Update version and changelog for 0.11.1 release

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
fix I2C slave addressing
2009-12-02 21:27:02 +01:00 · 2009-12-02 17:24:48 +01:00 · 2009-11-27 18:46:04 +01:00 · 2009-11-21 00:34:59 +01:00 · 2009-11-19 01:22:47 +01:00 · 2009-11-18 15:30:23 +01:00
122 changed files with 1354 additions and 683 deletions
--- a/151
+++ b/151
@@ -1,3 +1,154 @@
+Version 0.11.1
+  - fix I2C slave addressing (Juha Riihimäki)
+  - Revert "vga: do not resize the screen on hw_invalidate" (Aurelien Jarno)
+  - slirp: fix use-after-free (Mark McLoughlin)
+  - Fix sparc.ld (Blue Swirl)
+  - ELF codedump build failures (Laurent Desnogues)
+  - kvm: Move KVM mp_state accessors to i386-specific code (Hollis Blanchard)
+  - fix configure script with armv4l cpu (Laurent Desnogues)
+  - net: disable draining tap queue in one go (Mark McLoughlin)
+  - pcnet: Restart poll timer on pcnet_start (Jan Kiszka)
+  - Sparc32: Fix lance (Blue Swirl)
+  - mac99: fix segmentation fault on startup (Aurelien Jarno)
+  - usb-linux.c: fix buffer overflow (Jim Paris)
+  - ARM host: fix generated blocks linking (Laurent Desnogues)
+  - qemu serial: lost tx irqs (affecting FreeBSD's new uart(4) driver (Juergen Lock)
+  - exec-all.h: increase MAX_OP_PER_INSTR to 96 from 64 (Aurelien Jarno)
+
+version 0.11.0
+  - fix rtc polling mode (Bernhard Kauer)
+  - qcow2: order concurrent aio requests (Kevin Wolf)
+  - qemu-io: port to win32 (Stefan Weil)
+  - alpha: fix extlh instruction (Vince Weaver)
+  - tcg: fix size of local variables in tcg_gen_bswap64_i64 (Stefan Weil)
+  - net: fix send ordering (Jan Kiszka)
+  - escc: fix IRQ routing (Aurelien Jarno)
+  - versatile: fix Linux task preemption (Aurelien Jarno)
+  - curses: reduce memory usage by 250MB (Aurelien Jarno)
+
+version 0.11.0-rc2
+  - mips: fix conditional move off fp conditions codes (Nath Froyd)
+  - fix migration to obey -S (Paolo Bonzini)
+  - remove pc-0-10 machine type (Mark McLoughlin)
+  - vnc: fix copyrect screen corruption (Gerd Hoffman)
+  - fix vm state change handlers running order (Markus Armbruster)
+  - e1000: fix eerc and ics emulation (Bill Paul)
+  - fix sdl zooming with pl110 (Blue Swirl)
+  - sparc64: flush pending conditional evaluations (Igor Kovalenko)
+  - esp: fix interrupt register read (Blue Swirl)
+  - option rom makefile fixes (Paul Brook)
+  - fix sparse warnings (Blue Swirl)
+  - fix symfind (Laurent Desnogues)
+  - win32: fix default prefix (Stefan Weil)
+  - fix checksum writing in signboot (Alex Graf)
+  - fix sdl window resize (Stefano Stabellini)
+  - do not resize the screen on hw_invalidate (Stefano Stabellini)
+  - Add checks for -smbios option (Beth Kon)
+  - fix do_set_link (Luiz Capitulino)
+  - fix do_commit behavior (Luiz Capitulino)
+  - make windows notice media change (Gleb Natapov)
+  - check for PR_SET_NAME being defined (Nathan Froyd)
+  - fix migration for ide devices (Anthony Liguori)
+  - Use correct depth in vmware vga (Reimar Doffiner)
+  - support 32bpp cursors in sdl (Reimar Doffinger)
+  - fix device name completion for eject (Blue Swirl)
+  - make screendump use DisplayState properly (Stefano Stabellini)
+  - fix autostart with live migration (Avi Kivity)
+  - fix detached migration with exec (Chris Lalancette)
+  - fix segv when changing vnc password in sdl (Zach Amsden)
+  - fix vnc password clearing with stdio monitor (Zach Amsden)
+  - clean up VGA type selection (Zach Amsden)
+  - add missing linefeed in error message (Stefan Weil)
+	
+version 0.11.0-rc1
+  - add machine aliasing support (Mark McLoughlin)
+  - add getfd/closefd monitor commands (Mark McLoughlin)
+  - use correct headers for tap-win32 (Filip Navara)
+  - fix live migration (Glauber Costa)
+  - slirp: use monotonic clock if available (Ed Swierk)
+  - clear msix_entries_nr on error (Michael Tsirkin)
+  - HPET: fix reg writes (Beth Kon)
+  - slirp: fix guestfwd for incoming data (Jan Kiszka)
+  - fix build of qemu-thread.c on win32 (Sebastian Herbszt)
+  - improve signrom.sh portability (Christoph Egger)
+  - fix qemu-img convert to copy unallocated parts of the image
+	(Akkarit Sangpetch)
+  - vmdk: fix backing file handling (Kevin Wolf)
+  - scsi: add save/restore support (Nolan Leake)
+  - fix live migration for SCSI (Nolan Leake)
+  - various sparc build fixes (Blue Swirl)
+  - fix OpenBSD build (Blue Swirl)
+  - only allow -cpu host when using KVM (Anthony Liguori)
+  - fix build breakage when !KVM (Anthony Liguori)
+
+version 0.10.6:
+  - e1000: ignore reset command (Kevin Wolf)
+  - fix VNC memory allocation (Stefan Weil)
+  - fix raw_pread_aligned return value (Christoph Hellwig)
+  - allow monitor interaction when using -incoming exec: (Chris Lalancette)
+  - fix -net socket,listen (Jan Kiszka)
+  - live migration: don't send gratuitous packets all at once (Gleb Natapov)
+  - serial: fix lost characters after sysrq (Jason Wessel)
+  - Fix prototype of zfree (Stefan Weil)
+  - Handle EINTR with exec: migration (Uri Lublin)
+  - Delete io-handler before closing fd after migration (Uri Lublin)
+  - Fix qemu_aio_flush (Andrea Arcangeli)
+  - lsi53c895a: Implement additional registers (Sebastian Herbszt)
+  - virtio-blk: fix warning (Gerd Hoffman)
+  - i386: fix cpu reset (Nitin Kamble)
+  - kvm: fix irq injection into full queue (Jan Kiszka)
+  - Prevent CD-ROM eject while device is locked (Mark McLoughlin)
+  - Fix screen dump with blank screen (Eduardo Habkost)
+  - Fix memory leak with cpu_unregister_map_client (Isaku Yamahata)
+  - Fix memory leak in SDL (Jan Kiszka)
+  - Fix build on OS X 10.4 (John Arbuckle)
+  - Fix leak of vlan clients after hot remove (Mark McLoughlin)
+  - Fix migration after hot remove with eepro100 (Mark McLoughlin)
+  - Don't start a VM after failed migration if stopped (Anthony Liguori)
+  - Fix live migration under heavy IO load (Glauber Costa)
+  - Honor -S on incoming migration (Paolo Bonzini)
+  - Reset HPET config register on reset (Beth Kon)
+  - Reset PS2 keyboard/mouse on reset (Dinesh Subraveti)
+
+version 0.10.5:
+  - kvm: trim unsupported cpu features from cpuid (Avi Kivity)
+  - kvm: provide a better error message for -smp > 1 (Mark McLoughlin)
+  - Remove initrd printfs (Richard Jones)
+  - Initial variables found by valgrind (Jean-Christophe Dubois)
+  - Fix -initrd with > 4GB guests (Glauber Costa)
+  - Fix busy loop on live migration for certain platforms (Uri Lublin)
+  - Remove GCC 3.x requirements from docs (Hollis Blanchard)
+  - ETRAX: fixes for kernel command line, ethernet address, bmi (Edgar Iglesias)
+  - CRIS: Fix bmi (Edgar Iglesias)
+  - Fix bounce buffer errors (Avi Kivity)
+  - Fix regression in -kernel (Anthony Liguori)
+
+version 0.10.4:
+  - Improve block range checks to remove integer overflow (Kevin Wolf)
+  - e1000: do not re-init PCI config space 0 (Amit Shah)
+  - fix AIO deletion race (Alex Graf)
+  - reset option roms on reboot (Glauber Costa)
+  - fix qcow2 corruption in cluster freeing (Gleb Natapov)
+  - Enable power button event generation (Gleb Natapov)
+
+version 0.10.3:
+  - fix AIO cancellations (Avi Kivity)
+  - fix live migration error path on incoming
+  - avoid SEGV on pci hotplug failure (Chris Wright)
+  - fix serial option in -drive
+  - support DDIM for option roms (Glauber Costa)
+  - avoid fork/exec on pre-2.6.27 kernels with KVM (Jan Kiszka)
+  - block-vpc: don't silently create smaller images than requested (Kevin Wolf)
+  - Fix non-ACPI timer interrupt routing (Beth Kon)
+  - hpet: fix emulation of HPET_TN_SETVAL (Jan Kiszka)
+  - kvm: fix cpuid initialization (Jan Kiszka)
+  - qcow2: fix corruption on little endian hosts (Kevin Wolf)
+  - avoid leaing memory on hot unplug (Mark McLoughlin)
+  - fix savevm/migration after hot unplug (Mark McLoughlin)
+  - Fix keyboard mapping on newer Xords with non-default keymaps (balrog)
+  - Make PCI config status register read-only (Anthony Liguori)
+  - Fix crash on resolution change -> screen dump -> vga redraw (Avi Kivity)
+
 version 0.10.2:

  - fix savevm/loadvm (Anthony Liguori)
--- a/18
+++ b/18
@@ -40,7 +40,7 @@ ifdef CONFIG_WIN32
 LIBS+=-lwinmm -lws2_32 -liphlpapi
 endif

-build-all: $(TOOLS) $(DOCS) roms recurse-all
+build-all: $(TOOLS) $(DOCS) recurse-all

 config-host.mak: configure
 ifneq ($(wildcard config-host.mak),)
@@ -57,7 +57,14 @@ subdir-%:
 $(filter %-softmmu,$(SUBDIR_RULES)): libqemu_common.a
 $(filter %-user,$(SUBDIR_RULES)): libqemu_user.a

-recurse-all: $(SUBDIR_RULES)
+
+ROMSUBDIR_RULES=$(patsubst %,romsubdir-%, $(ROMS))
+romsubdir-%:
+	$(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C pc-bios/$* V="$(V)" TARGET_DIR="$*/",)
+
+ALL_SUBDIRS=$(TARGET_DIRS) $(patsubst %,pc-bios/%, $(ROMS))
+
+recurse-all: $(SUBDIR_RULES) $(ROMSUBDIR_RULES)

 #######################################################################
 # block-obj-y is code used by both qemu system emulation and qemu-img
@@ -235,7 +242,7 @@ clean:
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d
 	rm -f qemu-img-cmds.h
 	$(MAKE) -C tests clean
-	for d in $(TARGET_DIRS) $(ROMS) libhw32 libhw64; do \
+	for d in $(ALL_SUBDIRS) libhw32 libhw64; do \
 	$(MAKE) -C $$d $@ || exit 1 ; \
        done

@@ -260,11 +267,6 @@ else
 BLOBS=
 endif

-roms:
-	for d in $(ROMS); do \
-	$(MAKE) -C $$d || exit 1 ; \
-        done
-
 install-doc: $(DOCS)
 	$(INSTALL_DIR) "$(DESTDIR)$(docdir)"
 	$(INSTALL_DATA) qemu-doc.html  qemu-tech.html "$(DESTDIR)$(docdir)"
--- a/Makefile.target
+++ b/Makefile.target
@@ -262,8 +262,6 @@ endif
 obj-y = main.o syscall.o strace.o mmap.o signal.o path.o thunk.o \
      elfload.o linuxload.o uaccess.o envlist.o gdbstub.o gdbstub-xml.o \
      ioport-user.o
-LIBS+= $(PTHREADLIBS)
-LIBS+= $(CLOCKLIBS)
 obj-$(TARGET_HAS_BFLT) += flatload.o

 ifdef TARGET_HAS_ELFLOAD32
@@ -289,6 +287,9 @@ signal.o: CFLAGS += $(HELPER_CFLAGS)
 ARLIBS=../libqemu_user.a libqemu.a
 endif #CONFIG_LINUX_USER

+LIBS+= $(PTHREADLIBS)
+LIBS+= $(CLOCKLIBS)
+
 #########################################################
 # Darwin user emulator target

--- a/2
+++ b/2
@@ -1 +1 @@
-0.10.90
+0.11.1
--- a/aio.c
+++ b/aio.c
@@ -112,7 +112,7 @@ void qemu_aio_flush(void)
        LIST_FOREACH(node, &aio_handlers, node) {
            ret |= node->io_flush(node->opaque);
        }
-    } while (ret > 0);
+    } while (qemu_bh_poll() || ret > 0);
 }

 void qemu_aio_wait(void)
--- a/audio/alsaaudio.c
+++ b/audio/alsaaudio.c
@@ -25,6 +25,10 @@
 #include "qemu-common.h"
 #include "audio.h"

