It seems this assert() was somehow misplaced.

block/qcow2-refcount.c:2193:42: warning: Array access (from variable 'on_disk_reftable') results in a null pointer dereference
        on_disk_reftable[refblock_index] = refblock_offset;
        ~~~~~~~~~~~~~~~~                 ^

Reported-by: Clang Static Analyzer
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Screwed up in commit 3a55fc0f, v2.6.0.

If qemu_chr_fe_read_all() returns -EINTR the do {} statement continues and the
n accumulator used to complete reads upto sizeof(msg) is decremented by 4 (the
value of EINTR on Linux).
To avoid that, use simpler if() statements and continue if EINTR occured.

hw/misc/ivshmem.c:650:14: warning: Loss of sign in implicit conversion
    } while (n < sizeof(msg));
             ^

Reported-by: Clang Static Analyzer
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

since a negative value means it errored.

hw/core/loader.c:149:9: warning: Loss of sign in implicit conversion
    if (size > max_sz) {
        ^~~~
hw/core/loader.c:171:9: warning: Loss of sign in implicit conversion
    if (size > memory_region_size(mr)) {
        ^~~~

Reported-by: Clang Static Analyzer
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NAlistair Francis <alistair.francis@xilinx.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

This allow a one liner from fresh repository clone, i.e.:

  ./configure && make -j check-qtest-aarch64
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NAlex Bennée <alex.bennee@linaro.org>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NJohn Snow <jsnow@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Starting Qemu with "qemu-system-tricore -nographic -M tricore_testboard -S"
and entering "x 0" at the monitor prompt leads to Segmentation fault.
This happens because tricore_cpu_get_phys_page_debug() is not implemented
yet, this is a temporary workaround to avoid the crash.
Signed-off-by: NEduardo Otubo <otubo@redhat.com>
Tested-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

It got moved in qga/main.c from commit 2870dc34.
Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

If slirp is disabled, it will fail with:

qemu-system-x86_64: -netdev user,id=qtest-bn0: Parameter 'type' expects a netdev backend type
Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Currently get_maintainers.pl claims that the configure script is
maintained by Kamil:

 $ scripts/get_maintainer.pl -f configure
 Kamil Rytarowski <kamil@netbsd.org> (maintainer:NETBSD)
 qemu-devel@nongnu.org (open list:All patches CC here)

This happens because the regex pattern for the NETBSD entry triggers
on everything that contains the keyword "NetBSD". Ease the situation
a little bit by restricting this to "Subject:" lines only, like
we do it in the "trivial patches" section already.
Reported-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: NThomas Huth <thuth@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Starting qemu-system-unicore32 without the -kernel parameter results in
an assert() returns false and aborts qemu. This patch replaces it with a
proper error message followed by exit(1).
Signed-off-by: NEduardo Otubo <otubo@redhat.com>
Tested-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

user_creatable_add_opts() returns a reference (the other reference is
for the root parent/child link).

Leak introduced in commit a1af255f.
Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

ppc patch queue 2017-07-31

This has a couple of last minute bugfixes for qemu 2.10.

# gpg: Signature made Mon 31 Jul 2017 05:25:54 BST
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.10-20170731:
  Revert "spapr: populate device tree depending on XIVE_EXPLOIT option"
  spapr_drc: fix realize and unrealize
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This reverts commit b8768042.

I thought this was a harmless preliminary for XIVE enablement patches
we expect later on.  However, due to some subtle interactions between
qemu and SLOF (guest firmware) this breaks some things.  Revert it for
now, we'll work out how to fix it when the rest of the XIVE patches
are ready.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

If object_property_add_alias() returns an error in realize(), we should
propagate it to the caller and certainly not unref the DRC.

Same thing goes for unrealize(). Since object_property_del() is the last
call, we can even get rid of the intermediate Error *.

