The comment I put in mmap-alloc to document the ppc64 rules
refers to the previous revision of the patch:
we don't look at memory alignment anymore, we check
the fs from which the fd is mapped, instead.

It's also not clear what does "in this case" refer
to, rearrange text to make it clearer.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Tue 22 Dec 2015 08:52:55 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request:
  sdhci: add optional quirk property to disable card insertion/removal interrupts
  sdhci: don't raise a command index error for an unexpected response
  sd: sdhci: Delete over-zealous power check
  scripts/gdb: Fix a python exception in mtree.py
  parallels: add format spec
  block/mirror: replace IOV_MAX with blk_get_max_iov()
  block: replace IOV_MAX with BlockLimits.max_iov
  block-backend: add blk_get_max_iov()
  block: add BlockLimits.max_iov field
  virtio-blk: trivial code optimization
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This is needed for a quirk of the Raspberry Pi (bcm2835/6) MMC
controller, where the card insert bit is documented as unimplemented
(always reads zero, doesn't generate interrupts) but is in fact
observed on hardware as set at power on, but is cleared (and remains
clear) on subsequent controller resets.
Signed-off-by: NAndrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 1450738069-18664-4-git-send-email-Andrew.Baumann@microsoft.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This deletes a block of code that raised a command index error if a
command returned response data, but the guest did not set the
appropriate bits in the response register to handle such a response. I
cannot find any documentation that suggests the controller should
behave in this way, the error code doesn't make sense (command index
error is defined for the case where the index in a response does not
match that of the issued command), and in at least one case (CMD23
issued by UEFI on Raspberry Pi 2), actual hardware does not do this.
Signed-off-by: NAndrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Message-id: 1450738069-18664-3-git-send-email-Andrew.Baumann@microsoft.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This check was conditionalising SD card operation on the card being
powered by the SDHCI host controller. It is however possible
(particularly in embedded systems) for the power control of the SD card
to be managed outside of SDHCI. This can be as trivial as hard-wiring
the SD slot VCC to a constant power-rail.

This means the guest SDHCI can validly opt-out of the SDHCI power
control feature while still using the card. So delete this check to
allow operation of the card with SDHCI power control.

This is needed for at least Xilinx Zynq and Raspberry Pi, and
also makes Freescale i.MX25 work for me. The digilent Zybo board
has a public schematic which shows SD VCC hardwiring:

http://digilentinc.com/Data/Products/ZYBO/ZYBO_sch_VB.3.pdf
bottom of page 3.
Signed-off-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: NSai Pavan Boddu <saipava@xilinx.com>
Signed-off-by: NAndrew Baumann <Andrew.Baumann@microsoft.com>
Message-id: 1450738069-18664-2-git-send-email-Andrew.Baumann@microsoft.com
[AB: Add Pi to list of devices fixed in commit message]
Signed-off-by: NAndrew Baumann <Andrew.Baumann@microsoft.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The following exception is threw:
Python Exception <class 'NameError'> name 'long' is not defined:
Error occurred in Python command: name 'long' is not defined

Python 2.4+, int()/long() have been unified, so replace long
with int.
Signed-off-by: NYang Wei <w90p710@gmail.com>
Message-id: 1449316340-4030-1-git-send-email-w90p710@gmail.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This specifies Parallels image format as implemented in Parallels Cloud
Server 6.10
Signed-off-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: NDenis V. Lunev <den@openvz.org>
Message-id: 1448626806-17591-1-git-send-email-den@openvz.org
CC: Eric Blake <eblake@redhat.com>
CC: John Snow <jsnow@redhat.com>
CC: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Use blk_get_max_iov() instead of hardcoding IOV_MAX, which may not apply
to all BlockDrivers.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Request merging must not result in a huge request that exceeds the
maximum number of iovec elements.  Use BlockLimits.max_iov instead of
hardcoding IOV_MAX.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Add a function to query BlockLimits.max_iov.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The maximum number of struct iovec elements depends on the
BlockDriverState.  The raw-posix and iSCSI protocols have a maximum of
IOV_MAX but others could have different values.