+#if QEMU_GNUC_PREREQ(4, 3)
+#pragma GCC diagnostic ignored "-Waddress"
+#endif
+
 #define AUDIO_CAP "alsa"
 #include "audio_int.h"

--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -481,7 +481,7 @@ static int oss_init_out (HWVoiceOut *hw, struct audsettings *as)
    oss->mmapped = 0;
    if (conf.try_mmap) {
        oss->pcm_buf = mmap (
-            0,
+            NULL,
            hw->samples << hw->info.shift,
            PROT_READ | PROT_WRITE,
            MAP_SHARED,
--- a/audio/sdlaudio.c
+++ b/audio/sdlaudio.c
@@ -201,7 +201,7 @@ static int sdl_open (SDL_AudioSpec *req, SDL_AudioSpec *obt)
    }

 #ifndef _WIN32
-    pthread_sigmask (SIG_SETMASK, &old, 0);
+    pthread_sigmask (SIG_SETMASK, &old, NULL);
 #endif
    return status;
 }
--- a/block/curl.c
+++ b/block/curl.c
@@ -269,7 +269,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
        return NULL;
    curl_easy_setopt(state->curl, CURLOPT_URL, s->url);
    curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5);
-    curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, curl_read_cb);
+    curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, (void *)curl_read_cb);
    curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state);
    curl_easy_setopt(state->curl, CURLOPT_PRIVATE, (void *)state);
    curl_easy_setopt(state->curl, CURLOPT_AUTOREFERER, 1);
@@ -358,11 +358,11 @@ static int curl_open(BlockDriverState *bs, const char *filename, int flags)
    // Get file size

    curl_easy_setopt(state->curl, CURLOPT_NOBODY, 1);
-    curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, curl_size_cb);
+    curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, (void *)curl_size_cb);
    if (curl_easy_perform(state->curl))
        goto out;
    curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &d);
-    curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, curl_read_cb);
+    curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, (void *)curl_read_cb);
    curl_easy_setopt(state->curl, CURLOPT_NOBODY, 0);
    if (d)
        s->len = (size_t)d;
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -684,6 +684,7 @@ uint64_t qcow2_alloc_cluster_offset(BlockDriverState *bs,
    int l2_index, ret;
    uint64_t l2_offset, *l2_table, cluster_offset;
    int nb_clusters, i = 0;
+    QCowL2Meta *old_alloc;

    ret = get_cluster_table(bs, offset, &l2_table, &l2_offset, &l2_index);
    if (ret == 0)
@@ -732,6 +733,44 @@ uint64_t qcow2_alloc_cluster_offset(BlockDriverState *bs,
    }
    nb_clusters = i;

+    /*
+     * Check if there already is an AIO write request in flight which allocates
+     * the same cluster. In this case we need to wait until the previous
+     * request has completed and updated the L2 table accordingly.
+     */
+    LIST_FOREACH(old_alloc, &s->cluster_allocs, next_in_flight) {
+
+        uint64_t end_offset = offset + nb_clusters * s->cluster_size;
+        uint64_t old_offset = old_alloc->offset;
+        uint64_t old_end_offset = old_alloc->offset +
+            old_alloc->nb_clusters * s->cluster_size;
+
+        if (end_offset < old_offset || offset > old_end_offset) {
+            /* No intersection */
+        } else {
+            if (offset < old_offset) {
+                /* Stop at the start of a running allocation */
+                nb_clusters = (old_offset - offset) >> s->cluster_bits;
+            } else {
+                nb_clusters = 0;
+            }
+
+            if (nb_clusters == 0) {
+                /* Set dependency and wait for a callback */
+                m->depends_on = old_alloc;
+                m->nb_clusters = 0;
+                *num = 0;
+                return 0;
+            }
+        }
+    }
+
+    if (!nb_clusters) {
+        abort();
+    }
+
+    LIST_INSERT_HEAD(&s->cluster_allocs, m, next_in_flight);
+
    /* allocate a new cluster */

    cluster_offset = qcow2_alloc_clusters(bs, nb_clusters * s->cluster_size);
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -277,7 +277,7 @@ static int update_refcount(BlockDriverState *bs,
    int first_index = -1, last_index = -1;

 #ifdef DEBUG_ALLOC2
-    printf("update_refcount: offset=%lld size=%lld addend=%d\n",
+    printf("update_refcount: offset=%" PRId64 " size=%" PRId64 " addend=%d\n",
           offset, length, addend);
 #endif
    if (length <= 0)
@@ -380,7 +380,7 @@ retry:
            goto retry;
    }
 #ifdef DEBUG_ALLOC2
-    printf("alloc_clusters: size=%lld -> %lld\n",
+    printf("alloc_clusters: size=%" PRId64 " -> %" PRId64 "\n",
            size,
            (s->free_cluster_index - nb_clusters) << s->cluster_bits);
 #endif
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -219,6 +219,8 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
    if (qcow2_refcount_init(bs) < 0)
        goto fail;

+    LIST_INIT(&s->cluster_allocs);
+
    /* read qcow2 extensions */
    if (header.backing_file_offset)
        ext_end = header.backing_file_offset;
@@ -338,6 +340,7 @@ typedef struct QCowAIOCB {
    QEMUIOVector hd_qiov;
    QEMUBH *bh;
    QCowL2Meta l2meta;
+    LIST_ENTRY(QCowAIOCB) next_depend;
 } QCowAIOCB;

 static void qcow_aio_cancel(BlockDriverAIOCB *blockacb)
@@ -500,6 +503,7 @@ static QCowAIOCB *qcow_aio_setup(BlockDriverState *bs,
    acb->n = 0;
    acb->cluster_offset = 0;
    acb->l2meta.nb_clusters = 0;
+    LIST_INIT(&acb->l2meta.dependent_requests);
    return acb;
 }

@@ -517,6 +521,33 @@ static BlockDriverAIOCB *qcow_aio_readv(BlockDriverState *bs,
    return &acb->common;
 }

+static void qcow_aio_write_cb(void *opaque, int ret);
+
+static void run_dependent_requests(QCowL2Meta *m)
+{
+    QCowAIOCB *req;
+    QCowAIOCB *next;
+
+    /* Take the request off the list of running requests */
+    if (m->nb_clusters != 0) {
+        LIST_REMOVE(m, next_in_flight);
+    }
+
+    /*
+     * Restart all dependent requests.
+     * Can't use LIST_FOREACH here - the next link might not be the same
+     * any more after the callback  (request could depend on a different
+     * request now)
+     */
+    for (req = m->dependent_requests.lh_first; req != NULL; req = next) {
+        next = req->next_depend.le_next;
+        qcow_aio_write_cb(req, 0);
+    }
+
+    /* Empty the list for the next part of the request */
+    LIST_INIT(&m->dependent_requests);
+}
+
 static void qcow_aio_write_cb(void *opaque, int ret)
 {
    QCowAIOCB *acb = opaque;
@@ -528,14 +559,15 @@ static void qcow_aio_write_cb(void *opaque, int ret)

    acb->hd_aiocb = NULL;

+    if (ret >= 0) {
+        ret = qcow2_alloc_cluster_link_l2(bs, acb->cluster_offset, &acb->l2meta);
+    }
+
+    run_dependent_requests(&acb->l2meta);
+
    if (ret < 0)
        goto done;

-    if (qcow2_alloc_cluster_link_l2(bs, acb->cluster_offset, &acb->l2meta) < 0) {
-        qcow2_free_any_clusters(bs, acb->cluster_offset, acb->l2meta.nb_clusters);
-        goto done;
-    }
-
    acb->nb_sectors -= acb->n;
    acb->sector_num += acb->n;
    acb->buf += acb->n * 512;
@@ -555,6 +587,14 @@ static void qcow_aio_write_cb(void *opaque, int ret)
    acb->cluster_offset = qcow2_alloc_cluster_offset(bs, acb->sector_num << 9,
                                          index_in_cluster,
                                          n_end, &acb->n, &acb->l2meta);
+
+    /* Need to wait for another request? If so, we are done for now. */
+    if (!acb->cluster_offset && acb->l2meta.depends_on != NULL) {
+        LIST_INSERT_HEAD(&acb->l2meta.depends_on->dependent_requests,
+            acb, next_depend);
+        return;
+    }
+
    if (!acb->cluster_offset || (acb->cluster_offset & 511) != 0) {
        ret = -EIO;
        goto done;
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -98,6 +98,7 @@ typedef struct BDRVQcowState {
    uint8_t *cluster_cache;
    uint8_t *cluster_data;
    uint64_t cluster_cache_offset;
+    LIST_HEAD(QCowClusterAlloc, QCowL2Meta) cluster_allocs;

    uint64_t *refcount_table;
    uint64_t refcount_table_offset;
@@ -128,6 +129,8 @@ typedef struct QCowCreateState {
    int64_t refcount_block_offset;
 } QCowCreateState;

+struct QCowAIOCB;
+
 /* XXX This could be private for qcow2-cluster.c */
 typedef struct QCowL2Meta
 {
@@ -135,6 +138,10 @@ typedef struct QCowL2Meta
    int n_start;
    int nb_available;
    int nb_clusters;
+    struct QCowL2Meta *depends_on;
+    LIST_HEAD(QCowAioDependencies, QCowAIOCB) dependent_requests;
+
+    LIST_ENTRY(QCowL2Meta) next_in_flight;
 } QCowL2Meta;

 static inline int size_to_clusters(BDRVQcowState *s, int64_t size)
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -24,6 +24,7 @@
 #include "qemu-common.h"
 #include "qemu-timer.h"
 #include "qemu-char.h"
+#include "qemu-log.h"
 #include "block_int.h"
 #include "module.h"
 #ifdef CONFIG_AIO
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -170,7 +170,7 @@ static int vmdk_is_cid_valid(BlockDriverState *bs)
 {
 #ifdef CHECK_CID
    BDRVVmdkState *s = bs->opaque;
-    BlockDriverState *p_bs = s->hd->backing_hd;
+    BlockDriverState *p_bs = bs->backing_hd;
    uint32_t cur_pcid;

    if (p_bs) {
@@ -338,26 +338,26 @@ static int vmdk_parent_open(BlockDriverState *bs, const char * filename)
        p_name += sizeof("parentFileNameHint") + 1;
        if ((end_name = strchr(p_name,'\"')) == NULL)
            return -1;
-        if ((end_name - p_name) > sizeof (s->hd->backing_file) - 1)
+        if ((end_name - p_name) > sizeof (bs->backing_file) - 1)
            return -1;

-        pstrcpy(s->hd->backing_file, end_name - p_name + 1, p_name);
-        if (stat(s->hd->backing_file, &file_buf) != 0) {
+        pstrcpy(bs->backing_file, end_name - p_name + 1, p_name);
+        if (stat(bs->backing_file, &file_buf) != 0) {
            path_combine(parent_img_name, sizeof(parent_img_name),
-                         filename, s->hd->backing_file);
+                         filename, bs->backing_file);
        } else {
            pstrcpy(parent_img_name, sizeof(parent_img_name),
-                    s->hd->backing_file);
+                    bs->backing_file);
        }

-        s->hd->backing_hd = bdrv_new("");
-        if (!s->hd->backing_hd) {
+        bs->backing_hd = bdrv_new("");
+        if (!bs->backing_hd) {
            failure:
            bdrv_close(s->hd);
            return -1;
        }
        parent_open = 1;
-        if (bdrv_open(s->hd->backing_hd, parent_img_name, BDRV_O_RDONLY) < 0)
+        if (bdrv_open(bs->backing_hd, parent_img_name, BDRV_O_RDONLY) < 0)
            goto failure;
        parent_open = 0;
    }
@@ -464,13 +464,14 @@ static int get_whole_cluster(BlockDriverState *bs, uint64_t cluster_offset,

    // we will be here if it's first write on non-exist grain(cluster).
    // try to read from parent image, if exist
-    if (s->hd->backing_hd) {
-        BDRVVmdkState *ps = s->hd->backing_hd->opaque;
+    if (bs->backing_hd) {
+        BDRVVmdkState *ps = bs->backing_hd->opaque;

        if (!vmdk_is_cid_valid(bs))
            return -1;

-        parent_cluster_offset = get_cluster_offset(s->hd->backing_hd, NULL, offset, allocate);
+        parent_cluster_offset = get_cluster_offset(bs->backing_hd, NULL,
+            offset, allocate);

        if (parent_cluster_offset) {
            BDRVVmdkState *act_s = activeBDRV.hd->opaque;
@@ -621,10 +622,10 @@ static int vmdk_read(BlockDriverState *bs, int64_t sector_num,
            n = nb_sectors;
        if (!cluster_offset) {
            // try to read from parent image, if exist
-            if (s->hd->backing_hd) {
+            if (bs->backing_hd) {
                if (!vmdk_is_cid_valid(bs))
                    return -1;
-                ret = bdrv_read(s->hd->backing_hd, sector_num, buf, n);
+                ret = bdrv_read(bs->backing_hd, sector_num, buf, n);
                if (ret < 0)
                    return -1;
            } else {
--- a/bsd-user/bsdload.c
+++ b/bsd-user/bsdload.c
@@ -163,7 +163,7 @@ int loader_exec(const char * filename, char ** argv, char ** envp,

    bprm.p = TARGET_PAGE_SIZE*MAX_ARG_PAGES-sizeof(unsigned int);
    for (i=0 ; i<MAX_ARG_PAGES ; i++)       /* clear page-table */
-            bprm.page[i] = 0;
+            bprm.page[i] = NULL;
    retval = open(filename, O_RDONLY);
    if (retval < 0)
        return retval;
--- a/bsd-user/elfload.c
+++ b/bsd-user/elfload.c
@@ -545,8 +545,6 @@ static inline void memcpy_fromfs(void * to, const void * from, unsigned long n)
        memcpy(to, from, n);
 }