And finally, unrealize() should undo all registrations performed by
realize().
Signed-off-by: NGreg Kurz <groug@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

nbd patches for 2017-07-28

- Philippe Mathieu-Daudé - nbd: fix memory leak in nbd_opt_go()

# gpg: Signature made Fri 28 Jul 2017 17:59:39 BST
# gpg:                using RSA key 0xA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>"
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
# gpg:                 aka "[jpeg image of size 6874]"
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2017-07-28:
  nbd: fix memory leak in nbd_opt_go()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

nbd/client.c:385:12: warning: Potential leak of memory pointed to by 'buf'

Reported-by: Clang Static Analyzer
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-Id: <20170727024224.22900-5-f4bug@amsat.org>
[introduced in commit 8ecaeae8]
Signed-off-by: NEric Blake <eblake@redhat.com>

MIPS patches 2017-07-28

Changes:
* Improve ths MIPS board kernel load error reporting
* Revert unnecessary warning messages

# gpg: Signature made Fri 28 Jul 2017 13:47:52 BST
# gpg:                using RSA key 0x2238EB86D5F797C2
# gpg: Good signature from "Yongbok Kim <yongbok.kim@imgtec.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8600 4CF5 3415 A5D9 4CFA  2B5C 2238 EB86 D5F7 97C2

* remotes/yongbok/tags/mips-20170728:
  Revert "elf-loader: warn about invalid endianness"
  hw/mips: load_elf_strerror to report kernel loading failure
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

ui: more keymap fixes for 2.10

# gpg: Signature made Fri 28 Jul 2017 13:59:01 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/ui-20170728-pull-request:
  ui: add pause key to linux_to_qcode
  ui: drop ac_search and ac_stop
  ui: correctly detect spice PAUSE scancode sequence
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This reverts c8e1158c "elf-loader: warn about invalid endianness"
as it produces a useless message every time an LE kernel image is
passed via -kernel on a ppc64-pseries machine. The pseries machine
already checks for ELF_LOAD_WRONG_ENDIAN and tries with big_endian=0.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>

Emulated MIPS boards bail out with a simple "could not load kernel" when
a kernel could not be load, without specifying the underlying reason.
Fix that by calling load_elf_strerror.

At the same time use error_report to report the error instead of
fprintf.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>

Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>
Message-id: 20170728063432.27578-1-kraxel@redhat.com

Both keys exist already: "ac_search" is "find" and "ac_stop" is "stop".

Fixes: 37810e80Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>
Message-id: 20170728063415.27480-1-kraxel@redhat.com

The SPICE input code is currently detcting 0xe1 0x1d 0x45 as
the PAUSE key make sequence and 0xe1 0x9d 0xc5 as the break
sequence. This is incorrect, because all 6 scancodes together
are the make sequence, and there is no break sequence.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
Message-id: 20170727174640.30359-1-berrange@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

More s390x fixes: Correct ilen, and ccw checking.

# gpg: Signature made Fri 28 Jul 2017 10:13:42 BST
# gpg:                using RSA key 0xDECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>"
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/s390x-20170728:
  s390x/css: fix bits must be zero check for TIC
  s390x/css: check ccw address validity
  target/s390x: fix pgm irq ilen in translate_pages()
  target/s390x: fix pgm irq ilen for stsi
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

According to the PoP bit positions 0-3 and 8-32 of the format-1 CCW must
contain zeros.  Bits 0-3 are already covered by cmd_code validity
checking, and bit 32 is covered by the CCW address checking.

Bits 8-31 correspond to CCW1.flags and CCW1.count.  Currently we only
check for the absence of certain flags.  Let's fix this.
Signed-off-by: NHalil Pasic <pasic@linux.vnet.ibm.com>
Message-Id: <20170725224442.13383-3-pasic@linux.vnet.ibm.com>
Reviewed-by: NDong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
[CH: tweaked comment]
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

According to the PoP channel command words (CCW) must be doubleword
aligned and 31 bit addressable for format 1 and 24 bit addressable for
format 0 CCWs.

If the channel subsystem encounters a ccw address which does not satisfy
this alignment requirement a program-check condition is recognised.