Cc: Peter Lieven <pl@kamp.de>
Suggested-by: NKevin Wolf <kwolf@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

1. avoid possible superflous checking
2. make code more robustness

["make code more robustness" refers to avoiding integer
underflows/overflows.
--Stefan]
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Message-id: 1447207166-12612-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

NUMA queue, 2015-12-18

# gpg: Signature made Fri 18 Dec 2015 17:53:48 GMT using RSA key ID 984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"

* remotes/ehabkost/tags/numa-pull-request:
  numa: Clean up query-memdev error handling
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

qmp_query_memdev() has two error paths:

* When object_get_objects_root() returns null.  It never does, so
  simply drop the useless error handling.

* When query_memdev() fails.  It leaks err then.  But any failure
  there is actually a programming error.  Switch it to &error_abort,
  and drop the useless error handling.

Messed up in commit 76b5d850 "qmp: add query-memdev".
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>

Merge remote-tracking branch 'remotes/berrange/tags/pull-qcrypto-secrets-base-2015-12-18-1' into staging

Merge QCryptoSecret object support

# gpg: Signature made Fri 18 Dec 2015 16:51:21 GMT using RSA key ID 15104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>"

* remotes/berrange/tags/pull-qcrypto-secrets-base-2015-12-18-1:
  crypto: add support for loading encrypted x509 keys
  crypto: add QCryptoSecret object class for password/key handling
  qga: convert to use error checked base64 decode
  qemu-char: convert to use error checked base64 decode
  util: add base64 decoding function
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Block layer patches

# gpg: Signature made Fri 18 Dec 2015 13:41:03 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream: (48 commits)
  block/qapi: allow best-effort query
  qemu-img: abort when full_backing_filename not present
  block/qapi: explicitly warn if !has_full_backing_filename
  block/qapi: always report full_backing_filename
  block/qapi: do not redundantly print "actual path"
  qemu-iotests: s390x: fix test 068
  qemu-iotests: s390x: fix test 051
  qemu-iotests: refine common.config
  block: fix bdrv_ioctl called from coroutine
  block: use drained section around bdrv_snapshot_delete
  iotests: Update comments for bdrv_swap() in 094
  block: Remove prototype of bdrv_swap from header
  raw-posix: Make aio=native option binding
  qcow2: insert assert into qcow2_get_specific_info()
  iotests: Extend test 112 for qemu-img amend
  qcow2: Point to amend function in check
  qcow2: Invoke refcount order amendment function
  qcow2: Add function for refcount order amendment
  qcow2: Use intermediate helper CB for amend
  qcow2: Split upgrade/downgrade paths for amend
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Make use of the QCryptoSecret object to support loading of
encrypted x509 keys. The optional 'passwordid' parameter
to the tls-creds-x509 object type, provides the ID of a
secret object instance that holds the decryption password
for the PEM file.

 # printf "123456" > mypasswd.txt
 # $QEMU \
    -object secret,id=sec0,filename=mypasswd.txt \
    -object tls-creds-x509,passwordid=sec0,id=creds0,\
            dir=/home/berrange/.pki/qemu,endpoint=server \
    -vnc :1,tls-creds=creds0

This requires QEMU to be linked to GNUTLS >= 3.1.11. If
GNUTLS is too old an error will be reported if an attempt
is made to pass a decryption password.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Introduce a new QCryptoSecret object class which will be used
for providing passwords and keys to other objects which need
sensitive credentials.

The new object can provide secret values directly as properties,
or indirectly via a file. The latter includes support for file
descriptor passing syntax on UNIX platforms. Ordinarily passing
secret values directly as properties is insecure, since they
are visible in process listings, or in log files showing the
CLI args / QMP commands. It is possible to use AES-256-CBC to
encrypt the secret values though, in which case all that is
visible is the ciphertext.  For ad hoc developer testing though,
it is fine to provide the secrets directly without encryption
so this is not explicitly forbidden.