-extern unsigned long x86_stack_size;
-
 static int load_aout_interp(void * exptr, int interp_fd);

 #ifdef BSWAP_NEEDED
@@ -1014,7 +1012,7 @@ static const char *lookup_symbolxx(struct syminfo *s, target_ulong orig_addr)
    key.st_value = orig_addr;

    sym = bsearch(&key, syms, s->disas_num_syms, sizeof(*syms), symfind);
-    if (sym != 0) {
+    if (sym != NULL) {
        return s->disas_strtab + sym->st_name;
    }

@@ -1295,7 +1293,7 @@ int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs,
        }

        if (interp_elf_ex.e_ident[0] != 0x7f ||
-                strncmp(&interp_elf_ex.e_ident[1], "ELF",3) != 0) {
+                strncmp((char *)&interp_elf_ex.e_ident[1], "ELF",3) != 0) {
            interpreter_type &= ~INTERPRETER_ELF;
        }

--- a/bsd-user/qemu.h
+++ b/bsd-user/qemu.h
@@ -193,6 +193,9 @@ void mmap_fork_start(void);
 void mmap_fork_end(int child);
 #endif

+/* main.c */
+extern unsigned long x86_stack_size;
+
 /* user access */

 #define VERIFY_READ 0
--- a/bsd-user/uaccess.c
+++ b/bsd-user/uaccess.c
@@ -51,7 +51,7 @@ abi_long target_strlen(abi_ulong guest_addr1)
        ptr = lock_user(VERIFY_READ, guest_addr, max_len, 1);
        if (!ptr)
            return -TARGET_EFAULT;
-        len = qemu_strnlen(ptr, max_len);
+        len = qemu_strnlen((char *)ptr, max_len);
        unlock_user(ptr, guest_addr, 0);
        guest_addr += len;
        /* we don't allow wrapping or integer overflow */
--- a/buffered_file.c
+++ b/buffered_file.c
@@ -113,7 +113,7 @@ static int buffered_put_buffer(void *opaque, const uint8_t *buf, int64_t pos, in
    int offset = 0;
    ssize_t ret;

-    dprintf("putting %ld bytes at %Ld\n", size, pos);
+    dprintf("putting %d bytes at %" PRId64 "\n", size, pos);

    if (s->has_error) {
        dprintf("flush when error, bailing\n");
@@ -151,7 +151,7 @@ static int buffered_put_buffer(void *opaque, const uint8_t *buf, int64_t pos, in
    }

    if (offset >= 0) {
-        dprintf("buffering %ld bytes\n", size - offset);
+        dprintf("buffering %d bytes\n", size - offset);
        buffered_append(s, buf + offset, size - offset);
        offset = size;
    }
--- a/cmd.c
+++ b/cmd.c
@@ -20,6 +20,7 @@
 #include <string.h>
 #include <ctype.h>
 #include <errno.h>
+#include <sys/time.h>

 #include "cmd.h"

@@ -283,6 +284,26 @@ fetchline(void)
 }
 #endif

+static char *qemu_strsep(char **input, const char *delim)
+{
+    char *result = *input;
+    if (result != NULL) {
+    char *p = result;
+    for (p = result; *p != '\0'; p++) {
+        if (strchr(delim, *p)) {
+                break;
+            }
+        }
+        if (*p == '\0') {
+            *input = NULL;
+        } else {
+            *p = '\0';
+            *input = p + 1;
+        }
+    }
+    return result;
+}
+
 char **
 breakline(
 	char	*input,
@@ -292,7 +313,7 @@ breakline(
 	char	*p;
 	char	**rval = calloc(sizeof(char *), 1);

-	while (rval && (p = strsep(&input, " ")) != NULL) {
+	while (rval && (p = qemu_strsep(&input, " ")) != NULL) {
 		if (!*p)
 			continue;
 		c++;
--- a/11
+++ b/11
@@ -1374,7 +1374,7 @@ fi

 if test "$mingw32" = "yes" ; then
  if test -z "$prefix" ; then
-      prefix="c:\\\\Program Files\\\\Qemu"
+      prefix="c:/Program Files/Qemu"
  fi
  mansuffix=""
  datasuffix=""
@@ -1499,7 +1499,7 @@ case "$cpu" in
  i386|x86_64|alpha|cris|hppa|ia64|m68k|microbaze|mips|mips64|ppc|ppc64|s390|sparc|sparc64)
    ARCH=$cpu
  ;;
-  armv4b|arm4l)
+  armv4b|armv4l)
    ARCH=arm
  ;;
  *)
@@ -1802,13 +1802,16 @@ if test `expr "$target_list" : ".*softmmu.*"` != 0 ; then
  tools="qemu-img\$(EXESUF) $tools"
  if [ "$linux" = "yes" ] ; then
      tools="qemu-nbd\$(EXESUF) qemu-io\$(EXESUF) $tools"
+  elif test "$mingw32" = "yes" ; then
+      tools="qemu-io\$(EXESUF) $tools"
  fi
 fi
 echo "TOOLS=$tools" >> $config_host_mak

 roms=
-if test "$cpu" = "i386" -o "$cpu" = "x86_64" ; then
-  roms="pc-bios/optionrom"
+if test \( "$cpu" = "i386" -o "$cpu" = "x86_64" \) -a \
+        "$targetos" != "Darwin" ; then
+  roms="optionrom"
 fi
 echo "ROMS=$roms" >> $config_host_mak

--- a/curses.c
+++ b/curses.c
@@ -158,7 +158,7 @@ static void curses_cursor_position(DisplayState *ds, int x, int y)

 #include "curses_keys.h"

-static kbd_layout_t *kbd_layout = 0;
+static kbd_layout_t *kbd_layout = NULL;
 static int keycode2keysym[CURSES_KEYS];

 static void curses_refresh(DisplayState *ds)
@@ -368,7 +368,4 @@ void curses_display_init(DisplayState *ds, int full_screen)
    ds->surface = qemu_create_displaysurface_from(640, 400, 0, 0, (uint8_t*) screen);

    invalidate = 1;
-
-    /* Standard VGA initial text mode dimensions */
-    curses_resize(ds);
 }
--- a/curses_keys.h
+++ b/curses_keys.h
@@ -479,5 +479,5 @@ static const name2keysym_t name2keysym[] = {
    { "F20", 0x11c },
    { "Escape", 27 },

-    { 0, 0 },
+    { NULL, 0 },
 };
--- a/elf_ops.h
+++ b/elf_ops.h
@@ -67,7 +67,7 @@ static int glue(symfind, SZ)(const void *s0, const void *s1)
    int result = 0;
    if (key->st_value < sym->st_value) {
        result = -1;
-    } else if (key->st_value > sym->st_value + sym->st_size) {
+    } else if (key->st_value >= sym->st_value + sym->st_size) {
        result = 1;
    }
    return result;
@@ -82,7 +82,7 @@ static const char *glue(lookup_symbol, SZ)(struct syminfo *s, target_ulong orig_
    key.st_value = orig_addr;

    sym = bsearch(&key, syms, s->disas_num_syms, sizeof(*syms), glue(symfind, SZ));
-    if (sym != 0) {
+    if (sym != NULL) {
        return s->disas_strtab + sym->st_name;
    }

--- a/exec-all.h
+++ b/exec-all.h
@@ -34,7 +34,7 @@
 typedef struct TranslationBlock TranslationBlock;

 /* XXX: make safe guess about sizes */
-#define MAX_OP_PER_INSTR 64
+#define MAX_OP_PER_INSTR 96
 /* A Call op needs up to 6 + 2N parameters (N = number of arguments).  */
 #define MAX_OPC_PARAM 10
 #define OPC_BUF_SIZE 512
@@ -211,7 +211,9 @@ static inline void tb_set_jmp_target1(unsigned long jmp_addr, unsigned long addr
 #endif

    /* we could use a ldr pc, [pc, #-4] kind of branch and avoid the flush */
-    *(uint32_t *)jmp_addr |= ((addr - (jmp_addr + 8)) >> 2) & 0xffffff;
+    *(uint32_t *)jmp_addr =
+        (*(uint32_t *)jmp_addr & ~0xffffff)
+        | (((addr - (jmp_addr + 8)) >> 2) & 0xffffff);

 #if QEMU_GNUC_PREREQ(4, 1)
    __clear_cache((char *) jmp_addr, (char *) jmp_addr + 4);
--- a/exec.c
+++ b/exec.c
@@ -316,7 +316,7 @@ static inline PageDesc *page_find_alloc(target_ulong index)
 #if defined(CONFIG_USER_ONLY)
        size_t len = sizeof(PageDesc) * L2_SIZE;
        /* Don't use qemu_malloc because it may recurse.  */
-        p = mmap(0, len, PROT_READ | PROT_WRITE,
+        p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        *lp = p;
        if (h2g_valid(p)) {
@@ -341,8 +341,9 @@ static inline PageDesc *page_find(target_ulong index)
        return NULL;

    p = *lp;
-    if (!p)
-        return 0;
+    if (!p) {
+        return NULL;
+    }
    return p + (index & (L2_SIZE - 1));
 }

@@ -655,7 +656,8 @@ static void tb_invalidate_check(target_ulong address)
        for(tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
            if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
                  address >= tb->pc + tb->size)) {
-                printf("ERROR invalidate: address=%08lx PC=%08lx size=%04x\n",
+                printf("ERROR invalidate: address=" TARGET_FMT_lx
+                       " PC=%08lx size=%04x\n",
                       address, (long)tb->pc, tb->size);
            }
        }
@@ -680,26 +682,6 @@ static void tb_page_check(void)
    }
 }

-static void tb_jmp_check(TranslationBlock *tb)
-{
-    TranslationBlock *tb1;
-    unsigned int n1;
-
-    /* suppress any remaining jumps to this TB */
-    tb1 = tb->jmp_first;
-    for(;;) {
-        n1 = (long)tb1 & 3;
-        tb1 = (TranslationBlock *)((long)tb1 & ~3);
-        if (n1 == 2)
-            break;
-        tb1 = tb1->jmp_next[n1];
-    }
-    /* check end of list */
-    if (tb1 != tb) {
-        printf("ERROR: jmp_list from 0x%08lx\n", (long)tb);
-    }
-}
-
 #endif

 /* invalidate one TB */
@@ -2939,7 +2921,7 @@ static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
    idx = SUBPAGE_IDX(start);
    eidx = SUBPAGE_IDX(end);
 #if defined(DEBUG_SUBPAGE)
-    printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %d\n", __func__,
+    printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__,
           mmio, start, end, idx, eidx, memory);
 #endif
    memory >>= IO_MEM_SHIFT;
--- a/feature_to_c.sh
+++ b/feature_to_c.sh
@@ -72,5 +72,5 @@ for input; do
  echo "  { \"$basename\", $arrayname }," >> $output
 done

-echo "  { 0, 0 }" >> $output
+echo "  { (char *)0, (char *)0 }" >> $output
 echo "};" >> $output
--- a/hw/arm_sysctl.c
+++ b/hw/arm_sysctl.c
@@ -7,6 +7,8 @@
 * This code is licenced under the GPL.
 */

+#include "hw.h"
+#include "qemu-timer.h"
 #include "sysbus.h"
 #include "primecell.h"
 #include "sysemu.h"
@@ -71,8 +73,7 @@ static uint32_t arm_sysctl_read(void *opaque, target_phys_addr_t offset)
    case 0x58: /* BOOTCS */
        return 0;
    case 0x5c: /* 24MHz */
-        /* ??? not implemented.  */
-        return 0;
+        return muldiv64(qemu_get_clock(vm_clock), 24000000, ticks_per_sec);
    case 0x60: /* MISC */
        return 0;
    case 0x84: /* PROCID0 */
--- a/hw/boards.h
+++ b/hw/boards.h
@@ -14,6 +14,7 @@ typedef void QEMUMachineInitFunc(ram_addr_t ram_size,

 typedef struct QEMUMachine {
    const char *name;
+    const char *alias;
    const char *desc;
    QEMUMachineInitFunc *init;
    int use_scsi;
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -2029,7 +2029,7 @@ static uint32_t cirrus_vga_mem_readb(void *opaque, target_phys_addr_t addr)
    } else {
 	val = 0xff;
 #ifdef DEBUG_CIRRUS
-	printf("cirrus: mem_readb %06x\n", addr);
+	printf("cirrus: mem_readb " TARGET_FMT_plx "\n", addr);
 #endif
    }
    return val;
@@ -2124,7 +2124,8 @@ static void cirrus_vga_mem_writeb(void *opaque, target_phys_addr_t addr,
 	}
    } else {
 #ifdef DEBUG_CIRRUS
-	printf("cirrus: mem_writeb %06x value %02x\n", addr, mem_value);
+        printf("cirrus: mem_writeb " TARGET_FMT_plx " value %02x\n", addr,
+               mem_value);
 #endif
    }
 }
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -154,6 +154,7 @@ set_interrupt_cause(E1000State *s, int index, uint32_t val)
    if (val)
        val |= E1000_ICR_INT_ASSERTED;
    s->mac_reg[ICR] = val;
+    s->mac_reg[ICS] = val;
    qemu_set_irq(s->dev.irq[0], (s->mac_reg[IMS] & s->mac_reg[ICR]) != 0);
 }

