From f5c052b973b0b2b3aa15e6cb0b0ac48ab763a9b0 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 2 Nov 2016 20:58:25 +0100 Subject: [PATCH 1/6] target-i386: fix typo The impact is small because kvm_get_vcpu_events fixes env->hflags, but it is wrong and could cause INITs to be delayed arbitrarily with -machine kernel_irqchip=off. Reported-by: Achille Fouilleul Reviewed-by: Richard Henderson Signed-off-by: Paolo Bonzini --- target-i386/kvm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target-i386/kvm.c b/target-i386/kvm.c index 1c0864ed16..f62264a7a8 100644 --- a/target-i386/kvm.c +++ b/target-i386/kvm.c @@ -2855,7 +2855,7 @@ MemTxAttrs kvm_arch_post_run(CPUState *cpu, struct kvm_run *run) if (run->flags & KVM_RUN_X86_SMM) { env->hflags |= HF_SMM_MASK; } else { - env->hflags &= HF_SMM_MASK; + env->hflags &= ~HF_SMM_MASK; } if (run->if_flag) { env->eflags |= IF_MASK; From 004c8e0090025b4fde4e99fbc5a81049be8f79d1 Mon Sep 17 00:00:00 2001 From: Michael Tokarev Date: Wed, 2 Nov 2016 17:18:50 +0300 Subject: [PATCH 2/6] vl.c: move pidfile creation up the line With current code, pid file is open after various sockets, chardevs, fsdevs and the like. This causes interesting effects, for example when monitor is a unix-socket, and another qemu instance is already running, new qemu first "damages" the socket and next complain that it can't acquire the pid file and exits, making running qemu unreachable. Move pid file creation earlier, right after the call to os_daemonize(), where we know our process id (pid). Signed-off-by: Michael Tokarev Message-Id: <1478096330-18081-1-git-send-email-mjt@msgid.tls.msk.ru> Reviewed-by: Daniel P. Berrange Reviewed-by: Markus Armbruster Signed-off-by: Paolo Bonzini --- vl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vl.c b/vl.c index 319f6413f2..d77dd862f9 100644 --- a/vl.c +++ b/vl.c 
@@ -4063,6 +4063,11 @@ int main(int argc, char **argv, char **envp) os_daemonize(); + if (pid_file && qemu_create_pidfile(pid_file) != 0) { + error_report("could not acquire pid file: %s", strerror(errno)); + exit(1); + } + if (qemu_init_main_loop(&main_loop_err)) { error_report_err(main_loop_err); exit(1); @@ -4340,11 +4345,6 @@ int main(int argc, char **argv, char **envp) } #endif - if (pid_file && qemu_create_pidfile(pid_file) != 0) { - error_report("could not acquire pid file: %s", strerror(errno)); - exit(1); - } - if (qemu_opts_foreach(qemu_find_opts("device"), device_help_func, NULL, NULL)) { exit(0); From 5122787580ad7fc8f8540c73cd33612604172607 Mon Sep 17 00:00:00 2001 
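Review bot: The block added after `os_daemonize()` says nothing about why it must sit exactly here, yet the ordering is the entire fix, so a future reorder could silently reintroduce the clobbered-socket problem the description calls out. I would put above the `if (pid_file && ...)` line: `/* Acquire the pid file right after daemonizing and before any socket, chardev or fsdev is created: a second instance must fail here, not after it has already replaced a running instance's unix sockets. */`. The `exit(1)` runs before `qemu_init_main_loop()`, so presumably nothing needs tearing down yet, but main() starts and ends outside the hunk and I can't confirm what state `os_daemonize()` leaves behind (e.g. a parent waiting on a status pipe), so that is worth checking.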
From: ZhuangYanying Date: Fri, 4 Nov 2016 16:16:38 +0800 Subject: [PATCH 3/6] target-i386/machine: fix migrate faile because of Hyper-V HV_X64_MSR_VP_RUNTIME Hyper-V HV_X64_MSR_VP_RUNTIME was introduced in linux-4.4 + qemu-2.5. As long as the KVM module supports, qemu will save / load the vmstate_msr_hyperv_runtime register during the migration. Regardless of whether the hyperv_runtime configuration of x86_cpu_properties is enabled. The qemu-2.3 does not support this feature, of course, failed to migrate. linux-BGSfqC:/home/qemu # ./x86_64-softmmu/qemu-system-x86_64 --enable-kvm \ -nodefaults -machine pc-i440fx-2.3,accel=kvm,usb=off -smp 4 -m 4096 -drive \ file=/work/suse/sles11sp3.img.bak,format=raw,if=none,id=drive-virtio-disk0,cache=none \ -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0 \ -vnc :99 -device cirrus-vga,id=video0,vgamem_mb=8,bus=pci.0,addr=0x2 -monitor vc save_section_header:se->section_id=3,se->idstr:ram,se->instance_id=0,se->version_id=4 save_section_header:se->section_id=0,se->idstr:timer,se->instance_id=0,se->version_id=2 save_section_header:se->section_id=4,se->idstr:cpu_common,se->instance_id=0,se->version_id=1 save_section_header:se->section_id=5,se->idstr:cpu,se->instance_id=0,se->version_id=12 vmstate_subsection_save:vmsd->name:cpu/async_pf_msr hyperv_runtime_enable_needed:env->msr_hv_runtime=128902811 vmstate_subsection_save:vmsd->name:cpu/msr_hyperv_runtime Since hyperv_runtime is false, vm will not use hv->runtime_offset, then vmstate_msr_hyperv_runtime is no need to transfer while migrating. Signed-off-by: ann.zhuangyanying@huawei.com Message-Id: <1478247398-5016-1-git-send-email-ann.zhuangyanying@huawei.com> Signed-off-by: Paolo Bonzini --- target-i386/machine.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target-i386/machine.c b/target-i386/machine.c index 48037f1575..760f82b6c7 100644 --- a/target-i386/machine.c +++ b/target-i386/machine.c 
@@ -709,6 +709,10 @@ static bool hyperv_runtime_enable_needed(void *opaque) X86CPU *cpu = opaque; CPUX86State *env = &cpu->env; + if (!cpu->hyperv_runtime) { + return false; + } + return env->msr_hv_runtime != 0; } From 2209401fa73e176ed093167b8f60aba797f25d49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Mon, 7 Nov 2016 13:59:22 +0400 Subject: [PATCH 4/6] qdev: fix use-after-free regression from becdfa00cfa MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Spotted by Coverity, CID 1365383. Signed-off-by: Marc-André Lureau Message-Id: <20161107095922.31676-1-marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini --- hw/core/qdev-properties-system.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/hw/core/qdev-properties-system.c b/hw/core/qdev-properties-system.c index c35f0f59d6..1b7ea50e9f 100644 --- a/hw/core/qdev-properties-system.c +++ b/hw/core/qdev-properties-system.c @@ -200,18 +200,14 @@ static void set_chr(Object *obj, Visitor *v, const char *name, void *opaque, } s = qemu_chr_find(str); - g_free(str); if (s == NULL) { error_setg(errp, "Property '%s.%s' can't find value '%s'", object_get_typename(obj), prop->name, str); - return; - } - - if (!qemu_chr_fe_init(be, s, errp)) { + } else if (!qemu_chr_fe_init(be, s, errp)) { error_prepend(errp, "Property '%s.%s' can't take value '%s': ", object_get_typename(obj), prop->name, str); - return; } + g_free(str); } static void release_chr(Object *obj, const char *name, void *opaque) From 175cad36a599bb24ab2a5cd195c96b1f123e25a9 Mon Sep 17 00:00:00 2001 From: Doug Evans Date: Thu, 3 Nov 2016 21:48:56 +0000 Subject: [PATCH 5/6] target-i386: document how x86 gdb_num_core_regs is computed. It helps when reading the code to see how the number is arrived at. Signed-off-by: Doug Evans Message-Id: <94eb2c187eda43dba005406c86f7@google.com> Signed-off-by: Paolo Bonzini --- target-i386/cpu.c | 3 +++ 1 file changed, 3 insertions(+) 
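Review bot: The new early return gives no hint why a nonzero `env->msr_hv_runtime` is deliberately not migrated when the property is off, which will read as a lost-state bug to the next maintainer. I would add above the check: `/* KVM may report a nonzero runtime MSR even when hv-runtime was not enabled for this CPU; the guest can't use it then, and emitting the subsection breaks migration to QEMUs that lack it. */`. Note this only suppresses the subsection on the save side; whether the load side should reject an unexpected `cpu/msr_hyperv_runtime` subsection is outside this hunk. `hyperv_runtime_enable_needed()` is complete within the hunk.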
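Review bot: Moving `g_free(str)` to the tail fixes the use-after-free, but nothing at the new site says why the free must come last, so the next cleanup could move it back. A one-line comment before it, `/* str is still referenced by the error messages above; free it last. */`, keeps the ordering constraint visible (Coverity CID 1365383). The prologue of `set_chr()` where `str` is obtained is outside the hunk, so I assume every path that reaches `qemu_chr_find(str)` owns `str` and no earlier return leaks it; worth a glance.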
diff --git a/target-i386/cpu.c b/target-i386/cpu.c index 14c5186fe7..6eec5dc86d 100644 --- a/target-i386/cpu.c +++ b/target-i386/cpu.c @@ -3721,6 +3721,9 @@ static void x86_cpu_common_class_init(ObjectClass *oc, void *data) cc->write_elf32_qemunote = x86_cpu_write_elf32_qemunote; cc->vmsd = &vmstate_x86_cpu; #endif + /* CPU_NB_REGS * 2 = general regs + xmm regs + * 25 = eip, eflags, 6 seg regs, st[0-7], fctrl,...,fop, mxcsr. + */ cc->gdb_num_core_regs = CPU_NB_REGS * 2 + 25; #ifndef CONFIG_USER_ONLY cc->debug_excp_handler = breakpoint_handler; From a5068244b4f0c994791303b6186b6f732adab6c2 Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Mon, 7 Nov 2016 14:38:13 -0600 Subject: [PATCH 6/6] nbd: Don't inf-loop on early EOF Commit 7d3123e converted a single read_sync() into a while loop that assumed that read_sync() would either make progress or give an error. But when the server hangs up early, the client sees EOF (a read_sync() of 0) and never makes progress, which in turn caused qemu-iotest './check -nbd 83' to go into an infinite loop. Rework the loop to accomodate reads cut short by EOF. Reported-by: Max Reitz Signed-off-by: Eric Blake Message-Id: <1478551093-32757-1-git-send-email-eblake@redhat.com> Signed-off-by: Paolo Bonzini --- nbd/client.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/nbd/client.c b/nbd/client.c index 7db4301d29..ffb0743bce 100644 --- a/nbd/client.c +++ b/nbd/client.c 
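Review bot: The `...` in the new comment elides exactly the part that makes the 25 hard to check: eip, eflags and six segment registers give 8, st[0-7] give 8, mxcsr gives 1, leaving 8 FPU control registers that are not named. If those are gdb's i386 core set (fctrl, fstat, ftag, fiseg, fioff, foseg, fooff, fop — confirm against gdb's 32bit-core.xml and the order used by the x86 gdb register read/write handlers), spelling them out makes the arithmetic verifiable: `* 25 = eip, eflags, 6 seg regs, st[0-7], fctrl, fstat, ftag, fiseg, fioff, foseg, fooff, fop, mxcsr.`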
@@ -90,20 +90,21 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); * the amount of bytes consumed. */ static ssize_t drop_sync(QIOChannel *ioc, size_t size) { - ssize_t ret, dropped = size; + ssize_t ret = 0; char small[1024]; char *buffer; buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); while (size > 0) { - ret = read_sync(ioc, buffer, MIN(65536, size)); - if (ret < 0) { + ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); + + if (count <= 0) { goto cleanup; } - assert(ret <= size); - size -= ret; + assert(count <= size); + size -= count; + ret += count; } - ret = dropped; cleanup: if (buffer != small) {
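Review bot: The new `read_sync(ioc, buffer, MIN(65536, size))` writes up to 64 KiB into `buffer`, but the unchanged line above selects the 1024-byte stack array precisely when `sizeof(small) < size` — the ternary is inverted, so any drop larger than 1024 bytes overruns `small` on the stack. If `size` can originate from the peer (the callers are outside this hunk), that is a remotely triggerable stack buffer overflow; the fix is `buffer = size <= sizeof(small) ? small : g_malloc(MIN(65536, size));`. Separately, a negative `count` now takes the `count <= 0` branch without being stored, so the function presumably returns the bytes dropped so far (`return ret` is below the hunk) and the caller can no longer distinguish an I/O error from EOF; either `if (count < 0) { ret = count; goto cleanup; }` ahead of the EOF test, or state in the header comment that errors surface only as a short count. The tail of drop_sync() is outside the hunk.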