The anticipated scenario is that libvirtd will create a random
master key per QEMU instance (eg /var/run/libvirt/qemu/$VMNAME.key)
and will use that key to encrypt all passwords it provides to
QEMU via '-object secret,....'.  This avoids the need for libvirt
(or other mgmt apps) to worry about file descriptor passing.

It also makes life easier for people who are scripting the
management of QEMU, for whom FD passing is significantly more
complex.

Providing data inline (insecure, only for ad hoc dev testing)

  $QEMU -object secret,id=sec0,data=letmein

Providing data indirectly in raw format

  printf "letmein" > mypasswd.txt
  $QEMU -object secret,id=sec0,file=mypasswd.txt

Providing data indirectly in base64 format

  $QEMU -object secret,id=sec0,file=mykey.b64,format=base64

Providing data with encryption

  $QEMU -object secret,id=master0,file=mykey.b64,format=base64 \
        -object secret,id=sec0,data=[base64 ciphertext],\
	           keyid=master0,iv=[base64 IV],format=base64

Note that 'format' here refers to the format of the ciphertext
data. The decrypted data must always be in raw byte format.

More examples are shown in the updated docs.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Switch from using g_base64_decode over to qbase64_decode
in order to get error checking of the base64 input data.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Switch from using g_base64_decode over to qbase64_decode
in order to get error checking of the base64 input data.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The standard glib provided g_base64_decode doesn't provide any
kind of sensible error checking on its input. Add a QEMU custom
wrapper qbase64_decode which can be used with untrustworthy
input that can contain invalid base64 characters, embedded
NUL characters, or not be NUL terminated at all.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Merge VNC conversion to I/O channels

# gpg: Signature made Fri 18 Dec 2015 15:44:30 GMT using RSA key ID 15104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>"

* remotes/berrange/tags/pull-io-channel-vnc-2015-12-18-1:
  ui: convert VNC server to use QIOChannelWebsock
  ui: convert VNC server to use QIOChannelTLS
  ui: convert VNC server to use QIOChannelSocket
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

XSA-155 fixes

# gpg: Signature made Fri 18 Dec 2015 15:16:18 GMT using RSA key ID 70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"

* remotes/sstabellini/tags/xsa155:
  xenfb: avoid reading twice the same fields from the shared page
  xen/blkif: Avoid double access to src->nr_segments
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.

This is part of XSA-155.
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>

src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function.  If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.

Fix it by removing the double access to src->nr_segments.

This is part of XSA-155.
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>

Remove custom websock handling code from the VNC server and use
the QIOChannelWebsock class instead.
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Switch VNC server over to using the QIOChannelTLS object for
the TLS session. This removes all remaining VNC specific code
for dealing with TLS handshakes.
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The minimal first step conversion to use QIOChannelSocket
classes instead of directly using POSIX sockets API. This
will later be extended to also cover the TLS, SASL and
websockets code.
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

block-next patches from before the 2.5.0 release.

# gpg: Signature made Fri Dec 18 14:38:44 2015 CET using RSA key ID E838ACAD
# gpg: Good signature from "Max Reitz <mreitz@redhat.com>"

* mreitz/tags/pull-block-for-kevin-2015-12-18:
  block/qapi: allow best-effort query
  qemu-img: abort when full_backing_filename not present
  block/qapi: explicitly warn if !has_full_backing_filename
  block/qapi: always report full_backing_filename
  block/qapi: do not redundantly print "actual path"
  qemu-iotests: s390x: fix test 068
  qemu-iotests: s390x: fix test 051
  qemu-iotests: refine common.config
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

For more complex BDS trees that can be created under normal circumstances,
we lose the ability to issue query commands because of our inability to
re-construct the absolute filename.

Instead, omit this field when it is a problem and present as much information
as we can.