@@ -286,10 +287,14 @@ flash_eerd_read(E1000State *s, int x)
 {
    unsigned int index, r = s->mac_reg[EERD] & ~E1000_EEPROM_RW_REG_START;

+    if ((s->mac_reg[EERD] & E1000_EEPROM_RW_REG_START) == 0)
+        return (s->mac_reg[EERD]);
+
    if ((index = r >> E1000_EEPROM_RW_ADDR_SHIFT) > EEPROM_CHECKSUM_REG)
-        return 0;
-    return (s->eeprom_data[index] << E1000_EEPROM_RW_REG_DATA) |
-           E1000_EEPROM_RW_REG_DONE | r;
+        return (E1000_EEPROM_RW_REG_DONE | r);
+
+    return ((s->eeprom_data[index] << E1000_EEPROM_RW_REG_DATA) |
+           E1000_EEPROM_RW_REG_DONE | r);
 }

 static void
@@ -780,7 +785,7 @@ static uint32_t (*macreg_readops[])(E1000State *, int) = {
    getreg(WUFC),	getreg(TDT),	getreg(CTRL),	getreg(LEDCTL),
    getreg(MANC),	getreg(MDIC),	getreg(SWSM),	getreg(STATUS),
    getreg(TORL),	getreg(TOTL),	getreg(IMS),	getreg(TCTL),
-    getreg(RDH),	getreg(RDT),	getreg(VET),
+    getreg(RDH),	getreg(RDT),	getreg(VET),	getreg(ICS),

    [TOTH] = mac_read_clr8,	[TORH] = mac_read_clr8,	[GPRC] = mac_read_clr4,
    [GPTC] = mac_read_clr4,	[TPR] = mac_read_clr4,	[TPT] = mac_read_clr4,
--- a/hw/eccmemctl.c
+++ b/hw/eccmemctl.c
@@ -358,7 +358,7 @@ static SysBusDeviceInfo ecc_info = {
    .qdev.props = (Property[]) {
        {
            .name   = "version",
-            .info   = &qdev_prop_uint32,
+            .info   = &qdev_prop_hex32,
            .offset = offsetof(ECCState, version),
            .defval = (uint32_t[]) { -1 },
        },
--- a/hw/escc.c
+++ b/hw/escc.c
@@ -743,8 +743,8 @@ int escc_init(target_phys_addr_t base, qemu_irq irqA, qemu_irq irqB,
    qdev_prop_set_uint32(dev, "chnAtype", ser);
    qdev_init(dev);
    s = sysbus_from_qdev(dev);
-    sysbus_connect_irq(s, 0, irqA);
-    sysbus_connect_irq(s, 1, irqB);
+    sysbus_connect_irq(s, 0, irqB);
+    sysbus_connect_irq(s, 1, irqA);
    if (base) {
        sysbus_mmio_map(s, 0, base);
    }
@@ -970,22 +970,22 @@ static SysBusDeviceInfo escc_info = {
        {
            .name = "chrB",
            .info = &qdev_prop_ptr,
-            .offset = offsetof(SerialState, chn[1].chr),
+            .offset = offsetof(SerialState, chn[0].chr),
        },
        {
            .name = "chrA",
            .info = &qdev_prop_ptr,
-            .offset = offsetof(SerialState, chn[0].chr),
+            .offset = offsetof(SerialState, chn[1].chr),
        },
        {
            .name = "chnBtype",
            .info = &qdev_prop_uint32,
-            .offset = offsetof(SerialState, chn[1].type),
+            .offset = offsetof(SerialState, chn[0].type),
        },
        {
            .name = "chnAtype",
            .info = &qdev_prop_uint32,
-            .offset = offsetof(SerialState, chn[0].type),
+            .offset = offsetof(SerialState, chn[1].type),
        },
        {/* end of list */}
    }
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -422,7 +422,7 @@ static void parent_esp_reset(void *opaque, int irq, int level)
 static uint32_t esp_mem_readb(void *opaque, target_phys_addr_t addr)
 {
    ESPState *s = opaque;
-    uint32_t saddr;
+    uint32_t saddr, old_val;

    saddr = addr >> s->it_shift;
    DPRINTF("read reg[%d]: 0x%2.2x\n", saddr, s->rregs[saddr]);
@@ -445,10 +445,15 @@ static uint32_t esp_mem_readb(void *opaque, target_phys_addr_t addr)
        }
        break;
    case ESP_RINTR:
-        // Clear interrupt/error status bits
-        s->rregs[ESP_RSTAT] &= ~(STAT_GE | STAT_PE);
+        /* Clear sequence step, interrupt register and all status bits
+           except TC */
+        old_val = s->rregs[ESP_RINTR];
+        s->rregs[ESP_RINTR] = 0;
+        s->rregs[ESP_RSTAT] &= ~STAT_TC;
+        s->rregs[ESP_RSEQ] = SEQ_CD;
        esp_lower_irq(s);
-        break;
+
+        return old_val;
    default:
        break;
    }
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -33,6 +33,7 @@
 #include "qemu-timer.h"
 #include "isa.h"
 #include "sysbus.h"
+#include "qdev-addr.h"

 /********************************************************/
 /* debug Floppy devices */
@@ -1972,7 +1973,7 @@ static SysBusDeviceInfo fdc_info = {
    .qdev.props = (Property[]) {
        {
            .name = "io_base",
-            .info = &qdev_prop_uint32,
+            .info = &qdev_prop_taddr,
            .offset = offsetof(fdctrl_t, io_base),
        },
        {
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -371,7 +371,7 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
 {
    int i;
    HPETState *s = (HPETState *)opaque;
-    uint64_t old_val, new_val, index;
+    uint64_t old_val, new_val, val, index;

    dprintf("qemu: Enter hpet_ram_writel at %" PRIx64 " = %#x\n", addr, value);
    index = addr;
@@ -387,8 +387,8 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
        switch ((addr - 0x100) % 0x20) {
            case HPET_TN_CFG:
                dprintf("qemu: hpet_ram_writel HPET_TN_CFG\n");
-                timer->config = hpet_fixup_reg(new_val, old_val, 
-                                               HPET_TN_CFG_WRITE_MASK);
+                val = hpet_fixup_reg(new_val, old_val, HPET_TN_CFG_WRITE_MASK);
+                timer->config = (timer->config & 0xffffffff00000000ULL) | val;
                if (new_val & HPET_TN_32BIT) {
                    timer->cmp = (uint32_t)timer->cmp;
                    timer->period = (uint32_t)timer->period;
@@ -456,8 +456,8 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
            case HPET_ID:
                return;
            case HPET_CFG:
-                s->config = hpet_fixup_reg(new_val, old_val, 
-                                           HPET_CFG_WRITE_MASK);
+                val = hpet_fixup_reg(new_val, old_val, HPET_CFG_WRITE_MASK);
+                s->config = (s->config & 0xffffffff00000000ULL) | val;
                if (activating_bit(old_val, new_val, HPET_CFG_ENABLE)) {
                    /* Enable main counter and interrupt generation. */
                    s->hpet_offset = ticks_to_ns(s->hpet_counter)
@@ -541,8 +541,8 @@ static void hpet_reset(void *opaque) {
        timer->tn = i;
        timer->cmp = ~0ULL;
        timer->config =  HPET_TN_PERIODIC_CAP | HPET_TN_SIZE_CAP;
-        /* advertise availability of irqs 5,10,11 */
-        timer->config |=  0x00000c20ULL << 32;
+        /* advertise availability of ioapic inti2 */
+        timer->config |=  0x00000004ULL << 32;
        timer->state = s;
        timer->period = 0ULL;
        timer->wrap_flag = 0;
--- a/hw/hpet_emul.h
+++ b/hw/hpet_emul.h
@@ -18,12 +18,7 @@

 #define FS_PER_NS 1000000
 #define HPET_NUM_TIMERS 3
-#define HPET_TIMER_TYPE_LEVEL 1
-#define HPET_TIMER_TYPE_EDGE 0
-#define HPET_TIMER_DELIVERY_APIC 0
-#define HPET_TIMER_DELIVERY_FSB 1
-#define HPET_TIMER_CAP_FSB_INT_DEL (1 << 15)
-#define HPET_TIMER_CAP_PER_INT (1 << 4)
+#define HPET_TIMER_TYPE_LEVEL 0x002

 #define HPET_CFG_ENABLE 0x001
 #define HPET_CFG_LEGACY 0x002
--- a/hw/i2c.c
+++ b/hw/i2c.c
@@ -81,9 +81,11 @@ int i2c_start_transfer(i2c_bus *bus, int address, int recv)
    i2c_slave *slave = NULL;

    LIST_FOREACH(qdev, &bus->qbus.children, sibling) {
-        slave = I2C_SLAVE_FROM_QDEV(qdev);
-        if (slave->address == address)
+        i2c_slave *candidate = I2C_SLAVE_FROM_QDEV(qdev);
+        if (candidate->address == address) {
+            slave = candidate;
            break;
+        }
    }

    if (!slave)
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -25,6 +25,7 @@
 #include "pc.h"
 #include "isa.h"
 #include "monitor.h"
+#include "qemu-timer.h"

 /* debug PIC */
 //#define DEBUG_PIC
--- a/hw/ide.c
+++ b/hw/ide.c
@@ -418,6 +418,7 @@ typedef struct IDEState {
    /* ATAPI specific */
    uint8_t sense_key;
    uint8_t asc;
+    uint8_t cdrom_changed;
    int packet_transfer_size;
    int elementary_transfer_size;
    int io_buffer_index;
@@ -501,6 +502,7 @@ typedef struct BMDMAState {
    QEMUIOVector qiov;
    int64_t sector_num;
    uint32_t nsector;
+    QEMUBH *bh;
 } BMDMAState;

 typedef struct PCIIDEState {
@@ -1109,11 +1111,13 @@ static void ide_sector_write(IDEState *s)
    }
 }

-static void ide_dma_restart_cb(void *opaque, int running, int reason)
+static void ide_dma_restart_bh(void *opaque)
 {
    BMDMAState *bm = opaque;
-    if (!running)
-        return;
+
+    qemu_bh_delete(bm->bh);
+    bm->bh = NULL;
+
    if (bm->status & BM_STATUS_DMA_RETRY) {
        bm->status &= ~BM_STATUS_DMA_RETRY;
        ide_dma_restart(bm->ide_if);
@@ -1123,6 +1127,19 @@ static void ide_dma_restart_cb(void *opaque, int running, int reason)
    }
 }

+static void ide_dma_restart_cb(void *opaque, int running, int reason)
+{
+    BMDMAState *bm = opaque;
+
+    if (!running)
+        return;
+
+    if (!bm->bh) {
+        bm->bh = qemu_bh_new(ide_dma_restart_bh, bm);
+        qemu_bh_schedule(bm->bh);
+    }
+}
+
 static void ide_write_dma_cb(void *opaque, int ret)
 {
    BMDMAState *bm = opaque;
@@ -1644,9 +1661,10 @@ static void ide_atapi_cmd(IDEState *s)
    }
    switch(s->io_buffer[0]) {
    case GPCMD_TEST_UNIT_READY:
-        if (bdrv_is_inserted(s->bs)) {
+        if (bdrv_is_inserted(s->bs) && !s->cdrom_changed) {
            ide_atapi_cmd_ok(s);
        } else {
+            s->cdrom_changed = 0;
            ide_atapi_cmd_error(s, SENSE_NOT_READY,
                                ASC_MEDIUM_NOT_PRESENT);
        }
@@ -2106,7 +2124,7 @@ static void cdrom_change_cb(void *opaque)

    s->sense_key = SENSE_UNIT_ATTENTION;
    s->asc = ASC_MEDIUM_MAY_HAVE_CHANGED;
-
+    s->cdrom_changed = 1;
    ide_set_irq(s);
 }

@@ -2870,11 +2888,12 @@ static void ide_save(QEMUFile* f, IDEState *s)

    qemu_put_8s(f, &s->sense_key);
    qemu_put_8s(f, &s->asc);
+    qemu_put_8s(f, &s->cdrom_changed);
    /* XXX: if a transfer is pending, we do not save it yet */
 }

 /* load per IDE drive data */
-static void ide_load(QEMUFile* f, IDEState *s)
+static void ide_load(QEMUFile* f, IDEState *s, int version_id)
 {
    s->mult_sectors=qemu_get_be32(f);
    s->identify_set=qemu_get_be32(f);
@@ -2898,6 +2917,13 @@ static void ide_load(QEMUFile* f, IDEState *s)

    qemu_get_8s(f, &s->sense_key);
    qemu_get_8s(f, &s->asc);
+    if (version_id == 3) {
+        qemu_get_8s(f, &s->cdrom_changed);
+    } else {
+        if (s->sense_key == SENSE_UNIT_ATTENTION &&
+                       s->asc == ASC_MEDIUM_MAY_HAVE_CHANGED)
+            s->cdrom_changed = 1;
+    }
    /* XXX: if a transfer is pending, we do not save it yet */
 }

