(sfd, buf, len, 0);
++      if (sb < 0) {
++              perror("pve_auth_verify: send failed");
++              goto err;
++      }
++      if (sb != len) {
++              fprintf(stderr, "pve_auth_verify: partial send error\n");
++              goto err;
++      }
++
++      len = recv(sfd, buf, sizeof(buf) - 1, 0);
++      if (len < 0) {
++              perror("pve_auth_verify: recv failed");
++              goto err;
++      }
++
++      buf[len] = 0;
++
++      //printf("DATA:%s\n", buf);
++
++      shutdown(sfd, SHUT_RDWR);
++
++      return strncmp(buf, "HTTP/1.1 200 OK", 15);
++
++err:
++      shutdown(sfd, SHUT_RDWR);
++      return -1;
++}
++
+ static QTAILQ_HEAD(, VncDisplay) vnc_displays =
+     QTAILQ_HEAD_INITIALIZER(vnc_displays);
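Review bot: In `urlencode()` `c` is a plain `char`, so on signed-char targets a byte at or above 0x80 makes `hexchar[c >> 4]` index with a negative value; convert through `unsigned char` before shifting and masking. `pve_auth_verify()` only ever calls `shutdown()` on `sfd` and never `close()`, on the success path and under `err:`, so every login attempt leaks a descriptor. `server` is also used without being zeroed, and `gethostbyname()`, `connect()` and `recv()` all block while the VNC client handler waits on them; connecting to the loopback address directly with a timeout would avoid the resolver call and bound the stall.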
+@@ -3413,11 +3532,17 @@ vnc_display_setup_auth(VncDisplay *vs,
+             if (object_dynamic_cast(OBJECT(vs->tlscreds),
+                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
+                 VNC_DEBUG("Initializing VNC server with x509 password auth\n");
+-                vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
++                if (vs->tlscreds->pve)
++                    vs->subauth = VNC_AUTH_VENCRYPT_X509PLAIN;
++                else
++                    vs->subauth = VNC_AUTH_VENCRYPT_X509VNC;
+             } else if (object_dynamic_cast(OBJECT(vs->tlscreds),
+                                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
+                 VNC_DEBUG("Initializing VNC server with TLS password auth\n");
+-                vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
++                if (vs->tlscreds->pve)
++                    vs->subauth = VNC_AUTH_VENCRYPT_TLSPLAIN;
++                else
++                    vs->subauth = VNC_AUTH_VENCRYPT_TLSVNC;
+             } else {
+                 error_setg(errp,
+                            "Unsupported TLS cred type %s",
+@@ -3508,6 +3633,7 @@ vnc_display_create_creds(bool x509,
+                          bool x509verify,
+                          const char *dir,
+                          const char *id,
++                         bool pve,
+                          Error **errp)
+ {
+     gchar *credsid = g_strdup_printf("tlsvnc%s", id);
+@@ -3523,6 +3649,7 @@ vnc_display_create_creds(bool x509,
+                                       "endpoint", "server",
+                                       "dir", dir,
+                                       "verify-peer", x509verify ? "yes" : "no",
++                                      "pve", pve ? "yes" : "no",
+                                       NULL);
+     } else {
+         creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
+@@ -3530,6 +3657,7 @@ vnc_display_create_creds(bool x509,
+                                       credsid,
+                                       &err,
+                                       "endpoint", "server",
++                                      "pve", pve ? "yes" : "no",
+                                       NULL);
+     }
+@@ -3727,12 +3855,17 @@ void vnc_display_open(const char *id, Error **errp)
+         }
+     } else {
+         const char *path;
+-        bool tls = false, x509 = false, x509verify = false;
++        bool tls = false, x509 = false, x509verify = false, pve = false;
+         tls  = qemu_opt_get_bool(opts, "tls", false);
+         path = qemu_opt_get(opts, "x509");
+         if (tls || path) {
+             if (path) {
+                 x509 = true;
++                if (!strcmp(path, "on")) {
++                    /* magic to default to /etc/pve */
++                    path = "/etc/pve";
++                    pve = true;
++                }
+             } else {
+                 path = qemu_opt_get(opts, "x509verify");
+                 if (path) {
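Review bot: The `!strcmp(path, "on")` special case turns `x509=on` into the hard-coded `/etc/pve` directory and switches on PVE authentication as a side effect, yet the `qemu-options.hx` change in this patch documents only `-id`; document the magic value with the `-vnc` x509 option, and consider a separate explicit flag so that a TLS path setting does not silently change the authentication backend.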
+@@ -3744,6 +3877,7 @@ void vnc_display_open(const char *id, Error **errp)
+                                                     x509verify,
+                                                     path,
+                                                     vs->id,
++                                                    pve,
+                                                     errp);
+             if (!vs->tlscreds) {
+                 goto fail;
+diff --git a/ui/vnc.h b/ui/vnc.h
+index ab5f244..2fde9d3 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -282,6 +282,8 @@ struct VncState
+     int auth;
+     int subauth; /* Used by VeNCrypt */
+     char challenge[VNC_AUTH_CHALLENGE_SIZE];
++    int username_len;
++    int password_len;
+     QCryptoTLSSession *tls; /* Borrowed pointer from channel, don't free */
+ #ifdef CONFIG_VNC_SASL
+     VncStateSASL sasl;
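Review bot: `username_len` and `password_len` are declared `int`, but they are assigned from `uint32_t` values in `protocol_client_auth_plain_start()` and compared against `sizeof(...)` and the `size_t len` argument in `protocol_client_auth_plain()`; declare them `uint32_t` or `size_t` so those comparisons are not mixed-sign.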
+@@ -577,4 +579,6 @@ int vnc_zrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h);
+ int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h);
+ void vnc_zrle_clear(VncState *vs);
++int pve_auth_verify(const char *clientip, const char *username, const char *passwd);
++
+ #endif /* QEMU_VNC_H */
+diff --git a/vl.c b/vl.c
+index 0b5a721..4742300 100644
+--- a/vl.c
++++ b/vl.c
+@@ -2950,6 +2950,7 @@ static int global_init_func(void *opaque, QemuOpts *opts, Error **errp)
+ int main(int argc, char **argv, char **envp)
+ {
+     int i;
++    long int vm_id_long = 0;
+     int snapshot, linux_boot;
+     const char *initrd_filename;
+     const char *kernel_filename, *kernel_cmdline;
+@@ -3722,6 +3723,14 @@ int main(int argc, char **argv, char **envp)
+                     exit(1);
+                 }
+                 break;
++            case QEMU_OPTION_id:
++                vm_id_long = strtol(optarg, (char **) &optarg, 10);
++                if (*optarg != 0 || vm_id_long < 100 || vm_id_long > INT_MAX) {
++                    fprintf(stderr, "Invalid ID\n");
++                    exit(1);
++                }
++                pve_auth_setup(vm_id_long);
++                break;
+             case QEMU_OPTION_vnc:
+                 vnc_parse(optarg, &error_fatal);
+                 break;
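Review bot: `strtol(optarg, (char **) &optarg, 10)` uses `optarg` as its own end pointer through a cast and overwrites it; parse into a local `char *end` and test `*end` instead. The lower bound in `vm_id_long < 100` is a magic number that needs a named constant or a comment, and because `pve_vmid` defaults to 0, `pve_auth_verify()` will request `/vms/0` whenever `-id` is omitted; fail PVE display setup when no VMID was given.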
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch b/debian/patches/pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch
new file mode 100644 (file)
index 0000000..90dadea
--- /dev/null
@@ -0,0 +1,24 @@
+From e4958531f423dd635053559d05e8c86c208ceb02 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 8 Feb 2016 08:23:34 +0100
+Subject: [PATCH 31/47] vma-writer: don't bail out on zero-length files
+
+---
+ vma-writer.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/vma-writer.c b/vma-writer.c
+index 0d26fc6..a378762 100644
+--- a/vma-writer.c
++++ b/vma-writer.c
+@@ -130,7 +130,6 @@ int vma_writer_add_config(VmaWriter *vmaw, const char *name, gpointer data,
+     assert(vmaw->config_count < VMA_MAX_CONFIGS);
+     assert(name);
+     assert(data);
+-    assert(len);
+     gchar *basename = g_path_get_basename(name);
+     uint32_t name_ptr = allocate_header_string(vmaw, basename);
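Review bot: Dropping assert(len) in vma_writer_add_config() leaves assert(data) in place, so a zero-length config is accepted only when the caller still passes a non-NULL buffer; a caller that represents an empty file as NULL with len 0 will still abort. The commit message has no body, so please state which caller produces len == 0 and confirm that the code following allocate_header_string() copes with a zero-length copy.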
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch b/debian/patches/pve/0032-vma-better-driver-guessing-for-bdrv_open.patch
new file mode 100644 (file)
index 0000000..db45d26
--- /dev/null
@@ -0,0 +1,42 @@
+From 2dc69ead56b7ecd60eb513ab5b6c9978e06070ef Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 23 Feb 2016 15:48:41 +0100
+Subject: [PATCH 32/47] vma: better driver guessing for bdrv_open
+
+Only use 'raw' when the file actually ends with .raw and
+no protocol has been specified. With protocol pass the
+BDRV_O_PROTOCOL flag to tell bdrv_fill_options() to take it
+into account.
+---
+ vma.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/vma.c b/vma.c
+index 08e4725..8a27704 100644
+--- a/vma.c
++++ b/vma.c
+@@ -293,7 +293,20 @@ static int extract_content(int argc, char **argv)
+             }
+             BlockDriverState *bs = bdrv_new();
+-            if (errp || bdrv_open(&bs, devfn, NULL, NULL, flags, &errp)) {
++
++          size_t devlen = strlen(devfn);
++          bool protocol = path_has_protocol(devfn);
++          QDict *options = NULL;
++          if (devlen > 4 && strcmp(devfn+devlen-4, ".raw") == 0 && !protocol) {
++              /* explicit raw format */
++              options = qdict_new();
++              qdict_put(options, "driver", qstring_from_str("raw"));
++          } else if (protocol) {
++              /* tell bdrv_open to honor the protocol */
++              flags |= BDRV_O_PROTOCOL;
++          }
++
++          if (errp || bdrv_open(&bs, devfn, NULL, options, flags, &errp)) {
+                 g_error("can't open file %s - %s", devfn,
+                         error_get_pretty(errp));
+             }
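Review bot: When devfn neither ends in .raw nor carries a protocol prefix, options stays NULL and bdrv_open() is left to choose the driver itself, so the format of a restore target is still inferred from whatever is already in that file. Consider requiring an explicit driver for every mapping instead of special-casing the suffix. The added lines are also indented by 10 spaces inside a block that uses 12.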
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch b/debian/patches/pve/0033-block-add-the-zeroinit-block-driver-filter.patch
new file mode 100644 (file)
index 0000000..f3fc5b7
--- /dev/null
@@ -0,0 +1,252 @@
+From 6f6f38d2ef8f22a12f72e4d60f8a1fa978ac569a Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Thu, 17 Mar 2016 11:33:37 +0100
+Subject: [PATCH 33/47] block: add the zeroinit block driver filter
+
+---
+ block/Makefile.objs |   1 +
+ block/zeroinit.c    | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 221 insertions(+)
+ create mode 100644 block/zeroinit.c
+
+diff --git a/block/Makefile.objs b/block/Makefile.objs
+index 2593a2f..930ca33 100644
+--- a/block/Makefile.objs
++++ b/block/Makefile.objs
+@@ -4,6 +4,7 @@ block-obj-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
+ block-obj-y += qed-check.o
+ block-obj-$(CONFIG_VHDX) += vhdx.o vhdx-endian.o vhdx-log.o
+ block-obj-y += quorum.o
++block-obj-y += zeroinit.o
+ block-obj-y += parallels.o blkdebug.o blkverify.o blkreplay.o
+ block-obj-y += block-backend.o snapshot.o qapi.o
+ block-obj-$(CONFIG_WIN32) += raw-win32.o win32-aio.o
+diff --git a/block/zeroinit.c b/block/zeroinit.c
+new file mode 100644
+index 0000000..c56a446
+--- /dev/null
++++ b/block/zeroinit.c
+@@ -0,0 +1,220 @@
++/*
++ * Filter to fake a zero-initialized block device.
++ *
++ * Copyright (c) 2016 Wolfgang Bumiller <w.bumiller@proxmox.com>
++ * Copyright (c) 2016 Proxmox Server Solutions GmbH
++ *
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * See the COPYING file in the top-level directory.
++ */
++
++#include "qemu/osdep.h"
++#include "qapi/error.h"
++#include "block/block_int.h"
++#include "qapi/qmp/qdict.h"
++#include "qapi/qmp/qstring.h"
++#include "qemu/cutils.h"
++
++typedef struct {
++    bool has_zero_init;
++    int64_t extents;
++} BDRVZeroinitState;
++
++/* Valid blkverify filenames look like blkverify:path/to/raw_image:path/to/image */
++static void zeroinit_parse_filename(const char *filename, QDict *options,
++                                     Error **errp)
++{
++    QString *raw_path;
++
++    /* Parse the blkverify: prefix */
++    if (!strstart(filename, "zeroinit:", &filename)) {
++        /* There was no prefix; therefore, all options have to be already
++           present in the QDict (except for the filename) */
++        return;
++    }
++
++    raw_path = qstring_from_str(filename);
++    qdict_put(options, "x-next", raw_path);
++}
++
++static QemuOptsList runtime_opts = {
++    .name = "zeroinit",
++    .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
++    .desc = {
++        {
++            .name = "x-next",
++            .type = QEMU_OPT_STRING,
++            .help = "[internal use only, will be removed]",
++        },
++        {
++            .name = "x-zeroinit",
++            .type = QEMU_OPT_BOOL,
++            .help = "set has_initialized_zero flag",
++        },
++        { /* end of list */ }
++    },
++};
++
++static int zeroinit_open(BlockDriverState *bs, QDict *options, int flags,
++                          Error **errp)
++{
++    BDRVZeroinitState *s = bs->opaque;
++    QemuOpts *opts;
++    Error *local_err = NULL;
++    int ret;
++
++    s->extents = 0;
++
++    opts = qemu_opts_create(&runtime_opts, NULL, 0, &error_abort);
++    qemu_opts_absorb_qdict(opts, options, &local_err);
++    if (local_err) {
++        error_propagate(errp, local_err);
++        ret = -EINVAL;
++        goto fail;
++    }
++
++    /* Open the raw file */
++    bs->file = bdrv_open_child(qemu_opt_get(opts, "x-next"), options, "next",
++                               bs, &child_file, false, &local_err);
++    if (local_err) {
++        ret = -EINVAL;
++        error_propagate(errp, local_err);
++        goto fail;
++    }
++
++    /* set the options */
++    s->has_zero_init = qemu_opt_get_bool(opts, "x-zeroinit", true);
++
++    ret = 0;
++fail:
++    if (ret < 0) {
++        bdrv_unref_child(bs, bs->file);
++    }
++    qemu_opts_del(opts);
++    return ret;
++}
++
++static void zeroinit_close(BlockDriverState *bs)
++{
++    BDRVZeroinitState *s = bs->opaque;
++    (void)s;
++}
++
++static int64_t zeroinit_getlength(BlockDriverState *bs)
++{
++    return bdrv_getlength(bs->file->bs);
++}
++
++static BlockAIOCB *zeroinit_aio_readv(BlockDriverState *bs,
++        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
++        BlockCompletionFunc *cb, void *opaque)
++{
++    return bdrv_aio_readv(bs->file, sector_num, qiov, nb_sectors,
++                          cb, opaque);
++}
++
++static int coroutine_fn zeroinit_co_pwrite_zeroes(BlockDriverState *bs, int64_t offset,
++                                                 int count, BdrvRequestFlags flags)
++{
++    BDRVZeroinitState *s = bs->opaque;
++    if (offset >= s->extents)
++        return 0;
++    return bdrv_pwrite_zeroes(bs->file, offset, count, flags);
++}
++
++static BlockAIOCB *zeroinit_aio_writev(BlockDriverState *bs,
++        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
++        BlockCompletionFunc *cb, void *opaque)
++{
++    BDRVZeroinitState *s = bs->opaque;
++    int64_t extents = (sector_num << BDRV_SECTOR_BITS) + ((nb_sectors + 1) << BDRV_SECTOR_BITS);
++    if (extents > s->extents)
++        s->extents = extents;
++    return bdrv_aio_writev(bs->file, sector_num, qiov, nb_sectors,
++                           cb, opaque);
++}
++
++static BlockAIOCB *zeroinit_aio_flush(BlockDriverState *bs,
++                                       BlockCompletionFunc *cb,
++                                       void *opaque)
++{
++    return bdrv_aio_flush(bs->file->bs, cb, opaque);
++}
++
++static bool zeroinit_recurse_is_first_non_filter(BlockDriverState *bs,
++                                                  BlockDriverState *candidate)
++{
++    return bdrv_recurse_is_first_non_filter(bs->file->bs, candidate);
++}
++
++static coroutine_fn int zeroinit_co_flush(BlockDriverState *bs)
++{
++    return bdrv_co_flush(bs->file->bs);
++}
++
++static int zeroinit_has_zero_init(BlockDriverState *bs)
++{
++    BDRVZeroinitState *s = bs->opaque;
++    return s->has_zero_init;
++}
++
++static int64_t coroutine_fn zeroinit_co_get_block_status(BlockDriverState *bs,
++                                                         int64_t sector_num,
++                                                         int nb_sectors, int *pnum,
++                                                         BlockDriverState **file)
++{
++    return bdrv_get_block_status(bs->file->bs, sector_num, nb_sectors, pnum, file);
++}
++
++static coroutine_fn BlockAIOCB *zeroinit_aio_pdiscard(BlockDriverState *bs,
++                                                     int64_t offset, int count,
++                                                     BlockCompletionFunc *cb, void *opaque)
++{
++    return bdrv_aio_pdiscard(bs->file->bs, offset, count, cb, opaque);
++}
++
++static int zeroinit_truncate(BlockDriverState *bs, int64_t offset)
++{
++    return bdrv_truncate(bs->file->bs, offset);
++}
++
++static int zeroinit_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
++{
++    return bdrv_get_info(bs->file->bs, bdi);
++}
++
++static BlockDriver bdrv_zeroinit = {
++    .format_name                      = "zeroinit",
++    .protocol_name                    = "zeroinit",
++    .instance_size                    = sizeof(BDRVZeroinitState),
++
++    .bdrv_parse_filename              = zeroinit_parse_filename,
++    .bdrv_file_open                   = zeroinit_open,
++    .bdrv_close                       = zeroinit_close,
++    .bdrv_getlength                   = zeroinit_getlength,
++    .bdrv_co_flush_to_disk            = zeroinit_co_flush,
++
++    .bdrv_co_pwrite_zeroes            = zeroinit_co_pwrite_zeroes,
++    .bdrv_aio_writev                  = zeroinit_aio_writev,
++    .bdrv_aio_readv                   = zeroinit_aio_readv,
++    .bdrv_aio_flush                   = zeroinit_aio_flush,
++
++    .is_filter                        = true,
++    .bdrv_recurse_is_first_non_filter = zeroinit_recurse_is_first_non_filter,
++
++    .bdrv_has_zero_init = zeroinit_has_zero_init,
++
++    .bdrv_co_get_block_status = zeroinit_co_get_block_status,
++
++    .bdrv_aio_pdiscard = zeroinit_aio_pdiscard,
++
++    .bdrv_truncate = zeroinit_truncate,
++    .bdrv_get_info = zeroinit_get_info,
++};
++
++static void bdrv_zeroinit_init(void)
++{
++    bdrv_register(&bdrv_zeroinit);
++}
++
++block_init(bdrv_zeroinit_init);
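Review bot: zeroinit_co_pwrite_zeroes() returns 0 without writing whenever offset >= s->extents, and it does so regardless of s->has_zero_init, so with x-zeroinit=false the filter reports no zero-init guarantee yet still drops zero writes and leaves whatever the underlying device held in that range. Gate the shortcut on s->has_zero_init. In zeroinit_aio_writev() the extent is computed with `nb_sectors + 1`, one sector past the end of the request; if that is deliberate it needs a comment. Both comments in zeroinit_parse_filename() still refer to blkverify.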
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch b/debian/patches/pve/0034-vma-add-format-option-to-device-mapping.patch
new file mode 100644 (file)
index 0000000..90b75ae
--- /dev/null
@@ -0,0 +1,108 @@
+From 10ae69c411df788752628c8950bf9e76c8cf6af1 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 12 Apr 2016 13:49:44 +0200
+Subject: [PATCH 34/47] vma: add format option to device mapping
+
+The BDRV_O_PROTOCOL option breaks non-raw protocol devices,
+so we instead now allow the format to be explicitly
+specified from the outside.
+
+In other words we now too deprecate the automatic guessing
+of raw formats, just like qemu already does, and have to
+silence the warnings by passing the drive mapping.
+---
+ vma.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/vma.c b/vma.c
+index 8a27704..c8ad6c0 100644
+--- a/vma.c
++++ b/vma.c
+@@ -130,6 +130,7 @@ static int list_content(int argc, char **argv)
+ typedef struct RestoreMap {
+     char *devname;
+     char *path;
++    char *format;
+     bool write_zero;
+ } RestoreMap;
+@@ -217,13 +218,24 @@ static int extract_content(int argc, char **argv)
+                 }
+             }
++            char *format = NULL;
++            if (strncmp(line, "format=", sizeof("format=")-1) == 0) {
++                format = line + sizeof("format=")-1;
++                char *colon = strchr(format, ':');
++                if (!colon) {
++                    g_error("read map failed - found only a format ('%s')", inbuf);
++                }
++                format = g_strndup(format, colon - format);
++                line = colon+1;
++            }
++
+             const char *path;
+             bool write_zero;
+             if (line[0] == '0' && line[1] == ':') {
+-                path = inbuf + 2;
++                path = line + 2;
+                 write_zero = false;
+             } else if (line[0] == '1' && line[1] == ':') {
+-                path = inbuf + 2;
++                path = line + 2;
+                 write_zero = true;
+             } else {
+                 g_error("read map failed - parse error ('%s')", inbuf);
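Review bot: The format= prefix parser accepts any string up to the first ':' as the driver name, including the empty string for `format=:`, and stores it without checking it against the formats vma is meant to restore to. Reject an empty name here and validate the value against a short allow-list before it reaches qdict_put() in the open path.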
+@@ -239,6 +251,7 @@ static int extract_content(int argc, char **argv)
+             RestoreMap *map = g_new0(RestoreMap, 1);
+             map->devname = g_strdup(devname);
+             map->path = g_strdup(path);
++            map->format = format;
+             map->write_zero = write_zero;
+             g_hash_table_insert(devmap, map->devname, map);
+@@ -263,6 +276,7 @@ static int extract_content(int argc, char **argv)
+             g_free(statefn);
+         } else if (di) {
+             char *devfn = NULL;
++            const char *format = NULL;
+             int flags = BDRV_O_RDWR;
+             bool write_zero = true;
+@@ -273,6 +287,7 @@ static int extract_content(int argc, char **argv)
+                     g_error("no device name mapping for %s", di->devname);
+                 }
+                 devfn = map->path;
++                format = map->format;
+                 write_zero = map->write_zero;
+             } else {
+                 devfn = g_strdup_printf("%s/tmp-disk-%s.raw",
+@@ -295,15 +310,20 @@ static int extract_content(int argc, char **argv)
+             BlockDriverState *bs = bdrv_new();
+           size_t devlen = strlen(devfn);
+-          bool protocol = path_has_protocol(devfn);
+           QDict *options = NULL;
+-          if (devlen > 4 && strcmp(devfn+devlen-4, ".raw") == 0 && !protocol) {
++            if (format) {
++                /* explicit format from commandline */
++                options = qdict_new();
++                qdict_put(options, "driver", qstring_from_str(format));
++            } else if ((devlen > 4 && strcmp(devfn+devlen-4, ".raw") == 0) ||
++                     strncmp(devfn, "/dev/", 5) == 0)
++          {
++                /* This part is now deprecated for PVE as well (just as qemu
++                 * deprecated not specifying an explicit raw format, too.
++                 */
+               /* explicit raw format */
+               options = qdict_new();
+               qdict_put(options, "driver", qstring_from_str("raw"));
+-          } else if (protocol) {
+-              /* tell bdrv_open to honor the protocol */
+-              flags |= BDRV_O_PROTOCOL;
+           }
+           if (errp || bdrv_open(&bs, devfn, NULL, options, flags, &errp)) {
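Review bot: A mapping with no format whose path matches neither the .raw suffix nor the /dev/ prefix still reaches bdrv_open() with options == NULL, and the deprecated raw fallback is taken silently; since the commit message calls the guessing deprecated, print a warning in that branch or fail when no format is mapped. The new comment has an unclosed parenthesis, the older `/* explicit raw format */` comment is left behind it, and the hunk mixes 12-space and 10-space indentation with a brace on its own line.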
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0035-fix-possible-unitialised-return-value.patch b/debian/patches/pve/0035-fix-possible-unitialised-return-value.patch
new file mode 100644 (file)
index 0000000..fb2dc2d
--- /dev/null
@@ -0,0 +1,25 @@
+From 927da5e2426aac5bef37c97604740deddedbda41 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 6 Apr 2016 16:45:15 +0200
+Subject: [PATCH 35/47] fix possible unitialised return value
+
+---
+ migration/savevm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/migration/savevm.c b/migration/savevm.c
+index b1bdfb6..cebba77 100644
+--- a/migration/savevm.c
++++ b/migration/savevm.c
+@@ -1020,7 +1020,7 @@ int qemu_savevm_state_complete_precopy(QEMUFile *f, bool iterable_only)
+     QJSON *vmdesc;
+     int vmdesc_len;
+     SaveStateEntry *se;
+-    int ret;
++    int ret = -1;
+     bool in_postcopy = migration_in_postcopy(migrate_get_current());
+     trace_savevm_state_complete_precopy();
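Review bot: Initialising ret to -1 silences the warning, but the commit message does not say which path through qemu_savevm_state_complete_precopy() returns it unset, and if callers interpret the result as a negative errno, -1 reads as -EPERM. Name the path in the message and choose the value a caller expects on it.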
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch b/debian/patches/pve/0036-vnc-refactor-to-QIOChannelSocket.patch
new file mode 100644 (file)
index 0000000..8b4421f
--- /dev/null
@@ -0,0 +1,87 @@
+From e6af4497017e37cb31f7cbd80137f41ce297d702 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 6 Apr 2016 16:47:54 +0200
+Subject: [PATCH 36/47] vnc: refactor to QIOChannelSocket
+
+---
+ ui/vnc-auth-vencrypt.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c
+index d11f1df..a529520 100644
+--- a/ui/vnc-auth-vencrypt.c
++++ b/ui/vnc-auth-vencrypt.c
+@@ -28,27 +28,23 @@
+ #include "vnc.h"
+ #include "qapi/error.h"
+ #include "qemu/main-loop.h"
+-#include "qemu/sockets.h"
++#include "io/channel-socket.h"
+ static int protocol_client_auth_plain(VncState *vs, uint8_t *data, size_t len)
+ {
+-      const char *err = NULL;
++      Error *err = NULL;
+       char username[256];
+       char passwd[512];
+-      char clientip[256];
+-      clientip[0] = 0;
+-      struct sockaddr_in client;
+-      socklen_t addrlen = sizeof(client);
+-      if (getpeername(vs->csock, &client, &addrlen) == 0) {
+-              inet_ntop(client.sin_family, &client.sin_addr,
+-                        clientip, sizeof(clientip));
++      SocketAddress *clientip = qio_channel_socket_get_remote_address(vs->sioc, &err);
++      if (err) {
++          goto err;
+       }
+       if ((len != (vs->username_len + vs->password_len)) ||
+           (vs->username_len >= (sizeof(username)-1)) ||
+           (vs->password_len >= (sizeof(passwd)-1))    ) {
+-              err = "Got unexpected data length";
++              error_setg(&err, "Got unexpected data length");
+               goto err;
+       }
+@@ -59,26 +55,31 @@ static int protocol_client_auth_plain(VncState *vs, uint8_t *data, size_t len)
+       VNC_DEBUG("AUTH PLAIN username: %s pw: %s\n", username, passwd);
+-      if (pve_auth_verify(clientip, username, passwd) == 0) {
++      if (pve_auth_verify(clientip->u.inet.data->host, username, passwd) == 0) {
+               vnc_write_u32(vs, 0); /* Accept auth completion */
+               start_client_init(vs);
++              qapi_free_SocketAddress(clientip);
+               return 0;
+       }
+-      err =  "Authentication failed";
++      error_setg(&err, "Authentication failed");
+ err:
+        if (err) {
+-             VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err);
++             const char *err_msg = error_get_pretty(err);
++             VNC_DEBUG("AUTH PLAIN ERROR: %s\n", err_msg);
+              vnc_write_u32(vs, 1); /* Reject auth */
+              if (vs->minor >= 8) {
+-                     int elen = strlen(err);
++                     int elen = strlen(err_msg);
+                      vnc_write_u32(vs, elen);
+-                     vnc_write(vs, err, elen);
++                     vnc_write(vs, err_msg, elen);
+              }
++             error_free(err);
+        }
+        vnc_flush(vs);
+        vnc_client_error(vs);
++       qapi_free_SocketAddress(clientip);
++
+        return 0;
+ }
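Review bot: `clientip->u.inet.data->host` is dereferenced without checking that the SocketAddress returned by qio_channel_socket_get_remote_address() is of the inet kind, so a client connected over a non-inet socket makes pve_auth_verify() read the wrong union member. Check clientip->type before the call and reject or substitute a fixed value otherwise. Separately, the err path now sends error_get_pretty(err) to the client, which after the first hunk can be the text of a local address-lookup failure; send a fixed string to the peer and keep the detail for VNC_DEBUG. The unchanged VNC_DEBUG line at the top of this hunk still prints passwd.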
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch b/debian/patches/pve/0037-vma-use-BlockBackend-on-extract.patch
new file mode 100644 (file)
index 0000000..9f836b7
--- /dev/null
@@ -0,0 +1,75 @@
+From 0d4b69786584eec1386183b259c22f7cae6df69d Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 1 Jul 2016 15:47:29 +0200
+Subject: [PATCH 37/47] vma: use BlockBackend on extract
+
+As we else rely on bdrv_close_all() do clean up, which was rewritten
+in ca9bd24cf1d53775169ba9adc17e265554d1afed and fails on "dangling"
+BDS pointers, such a pointer exists with *bs.
+Use the BlockBackend to get our BDS and just unref the BlockBackend
+when done, it handles the rest for us.
+
+The other two calls to bdrv_close_all() happen in verify_content()
+and dump_config(), both do not have a BDS so no need to change here.
+---
+ vma.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/vma.c b/vma.c
+index c8ad6c0..a2ddd32 100644
+--- a/vma.c
++++ b/vma.c
+@@ -19,6 +19,7 @@
+ #include "qemu/error-report.h"
+ #include "qemu/main-loop.h"
+ #include "sysemu/char.h" /* qstring_from_str */
++#include "sysemu/block-backend.h"
+ static void help(void)
+ {
+@@ -263,6 +264,8 @@ static int extract_content(int argc, char **argv)
+     int vmstate_fd = -1;
+     guint8 vmstate_stream = 0;
++    BlockBackend *blk = NULL;
++
+     for (i = 1; i < 255; i++) {
+         VmaDeviceInfo *di = vma_reader_get_device_info(vmar, i);
+         if (di && (strcmp(di->devname, "vmstate") == 0)) {
+@@ -307,8 +310,6 @@ static int extract_content(int argc, char **argv)
+                 write_zero = false;
+             }
+-            BlockDriverState *bs = bdrv_new();
+-
+           size_t devlen = strlen(devfn);
+           QDict *options = NULL;
+             if (format) {
+@@ -326,10 +327,14 @@ static int extract_content(int argc, char **argv)
+               qdict_put(options, "driver", qstring_from_str("raw"));
+           }
+-          if (errp || bdrv_open(&bs, devfn, NULL, options, flags, &errp)) {
++
++          if (errp || !(blk = blk_new_open(devfn, NULL, options, flags, &errp))) {
+                 g_error("can't open file %s - %s", devfn,
+                         error_get_pretty(errp));
+             }
++
++          BlockDriverState *bs = blk_bs(blk);
++
+             if (vma_reader_register_bs(vmar, i, bs, write_zero, &errp) < 0) {
+                 g_error("%s", error_get_pretty(errp));
+             }
+@@ -362,6 +367,8 @@ static int extract_content(int argc, char **argv)
+     vma_reader_destroy(vmar);
++    blk_unref(blk);
++
+     bdrv_close_all();
+     return ret;
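Review bot: blk is declared once outside the `for (i = 1; i < 255; i++)` loop and reassigned by blk_new_open() for every mapped device, but blk_unref(blk) runs only once after vma_reader_destroy(), so with more than one disk only the last BlockBackend is released before bdrv_close_all(). Keep the backends in an array or list and unref each one.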
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0038-vma-byte-based-write-calls.patch b/debian/patches/pve/0038-vma-byte-based-write-calls.patch
new file mode 100644 (file)
index 0000000..d2fe7b2
--- /dev/null
@@ -0,0 +1,237 @@
+From 1209cadf111aaf73b53e568f78104340b4ffb0bd Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 9 Sep 2016 14:51:28 +0200
+Subject: [PATCH 38/47] vma: byte based write calls
+
+---
+ vma-reader.c | 42 +++++++++++++++++++++---------------------
+ vma.c        | 22 ++++++++++------------
+ vma.h        |  2 +-
+ 3 files changed, 32 insertions(+), 34 deletions(-)
+
+diff --git a/vma-reader.c b/vma-reader.c
+index 78f1de9..2000889 100644
+--- a/vma-reader.c
++++ b/vma-reader.c
+@@ -25,7 +25,7 @@
+ static unsigned char zero_vma_block[VMA_BLOCK_SIZE];
+ typedef struct VmaRestoreState {
+-    BlockDriverState *bs;
++    BlockBackend *target;
+     bool write_zeroes;
+     unsigned long *bitmap;
+     int bitmap_size;
+@@ -423,12 +423,12 @@ VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id)
+ }
+ static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
+-                            BlockDriverState *bs, bool write_zeroes)
++                            BlockBackend *target, bool write_zeroes)
+ {
+     assert(vmar);
+     assert(dev_id);
+-    vmar->rstate[dev_id].bs = bs;
++    vmar->rstate[dev_id].target = target;
+     vmar->rstate[dev_id].write_zeroes = write_zeroes;
+     int64_t size = vmar->devinfo[dev_id].size;
+@@ -443,15 +443,15 @@ static void allocate_rstate(VmaReader *vmar,  guint8 dev_id,
+     vmar->cluster_count += size/VMA_CLUSTER_SIZE;
+ }
+-int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockDriverState *bs,
++int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockBackend *target,
+                            bool write_zeroes, Error **errp)
+ {
+     assert(vmar);
+-    assert(bs != NULL);
++    assert(target != NULL);
+     assert(dev_id);
+-    assert(vmar->rstate[dev_id].bs == NULL);
++    assert(vmar->rstate[dev_id].target == NULL);
+-    int64_t size = bdrv_getlength(bs);
++    int64_t size = blk_getlength(target);
+     int64_t size_diff = size - vmar->devinfo[dev_id].size;
+     /* storage types can have different size restrictions, so it
+@@ -465,7 +465,7 @@ int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id, BlockDriverState *bs,
+         return -1;
+     }
+-    allocate_rstate(vmar, dev_id, bs, write_zeroes);
++    allocate_rstate(vmar, dev_id, target, write_zeroes);
+     return 0;
+ }
+@@ -507,7 +507,7 @@ static size_t full_write(int fd, void *buf, size_t len)
+ }
+ static int restore_write_data(VmaReader *vmar, guint8 dev_id,
+-                              BlockDriverState *bs, int vmstate_fd,
++                              BlockBackend *target, int vmstate_fd,
+                               unsigned char *buf, int64_t sector_num,
+                               int nb_sectors, Error **errp)
+ {
+@@ -523,10 +523,10 @@ static int restore_write_data(VmaReader *vmar, guint8 dev_id,
+             }
+         }
+     } else {
+-        int res = bdrv_write(bs, sector_num, buf, nb_sectors);
++        int res = blk_pwrite(target, sector_num * BDRV_SECTOR_SIZE, buf, nb_sectors * BDRV_SECTOR_SIZE, 0);
+         if (res < 0) {
+-            error_setg(errp, "bdrv_write to %s failed (%d)",
+-                       bdrv_get_device_name(bs), res);
++            error_setg(errp, "blk_pwrite to %s failed (%d)",
++                       bdrv_get_device_name(blk_bs(target)), res);
+             return -1;
+         }
+     }
+@@ -556,11 +556,11 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+         }
+         VmaRestoreState *rstate = &vmar->rstate[dev_id];
+-        BlockDriverState *bs = NULL;
++        BlockBackend *target = NULL;
+         if (dev_id != vmar->vmstate_stream) {
+-            bs = rstate->bs;
+-            if (!verify && !bs) {
++            target = rstate->target;
++            if (!verify && !target) {
+                 error_setg(errp, "got wrong dev id %d", dev_id);
+                 return -1;
+             }
+@@ -618,7 +618,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+             if (!verify) {
+                 int nb_sectors = end_sector - sector_num;
+-                if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                if (restore_write_data(vmar, dev_id, target, vmstate_fd,
+                                        buf + start, sector_num, nb_sectors,
+                                        errp) < 0) {
+                     return -1;
+@@ -654,7 +654,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+                     if (!verify) {
+                         int nb_sectors = end_sector - sector_num;
+-                        if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                        if (restore_write_data(vmar, dev_id, target, vmstate_fd,
+                                                buf + start, sector_num,
+                                                nb_sectors, errp) < 0) {
+                             return -1;
+@@ -678,7 +678,7 @@ static int restore_extent(VmaReader *vmar, unsigned char *buf,
+                         }
+                         if (rstate->write_zeroes && !verify) {
+-                            if (restore_write_data(vmar, dev_id, bs, vmstate_fd,
++                            if (restore_write_data(vmar, dev_id, target, vmstate_fd,
+                                                    zero_vma_block, sector_num,
+                                                    nb_sectors, errp) < 0) {
+                                 return -1;
+@@ -786,12 +786,12 @@ static int vma_reader_restore_full(VmaReader *vmar, int vmstate_fd,
+     int i;
+     for (i = 1; i < 256; i++) {
+         VmaRestoreState *rstate = &vmar->rstate[i];
+-        if (!rstate->bs) {
++        if (!rstate->target) {
+             continue;
+         }
+-        if (bdrv_flush(rstate->bs) < 0) {
+-            error_setg(errp, "vma bdrv_flush %s failed",
++        if (blk_flush(rstate->target) < 0) {
++            error_setg(errp, "vma blk_flush %s failed",
+                        vmar->devinfo[i].devname);
+             return -1;
+         }
+diff --git a/vma.c b/vma.c
+index a2ddd32..ff974bd 100644
+--- a/vma.c
++++ b/vma.c
+@@ -333,9 +333,7 @@ static int extract_content(int argc, char **argv)
+                         error_get_pretty(errp));
+             }
+-          BlockDriverState *bs = blk_bs(blk);
+-
+-            if (vma_reader_register_bs(vmar, i, bs, write_zero, &errp) < 0) {
++            if (vma_reader_register_bs(vmar, i, blk, write_zero, &errp) < 0) {
+                 g_error("%s", error_get_pretty(errp));
+             }
+@@ -427,7 +425,7 @@ static int verify_content(int argc, char **argv)
+ }
+ typedef struct BackupJob {
+-    BlockDriverState *bs;
++    BlockBackend *target;
+     int64_t len;
+     VmaWriter *vmaw;
+     uint8_t dev_id;
+@@ -456,7 +454,7 @@ static void coroutine_fn backup_run(void *opaque)
+     int64_t start, end;
+     int ret = 0;
+-    unsigned char *buf = qemu_blockalign(job->bs, VMA_CLUSTER_SIZE);
++    unsigned char *buf = blk_blockalign(job->target, VMA_CLUSTER_SIZE);
+     start = 0;
+     end = DIV_ROUND_UP(job->len / BDRV_SECTOR_SIZE,
+@@ -467,8 +465,8 @@ static void coroutine_fn backup_run(void *opaque)
+         iov.iov_len = VMA_CLUSTER_SIZE;
+         qemu_iovec_init_external(&qiov, &iov, 1);
+-        ret = bdrv_co_readv(job->bs, start * BACKUP_SECTORS_PER_CLUSTER,
+-                            BACKUP_SECTORS_PER_CLUSTER, &qiov);
++        ret = blk_co_preadv(job->target, start * BACKUP_SECTORS_PER_CLUSTER,
++                            BACKUP_SECTORS_PER_CLUSTER, &qiov, 0);
+         if (ret < 0) {
+             vma_writer_set_error(job->vmaw, "read error", -1);
+             goto out;
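Review bot: blk_co_preadv() is called with `start * BACKUP_SECTORS_PER_CLUSTER` and `BACKUP_SECTORS_PER_CLUSTER`, the same sector-unit arguments that bdrv_co_readv() took, whereas the blk_pwrite() conversion in restore_write_data() multiplies both offset and length by BDRV_SECTOR_SIZE. For a byte-based call the offset and length here need the same scaling, otherwise the read covers far less than the VMA_CLUSTER_SIZE buffer set up in iov.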
+@@ -563,14 +561,14 @@ static int create_archive(int argc, char **argv)
+         path = extract_devname(path, &devname, devcount++);
+         Error *errp = NULL;
+-        BlockDriverState *bs;
++        BlockBackend *target;
+-        bs = bdrv_open(path, NULL, NULL, 0, &errp);
+-        if (!bs) {
++        target = blk_new_open(path, NULL, NULL, 0, &errp);
++        if (!target) {
+             unlink(archivename);
+             g_error("bdrv_open '%s' failed - %s", path, error_get_pretty(errp));
+         }
+-        int64_t size = bdrv_getlength(bs);
++        int64_t size = blk_getlength(target);
+         int dev_id = vma_writer_register_stream(vmaw, devname, size);
+         if (dev_id <= 0) {
+             unlink(archivename);
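Review bot: The failure message after blk_new_open() still reads "bdrv_open '%s' failed", and the disk being read for the archive is now held in a variable and a BackupJob field named target, the same name the restore side uses for the device being written. Update the message and use a name such as source. blk_new_open() is also called with NULL options, so the format of the source image is left to detection.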
+@@ -579,7 +577,7 @@ static int create_archive(int argc, char **argv)
+         BackupJob *job = g_new0(BackupJob, 1);
+         job->len = size;
+-        job->bs = bs;
++        job->target = target;
+         job->vmaw = vmaw;
+         job->dev_id = dev_id;
+diff --git a/vma.h b/vma.h
+index 365ceb2..fa6f4df 100644
+--- a/vma.h
++++ b/vma.h
+@@ -140,7 +140,7 @@ VmaHeader *vma_reader_get_header(VmaReader *vmar);
+ GList *vma_reader_get_config_data(VmaReader *vmar);
+ VmaDeviceInfo *vma_reader_get_device_info(VmaReader *vmar, guint8 dev_id);
+ int vma_reader_register_bs(VmaReader *vmar, guint8 dev_id,
+-                           BlockDriverState *bs, bool write_zeroes,
++                           BlockBackend *target, bool write_zeroes,
+                            Error **errp);
+ int vma_reader_restore(VmaReader *vmar, int vmstate_fd, bool verbose,
+                        Error **errp);
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch b/debian/patches/pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch
new file mode 100644 (file)
index 0000000..0e1f752
--- /dev/null
@@ -0,0 +1,29 @@
+From 8aaa1a8108aabdca93d866eeaa9308deae81cd70 Mon Sep 17 00:00:00 2001
+From: Alexandre Derumier <aderumier@odiso.com>
+Date: Tue, 26 Jul 2016 16:51:00 +0200
+Subject: [PATCH 39/47] rbd: disable rbd_cache_writethrough_until_flush with
+ cache=unsafe
+
+Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
+---
+ block/rbd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 5cefdbb..b0bb516 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -552,6 +552,10 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags,
+         rados_conf_set(s->cluster, "rbd_cache", "true");
+     }
++    if (flags & BDRV_O_NO_FLUSH) {
++      rados_conf_set(s->cluster, "rbd_cache_writethrough_until_flush", "false");
++    }
++
+     r = rados_connect(s->cluster);
+     if (r < 0) {
+         error_setg_errno(errp, -r, "error connecting");
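Review bot: The rados_conf_set() line inside the new BDRV_O_NO_FLUSH block is indented by six spaces while the surrounding code uses four and eight; please align it to eight. The commit message also has no body, so the reason for the change has to be guessed (presumably that with cache=unsafe no flush is ever issued, so the cache would never leave writethrough mode). A one-line comment above the if stating that would help, as would a note that this overrides whatever the user has configured for rbd_cache_writethrough_until_flush. The return value of rados_conf_set() is ignored here, as it is for the rbd_cache call just above.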
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch b/debian/patches/pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch
new file mode 100644 (file)
index 0000000..c4fbc64
--- /dev/null
@@ -0,0 +1,43 @@
+From 383a94de8f4f887a95b8089b2f0141321d94f5fe Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 1 Aug 2016 10:52:46 +0200
+Subject: [PATCH 40/47] enable cache=unsafe for vma extract_content and
+ qmp_savevm_start
+
+We don't send any flush here, so we need to open with cache=unsafe.
+
+Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
+---
+ savevm-async.c | 2 +-
+ vma.c          | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/savevm-async.c b/savevm-async.c
+index 7979435..76cd8fa 100644
+--- a/savevm-async.c
++++ b/savevm-async.c
+@@ -253,7 +253,7 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+ {
+     Error *local_err = NULL;
+-    int bdrv_oflags = BDRV_O_RDWR;
++    int bdrv_oflags = BDRV_O_RDWR | BDRV_O_NO_FLUSH;
+     int ret;
+     if (snap_state.state != SAVE_STATE_DONE) {
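Review bot: Adding BDRV_O_NO_FLUSH to bdrv_oflags in qmp_savevm_start rests on the commit message's claim that "We don't send any flush here", but block_state_close() in this same file returns the result of a flush on the state device when the QEMUFile is closed. With this flag that flush no longer reaches the disk, so a save can be reported as complete before the state file is on stable storage. Either say in the commit message that losing the state file on host crash is acceptable, or keep the final flush effective. Separately, the From: header and the Signed-off-by: line name different people; please add the missing sign-off or correct the author.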
+diff --git a/vma.c b/vma.c
+index ff974bd..a8fa4ff 100644
+--- a/vma.c
++++ b/vma.c
+@@ -280,7 +280,7 @@ static int extract_content(int argc, char **argv)
+         } else if (di) {
+             char *devfn = NULL;
+             const char *format = NULL;
+-            int flags = BDRV_O_RDWR;
++            int flags = BDRV_O_RDWR | BDRV_O_NO_FLUSH;
+             bool write_zero = true;
+             if (readmap) {
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0041-savevm-async-updates.patch b/debian/patches/pve/0041-savevm-async-updates.patch
new file mode 100644 (file)
index 0000000..a427269
--- /dev/null
@@ -0,0 +1,215 @@
+From 9ea20572325cbc6df31293b863ccb8d2ae0e1dbd Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 9 Sep 2016 15:21:19 +0200
+Subject: [PATCH 41/47] savevm-async updates
+
+---
+ savevm-async.c | 79 +++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 39 insertions(+), 40 deletions(-)
+
+diff --git a/savevm-async.c b/savevm-async.c
+index 76cd8fa..8c76137 100644
+--- a/savevm-async.c
++++ b/savevm-async.c
+@@ -20,6 +20,8 @@
+ /* #define DEBUG_SAVEVM_STATE */
++#define NOT_DONE 0x7fffffff /* used while emulated sync operation in progress */
++
+ #ifdef DEBUG_SAVEVM_STATE
+ #define DPRINTF(fmt, ...) \
+     do { printf("savevm-async: " fmt, ## __VA_ARGS__); } while (0)
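Review bot: NOT_DONE is defined here but nothing in this patch uses it; the first user only appears in the later "convert savevm-async to threads" patch. Move the define to the patch that needs it so each patch in the series builds and reads on its own.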
+@@ -38,7 +40,7 @@ enum {
+ static struct SnapshotState {
+-    BlockDriverState *bs;
++    BlockBackend *target;
+     size_t bs_pos;
+     int state;
+     Error *error;
+@@ -99,17 +101,17 @@ static int save_snapshot_cleanup(void)
+         ret = qemu_fclose(snap_state.file);
+     }
+-    if (snap_state.bs) {
++    if (snap_state.target) {
+         /* try to truncate, but ignore errors (will fail on block devices).
+          * note: bdrv_read() need whole blocks, so we round up
+          */
+         size_t size = (snap_state.bs_pos + BDRV_SECTOR_SIZE) & BDRV_SECTOR_MASK;
+-        bdrv_truncate(snap_state.bs, size);
+-        bdrv_op_unblock_all(snap_state.bs, snap_state.blocker);
++        blk_truncate(snap_state.target, size);
++        blk_op_unblock_all(snap_state.target, snap_state.blocker);
+         error_free(snap_state.blocker);
+         snap_state.blocker = NULL;
+-        bdrv_unref(snap_state.bs);
+-        snap_state.bs = NULL;
++        blk_unref(snap_state.target);
++        snap_state.target = NULL;
+     }
+     return ret;
+@@ -151,21 +153,22 @@ static void save_snapshot_completed(void)
+ static int block_state_close(void *opaque)
+ {
+     snap_state.file = NULL;
+-    return bdrv_flush(snap_state.bs);
++    return blk_flush(snap_state.target);
+ }
+-static ssize_t block_state_put_buffer(void *opaque, const uint8_t *buf,
+-                                      int64_t pos, size_t size)
++static ssize_t block_state_writev_buffer(void *opaque, struct iovec *iov,
++                                         int iovcnt, int64_t pos)
+ {
+-    ssize_t ret;
+-
+-    assert(pos == snap_state.bs_pos);
++    int ret;
++    QEMUIOVector qiov;
+-    if ((ret = bdrv_pwrite(snap_state.bs, snap_state.bs_pos, buf, size)) > 0) {
+-        snap_state.bs_pos += ret;
++    qemu_iovec_init_external(&qiov, iov, iovcnt);
++    ret = blk_co_pwritev(snap_state.target, pos, qiov.size, &qiov, 0);
++    if (ret < 0) {
++        return ret;
+     }
+-
+-    return ret;
++    snap_state.bs_pos += qiov.size;
++    return qiov.size;
+ }
+ static int store_and_stop(void) {
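Review bot: block_state_writev_buffer drops the assert(pos == snap_state.bs_pos) that block_state_put_buffer had, yet it now writes at the caller-supplied pos while still advancing snap_state.bs_pos by qiov.size. bs_pos is what save_snapshot_cleanup() uses for the truncate size and what process_savevm_co() compares against maxlen, so if pos and bs_pos ever diverge the file would be truncated or bounded at the wrong offset with no diagnostic. Keep the assert, or derive the write offset from bs_pos as the old code did. The function also returns qiov.size as ssize_t after storing the result in an int ret; fine for the error check, but worth a comment that a short write is not expected from blk_co_pwritev().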
+@@ -227,7 +230,7 @@ static void process_savevm_co(void *opaque)
+         /* stop the VM if we get to the end of available space,
+          * or if pending_size is just a few MB
+          */
+-        maxlen = bdrv_getlength(snap_state.bs) - 30*1024*1024;
++        maxlen = blk_getlength(snap_state.target) - 30*1024*1024;
+         if ((pending_size < 100000) ||
+             ((snap_state.bs_pos + pending_size) >= maxlen)) {
+             if (store_and_stop())
+@@ -244,7 +247,7 @@ static void process_savevm_co(void *opaque)
+ }
+ static const QEMUFileOps block_file_ops = {
+-    .put_buffer =     block_state_put_buffer,
++    .writev_buffer =  block_state_writev_buffer,
+     .close =          block_state_close,
+ };
+@@ -254,7 +257,6 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+     Error *local_err = NULL;
+     int bdrv_oflags = BDRV_O_RDWR | BDRV_O_NO_FLUSH;
+-    int ret;
+     if (snap_state.state != SAVE_STATE_DONE) {
+         error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+@@ -284,13 +286,11 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+     }
+     /* Open the image */
+-    snap_state.bs = bdrv_new();
+- 
+     QDict *options = NULL;
+     options = qdict_new();
+     qdict_put(options, "driver", qstring_from_str("raw"));
+-    ret = bdrv_open(&snap_state.bs, statefile, NULL, options, bdrv_oflags, &local_err);
+-    if (ret < 0) {
++    snap_state.target = blk_new_open(statefile, NULL, options, bdrv_oflags, &local_err);
++    if (!snap_state.target) {
+         error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open '%s'", statefile);
+         goto restart;
+     }
+@@ -304,9 +304,9 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+     error_setg(&snap_state.blocker, "block device is in use by savevm");
+-    bdrv_op_block_all(snap_state.bs, snap_state.blocker);
++    blk_op_block_all(snap_state.target, snap_state.blocker);
+-    Coroutine *co = qemu_coroutine_create(process_savevm_co);
++    Coroutine *co = qemu_coroutine_create(process_savevm_co, NULL);
+     qemu_coroutine_enter(co);
+     return;
+@@ -457,8 +457,8 @@ void qmp_delete_drive_snapshot(const char *device, const char *name,
+ static ssize_t loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
+                                     size_t size)
+ {
+-    BlockDriverState *bs = (BlockDriverState *)opaque;
+-    int64_t maxlen = bdrv_getlength(bs);
++    BlockBackend *be = opaque;
++    int64_t maxlen = blk_getlength(be);
+     if (pos > maxlen) {
+         return -EIO;
+     }
+@@ -468,7 +468,7 @@ static ssize_t loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
+     if (size == 0) {
+         return 0;
+     }
+-    return bdrv_pread(bs, pos, buf, size);
++    return blk_pread(be, pos, buf, size);
+ }
+ static const QEMUFileOps loadstate_file_ops = {
+@@ -477,28 +477,27 @@ static const QEMUFileOps loadstate_file_ops = {
+ int load_state_from_blockdev(const char *filename)
+ {
+-    BlockDriverState *bs = NULL;
++    BlockBackend *be;
+     Error *local_err = NULL;
+     Error *blocker = NULL;
+     QEMUFile *f;
+-    int ret;
++    int ret = -EINVAL;
+-    bs = bdrv_new();
+-    ret = bdrv_open(&bs, filename, NULL, NULL, 0, &local_err);
+-    error_setg(&blocker, "block device is in use by load state");
+-    bdrv_op_block_all(bs, blocker);
++    be = blk_new_open(filename, NULL, NULL, 0, &local_err);
+-    if (ret < 0) {
++    if (!be) {
+         error_report("Could not open VM state file");
+         goto the_end;
+     }
++    error_setg(&blocker, "block device is in use by load state");
++    blk_op_block_all(be, blocker);
++
+     /* restore the VM state */
+-    f = qemu_fopen_ops(bs, &loadstate_file_ops);
++    f = qemu_fopen_ops(be, &loadstate_file_ops);
+     if (!f) {
+         error_report("Could not open VM state file");
+-        ret = -EINVAL;
+         goto the_end;
+     }
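Review bot: In load_state_from_blockdev, the !be branch reports only "Could not open VM state file" and never looks at local_err, which blk_new_open() was asked to fill in. The actual reason for the failure is lost and the Error object is not freed in the lines shown. Include error_get_pretty(local_err) in the error_report() call and error_free() it. The same fixed message is also used for the qemu_fopen_ops() failure a few lines below, which makes the two cases indistinguishable in logs; give them different texts. Moving blk_op_block_all() after the NULL check is a good fix.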
+@@ -516,10 +515,10 @@ int load_state_from_blockdev(const char *filename)
+     ret = 0;
+  the_end:
+-    if (bs) {
+-        bdrv_op_unblock_all(bs, blocker);
++    if (be) {
++        blk_op_unblock_all(be, blocker);
+         error_free(blocker);
+-        bdrv_unref(bs);
++        blk_unref(be);
+     }
+     return ret;
+ }
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch b/debian/patches/pve/0042-qmp_snapshot_drive-add-aiocontext.patch
new file mode 100644 (file)
index 0000000..c78ab68
--- /dev/null
@@ -0,0 +1,65 @@
+From 704d008790dbccfd38aa55463c9e8bd873d08a3d Mon Sep 17 00:00:00 2001
+From: Alexandre Derumier <aderumier@odiso.com>
+Date: Tue, 13 Sep 2016 01:57:56 +0200
+Subject: [PATCH 42/47] qmp_snapshot_drive: add aiocontext
+
+Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
+---
+ savevm-async.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/savevm-async.c b/savevm-async.c
+index 8c76137..99ba132 100644
+--- a/savevm-async.c
++++ b/savevm-async.c
+@@ -345,6 +345,7 @@ void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
+     BlockBackend *blk;
+     BlockDriverState *bs;
+     QEMUSnapshotInfo sn1, *sn = &sn1;
++    AioContext *aio_context;
+     int ret;
+ #ifdef _WIN32
+     struct _timeb tb;
+@@ -371,20 +372,23 @@ void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
+         return;
+     }
++    aio_context = bdrv_get_aio_context(bs);
++    aio_context_acquire(aio_context);
++
+     if (bdrv_is_read_only(bs)) {
+         error_setg(errp, "Node '%s' is read only", device);
+-        return;
++        goto out;
+     }
+     if (!bdrv_can_snapshot(bs)) {
+         error_setg(errp, QERR_UNSUPPORTED);
+-        return;
++        goto out;
+     }
+     if (bdrv_snapshot_find(bs, sn, name) >= 0) {
+         error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                   "snapshot '%s' already exists", name);
+-        return;
++        goto out;
+     }
+     sn = &sn1;
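Review bot: After aio_context_acquire() every exit from qmp_snapshot_drive has to pass through the new out: label, but this hunk and the next only show four of the return statements being converted. The lines between "sn = &sn1;" and the bdrv_snapshot_create failure check are not part of the diff, so please confirm there is no remaining return in that range, since it would leave the AioContext locked. The commit message has no body; a sentence on which failure this fixes (the later qmp_delete_drive_snapshot patch mentions qcow2 with iothread enabled) would make the two patches consistent.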
+@@ -409,8 +413,11 @@ void qmp_snapshot_drive(const char *device, const char *name, Error **errp)
+     if (ret < 0) {
+         error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                   "Error while creating snapshot on '%s'\n", device);
+-        return;
++        goto out;
+     }
++
++out:
++    aio_context_release(aio_context);
+ }
+ void qmp_delete_drive_snapshot(const char *device, const char *name,
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch b/debian/patches/pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch
new file mode 100644 (file)
index 0000000..3d08a8d
--- /dev/null
@@ -0,0 +1,27 @@
+From ed8e3b7faeb3a36e1105aac4813cd9876735bd81 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 21 Oct 2016 09:09:26 +0200
+Subject: [PATCH 43/47] vma: sizes passed to blk_co_preadv should be bytes now
+
+---
+ vma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vma.c b/vma.c
+index a8fa4ff..752a21b 100644
+--- a/vma.c
++++ b/vma.c
+@@ -465,8 +465,8 @@ static void coroutine_fn backup_run(void *opaque)
+         iov.iov_len = VMA_CLUSTER_SIZE;
+         qemu_iovec_init_external(&qiov, &iov, 1);
+-        ret = blk_co_preadv(job->target, start * BACKUP_SECTORS_PER_CLUSTER,
+-                            BACKUP_SECTORS_PER_CLUSTER, &qiov, 0);
++        ret = blk_co_preadv(job->target, start * VMA_CLUSTER_SIZE,
++                            VMA_CLUSTER_SIZE, &qiov, 0);
+         if (ret < 0) {
+             vma_writer_set_error(job->vmaw, "read error", -1);
+             goto out;
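Review bot: The offset argument to blk_co_preadv() is now start * VMA_CLUSTER_SIZE in bytes, and the type of start is not visible in this hunk. If start is a 32-bit integer the multiplication overflows for large images before it is widened to the int64_t offset parameter; make sure start is int64_t or cast one operand. It would also help to mention in the commit message that the previous sector-based arguments caused reads of the wrong region and length, so that anyone bisecting a bad backup can find this change.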
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0044-glusterfs-daemonize.patch b/debian/patches/pve/0044-glusterfs-daemonize.patch
new file mode 100644 (file)
index 0000000..16febf8
--- /dev/null
@@ -0,0 +1,31 @@
+From a7613eb93e702d5de5b40d17c4d4e95e8e5a010d Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 24 Oct 2016 09:32:36 +0200
+Subject: [PATCH 44/47] glusterfs: daemonize
+
+---
+ block/gluster.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 01b479f..6dcf926 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -341,9 +341,11 @@ static struct glfs *qemu_gluster_glfs_init(BlockdevOptionsGluster *gconf,
+         }
+     }
+-    ret = glfs_set_logging(glfs, "-", gconf->debug_level);
+-    if (ret < 0) {
+-        goto out;
++    if (!is_daemonized()) {
++        ret = glfs_set_logging(glfs, "-", gconf->debug_level);
++        if (ret < 0) {
++            goto out;
++        }
+     }
+     ret = glfs_init(glfs);
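Review bot: With the new !is_daemonized() guard, glfs_set_logging() is skipped entirely for a daemonized process, so gconf->debug_level is silently ignored and libgfapi logs wherever its default points. The commit message gives no reason for the change. If the problem is that "-" (stderr) is not usable after daemonizing, say so in a comment and consider pointing the log at a file in the daemonized case so that the debug level a user configured still has an effect.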
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch b/debian/patches/pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch
new file mode 100644 (file)
index 0000000..5841588
--- /dev/null
@@ -0,0 +1,59 @@
+From 41cd2dcf03fe0187221a8d005f423cc091d76dfc Mon Sep 17 00:00:00 2001
+From: Alexandre Derumier <aderumier@odiso.com>
+Date: Mon, 7 Nov 2016 11:47:50 +0100
+Subject: [PATCH 45/47] qmp_delete_drive_snapshot : add aiocontext
+
+this fix snapshot delete of qcow2 with iothread enabled
+
+Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
+---
+ savevm-async.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/savevm-async.c b/savevm-async.c
+index 99ba132..660b25b 100644
+--- a/savevm-async.c
++++ b/savevm-async.c
+@@ -427,6 +427,7 @@ void qmp_delete_drive_snapshot(const char *device, const char *name,
+     BlockDriverState *bs;
+     QEMUSnapshotInfo sn1, *sn = &sn1;
+     Error *local_err = NULL;
++    AioContext *aio_context;
+     int ret;
+@@ -443,22 +444,28 @@ void qmp_delete_drive_snapshot(const char *device, const char *name,
+         return;
+     }
++    aio_context = bdrv_get_aio_context(bs);
++    aio_context_acquire(aio_context);
++
+     if (!bdrv_can_snapshot(bs)) {
+         error_setg(errp, QERR_UNSUPPORTED);
+-        return;
++        goto out;
+     }
+     if (bdrv_snapshot_find(bs, sn, name) < 0) {
+         /* return success if snapshot does not exists */
+-        return;
++        goto out;
+     }
+     ret = bdrv_snapshot_delete(bs, NULL, name, &local_err);
+     if (ret < 0) {
+         error_set(errp, ERROR_CLASS_GENERIC_ERROR,
+                   "Error while deleting snapshot on '%s'\n", device);
+-        return;
++        goto out;
+     }
++
++out:
++    aio_context_release(aio_context);
+ }
+ static ssize_t loadstate_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
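Review bot: On the bdrv_snapshot_delete() failure path local_err is neither propagated nor freed: the code sets a generic message on errp and jumps to out:, which only releases the AioContext. Since this patch is already reworking the exits, either pass the detail on with error_propagate(errp, local_err) or call error_free(local_err) before the goto. The acquire/release pairing itself looks correct for the three exits shown.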
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0046-convert-savevm-async-to-threads.patch b/debian/patches/pve/0046-convert-savevm-async-to-threads.patch
new file mode 100644 (file)
index 0000000..4391b09
--- /dev/null
@@ -0,0 +1,234 @@
+From 593664f6efe07973f54d3cbcc4203c05ad68f6cf Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 8 Nov 2016 11:13:06 +0100
+Subject: [PATCH 46/47] convert savevm-async to threads
+
+---
+ savevm-async.c | 144 +++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 88 insertions(+), 56 deletions(-)
+
+diff --git a/savevm-async.c b/savevm-async.c
+index 660b25b..7b4c219 100644
+--- a/savevm-async.c
++++ b/savevm-async.c
+@@ -48,6 +48,8 @@ static struct SnapshotState {
+     int saved_vm_running;
+     QEMUFile *file;
+     int64_t total_time;
++    QEMUBH *cleanup_bh;
++    QemuThread thread;
+ } snap_state;
+ SaveVMInfo *qmp_query_savevm(Error **errp)
+@@ -135,19 +137,6 @@ static void save_snapshot_error(const char *fmt, ...)
+     g_free (msg);
+     snap_state.state = SAVE_STATE_ERROR;
+-
+-    save_snapshot_cleanup();
+-}
+-
+-static void save_snapshot_completed(void)
+-{
+-    DPRINTF("save_snapshot_completed\n");
+-
+-    if (save_snapshot_cleanup() < 0) {
+-        snap_state.state = SAVE_STATE_ERROR;
+-    } else {
+-        snap_state.state = SAVE_STATE_COMPLETED;
+-    }
+ }
+ static int block_state_close(void *opaque)
+@@ -156,51 +145,90 @@ static int block_state_close(void *opaque)
+     return blk_flush(snap_state.target);
+ }
++typedef struct BlkRwCo {
++    int64_t offset;
++    QEMUIOVector *qiov;
++    int ret;
++} BlkRwCo;
++
++static void block_state_write_entry(void *opaque) {
++    BlkRwCo *rwco = opaque;
++    rwco->ret = blk_co_pwritev(snap_state.target, rwco->offset, rwco->qiov->size,
++                               rwco->qiov, 0);
++}
++
+ static ssize_t block_state_writev_buffer(void *opaque, struct iovec *iov,
+                                          int iovcnt, int64_t pos)
+ {
+-    int ret;
+     QEMUIOVector qiov;
++    AioContext *aio_context;
++    Coroutine *co;
++    BlkRwCo rwco;
++
++    assert(pos == snap_state.bs_pos);
++    rwco = (BlkRwCo) {
++        .offset = pos,
++        .qiov = &qiov,
++        .ret = NOT_DONE,
++    };
+     qemu_iovec_init_external(&qiov, iov, iovcnt);
+-    ret = blk_co_pwritev(snap_state.target, pos, qiov.size, &qiov, 0);
+-    if (ret < 0) {
+-        return ret;
++
++    aio_context = blk_get_aio_context(snap_state.target);
++    aio_context_acquire(aio_context);
++    co = qemu_coroutine_create(&block_state_write_entry, &rwco);
++    qemu_coroutine_enter(co);
++    while (rwco.ret == NOT_DONE) {
++        aio_poll(aio_context, true);
+     }
++    aio_context_release(aio_context);
++
+     snap_state.bs_pos += qiov.size;
+     return qiov.size;
+ }
+-static int store_and_stop(void) {
+-    if (global_state_store()) {
+-        save_snapshot_error("Error saving global state");
+-        return 1;
++static void process_savevm_cleanup(void *opaque)
++{
++    int ret;
++    qemu_bh_delete(snap_state.cleanup_bh);
++    snap_state.cleanup_bh = NULL;
++    qemu_mutex_unlock_iothread();
++    qemu_thread_join(&snap_state.thread);
++    qemu_mutex_lock_iothread();
++    ret = save_snapshot_cleanup();
++    if (ret < 0) {
++        save_snapshot_error("save_snapshot_cleanup error %d", ret);
++    } else if (snap_state.state == SAVE_STATE_ACTIVE) {
++        snap_state.state = SAVE_STATE_COMPLETED;
++    } else {
++        save_snapshot_error("process_savevm_cleanup: invalid state: %d",
++                            snap_state.state);
+     }
+-    if (runstate_is_running()) {
+-        vm_stop(RUN_STATE_SAVE_VM);
++    if (snap_state.saved_vm_running) {
++        vm_start();
++        snap_state.saved_vm_running = false;
+     }
+-    return 0;
+ }
+-static void process_savevm_co(void *opaque)
++static void *process_savevm_thread(void *opaque)
+ {
+     int ret;
+     int64_t maxlen;
++
+     MigrationParams params = {
+         .blk = 0,
+         .shared = 0
+     };
+-    snap_state.state = SAVE_STATE_ACTIVE;
++    rcu_register_thread();
+-    qemu_mutex_unlock_iothread();
+     qemu_savevm_state_header(snap_state.file);
+     ret = qemu_savevm_state_begin(snap_state.file, &params);
+-    qemu_mutex_lock_iothread();
+     if (ret < 0) {
+         save_snapshot_error("qemu_savevm_state_begin failed");
+-        return;
++        rcu_unregister_thread();
++        return NULL;
+     }
+     while (snap_state.state == SAVE_STATE_ACTIVE) {
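Review bot: block_state_writev_buffer no longer checks the write result: after the aio_poll() loop rwco.ret is ignored, bs_pos is advanced and qiov.size is returned even when blk_co_pwritev() failed, whereas the code being removed returned the negative ret. Return rwco.ret when it is negative so that a failed write aborts the save instead of producing a truncated or corrupt state file that is reported as good. Two further points in this hunk: the early return in process_savevm_thread after qemu_savevm_state_begin() fails never schedules cleanup_bh, so the thread is never joined and save_snapshot_cleanup() never runs; and process_savevm_cleanup() sends every state other than SAVE_STATE_ACTIVE to the "invalid state" branch, which overwrites the original error message set by the thread with a less useful one.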
+@@ -209,41 +237,43 @@ static void process_savevm_co(void *opaque)
+         qemu_savevm_state_pending(snap_state.file, 0, &pend_nonpost, &pend_post);
+         pending_size = pend_post + pend_nonpost;
+-        if (pending_size) {
+-                ret = qemu_savevm_state_iterate(snap_state.file, false);
+-                if (ret < 0) {
+-                    save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
+-                    break;
+-                }
+-                DPRINTF("savevm inerate pending size %lu ret %d\n", pending_size, ret);
++        maxlen = blk_getlength(snap_state.target) - 30*1024*1024;
++
++        if (pending_size > 400000 && snap_state.bs_pos + pending_size < maxlen) {
++            qemu_mutex_lock_iothread();
++            ret = qemu_savevm_state_iterate(snap_state.file, false);
++            if (ret < 0) {
++                save_snapshot_error("qemu_savevm_state_iterate error %d", ret);
++                break;
++            }
++            qemu_mutex_unlock_iothread();
++            DPRINTF("savevm inerate pending size %lu ret %d\n", pending_size, ret);
+         } else {
+-            DPRINTF("done iterating\n");
+-            if (store_and_stop())
++            qemu_mutex_lock_iothread();
++            qemu_system_wakeup_request(QEMU_WAKEUP_REASON_OTHER);
++            ret = global_state_store();
++            if (ret) {
++                save_snapshot_error("global_state_store error %d", ret);
++                break;
++            }
++            ret = vm_stop_force_state(RUN_STATE_FINISH_MIGRATE);
++            if (ret < 0) {
++                save_snapshot_error("vm_stop_force_state error %d", ret);
+                 break;
++            }
+             DPRINTF("savevm inerate finished\n");
+             qemu_savevm_state_complete_precopy(snap_state.file, false);
++            qemu_savevm_state_cleanup();
+             DPRINTF("save complete\n");
+-            save_snapshot_completed();
+             break;
+         }
+-
+-        /* stop the VM if we get to the end of available space,
+-         * or if pending_size is just a few MB
+-         */
+-        maxlen = blk_getlength(snap_state.target) - 30*1024*1024;
+-        if ((pending_size < 100000) ||
+-            ((snap_state.bs_pos + pending_size) >= maxlen)) {
+-            if (store_and_stop())
+-                break;
+-        }
+     }
+-    if(snap_state.state == SAVE_STATE_CANCELLED) {
+-        save_snapshot_completed();
+-        Error *errp = NULL;
+-        qmp_savevm_end(&errp);
+-    }
++    qemu_bh_schedule(snap_state.cleanup_bh);
++    qemu_mutex_unlock_iothread();
++    rcu_unregister_thread();
++    return NULL;
+ }
+ static const QEMUFileOps block_file_ops = {
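Review bot: The qemu_mutex_unlock_iothread() after the loop is only balanced when the loop is left through one of the break statements, all of which run with the iothread lock held. If the while condition itself ends the loop because snap_state.state was changed from another thread (the removed code handled SAVE_STATE_CANCELLED at this point), the lock is not held and this unlocks a mutex the thread does not own. Take the lock explicitly before scheduling the bottom half, or restructure so that each branch releases what it acquired. The iterate threshold also changes from the old pending_size < 100000 test to pending_size > 400000 without a word in the commit message; please state the reason.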
+@@ -306,8 +336,10 @@ void qmp_savevm_start(bool has_statefile, const char *statefile, Error **errp)
+     error_setg(&snap_state.blocker, "block device is in use by savevm");
+     blk_op_block_all(snap_state.target, snap_state.blocker);
+-    Coroutine *co = qemu_coroutine_create(process_savevm_co, NULL);
+-    qemu_coroutine_enter(co);
++    snap_state.state = SAVE_STATE_ACTIVE;
++    snap_state.cleanup_bh = qemu_bh_new(process_savevm_cleanup, &snap_state);
++    qemu_thread_create(&snap_state.thread, "savevm-async", process_savevm_thread,
++                       NULL, QEMU_THREAD_JOINABLE);
+     return;
+-- 
+2.1.4
+
diff --git a/debian/patches/pve/0047-glusterfs-allow-partial-reads.patch b/debian/patches/pve/0047-glusterfs-allow-partial-reads.patch
new file mode 100644 (file)
index 0000000..6e2379a
--- /dev/null
@@ -0,0 +1,78 @@
+From 519bcfc6d86a42a643ee65a0741bb2418c7d2e67 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 30 Nov 2016 10:27:47 +0100
+Subject: [PATCH 47/47] glusterfs: allow partial reads
+
+This should deal with qemu bug #1644754 until upstream
+decides which way to go. The general direction seems to be
+away from sector based block APIs and with that in mind, and
+when comparing to other network block backends (eg. nfs)
+treating partial reads as errors doesn't seem to make much
+sense.
+---
+ block/gluster.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 6dcf926..17c51ed 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -39,6 +39,7 @@ typedef struct GlusterAIOCB {
+     QEMUBH *bh;
+     Coroutine *coroutine;
+     AioContext *aio_context;
++    bool is_write;
+ } GlusterAIOCB;
+ typedef struct BDRVGlusterState {
+@@ -623,8 +624,10 @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg)
+         acb->ret = 0; /* Success */
+     } else if (ret < 0) {
+         acb->ret = -errno; /* Read/Write failed */
++    } else if (acb->is_write) {
++        acb->ret = -EIO; /* Partial write - fail it */
+     } else {
+-        acb->ret = -EIO; /* Partial read/write - fail it */
++        acb->ret = 0; /* Success */
+     }
+     acb->bh = aio_bh_new(acb->aio_context, qemu_gluster_complete_aio, acb);
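Review bot: The new final else branch in gluster_finish_aiocb reports a short read as acb->ret = 0 and discards the byte count, so the caller believes the whole request was filled while the tail of the buffer keeps whatever it contained before the call. Zero the unread remainder of the iovec before signalling success, or pass the short count up so the caller can retry; otherwise stale buffer contents can be returned as disk data. Also note that is_write is assigned individually at each call site in the later hunks rather than in one initializer, so any future caller that forgets it will read an indeterminate value here; initialising the whole GlusterAIOCB with a designated initializer would remove that risk.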
+@@ -861,6 +864,7 @@ static coroutine_fn int qemu_gluster_co_pwrite_zeroes(BlockDriverState *bs,
+     acb.ret = 0;
+     acb.coroutine = qemu_coroutine_self();
+     acb.aio_context = bdrv_get_aio_context(bs);
++    acb.is_write = true;
+     ret = glfs_zerofill_async(s->fd, offset, size, gluster_finish_aiocb, &acb);
+     if (ret < 0) {
+@@ -979,9 +983,11 @@ static coroutine_fn int qemu_gluster_co_rw(BlockDriverState *bs,
+     acb.aio_context = bdrv_get_aio_context(bs);
+     if (write) {
++        acb.is_write = true;
+         ret = glfs_pwritev_async(s->fd, qiov->iov, qiov->niov, offset, 0,
+                                  gluster_finish_aiocb, &acb);
+     } else {
++        acb.is_write = false;
+         ret = glfs_preadv_async(s->fd, qiov->iov, qiov->niov, offset, 0,
+                                 gluster_finish_aiocb, &acb);
+     }
+@@ -1044,6 +1050,7 @@ static coroutine_fn int qemu_gluster_co_flush_to_disk(BlockDriverState *bs)
+     acb.ret = 0;
+     acb.coroutine = qemu_coroutine_self();
+     acb.aio_context = bdrv_get_aio_context(bs);
++    acb.is_write = true;
+     ret = glfs_fsync_async(s->fd, gluster_finish_aiocb, &acb);
+     if (ret < 0) {
+@@ -1090,6 +1097,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs,
+     acb.ret = 0;
+     acb.coroutine = qemu_coroutine_self();
+     acb.aio_context = bdrv_get_aio_context(bs);
++    acb.is_write = true;
+     ret = glfs_discard_async(s->fd, offset, size, gluster_finish_aiocb, &acb);
+     if (ret < 0) {
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644 (file)
index 0000000..ff76828
--- /dev/null
@@ -0,0 +1,97 @@
+pve/0001-fr-ca-keymap-corrections.patch
+pve/0002-Adjust-network-script-path-to-etc-kvm.patch
+pve/0003-vnc-altgr-emulation.patch
+pve/0004-qemu-img-return-success-on-info-without-snapshots.patch
+pve/0005-use-kvm-by-default.patch
+pve/0006-virtio-balloon-fix-query.patch
+pve/0007-set-the-CPU-model-to-kvm64-32-instead-of-qemu64-32.patch
+pve/0008-qapi-modify-query-machines.patch
+pve/0009-qapi-modify-spice-query.patch
+pve/0010-ui-spice-default-to-pve-certs-unless-otherwise-speci.patch
+pve/0011-introduce-new-vma-archive-format.patch
+pve/0012-vma-add-verify-command.patch
+pve/0013-vma-add-config-command-to-dump-the-config.patch
+pve/0014-backup-modify-job-api.patch
+pve/0015-backup-add-pve-monitor-commands.patch
+pve/0016-backup-vma-add-dir-format.patch
+pve/0017-backup-do-not-return-errors-in-dump-callback.patch
+pve/0018-backup-vma-correctly-propagate-error.patch
+pve/0019-backup-vma-remove-async-queue.patch
+pve/0020-backup-vma-run-flush-inside-coroutine.patch
+pve/0021-backup-do-not-use-bdrv_drain_all.patch
+pve/0022-internal-snapshot-async.patch
+pve/0023-backup-vma-allow-empty-backups.patch
+pve/0024-qmp-add-get_link_status.patch
+pve/0025-smm_available-false.patch
+pve/0026-use-whitespace-between-VERSION-and-PKGVERSION.patch
+pve/0027-vma-add-firewall.patch
+pve/0028-savevm-async-migration-and-bdrv_open-update.patch
+pve/0029-vnc-make-x509-imply-tls-again.patch
+pve/0030-PVE-VNC-authentication.patch
+pve/0031-vma-writer-don-t-bail-out-on-zero-length-files.patch
+pve/0032-vma-better-driver-guessing-for-bdrv_open.patch
+pve/0033-block-add-the-zeroinit-block-driver-filter.patch
+pve/0034-vma-add-format-option-to-device-mapping.patch
+pve/0035-fix-possible-unitialised-return-value.patch
+pve/0036-vnc-refactor-to-QIOChannelSocket.patch
+pve/0037-vma-use-BlockBackend-on-extract.patch
+pve/0038-vma-byte-based-write-calls.patch
+pve/0039-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch
+pve/0040-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch
+pve/0041-savevm-async-updates.patch
+pve/0042-qmp_snapshot_drive-add-aiocontext.patch
+pve/0043-vma-sizes-passed-to-blk_co_preadv-should-be-bytes-no.patch
+pve/0044-glusterfs-daemonize.patch
+pve/0045-qmp_delete_drive_snapshot-add-aiocontext.patch
+pve/0046-convert-savevm-async-to-threads.patch
+pve/0047-glusterfs-allow-partial-reads.patch
+#see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all
+extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
+extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
+extra/0002-net-vmxnet-initialise-local-tx-descriptor.patch
+extra/0003-net-limit-allocation-in-nc_sendv_compat.patch
+extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
+extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
+extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
+extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
+extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
+extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
+extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
+extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
+extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
+extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
+extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
+extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
+extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
+extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
+extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
+extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
+extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
+extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
+extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
+extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
+extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
+extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
+extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
+extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
+extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
+extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
+extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
+extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
+extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
+extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
+extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
+extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
+extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
+extra/0003-cirrus-fix-blit-address-mask-handling.patch
+extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
+extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
+extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
+extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
+extra/0001-cirrus-fix-patterncopy-checks.patch
+extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+extra/CVE-2017-2620_cirrus_add_blit_is_unsafe_call_to_cirrus_bitblt_cputovideo.patch
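Review bot: The series applies extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch and, further down, extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch, which undoes it. If nothing in between depends on the intermediate state, drop both entries; otherwise add a comment line in the series explaining why the pair is kept. Two smaller points on the same list: the 0001- to 0004- prefixes repeat across unrelated groups (vmxnet, cirrus, sdhci), so the file names say nothing about apply order, and the 9pfs entries are listed as CVE-2016-9103, 9101, 9105, 9102, 9106, 9104, which looks accidental unless the order is a dependency order. A short comment stating that series order is authoritative would help whoever next rebases these CVE fixes.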
diff --git a/debian/postinst b/debian/postinst
new file mode 100755 (executable)
index 0000000..ddf9452
--- /dev/null
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Abort if any command returns an error value 
+set -e
+
+case "$1" in
+  configure)
+
+    # remove stale /etc/qemu (files are in /etc/kvm)
+    # file is now in /usr/share/kvm/cpus-x86_64.conf
+    rm -f /etc/qemu/target-x86_64.conf
+    if test -d /etc/qemu; then rmdir /etc/qemu; fi
+    rm -f /etc/kvm/target-x86_64.conf
+
+    # There are three sub-cases:
+    if test "${2+set}" != set; then
+      # We're being installed by an ancient dpkg which doesn't remember
+      # which version was most recently configured, or even whether
+      # there is a most recently configured version.
+      :
+
+    elif test -z "$2" -o "$2" = "<unknown>"; then
+      # The package has not ever been configured on this system, or was
+      # purged since it was last configured.
+      :
+
+    else
+      # Version $2 is the most recently configured version of this
+      # package.
+      :
+
+    fi ;;
+  abort-upgrade)
+    # Back out of an attempt to upgrade this package FROM THIS VERSION
+    # to version $2.  Undo the effects of "prerm upgrade $2".
+    :
+
+    ;;
+  abort-remove)
+    if test "$2" != in-favour; then
+      echo "$0: undocumented call to \`postinst $*'" 1>&2
+      exit 0
+    fi
+    # Back out of an attempt to remove this package, which was due to
+    # a conflict with package $3 (version $4).  Undo the effects of
+    # "prerm remove in-favour $3 $4".
+    :
+
+    ;;
+  abort-deconfigure)
+    if test "$2" != in-favour -o "$5" != removing; then
+      echo "$0: undocumented call to \`postinst $*'" 1>&2
+      exit 0
+    fi
+    # Back out of an attempt to deconfigure this package, which was
+    # due to package $6 (version $7) which we depend on being removed
+    # to make way for package $3 (version $4).  Undo the effects of
+    # "prerm deconfigure in-favour $3 $4 removing $6 $7".
+    :
+
+    ;;
+  *) echo "$0: didn't understand being called with \`$1'" 1>&2
+     exit 0;;
+esac
+
+exit 0
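Review bot: In the configure branch, "rmdir /etc/qemu" runs under "set -e", so a /etc/qemu directory that still holds any other file makes rmdir fail and aborts package configuration. Only target-x86_64.conf is removed beforehand, so a leftover local file is enough to trigger this. Use "rmdir --ignore-fail-on-non-empty /etc/qemu" or append "|| true". Separately, the abort-remove and abort-deconfigure guards and the catch-all branch print an error to stderr and then "exit 0", so dpkg records an unrecognised invocation as success; if that is deliberate, say so in a comment, otherwise exit non-zero.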
diff --git a/debian/rules b/debian/rules
new file mode 100755 (executable)
index 0000000..26a06a7
--- /dev/null
@@ -0,0 +1,145 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+PACKAGE=pve-qemu-kvm
+destdir := $(CURDIR)/debian/$(PACKAGE)
+
+ifneq "$(wildcard /usr/share/quilt/quilt.make)" ""
+include /usr/share/quilt/quilt.make
+endif
+
+CFLAGS = -Wall
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+       CFLAGS += -O0
+else
+       CFLAGS += -O2
+endif
+
+config.status: configure
+       dh_testdir
+       # Add here commands to configure the package.
+       ./configure --with-confsuffix="/kvm" --target-list=x86_64-softmmu --prefix=/usr --datadir=/usr/share --docdir=/usr/share/doc/pve-qemu-kvm --sysconfdir=/etc --localstatedir=/var --disable-xen --enable-gnutls --enable-sdl --enable-uuid --enable-linux-aio --enable-rbd --enable-libiscsi --disable-smartcard --audio-drv-list="alsa" --enable-spice --enable-usb-redir --enable-glusterfs --enable-libusb --disable-gtk --enable-xfsctl --enable-numa --disable-strip --enable-jemalloc --disable-libnfs --disable-fdt
+
+build: patch build-stamp
+
+build-stamp:  config.status
+       dh_testdir
+
+       # Add here commands to compile the package.
+       $(MAKE)
+
+       #docbook-to-man debian/kvm.sgml > kvm.1
+
+       touch $@
+
+clean: unpatch
+       dh_testdir
+       dh_testroot
+       rm -f build-stamp
+
+       # Add here commands to clean up after the build process.
+       -$(MAKE) distclean
+ifneq "$(wildcard /usr/share/misc/config.sub)" ""
+       cp -f /usr/share/misc/config.sub config.sub
+endif
+ifneq "$(wildcard /usr/share/misc/config.guess)" ""
+       cp -f /usr/share/misc/config.guess config.guess
+endif
+
+
+       dh_clean
+
+install: build
+       dh_testdir
+       dh_testroot
+       dh_clean -k
+       dh_installdirs
+
+       # Add here commands to install the package into debian/pve-kvm.
+       $(MAKE) DESTDIR=$(destdir) install
+
+       mv $(destdir)/usr/bin/qemu-system-x86_64 $(destdir)/usr/bin/kvm
+       mv $(destdir)/usr/share/man/man1/qemu.1 $(destdir)/usr/share/man/man1/kvm.1
+
+       # Install the userspace utilities
+       install -s -m 0755 vma $(destdir)/usr/bin/
+
+       install -D -m 0755 $(CURDIR)/debian/kvm-ifup $(destdir)/etc/kvm/kvm-ifup
+       install -D -m 0755 $(CURDIR)/debian/kvm-ifdown $(destdir)/etc/kvm/kvm-ifdown
+
+       #install ovmf uefi rom
+       install -D -m 0644 $(CURDIR)/debian/OVMF_CODE-pure-efi.fd $(destdir)/usr/share/kvm/OVMF_CODE-pure-efi.fd
+       install -D -m 0644 $(CURDIR)/debian/OVMF_VARS-pure-efi.fd $(destdir)/usr/share/kvm/OVMF_VARS-pure-efi.fd
+
+       # we do not need openbios files (sparc/ppc)
+       rm -rf $(destdir)/usr/share/kvm/openbios-*
+       # remove ppc files
+       rm $(destdir)/usr/share/kvm/*.dtb
+       rm $(destdir)/usr/share/kvm/ppc_rom.bin
+       rm $(destdir)/usr/share/kvm/s390-ccw.img
+       rm $(destdir)/usr/share/kvm/slof.bin
+       rm $(destdir)/usr/share/kvm/spapr-rtas.bin
+       rm $(destdir)/usr/share/kvm/u-boot.e500
+       # remove Aplha files
+       rm $(destdir)/usr/share/kvm/palcode-clipper
+
+        # remove guest agent (that is only required for a guest)
+       rm $(destdir)/usr/bin/qemu-ga
+
+       # Remove things we don't package at all, would be a "kvm-dev" package
+       rm -Rf $(destdir)/usr/include/linux/
+       rm -Rf $(destdir)/usr/include
+       rm -Rf $(destdir)/usr/lib*
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+       dh_testdir
+       dh_testroot
+       dh_installchangelogs
+       dh_installdocs
+       dh_installexamples
+#      dh_install
+#      dh_installmenu
+#      dh_installdebconf
+#      dh_installlogrotate
+#      dh_installemacsen
+#      dh_installpam
+#      dh_installmime
+#      dh_python
+#      dh_installinit
+#      dh_installcron
+#      dh_installinfo
+       dh_installman
+       dh_link
+       dh_strip --dbg-package=pve-qemu-kvm-dbg
+       dh_compress
+       dh_fixperms
+#      dh_perl
+#      dh_makeshlibs
+       dh_installdeb
+       dh_shlibdeps
+       dh_gencontrol
+       dh_md5sums
+       dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
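Review bot: In the install target, "install -s -m 0755 vma" strips the vma binary before binary-arch runs "dh_strip --dbg-package=pve-qemu-kvm-dbg", so the -dbg package ends up without symbols for vma; drop the -s and let dh_strip handle it like the kvm binary. Also, CFLAGS is assembled at the top (-Wall plus -O0 or -O2) but is neither exported nor passed to ./configure (for example through --extra-cflags), so it only reaches the build when CFLAGS already arrives through the environment. Given that this binary parses guest-controlled device state, it is worth making the compiler flags explicit here, ideally taken from dpkg-buildflags so the distribution's hardening flags are applied. Minor: "rm -Rf $(destdir)/usr/include/linux/" is redundant with the following line, and the comment "remove Aplha files" has a typo.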
diff --git a/efi-roms-1182.tar.xz b/efi-roms-1182.tar.xz
new file mode 100644 (file)
index 0000000..d255c1b
Binary files /dev/null and b/efi-roms-1182.tar.xz differ
diff --git a/qemu b/qemu
new file mode 160000 (submodule)
index 0000000..0d83fcc
--- /dev/null
+++ b/qemu
@@ -0,0 +1 @@
+Subproject commit 0d83fccb4fb3140d21feeb37ba069ba71029aaa7
diff --git a/vma_spec.txt b/vma_spec.txt
new file mode 100644 (file)
index 0000000..a99f5f9
--- /dev/null
@@ -0,0 +1,132 @@
+= Virtual Machine Archive format (VMA) =
+
+This format contains a header which includes the VM configuration as
+binary blobs, and a list of devices (dev_id, name).
+
+The actual VM image data is stored inside extents. An extent contains
+up to 64 clusters, and start with a 512 byte header containing
+additional information for those clusters.
+
+We use a cluster size of 65536, and use 8 bytes for each
+cluster in the header to store the following information:
+
+* 1 byte dev_id (to identity the drive)
+* 1 byte not used (reserved)
+* 2 bytes zero indicator (mark zero regions (16x4096))
+* 4 bytes cluster number
+
+We only store non-zero blocks (such block is 4096 bytes).
+
+Each archive is marked with a uuid. The archive header and all
+extent headers includes that uuid and a MD5 checksum (over header
+data).
+
+All numbers in VMA archive are stored in Big Endian byte order.
+
+== VMA Header ==
+
+    Byte  0 -  3:   magic
+                    VMA magic string ("VMA\x00")
+
+         4 -  7:   version
+                    Version number (valid value is 1)
+
+          8 - 23:   uuid
+                   Unique ID, Same uuid is used to mark extents.
+
+         24 - 31:   ctime
+                   Backup time stamp (seconds since epoch)
+
+         32 - 47:   md5sum
+                   Header checksum (from byte 0 to header_size). This field
+                   is filled with zero to generate the checksum.
+
+         48 - 51:   blob_buffer_offset
+                   Start of blob buffer (multiple of 512)
+
+         52 - 55:   blob_buffer_size
+                   Size of blob buffer (multiple of 512)
+
+         56 - 59:   header_size
+                   Overall size of this header (multiple of 512)
+
+        60 - 2043: reserved
+
+       2044 - 3067: uint32_t config_names[256]
+                           Offsets into blob_buffer table
+
+       3068 - 4091: uint32_t config_data[256]
+                           Offsets into blob_buffer table
+
+       4092 - 4095: reserved
+
+      4096 - 12287: VmaDeviceInfoHeader dev_info[256]
+                    The offset in this table is used as 'dev_id' inside
+                   the data streams.
+
+      12288 - header_size: Blob buffer
+
+
+=== Devive Info Header (VmaDeviceInfoHeader) ===
+
+This is use to store details about the contained disk images.
+
+    Byte  0 -  3:   devive name (offsets into blob_buffer table)
+
+         4 -  7:   reserved
+
+         8 - 15:   device size in bytes
+
+        16 - 31:   reserved
+
+Note: Devive name 'vmstate' is reserved to store VM RAM state.
+
+=== Blob buffer ===
+
+The blob buffer is used to store both configuration file names and
+configuration data.
+
+This region contain a list of binary data blobs. Each blob starts with
+a 2 byte size field, followed by the actual data.
+
+== Image Data Streams ==
+
+The VMA header is followed by the image data stream. Image data is grouped
+with extents, which contains up to 59 clusters from different images.
+
+=== VMA Extent Header ===
+
+    Byte  0 -  3:   magic
+                    VMA extent magic string ("VMAE")
+
+         4 -  5:   reserved
+
+         6 -  7:   block_count
+                   Overall number of contained 4K block
+
+          8 - 23:   uuid
+                   Unique ID, Same uuid as used in the VMA header.
+
+         24 - 39:   md5sum
+                   Header checksum (from byte 0 to header_size). This field
+                   is filled with zero to generate the checksum.
+
+        40 - 511:   blockinfo[59]
+
+
+Each 'blockinfo' (8 bytes) give further details about contained clusters:
+
+    Byte  0 - 1:   mask
+                  Bitmap used to indicate non-zero 4K blocks inside the
+                  cluster.
+
+              2:   reserved
+
+              3:   dev_id
+                  Device ID (offset into dev_info table)
+
+          4 - 7:   cluster_num
+
+The extend header if followed by the actual cluster data, where we only
+store non-zero 4K blocks.
+
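Review bot: The introduction says an extent contains "up to 64 clusters", but the Image Data Streams section says "up to 59 clusters" and the extent header defines blockinfo[59] in bytes 40 - 511 (472 bytes, 8 per entry), so 59 is the figure the layout supports and the introduction should be corrected. The introduction also lists the 8 per-cluster bytes as dev_id, reserved, zero indicator, cluster number, while the blockinfo table puts mask at bytes 0 - 1, reserved at 2, dev_id at 3 and cluster_num at 4 - 7; a reader implementing a parser from the first list would read dev_id from the wrong byte, so the two should agree. The extent header's md5sum is described as covering "byte 0 to header_size", yet the extent header has no header_size field; state the fixed 512 bytes instead. Since the checksums cover header data only, it would help to say explicitly that cluster data carries no integrity check. Typos: "Devive" (three times), "to identity the drive", "The extend header if followed".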