This will change the expected output in iotest 110, where we will now see a
json filename and the lack of an absolute filename instead of an error.
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Message-id: 1450122916-4706-6-git-send-email-jsnow@redhat.com
Reviewed-by: NMax Reitz <mreitz@redhat.com>
Signed-off-by: NMax Reitz <mreitz@redhat.com>

...But only if we have the backing_filename. It means something Scary
happened and we can't really be quite exactly sure if we can trust the
backing_filename.
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>
Message-id: 1450122916-4706-5-git-send-email-jsnow@redhat.com
Signed-off-by: NMax Reitz <mreitz@redhat.com>

Disambiguate "Backing filename and full backing filename are equivalent"
from "full backing filename could not be determined."
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Message-id: 1450122916-4706-4-git-send-email-jsnow@redhat.com
Reviewed-by: NMax Reitz <mreitz@redhat.com>
Signed-off-by: NMax Reitz <mreitz@redhat.com>

Always report full_backing_filename, even if it's the same as
backing_filename. In the next patch, full_backing_filename may be
omitted if it cannot be generated instead of allowing e.g. drive_query
to abort if it runs into this scenario.

The presence or absence of the "full" field becomes useful information.
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>
Message-id: 1450122916-4706-3-git-send-email-jsnow@redhat.com
Signed-off-by: NMax Reitz <mreitz@redhat.com>

If it happens to match the backing path, that was the actual path.
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NMax Reitz <mreitz@redhat.com>
Message-id: 1450122916-4706-2-git-send-email-jsnow@redhat.com
Signed-off-by: NMax Reitz <mreitz@redhat.com>

Now, s390-virtio-ccw is default machine and s390-ccw.img is default boot
loader. If the s390-virtio-ccw machine finds no device to load from and
errors out, then emits a panic and exits the vm. This breaks test cases
068 for s390x.
Adding the parameter of "-no-shutdown" for s390-ccw-virtio will pause VM
before shutdown.
Acked-by: NMax Reitz <mreitz@redhat.com>
Reviewed-by: NSascha Silbe <silbe@linux.vnet.ibm.com>
Signed-off-by: NBo Tu <tubo@linux.vnet.ibm.com>
Message-id: 1449136891-26850-4-git-send-email-tubo@linux.vnet.ibm.com
Signed-off-by: NMax Reitz <mreitz@redhat.com>

The tests for ide device should only be tested for the pc
platform.
Set device_id to "drive0", and replace every "-drive file..."
by "-drive file=...,if=none,id=$device_id", then x86 and s390x
can get the common output in the test of "Snapshot mode".
Warning message expected for s390x when drive without device.
A x86 platform specific output file is also needed.
Reviewed-by: NSascha Silbe <silbe@linux.vnet.ibm.com>
Signed-off-by: NBo Tu <tubo@linux.vnet.ibm.com>
Message-id: 1449136891-26850-3-git-send-email-tubo@linux.vnet.ibm.com
Signed-off-by: NMax Reitz <mreitz@redhat.com>

Replacing awk with sed, then it's easier to read.
Replacing "[ ! -z "$default_alias_machine" ]" with
"[[ $default_alias_machine ]]", then it's slightly shorter.
Reviewed-by: NMax Reitz <mreitz@redhat.com>
Suggested-By: NSascha Silbe <silbe@linux.vnet.ibm.com>
Reviewed-by: NSascha Silbe <silbe@linux.vnet.ibm.com>
Reviewed-by: NEric Blake   <eblake@redhat.com>
Signed-off-by: NBo Tu <tubo@linux.vnet.ibm.com>
Message-id: 1449136891-26850-2-git-send-email-tubo@linux.vnet.ibm.com
Signed-off-by: NMax Reitz <mreitz@redhat.com>

When called from a coroutine, bdrv_ioctl must be asynchronous just like
e.g. bdrv_flush.  The code was incorrectly making it synchronous, fix
it.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Do not use bdrv_drain, since by itself it does not guarantee
anything.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>