@@ -3219,7 +3245,7 @@ static int pci_ide_load(QEMUFile* f, void *opaque, int version_id)
    PCIIDEState *d = opaque;
    int ret, i;

-    if (version_id != 2)
+    if (version_id != 2 && version_id != 3)
        return -EINVAL;
    ret = pci_device_load(&d->dev, f);
    if (ret < 0)
@@ -3249,7 +3275,7 @@ static int pci_ide_load(QEMUFile* f, void *opaque, int version_id)

    /* per IDE drive data */
    for(i = 0; i < 4; i++) {
-        ide_load(f, &d->ide_if[i]);
+        ide_load(f, &d->ide_if[i], version_id);
    }
    return 0;
 }
@@ -3339,7 +3365,7 @@ void pci_cmd646_ide_init(PCIBus *bus, BlockDriverState **hd_table,
    ide_init2(&d->ide_if[0], hd_table[0], hd_table[1], irq[0]);
    ide_init2(&d->ide_if[2], hd_table[2], hd_table[3], irq[1]);

-    register_savevm("ide", 0, 2, pci_ide_save, pci_ide_load, d);
+    register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
    qemu_register_reset(cmd646_reset, d);
    cmd646_reset(d);
 }
@@ -3398,7 +3424,7 @@ void pci_piix3_ide_init(PCIBus *bus, BlockDriverState **hd_table, int devfn,
        if (hd_table[i])
            hd_table[i]->private = &d->dev;

-    register_savevm("ide", 0, 2, pci_ide_save, pci_ide_load, d);
+    register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
 }

 /* hd_table must contain 4 block drivers */
@@ -3434,7 +3460,7 @@ void pci_piix4_ide_init(PCIBus *bus, BlockDriverState **hd_table, int devfn,
    ide_init_ioport(&d->ide_if[0], 0x1f0, 0x3f6);
    ide_init_ioport(&d->ide_if[2], 0x170, 0x376);

-    register_savevm("ide", 0, 2, pci_ide_save, pci_ide_load, d);
+    register_savevm("ide", 0, 3, pci_ide_save, pci_ide_load, d);
 }

 #if defined(TARGET_PPC)
@@ -3722,7 +3748,7 @@ static int pmac_ide_load(QEMUFile *f, void *opaque, int version_id)
    uint8_t drive1_selected;
    unsigned int i;

-    if (version_id != 1)
+    if (version_id != 1 && version_id != 3)
        return -EINVAL;

    /* per IDE interface data */
@@ -3732,7 +3758,7 @@ static int pmac_ide_load(QEMUFile *f, void *opaque, int version_id)

    /* per IDE drive data */
    for(i = 0; i < 2; i++) {
-        ide_load(f, &s[i]);
+        ide_load(f, &s[i], version_id);
    }
    return 0;
 }
@@ -3763,7 +3789,7 @@ int pmac_ide_init (BlockDriverState **hd_table, qemu_irq irq,

    pmac_ide_memory = cpu_register_io_memory(pmac_ide_read,
                                             pmac_ide_write, d);
-    register_savevm("ide", 0, 1, pmac_ide_save, pmac_ide_load, d);
+    register_savevm("ide", 0, 3, pmac_ide_save, pmac_ide_load, d);
    qemu_register_reset(pmac_ide_reset, d);
    pmac_ide_reset(d);

@@ -4156,6 +4182,9 @@ static int md_load(QEMUFile *f, void *opaque, int version_id)
    int i;
    uint8_t drive1_selected;

+    if (version_id != 0 && version_id != 3)
+        return -EINVAL;
+
    qemu_get_8s(f, &s->opt);
    qemu_get_8s(f, &s->stat);
    qemu_get_8s(f, &s->pins);
@@ -4169,7 +4198,7 @@ static int md_load(QEMUFile *f, void *opaque, int version_id)
    s->ide->cur_drive = &s->ide[(drive1_selected != 0)];

    for (i = 0; i < 2; i ++)
-        ide_load(f, &s->ide[i]);
+        ide_load(f, &s->ide[i], version_id);

    return 0;
 }
@@ -4395,12 +4424,12 @@ PCMCIACardState *dscm1xxxx_init(BlockDriverState *bdrv)
    md->card.cis = dscm1xxxx_cis;
    md->card.cis_len = sizeof(dscm1xxxx_cis);

-    ide_init2(md->ide, bdrv, 0, qemu_allocate_irqs(md_set_irq, md, 1)[0]);
+    ide_init2(md->ide, bdrv, NULL, qemu_allocate_irqs(md_set_irq, md, 1)[0]);
    md->ide->is_cf = 1;
    md->ide->mdata_size = METADATA_SIZE;
    md->ide->mdata_storage = (uint8_t *) qemu_mallocz(METADATA_SIZE);

-    register_savevm("microdrive", -1, 0, md_save, md_load, md);
+    register_savevm("microdrive", -1, 3, md_save, md_load, md);

    return &md->card;
 }
--- a/hw/iommu.c
+++ b/hw/iommu.c
@@ -406,7 +406,7 @@ static SysBusDeviceInfo iommu_info = {
    .qdev.props = (Property[]) {
        {
            .name = "version",
-            .info = &qdev_prop_uint32,
+            .info = &qdev_prop_hex32,
            .offset = offsetof(IOMMUState, version),
        },
        {/* end of property list */}
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -10,6 +10,8 @@
 /* ??? Need to check if the {read,write}[wl] routines work properly on
   big-endian targets.  */

+#include <assert.h>                             \
+
 #include "hw.h"
 #include "pci.h"
 #include "scsi-disk.h"
@@ -1981,6 +1983,174 @@ void lsi_scsi_attach(DeviceState *host, BlockDriverState *bd, int id)
    bd->private = &s->pci_dev;
 }

+static void lsi_scsi_save(QEMUFile *f, void *opaque)
+{
+    LSIState *s = opaque;
+
+    assert(s->dma_buf == NULL);
+    assert(s->current_dma_len == 0);
+    assert(s->active_commands == 0);
+
+    pci_device_save(&s->pci_dev, f);
+
+    qemu_put_sbe32s(f, &s->carry);
+    qemu_put_sbe32s(f, &s->sense);
+    qemu_put_sbe32s(f, &s->msg_action);
+    qemu_put_sbe32s(f, &s->msg_len);
+    qemu_put_buffer(f, s->msg, sizeof (s->msg));
+    qemu_put_sbe32s(f, &s->waiting);
+
+    qemu_put_be32s(f, &s->dsa);
+    qemu_put_be32s(f, &s->temp);
+    qemu_put_be32s(f, &s->dnad);
+    qemu_put_be32s(f, &s->dbc);
+    qemu_put_8s(f, &s->istat0);
+    qemu_put_8s(f, &s->istat1);
+    qemu_put_8s(f, &s->dcmd);
+    qemu_put_8s(f, &s->dstat);
+    qemu_put_8s(f, &s->dien);
+    qemu_put_8s(f, &s->sist0);
+    qemu_put_8s(f, &s->sist1);
+    qemu_put_8s(f, &s->sien0);
+    qemu_put_8s(f, &s->sien1);
+    qemu_put_8s(f, &s->mbox0);
+    qemu_put_8s(f, &s->mbox1);
+    qemu_put_8s(f, &s->dfifo);
+    qemu_put_8s(f, &s->ctest2);
+    qemu_put_8s(f, &s->ctest3);
+    qemu_put_8s(f, &s->ctest4);
+    qemu_put_8s(f, &s->ctest5);
+    qemu_put_8s(f, &s->ccntl0);
+    qemu_put_8s(f, &s->ccntl1);
+    qemu_put_be32s(f, &s->dsp);
+    qemu_put_be32s(f, &s->dsps);
+    qemu_put_8s(f, &s->dmode);
+    qemu_put_8s(f, &s->dcntl);
+    qemu_put_8s(f, &s->scntl0);
+    qemu_put_8s(f, &s->scntl1);
+    qemu_put_8s(f, &s->scntl2);
+    qemu_put_8s(f, &s->scntl3);
+    qemu_put_8s(f, &s->sstat0);
+    qemu_put_8s(f, &s->sstat1);
+    qemu_put_8s(f, &s->scid);
+    qemu_put_8s(f, &s->sxfer);
+    qemu_put_8s(f, &s->socl);
+    qemu_put_8s(f, &s->sdid);
+    qemu_put_8s(f, &s->ssid);
+    qemu_put_8s(f, &s->sfbr);
+    qemu_put_8s(f, &s->stest1);
+    qemu_put_8s(f, &s->stest2);
+    qemu_put_8s(f, &s->stest3);
+    qemu_put_8s(f, &s->sidl);
+    qemu_put_8s(f, &s->stime0);
+    qemu_put_8s(f, &s->respid0);
+    qemu_put_8s(f, &s->respid1);
+    qemu_put_be32s(f, &s->mmrs);
+    qemu_put_be32s(f, &s->mmws);
+    qemu_put_be32s(f, &s->sfs);
+    qemu_put_be32s(f, &s->drs);
+    qemu_put_be32s(f, &s->sbms);
+    qemu_put_be32s(f, &s->dbms);
+    qemu_put_be32s(f, &s->dnad64);
+    qemu_put_be32s(f, &s->pmjad1);
+    qemu_put_be32s(f, &s->pmjad2);
+    qemu_put_be32s(f, &s->rbc);
+    qemu_put_be32s(f, &s->ua);
+    qemu_put_be32s(f, &s->ia);
+    qemu_put_be32s(f, &s->sbc);
+    qemu_put_be32s(f, &s->csbc);
+    qemu_put_buffer(f, (uint8_t *)s->scratch, sizeof (s->scratch));
+    qemu_put_8s(f, &s->sbr);
+
+    qemu_put_buffer(f, (uint8_t *)s->script_ram, sizeof (s->script_ram));
+}
+
+static int lsi_scsi_load(QEMUFile *f, void *opaque, int version_id)
+{
+    LSIState *s = opaque;
+    int ret;
+
+    if (version_id > 0) {
+        return -EINVAL;
+    }
+
+    if ((ret = pci_device_load(&s->pci_dev, f)) < 0)
+        return ret;
+
+    qemu_get_sbe32s(f, &s->carry);
+    qemu_get_sbe32s(f, &s->sense);
+    qemu_get_sbe32s(f, &s->msg_action);
+    qemu_get_sbe32s(f, &s->msg_len);
+    qemu_get_buffer(f, s->msg, sizeof (s->msg));
+    qemu_get_sbe32s(f, &s->waiting);
+
+    qemu_get_be32s(f, &s->dsa);
+    qemu_get_be32s(f, &s->temp);
+    qemu_get_be32s(f, &s->dnad);
+    qemu_get_be32s(f, &s->dbc);
+    qemu_get_8s(f, &s->istat0);
+    qemu_get_8s(f, &s->istat1);
+    qemu_get_8s(f, &s->dcmd);
+    qemu_get_8s(f, &s->dstat);
+    qemu_get_8s(f, &s->dien);
+    qemu_get_8s(f, &s->sist0);
+    qemu_get_8s(f, &s->sist1);
+    qemu_get_8s(f, &s->sien0);
+    qemu_get_8s(f, &s->sien1);
+    qemu_get_8s(f, &s->mbox0);
+    qemu_get_8s(f, &s->mbox1);
+    qemu_get_8s(f, &s->dfifo);
+    qemu_get_8s(f, &s->ctest2);
+    qemu_get_8s(f, &s->ctest3);
+    qemu_get_8s(f, &s->ctest4);
+    qemu_get_8s(f, &s->ctest5);
+    qemu_get_8s(f, &s->ccntl0);
+    qemu_get_8s(f, &s->ccntl1);
+    qemu_get_be32s(f, &s->dsp);
+    qemu_get_be32s(f, &s->dsps);
+    qemu_get_8s(f, &s->dmode);
+    qemu_get_8s(f, &s->dcntl);
+    qemu_get_8s(f, &s->scntl0);
+    qemu_get_8s(f, &s->scntl1);
+    qemu_get_8s(f, &s->scntl2);
+    qemu_get_8s(f, &s->scntl3);
+    qemu_get_8s(f, &s->sstat0);
+    qemu_get_8s(f, &s->sstat1);
+    qemu_get_8s(f, &s->scid);
+    qemu_get_8s(f, &s->sxfer);
+    qemu_get_8s(f, &s->socl);
+    qemu_get_8s(f, &s->sdid);
+    qemu_get_8s(f, &s->ssid);
+    qemu_get_8s(f, &s->sfbr);
+    qemu_get_8s(f, &s->stest1);
+    qemu_get_8s(f, &s->stest2);
+    qemu_get_8s(f, &s->stest3);
+    qemu_get_8s(f, &s->sidl);
+    qemu_get_8s(f, &s->stime0);
+    qemu_get_8s(f, &s->respid0);
+    qemu_get_8s(f, &s->respid1);
+    qemu_get_be32s(f, &s->mmrs);
+    qemu_get_be32s(f, &s->mmws);
+    qemu_get_be32s(f, &s->sfs);
+    qemu_get_be32s(f, &s->drs);
+    qemu_get_be32s(f, &s->sbms);
+    qemu_get_be32s(f, &s->dbms);
+    qemu_get_be32s(f, &s->dnad64);
+    qemu_get_be32s(f, &s->pmjad1);
+    qemu_get_be32s(f, &s->pmjad2);
+    qemu_get_be32s(f, &s->rbc);
+    qemu_get_be32s(f, &s->ua);
+    qemu_get_be32s(f, &s->ia);
+    qemu_get_be32s(f, &s->sbc);
+    qemu_get_be32s(f, &s->csbc);
+    qemu_get_buffer(f, (uint8_t *)s->scratch, sizeof (s->scratch));
+    qemu_get_8s(f, &s->sbr);
+
+    qemu_get_buffer(f, (uint8_t *)s->script_ram, sizeof (s->script_ram));
+
+    return 0;
+}
+
 static int lsi_scsi_uninit(PCIDevice *d)
 {
    LSIState *s = (LSIState *) d;
@@ -2033,6 +2203,8 @@ static void lsi_scsi_init(PCIDevice *dev)
    lsi_soft_reset(s);

    scsi_bus_new(&dev->qdev, lsi_scsi_attach);
+
+    register_savevm("lsiscsi", -1, 0, lsi_scsi_save, lsi_scsi_load, s);
 }

 static PCIDeviceInfo lsi_info = {
--- a/hw/mc146818rtc.c
+++ b/hw/mc146818rtc.c
@@ -421,9 +421,10 @@ static void rtc_update_second2(void *opaque)
    }