The situation with 31 bit addressable is a bit more complicated: both the
ORB and a format 1 CCW TIC hold the address of (the rest of) the channel
program, that is the address of the next CCW in a word, and the PoP
mandates that bit 0 of that word shall be zero -- or a program-check
condition is to be recognized -- and does not belong to the field holding
the ccw address.

Since in code the corresponding fields span across the whole word (unlike
in PoP where these are defined as 31 bit wide) we can check this by
applying a mask. The 24 addressable case isn't affecting TIC because the
address is composed of a halfword and a byte portion (no additional zero
bit requirements) and just slightly complicates the ORB case where also
bits 1-7 need to be zero.

The same requirements (especially n-bit addressability) apply to the
ccw addresses generated while chaining.

Let's make our CSS implementation follow the AR more closely.
Signed-off-by: NHalil Pasic <pasic@linux.vnet.ibm.com>
Message-Id: <20170727154842.23427-1-pasic@linux.vnet.ibm.com>
Reviewed-by: NDong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

0 is certainly wrong. Let's use ILEN_AUTO.
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20170721125609.11117-3-david@redhat.com>
Reviewed-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

The instruction is 4 bytes long.
Signed-off-by: NDavid Hildenbrand <david@redhat.com>
Message-Id: <20170721125609.11117-2-david@redhat.com>
Reviewed-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NCornelia Huck <cohuck@redhat.com>

ui: keymap fixes for 2.10

# gpg: Signature made Thu 27 Jul 2017 15:00:06 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/ui-20170727-pull-request:
  ps2: fix sending of PAUSE/BREAK scancodes
  ui: drop altgr and altgr_r QKeyCodes
  ps2: enable multimedia keys
  ui: add multimedia keys
  ui: update keymaps
  ui: move qemu_input_linux_to_qcode()
  ui: add next and prior keysyms
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The processing of the scancodes for PAUSE/BREAK  has been broken since
the conversion to qcodes in:

  commit 8c10e0ba
  Author: Hervé Poussineau <hpoussin@reactos.org>
  Date:   Thu Sep 15 22:06:26 2016 +0200

    ps2: use QEMU qcodes instead of scancodes

When using a VNC client, with the raw scancode extension, the client
will send a scancode of 0xc6 for both PAUSE and BREAK. There is mistakenly
no entry in the qcode_to_number table for this scancode, so
ps2_keyboard_event() just generates a log message and discards the
scancode

When using a SPICE client, it will also send 0xc6 for BREAK, but
will send 0xe1 0x1d 0x45 0xe1 0x9d 0xc5 for PAUSE. There is no
entry in the qcode_to_number table for the scancode 0xe1 because
it is a special XT keyboard prefix not mapping to any QKeyCode.
Again ps2_keyboard_event() just generates a log message and discards
the scancode. The following 0x1d, 0x45, 0x9d, 0xc5 scancodes get
handled correctly. Rather than trying to handle 3 byte sequences
of scancodes in the PS/2 driver, special case the SPICE input
code so that it captures the 3 byte pause sequence and turns it
into a Pause QKeyCode.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
Message-id: 20170727113243.23991-1-berrange@redhat.com
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The right alt key (alt_r aka KEY_RIGHTALT) is used for AltGr.
The altgr and altgr_r keys simply don't exist.  Drop them.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 20170727104720.30061-1-kraxel@redhat.com

Fixes: 8c10e0baSigned-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-6-kraxel@redhat.com

Add multimedia keys to QKeyCodes and to the keymaps.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-5-kraxel@redhat.com

Add recently added QKeyCodes to the keymaps.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-4-kraxel@redhat.com

Move from input-linux.c to input-keymap.c and export it,
so the function is available elsewhere too.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-3-kraxel@redhat.com

Page-up and Page-down were renamed.  Add the names to the keysym list
so we can parse both old and new names.  The keypad versions are already
present in the vnc map.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-2-kraxel@redhat.com

VFIO fixes 2017-07-26

 - Error path use after free bug fixes (Philippe Mathieu-Daudé)