    /* update ended interrupt */
+    s->cmos_data[RTC_REG_C] |= REG_C_UF;
    if (s->cmos_data[RTC_REG_B] & REG_B_UIE) {
-        s->cmos_data[RTC_REG_C] |= 0x90;
-        rtc_irq_raise(s->irq);
+      s->cmos_data[RTC_REG_C] |= REG_C_IRQF;
+      rtc_irq_raise(s->irq);
    }

    /* clear update in progress bit */
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -255,6 +255,7 @@ int msix_init(struct PCIDevice *dev, unsigned short nentries,
    return 0;

 err_config:
+    dev->msix_entries_nr = 0;
    cpu_unregister_io_memory(dev->msix_mmio_index);
 err_index:
    qemu_free(dev->msix_table_page);
--- a/hw/openpic.c
+++ b/hw/openpic.c
@@ -592,7 +592,7 @@ static void openpic_gbl_write (void *opaque, target_phys_addr_t addr, uint32_t v
    IRQ_dst_t *dst;
    int idx;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;
 #if defined TARGET_WORDS_BIGENDIAN
@@ -651,7 +651,7 @@ static uint32_t openpic_gbl_read (void *opaque, target_phys_addr_t addr)
    openpic_t *opp = opaque;
    uint32_t retval;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
@@ -824,7 +824,7 @@ static void openpic_cpu_write (void *opaque, target_phys_addr_t addr, uint32_t v
    IRQ_dst_t *dst;
    int idx, s_IRQ, n_IRQ;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;
 #if defined TARGET_WORDS_BIGENDIAN
@@ -886,7 +886,7 @@ static uint32_t openpic_cpu_read (void *opaque, target_phys_addr_t addr)
    uint32_t retval;
    int idx, n_IRQ;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
@@ -1264,8 +1264,7 @@ qemu_irq *openpic_init (PCIBus *bus, int *pmem_index, int nb_cpus,
 static void mpic_irq_raise(openpic_t *mpp, int n_CPU, IRQ_src_t *src)
 {
    int n_ci = IDR_CI0 - n_CPU;
-    DPRINTF("%s: cpu:%d irq:%d (testbit idr:%x ci:%d)\n", __func__,
-                    n_CPU, n_IRQ, mpp->src[n_IRQ].ide, n_ci);
+
    if(test_bit(&src->ide, n_ci)) {
        qemu_irq_raise(mpp->dst[n_CPU].irqs[OPENPIC_OUTPUT_CINT]);
    }
@@ -1313,7 +1312,7 @@ static void mpic_timer_write (void *opaque, target_phys_addr_t addr, uint32_t va
    openpic_t *mpp = opaque;
    int idx, cpu;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;
    addr &= 0xFFFF;
@@ -1347,7 +1346,7 @@ static uint32_t mpic_timer_read (void *opaque, target_phys_addr_t addr)
    uint32_t retval;
    int idx, cpu;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
@@ -1382,7 +1381,7 @@ static void mpic_src_ext_write (void *opaque, target_phys_addr_t addr,
    openpic_t *mpp = opaque;
    int idx = MPIC_EXT_IRQ;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;

@@ -1405,7 +1404,7 @@ static uint32_t mpic_src_ext_read (void *opaque, target_phys_addr_t addr)
    uint32_t retval;
    int idx = MPIC_EXT_IRQ;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
@@ -1432,7 +1431,7 @@ static void mpic_src_int_write (void *opaque, target_phys_addr_t addr,
    openpic_t *mpp = opaque;
    int idx = MPIC_INT_IRQ;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;

@@ -1455,7 +1454,7 @@ static uint32_t mpic_src_int_read (void *opaque, target_phys_addr_t addr)
    uint32_t retval;
    int idx = MPIC_INT_IRQ;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
@@ -1482,7 +1481,7 @@ static void mpic_src_msg_write (void *opaque, target_phys_addr_t addr,
    openpic_t *mpp = opaque;
    int idx = MPIC_MSG_IRQ;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;

@@ -1505,7 +1504,7 @@ static uint32_t mpic_src_msg_read (void *opaque, target_phys_addr_t addr)
    uint32_t retval;
    int idx = MPIC_MSG_IRQ;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
@@ -1532,7 +1531,7 @@ static void mpic_src_msi_write (void *opaque, target_phys_addr_t addr,
    openpic_t *mpp = opaque;
    int idx = MPIC_MSI_IRQ;

-    DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
+    DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
    if (addr & 0xF)
        return;

@@ -1554,7 +1553,7 @@ static uint32_t mpic_src_msi_read (void *opaque, target_phys_addr_t addr)
    uint32_t retval;
    int idx = MPIC_MSI_IRQ;

-    DPRINTF("%s: addr %08x\n", __func__, addr);
+    DPRINTF("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
    retval = 0xFFFFFFFF;
    if (addr & 0xF)
        return retval;
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -1100,11 +1100,6 @@ static CPUState *pc_new_cpu(const char *cpu_model)
    return env;
 }

-enum {
-    COMPAT_DEFAULT = 0,
-    COMPAT_0_10, /* compatible with qemu 0.10.x */
-};
-
 /* PC hardware initialisation */
 static void pc_init1(ram_addr_t ram_size,
                     const char *boot_device,
@@ -1112,8 +1107,7 @@ static void pc_init1(ram_addr_t ram_size,
                     const char *kernel_cmdline,
                     const char *initrd_filename,
                     const char *cpu_model,
-                     int pci_enabled,
-                     int compat_level)
+                     int pci_enabled)
 {
    char *filename;
    int ret, linux_boot, i;
@@ -1131,7 +1125,6 @@ static void pc_init1(ram_addr_t ram_size,
    BlockDriverState *fd[MAX_FD];
    int using_vga = cirrus_vga_enabled || std_vga_enabled || vmsvga_enabled;
    void *fw_cfg;
-    const char *virtio_blk_name, *virtio_console_name;

    if (ram_size >= 0xe0000000 ) {
        above_4g_mem_size = ram_size - 0xe0000000;
@@ -1422,26 +1415,13 @@ static void pc_init1(ram_addr_t ram_size,
        }
    }

-    switch (compat_level) {
-    case COMPAT_DEFAULT:
-    default:
-        virtio_blk_name = "virtio-blk-pci";
-        virtio_console_name = "virtio-console-pci";
-        break;
-
-    case COMPAT_0_10:
-        virtio_blk_name = "virtio-blk-pci-0-10";
-        virtio_console_name = "virtio-console-pci-0-10";
-        break;
-    }
-
    /* Add virtio block devices */
    if (pci_enabled) {
        int index;
        int unit_id = 0;

        while ((index = drive_get_index(IF_VIRTIO, 0, unit_id)) != -1) {
-            pci_dev = pci_create(virtio_blk_name,
+            pci_dev = pci_create("virtio-blk-pci",
                                 drives_table[index].devaddr);
            qdev_init(&pci_dev->qdev);
            unit_id++;
@@ -1458,7 +1438,7 @@ static void pc_init1(ram_addr_t ram_size,
    if (pci_enabled) {
        for(i = 0; i < MAX_VIRTIO_CONSOLES; i++) {
            if (virtcon_hds[i]) {
-                pci_create_simple(pci_bus, -1, virtio_console_name);
+                pci_create_simple(pci_bus, -1, "virtio-console-pci");
            }
        }
    }
@@ -1473,8 +1453,7 @@ static void pc_init_pci(ram_addr_t ram_size,
 {
    pc_init1(ram_size, boot_device,
             kernel_filename, kernel_cmdline,
-             initrd_filename, cpu_model,
-             1, COMPAT_DEFAULT);
+             initrd_filename, cpu_model, 1);
 }

 static void pc_init_isa(ram_addr_t ram_size,
@@ -1486,21 +1465,7 @@ static void pc_init_isa(ram_addr_t ram_size,
 {
    pc_init1(ram_size, boot_device,
             kernel_filename, kernel_cmdline,
-             initrd_filename, cpu_model,
-             0, COMPAT_DEFAULT);
-}
-
-static void pc_init_pci_0_10(ram_addr_t ram_size,
-                             const char *boot_device,
-                             const char *kernel_filename,
-                             const char *kernel_cmdline,
-                             const char *initrd_filename,
-                             const char *cpu_model)
-{
-    pc_init1(ram_size, boot_device,
-             kernel_filename, kernel_cmdline,
-             initrd_filename, cpu_model,
-             1, COMPAT_0_10);
+             initrd_filename, cpu_model, 0);
 }

 /* set CMOS shutdown status register (index 0xF) as S3_resume(0xFE)
@@ -1512,7 +1477,8 @@ void cmos_set_s3_resume(void)
 }

 static QEMUMachine pc_machine = {
-    .name = "pc",
+    .name = "pc-0.11",
+    .alias = "pc",
    .desc = "Standard PC",
    .init = pc_init_pci,
    .max_cpus = 255,
@@ -1549,21 +1515,11 @@ static QEMUMachine isapc_machine = {
    .max_cpus = 1,
 };

-static QEMUMachine pc_0_10_machine = {
-    .name = "pc-0-10",
-    .desc = "Standard PC compatible with qemu 0.10.x",
-    .init = pc_init_pci_0_10,
-    .max_cpus = 255,
-};
-
 static void pc_machine_init(void)
 {
    qemu_register_machine(&pc_machine);
    qemu_register_machine(&pc_machine_v0_10);
    qemu_register_machine(&isapc_machine);
-
-    /* For compatibility with 0.10.x */
-    qemu_register_machine(&pc_0_10_machine);
 }

 machine_init(pc_machine_init);
--- a/hw/pcnet.c
+++ b/hw/pcnet.c
@@ -936,6 +936,7 @@ static void pcnet_start(PCNetState *s)

    s->csr[0] &= ~0x0004;       /* clear STOP bit */
    s->csr[0] |= 0x0002;
+    pcnet_poll_timer(s);
 }

 static void pcnet_stop(PCNetState *s)
--- a/hw/pl110.c
+++ b/hw/pl110.c
@@ -169,6 +169,9 @@ static void pl110_invalidate_display(void * opaque)
 {
    pl110_state *s = (pl110_state *)opaque;
    s->invalidate = 1;
+    if (pl110_enabled(s)) {
+        qemu_console_resize(s->ds, s->cols, s->rows);
+    }
 }

 static void pl110_update_pallette(pl110_state *s, int n)
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -191,7 +191,7 @@ static void ppc_core99_init (ram_addr_t ram_size,
        kernel_size = load_elf(kernel_filename, kernel_base, NULL, &lowaddr, NULL);
        if (kernel_size > 0 && lowaddr != KERNEL_LOAD_ADDR) {
            kernel_size = load_elf(kernel_filename, (2 * kernel_base) - lowaddr,
-                                   NULL, 0, NULL);
+                                   NULL, NULL, NULL);
        }
        if (kernel_size < 0)
            kernel_size = load_aout(kernel_filename, kernel_base,
--- a/hw/ppc_oldworld.c
+++ b/hw/ppc_oldworld.c
@@ -223,7 +223,7 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
        kernel_size = load_elf(kernel_filename, kernel_base, NULL, &lowaddr, NULL);
        if (kernel_size > 0 && lowaddr != KERNEL_LOAD_ADDR) {
            kernel_size = load_elf(kernel_filename, (2 * kernel_base) - lowaddr,
-                                   NULL, 0, NULL);
+                                   NULL, NULL, NULL);
        }
        if (kernel_size < 0)
            kernel_size = load_aout(kernel_filename, kernel_base,
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -60,7 +60,8 @@ do {                                                     \
    }                                                    \
 } while (0)
 #elif defined (DEBUG_PPC_IO)
-#define PPC_IO_DPRINTF(fmt, ...) qemu_log_mask(CPU_LOG_IOPORT, ## __VA_ARGS__)
+#define PPC_IO_DPRINTF(fmt, ...) \
+qemu_log_mask(CPU_LOG_IOPORT, fmt, ## __VA_ARGS__)
 #else
 #define PPC_IO_DPRINTF(fmt, ...) do { } while (0)
 #endif
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -89,8 +89,8 @@ static uint32_t pcie500_cfgaddr_readl(void *opaque, target_phys_addr_t addr)
 {
    PPCE500PCIState *pci = opaque;