# gpg: Signature made Wed 26 Jul 2017 18:49:00 BST
# gpg:                using RSA key 0x239B9B6E3BB08B22
# gpg: Good signature from "Alex Williamson <alex.williamson@redhat.com>"
# gpg:                 aka "Alex Williamson <alex@shazbot.org>"
# gpg:                 aka "Alex Williamson <alwillia@redhat.com>"
# gpg:                 aka "Alex Williamson <alex.l.williamson@gmail.com>"
# Primary key fingerprint: 42F6 C04E 540B D1A9 9E7B  8A90 239B 9B6E 3BB0 8B22

* remotes/awilliam/tags/vfio-fixes-20170726.0:
  vfio/pci: fix use of freed memory
  vfio/platform: fix use of freed memory
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

x86 bug fix for -rc1

Fix for a bug in "-cpu max" that breaks libvirt usage of
query-cpu-model-expansion.

# gpg: Signature made Wed 26 Jul 2017 19:35:28 BST
# gpg:                using RSA key 0x2807936F984DC5A6
# gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>"
# Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D C5A6

* remotes/ehabkost/tags/x86-pull-request:
  target/i386: Don't use x86_cpu_load_def() on "max" CPU model
  target/i386: Define CPUID_MODEL_ID_SZ macro
  target/i386: Use host_vendor_fms() in max_x86_cpu_initfn()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

When commit 0bacd8b3 ('i386: Don't set CPUClass::cpu_def on
"max" model') removed the CPUClass::cpu_def field, we kept using
the x86_cpu_load_def() helper directly in max_x86_cpu_initfn(),
emulating the previous behavior when CPUClass::cpu_def was set.

However, x86_cpu_load_def() is intended to help initialization of
CPU models from the builtin_x86_defs table, and does lots of
other steps that are not necessary for "max".

One of the things x86_cpu_load_def() do is to set the properties
listed at tcg_default_props/kvm_default_props.  We must not do
that on the "max" CPU model, otherwise under KVM we will
incorrectly report all KVM features as always available, and the
"svm" feature as always unavailable.  The latter caused the bug
reported at:

  https://bugzilla.redhat.com/show_bug.cgi?id=1467599
  ("Unable to start domain: the CPU is incompatible with host CPU:
  Host CPU does not provide required features: svm")

Replace x86_cpu_load_def() with simple object_property_set*()
calls.  In addition to fixing the above bug, this makes the KVM
branch in max_x86_cpu_initfn() very similar to the existing TCG
branch.

For reference, the full list of steps performed by
x86_cpu_load_def() is:

* Setting min-level and min-xlevel.  Already done by
  max_x86_cpu_initfn().
* Setting family/model/stepping/model-id.  Done by the code added
  to max_x86_cpu_initfn() in this patch.
* Copying def->features.  Wrong because "-cpu max" features need to
  be calculated at realize time.  This was not a problem in the
  current code because host_cpudef.features was all zeroes.
* x86_cpu_apply_props() calls.  This causes the bug above, and
  shouldn't be done.
* Setting CPUID_EXT_HYPERVISOR.  Not needed because it is already
  reported by x86_cpu_get_supported_feature_word(), and because
  "-cpu max" features need to be calculated at realize time.
* Setting CPU vendor to host CPU vendor if on KVM mode.
  Redundant, because max_x86_cpu_initfn() already sets it to the
  host CPU vendor.
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Message-Id: <20170712162058.10538-5-ehabkost@redhat.com>
Reviewed-by: NIgor Mammedov <imammedo@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>

Document cpu_x86_fill_model_id() and define CPUID_MODEL_ID_SZ to
help callers use the right buffer size.
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Message-Id: <20170712162058.10538-4-ehabkost@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>

The existing code duplicated the logic in host_vendor_fms(), so
reuse the helper function instead.
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Message-Id: <20170712162058.10538-3-ehabkost@redhat.com>
Reviewed-by: NIgor Mammedov <imammedo@redhat.com>
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>