-    pci_debug("%s: (addr:%Lx) -> value:%x\n", __func__, addr,
-                    pci->pci_state.config_reg);
+    pci_debug("%s: (addr:" TARGET_FMT_plx ") -> value:%x\n", __func__, addr,
+              pci->pci_state.config_reg);
    return pci->pci_state.config_reg;
 }

@@ -105,7 +105,8 @@ static void pcie500_cfgaddr_writel(void *opaque, target_phys_addr_t addr,
 {
    PPCE500PCIState *controller = opaque;

-    pci_debug("%s: value:%x -> (addr%Lx)\n", __func__, value, addr);
+    pci_debug("%s: value:%x -> (addr:" TARGET_FMT_plx ")\n", __func__, value,
+              addr);
    controller->pci_state.config_reg = value & ~0x3;
 }

@@ -169,7 +170,8 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr)
        break;
    }

-    pci_debug("%s: win:%lx(addr:%Lx) -> value:%x\n",__func__,win,addr,value);
+    pci_debug("%s: win:%lx(addr:" TARGET_FMT_plx ") -> value:%x\n", __func__,
+              win, addr, value);
    return value;
 }

@@ -187,7 +189,8 @@ static void pci_reg_write4(void *opaque, target_phys_addr_t addr,

    win = addr & 0xfe0;

-    pci_debug("%s: value:%x -> win:%lx(addr:%Lx)\n",__func__,value,win,addr);
+    pci_debug("%s: value:%x -> win:%lx(addr:" TARGET_FMT_plx ")\n",
+              __func__, value, win, addr);

    switch (win) {
    case PPCE500_PCI_OW1:
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -117,9 +117,9 @@ static int parse_mac(DeviceState *dev, Property *prop, const char *str)
    char *p;

    for (i = 0, pos = 0; i < 6; i++, pos += 3) {
-        if (!isxdigit(str[pos]))
+        if (!qemu_isxdigit(str[pos]))
            return -1;
-        if (!isxdigit(str[pos+1]))
+        if (!qemu_isxdigit(str[pos+1]))
            return -1;
        if (i == 5 && str[pos+2] != '\0')
            return -1;
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -32,7 +32,6 @@

 /* This is a nasty hack to allow passing a NULL bus to qdev_create.  */
 static BusState *main_system_bus;
-extern struct BusInfo system_bus_info;

 static DeviceInfo *device_info_list;

--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -162,4 +162,7 @@ void qdev_prop_set_defaults(DeviceState *dev, Property *props);
 void qdev_prop_register_compat(CompatProperty *props);
 void qdev_prop_set_compat(DeviceState *dev);

+/* This is a nasty hack to allow passing a NULL bus to qdev_create.  */
+extern struct BusInfo system_bus_info;
+
 #endif
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -2090,12 +2090,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
            #define ETH_MTU     1500

            /* ip packet header */
-            ip_header *ip = 0;
+            ip_header *ip = NULL;
            int hlen = 0;
            uint8_t  ip_protocol = 0;
            uint16_t ip_data_len = 0;

-            uint8_t *eth_payload_data = 0;
+            uint8_t *eth_payload_data = NULL;
            size_t   eth_payload_len  = 0;

            int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -74,6 +74,7 @@ struct SCSIDeviceState
    scsi_completionfn completion;
    void *opaque;
    char drive_serial_str[21];
+    QEMUBH *bh;
 };

 /* Global pool of SCSIRequest structures.  */
@@ -172,7 +173,7 @@ static void scsi_read_complete(void * opaque, int ret)
        scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NO_SENSE);
        return;
    }
-    DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->iov.iov_len);
+    DPRINTF("Data ready tag=0x%x len=%" PRId64 "\n", r->tag, r->iov.iov_len);

    s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len);
 }
@@ -192,7 +193,7 @@ static void scsi_read_data(SCSIDevice *d, uint32_t tag)
        return;
    }
    if (r->sector_count == (uint32_t)-1) {
-        DPRINTF("Read buf_len=%d\n", r->iov.iov_len);
+        DPRINTF("Read buf_len=%" PRId64 "\n", r->iov.iov_len);
        r->sector_count = 0;
        s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len);
        return;
@@ -308,12 +309,13 @@ static int scsi_write_data(SCSIDevice *d, uint32_t tag)
    return 0;
 }

-static void scsi_dma_restart_cb(void *opaque, int running, int reason)
+static void scsi_dma_restart_bh(void *opaque)
 {
    SCSIDeviceState *s = opaque;
    SCSIRequest *r = s->requests;
-    if (!running)
-        return;
+
+    qemu_bh_delete(s->bh);
+    s->bh = NULL;

    while (r) {
        if (r->status & SCSI_REQ_STATUS_RETRY) {
@@ -324,6 +326,19 @@ static void scsi_dma_restart_cb(void *opaque, int running, int reason)
    }
 }

+static void scsi_dma_restart_cb(void *opaque, int running, int reason)
+{
+    SCSIDeviceState *s = opaque;
+
+    if (!running)
+        return;
+
+    if (!s->bh) {
+        s->bh = qemu_bh_new(scsi_dma_restart_bh, s);
+        qemu_bh_schedule(s->bh);
+    }
+}
+
 /* Return a pointer to the data buffer.  */
 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
 {
@@ -777,7 +792,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
    case 0x08:
    case 0x28:
    case 0x88:
-        DPRINTF("Read (sector %lld, count %d)\n", lba, len);
+        DPRINTF("Read (sector %" PRId64 ", count %d)\n", lba, len);
        if (lba > s->max_lba)
            goto illegal_lba;
        r->sector = lba * s->cluster_size;
@@ -786,7 +801,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
    case 0x0a:
    case 0x2a:
    case 0x8a:
-        DPRINTF("Write (sector %lld, count %d)\n", lba, len);
+        DPRINTF("Write (sector %" PRId64 ", count %d)\n", lba, len);
        if (lba > s->max_lba)
            goto illegal_lba;
        r->sector = lba * s->cluster_size;
@@ -794,7 +809,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
        is_write = 1;
        break;
    case 0x35:
-        DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
+        DPRINTF("Synchronise cache (sector %" PRId64 ", count %d)\n", lba, len);
        bdrv_flush(s->bdrv);
        break;
    case 0x43:
@@ -896,7 +911,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
        r->iov.iov_len = 16;
        break;
    case 0x2f:
-        DPRINTF("Verify (sector %d, count %d)\n", lba, len);
+        DPRINTF("Verify (sector %" PRId64 ", count %d)\n", lba, len);
        break;
    default:
 	DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -195,12 +195,10 @@ static void serial_update_irq(SerialState *s)
         * this is not in the specification but is observed on existing
         * hardware.  */
        tmp_iir = UART_IIR_CTI;
-    } else if ((s->ier & UART_IER_RDI) && (s->lsr & UART_LSR_DR)) {
-        if (!(s->fcr & UART_FCR_FE)) {
-           tmp_iir = UART_IIR_RDI;
-        } else if (s->recv_fifo.count >= s->recv_fifo.itl) {
-           tmp_iir = UART_IIR_RDI;
-        }
+    } else if ((s->ier & UART_IER_RDI) && (s->lsr & UART_LSR_DR) &&
+               (!(s->fcr & UART_FCR_FE) ||
+                s->recv_fifo.count >= s->recv_fifo.itl)) {
+        tmp_iir = UART_IIR_RDI;
    } else if ((s->ier & UART_IER_THRI) && s->thr_ipending) {
        tmp_iir = UART_IIR_THRI;
    } else if ((s->ier & UART_IER_MSI) && (s->msr & UART_MSR_ANY_DELTA)) {
--- a/hw/slavio_timer.c
+++ b/hw/slavio_timer.c
@@ -197,8 +197,8 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
            s->counthigh = val & (TIMER_MAX_COUNT64 >> 32);
            s->reached = 0;
            count = ((uint64_t)s->counthigh << 32) | s->count;
-            DPRINTF("processor %d user timer set to %016llx\n", s->slave_index,
-                    count);
+            DPRINTF("processor %d user timer set to %016" PRIx64 "\n",
+                    s->slave_index, count);
            if (s->timer)
                ptimer_set_count(s->timer, LIMIT_TO_PERIODS(s->limit - count));
        } else {
@@ -223,8 +223,8 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
            s->count = val & TIMER_MAX_COUNT64;
            s->reached = 0;
            count = ((uint64_t)s->counthigh) << 32 | s->count;
-            DPRINTF("processor %d user timer set to %016llx\n", s->slave_index,
-                    count);
+            DPRINTF("processor %d user timer set to %016" PRIx64 "\n",
+                    s->slave_index, count);
            if (s->timer)
                ptimer_set_count(s->timer, LIMIT_TO_PERIODS(s->limit - count));
        } else
--- a/hw/smbios.c
+++ b/hw/smbios.c
@@ -40,9 +40,20 @@ struct smbios_table {

 static uint8_t *smbios_entries;
 static size_t smbios_entries_len;
+static int smbios_type4_count = 0;
+
+static void smbios_validate_table(void)
+{
+    if (smbios_type4_count && smbios_type4_count != smp_cpus) {
+         fprintf(stderr,
+                 "Number of SMBIOS Type 4 tables must match cpu count.\n");
+        exit(1);
+    }
+}

 uint8_t *smbios_get_table(size_t *length)
 {
+    smbios_validate_table();
    *length = smbios_entries_len;
    return smbios_entries;
 }
@@ -173,8 +184,8 @@ int smbios_entry_add(const char *t)
        struct smbios_table *table;
        int size = get_image_size(buf);

-        if (size < sizeof(struct smbios_structure_header)) {
-            fprintf(stderr, "Cannot read smbios file %s", buf);
+        if (size == -1 || size < sizeof(struct smbios_structure_header)) {
+            fprintf(stderr, "Cannot read smbios file %s\n", buf);
            exit(1);
        }

@@ -196,6 +207,9 @@ int smbios_entry_add(const char *t)

        header = (struct smbios_structure_header *)(table->data);
        smbios_check_collision(header->type, SMBIOS_TABLE_ENTRY);
+        if (header->type == 4) {
+            smbios_type4_count++;
+        }

        smbios_entries_len += sizeof(*table) + size;
        (*(uint16_t *)smbios_entries) =
--- a/hw/sun4c_intctl.c
+++ b/hw/sun4c_intctl.c
@@ -107,9 +107,9 @@ void sun4c_irq_info(Monitor *mon, void *opaque)
    int64_t count;

    monitor_printf(mon, "IRQ statistics:\n");
-    count = s->irq_count[i];
+    count = s->irq_count;
    if (count > 0)
-        monitor_printf(mon, "%2d: %" PRId64 "\n", i, count);
+        monitor_printf(mon, " %" PRId64 "\n", count);
 #endif
 }

@@ -121,7 +121,6 @@ static void sun4c_check_interrupts(void *opaque)
    uint32_t pil_pending;
    unsigned int i;

-    DPRINTF("pending %x disabled %x\n", pending, s->intregm_disabled);
    pil_pending = 0;
    if (s->pending && !(s->reg & 0x80000000)) {
        for (i = 0; i < 8; i++) {
@@ -156,7 +155,7 @@ static void sun4c_set_irq(void *opaque, int irq, int level)
    if (pil > 0) {
        if (level) {
 #ifdef DEBUG_IRQ_COUNT
-            s->irq_count[pil]++;
+            s->irq_count++;
 #endif
            s->pending |= mask;
        } else {
--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -374,6 +374,7 @@ static void lance_init(NICInfo *nd, target_phys_addr_t leaddr,

    dev = qdev_create(NULL, "lance");
    dev->nd = nd;
+    qdev_prop_set_ptr(dev, "dma", dma_opaque);
    qdev_init(dev);
    s = sysbus_from_qdev(dev);
    sysbus_mmio_map(s, 0, leaddr);
@@ -510,11 +511,11 @@ static void ram_init(target_phys_addr_t addr, ram_addr_t RAM_size,
        exit(1);
    }
    dev = qdev_create(NULL, "memory");
-    qdev_init(dev);
    s = sysbus_from_qdev(dev);

    d = FROM_SYSBUS(RamDevice, s);
    d->size = RAM_size;
+    qdev_init(dev);

    sysbus_mmio_map(s, 0, addr);
 }
--- a/hw/sysbus.c
+++ b/hw/sysbus.c
@@ -32,7 +32,7 @@ struct BusInfo system_bus_info = {
 void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq)
 {
    assert(n >= 0 && n < dev->num_irq);
-    dev->irqs[n] = 0;
+    dev->irqs[n] = NULL;
    if (dev->irqp[n]) {
        *dev->irqp[n] = irq;
    }
--- a/hw/unin_pci.c
+++ b/hw/unin_pci.c
@@ -234,7 +234,7 @@ PCIBus *pci_pmac_init(qemu_irq *pic)
    cpu_register_physical_memory(0xf0c00000, 0x1000, pci_mem_data);

    d = pci_register_device(s->bus, "Uni-north AGP", sizeof(PCIDevice),
-                            11 << 3, NULL, NULL);
+                            12 << 3, NULL, NULL);
    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_APPLE);
    pci_config_set_device_id(d->config, PCI_DEVICE_ID_APPLE_UNI_N_AGP);
    d->config[0x08] = 0x00; // revision
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -905,7 +905,7 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)

    flag_r = (td.flags & OHCI_TD_R) != 0;
 #ifdef DEBUG_PACKET
-    dprintf(" TD @ 0x%.8x %u bytes %s r=%d cbp=0x%.8x be=0x%.8x\n",
+    dprintf(" TD @ 0x%.8x %" PRId64 " bytes %s r=%d cbp=0x%.8x be=0x%.8x\n",
            addr, len, str, flag_r, td.cbp, td.be);

    if (len > 0 && dir != OHCI_TD_DIR_IN) {
@@ -1677,7 +1677,7 @@ static void usb_ohci_init(OHCIState *ohci, int num_ports, int devfn,
            usb_bit_time = 1;
        }
 #endif
-        dprintf("usb-ohci: usb_bit_time=%lli usb_frame_time=%lli\n",
+        dprintf("usb-ohci: usb_bit_time=%" PRId64 " usb_frame_time=%" PRId64 "\n",
                usb_frame_time, usb_bit_time);
    }

--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -72,7 +72,7 @@
 #ifdef DEBUG
 #define dprintf printf

-const char *pid2str(int pid)
+static const char *pid2str(int pid)
 {
    switch (pid) {
    case USB_TOKEN_SETUP: return "SETUP";
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -150,6 +150,8 @@ static uint16_t expand2[256];
 static uint8_t expand4to8[16];

 static void vga_screen_dump(void *opaque, const char *filename);
+static char *screen_dump_filename;
+static DisplayChangeListener *screen_dump_dcl;

 static void vga_dumb_update_retrace_info(VGAState *s)
 {
@@ -799,7 +801,7 @@ void vga_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
    uint32_t write_mask, bit_mask, set_mask;

 #ifdef DEBUG_VGA_MEM
-    printf("vga: [0x%x] = 0x%02x\n", addr, val);
+    printf("vga: [0x" TARGET_FMT_plx "] = 0x%02x\n", addr, val);
 #endif
    /* convert to VGA memory offset */
    memory_map_mode = (s->gr[6] >> 2) & 3;
@@ -832,7 +834,7 @@ void vga_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
        if (s->sr[2] & mask) {
            s->vram_ptr[addr] = val;
 #ifdef DEBUG_VGA_MEM
-            printf("vga: chain4: [0x%x]\n", addr);
+            printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
 #endif
            s->plane_updated |= mask; /* only used to detect font change */
            cpu_physical_memory_set_dirty(s->vram_offset + addr);
@@ -845,7 +847,7 @@ void vga_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
            addr = ((addr & ~1) << 1) | plane;
            s->vram_ptr[addr] = val;
 #ifdef DEBUG_VGA_MEM
-            printf("vga: odd/even: [0x%x]\n", addr);
+            printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
 #endif
            s->plane_updated |= mask; /* only used to detect font change */
            cpu_physical_memory_set_dirty(s->vram_offset + addr);
@@ -919,10 +921,10 @@ void vga_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
            (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
            (val & write_mask);
 #ifdef DEBUG_VGA_MEM
-            printf("vga: latch: [0x%x] mask=0x%08x val=0x%08x\n",
-                   addr * 4, write_mask, val);
+        printf("vga: latch: [0x" TARGET_FMT_plx "] mask=0x%08x val=0x%08x\n",
+               addr * 4, write_mask, val);
 #endif
-            cpu_physical_memory_set_dirty(s->vram_offset + (addr << 2));
+        cpu_physical_memory_set_dirty(s->vram_offset + (addr << 2));
    }
 }

@@ -2529,9 +2531,13 @@ int pci_vga_init(PCIBus *bus,
 /********************************************************/
 /* vga screen dump */

-static void vga_save_dpy_update(DisplayState *s,
+static void vga_save_dpy_update(DisplayState *ds,
                                int x, int y, int w, int h)
 {
+    if (screen_dump_filename) {
+        ppm_save(screen_dump_filename, ds->surface);
+        screen_dump_filename = NULL;
+    }
 }

 static void vga_save_dpy_resize(DisplayState *s)
@@ -2580,70 +2586,16 @@ int ppm_save(const char *filename, struct DisplaySurface *ds)
    return 0;
 }

-static void vga_screen_dump_blank(VGAState *s, const char *filename)
+static DisplayChangeListener* vga_screen_dump_init(DisplayState *ds)
 {
-    FILE *f;
-    unsigned int y, x, w, h;
-    unsigned char blank_sample[3] = { 0, 0, 0 };
+    DisplayChangeListener *dcl;

-    w = s->last_scr_width;
-    h = s->last_scr_height;
-
-    f = fopen(filename, "wb");
-    if (!f)
-        return;
-    fprintf(f, "P6\n%d %d\n%d\n", w, h, 255);
-    for (y = 0; y < h; y++) {
-        for (x = 0; x < w; x++) {
-            fwrite(blank_sample, 3, 1, f);
-        }
-    }
-    fclose(f);
-}
-
-static void vga_screen_dump_common(VGAState *s, const char *filename,
-                                   int w, int h)
-{
-    DisplayState *saved_ds, ds1, *ds = &ds1;
-    DisplayChangeListener dcl;
-
-    /* XXX: this is a little hackish */
-    vga_invalidate_display(s);
-    saved_ds = s->ds;
-
-    memset(ds, 0, sizeof(DisplayState));
-    memset(&dcl, 0, sizeof(DisplayChangeListener));
-    dcl.dpy_update = vga_save_dpy_update;
-    dcl.dpy_resize = vga_save_dpy_resize;
-    dcl.dpy_refresh = vga_save_dpy_refresh;
-    register_displaychangelistener(ds, &dcl);
-    ds->allocator = &default_allocator;
-    ds->surface = qemu_create_displaysurface(ds, w, h);
-
-    s->ds = ds;
-    s->graphic_mode = -1;
-    vga_update_display(s);
-
-    ppm_save(filename, ds->surface);
-
-    qemu_free_displaysurface(ds);
-    s->ds = saved_ds;
-}
-
-static void vga_screen_dump_graphic(VGAState *s, const char *filename)
-{
-    int w, h;
-
-    s->get_resolution(s, &w, &h);
-    vga_screen_dump_common(s, filename, w, h);
-}
-
-static void vga_screen_dump_text(VGAState *s, const char *filename)
-{
-    int w, h, cwidth, cheight;
-
-    vga_get_text_resolution(s, &w, &h, &cwidth, &cheight);
-    vga_screen_dump_common(s, filename, w * cwidth, h * cheight);
+    dcl = qemu_mallocz(sizeof(DisplayChangeListener));
+    dcl->dpy_update = vga_save_dpy_update;
+    dcl->dpy_resize = vga_save_dpy_resize;
+    dcl->dpy_refresh = vga_save_dpy_refresh;
+    register_displaychangelistener(ds, dcl);
+    return dcl;
 }

 /* save the vga display in a PPM image even if no display is
@@ -2652,11 +2604,11 @@ static void vga_screen_dump(void *opaque, const char *filename)
 {
    VGAState *s = (VGAState *)opaque;

-    if (!(s->ar_index & 0x20))
-        vga_screen_dump_blank(s, filename);
-    else if (s->gr[6] & 1)
-        vga_screen_dump_graphic(s, filename);
-    else
-        vga_screen_dump_text(s, filename);
+    if (!screen_dump_dcl)
+        screen_dump_dcl = vga_screen_dump_init(s->ds);
+
+    screen_dump_filename = (char *)filename;
    vga_invalidate_display(s);
+    vga_hw_update();
 }
+
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -26,6 +26,7 @@ typedef struct VirtIOBlock
    VirtQueue *vq;
    void *rq;
    char serial_str[BLOCK_SERIAL_STRLEN + 1];
+    QEMUBH *bh;
 } VirtIOBlock;

 static VirtIOBlock *to_virtio_blk(VirtIODevice *vdev)
@@ -302,13 +303,13 @@ static void virtio_blk_handle_output(VirtIODevice *vdev, VirtQueue *vq)
     */
 }

-static void virtio_blk_dma_restart_cb(void *opaque, int running, int reason)
+static void virtio_blk_dma_restart_bh(void *opaque)
 {
    VirtIOBlock *s = opaque;
    VirtIOBlockReq *req = s->rq;

-    if (!running)
-        return;
+    qemu_bh_delete(s->bh);
+    s->bh = NULL;

    s->rq = NULL;

@@ -318,6 +319,19 @@ static void virtio_blk_dma_restart_cb(void *opaque, int running, int reason)
    }
 }

+static void virtio_blk_dma_restart_cb(void *opaque, int running, int reason)
+{
+    VirtIOBlock *s = opaque;
+
+    if (!running)
+        return;
+
+    if (!s->bh) {
+        s->bh = qemu_bh_new(virtio_blk_dma_restart_bh, s);
+        qemu_bh_schedule(s->bh);
+    }
+}
+
 static void virtio_blk_reset(VirtIODevice *vdev)
 {
    /*
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -423,63 +423,37 @@ static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
    virtio_bind_device(vdev, &virtio_pci_bindings, proxy);
 }

-static void virtio_blk_init_pci_with_class(PCIDevice *pci_dev,
-                                           uint16_t class_code)
+static void virtio_blk_init_pci(PCIDevice *pci_dev)
 {
    VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
    VirtIODevice *vdev;

+    if (proxy->class_code != PCI_CLASS_STORAGE_SCSI &&
+        proxy->class_code != PCI_CLASS_STORAGE_OTHER)
+        proxy->class_code = PCI_CLASS_STORAGE_SCSI;
+
    vdev = virtio_blk_init(&pci_dev->qdev);
    virtio_init_pci(proxy, vdev,
                    PCI_VENDOR_ID_REDHAT_QUMRANET,
                    PCI_DEVICE_ID_VIRTIO_BLOCK,
-                    class_code, 0x00);
-}
-
-static void virtio_blk_init_pci(PCIDevice *pci_dev)
-{
-    VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
-  
-    if (proxy->class_code != PCI_CLASS_STORAGE_SCSI &&
-        proxy->class_code != PCI_CLASS_STORAGE_OTHER)
-        proxy->class_code = PCI_CLASS_STORAGE_SCSI;
- 
-    virtio_blk_init_pci_with_class(pci_dev, proxy->class_code);
-}
-
-static void virtio_blk_init_pci_0_10(PCIDevice *pci_dev)
-{
-    virtio_blk_init_pci_with_class(pci_dev, PCI_CLASS_STORAGE_OTHER);
-}
-
-static void virtio_console_init_pci_with_class(PCIDevice *pci_dev,
-                                               uint16_t class_code)
-{
-    VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
-    VirtIODevice *vdev;
-
-    vdev = virtio_console_init(&pci_dev->qdev);
-    virtio_init_pci(proxy, vdev,
-                    PCI_VENDOR_ID_REDHAT_QUMRANET,
-                    PCI_DEVICE_ID_VIRTIO_CONSOLE,
-                    class_code, 0x00);
+                    proxy->class_code, 0x00);
 }

 static void virtio_console_init_pci(PCIDevice *pci_dev)
 {
    VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
-  
+    VirtIODevice *vdev;
+
    if (proxy->class_code != PCI_CLASS_COMMUNICATION_OTHER &&
        proxy->class_code != PCI_CLASS_DISPLAY_OTHER && /* qemu 0.10 */
        proxy->class_code != PCI_CLASS_OTHERS)          /* qemu-kvm  */
        proxy->class_code = PCI_CLASS_COMMUNICATION_OTHER;

-    virtio_console_init_pci_with_class(pci_dev, proxy->class_code);
-}
-
-static void virtio_console_init_pci_0_10(PCIDevice *pci_dev)
-{
-    virtio_console_init_pci_with_class(pci_dev, PCI_CLASS_DISPLAY_OTHER);
+    vdev = virtio_console_init(&pci_dev->qdev);
+    virtio_init_pci(proxy, vdev,
+                    PCI_VENDOR_ID_REDHAT_QUMRANET,
+                    PCI_DEVICE_ID_VIRTIO_CONSOLE,
+                    proxy->class_code, 0x00);
 }

 static void virtio_net_init_pci(PCIDevice *pci_dev)
@@ -560,15 +534,6 @@ static PCIDeviceInfo virtio_info[] = {
        .qdev.name = "virtio-balloon-pci",
        .qdev.size = sizeof(VirtIOPCIProxy),
        .init      = virtio_balloon_init_pci,
-    },{
-        /* For compatibility with 0.10 */
-        .qdev.name = "virtio-blk-pci-0-10",
-        .qdev.size = sizeof(VirtIOPCIProxy),
-        .init      = virtio_blk_init_pci_0_10,
-    },{
-        .qdev.name = "virtio-console-pci-0-10",
-        .qdev.size = sizeof(VirtIOPCIProxy),
-        .init      = virtio_console_init_pci_0_10,
    },{
        /* end of list */
    }
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -923,7 +923,7 @@ static void vmsvga_reset(struct vmsvga_state_s *s)
    s->width = -1;
    s->height = -1;
    s->svgaid = SVGA_ID;
-    s->depth = 24;
+    s->depth = ds_get_bits_per_pixel(s->vga.ds);
    s->bypp = (s->depth + 7) >> 3;
    s->cursor.on = 0;
    s->redraw_fifo_first = 0;
@@ -1126,8 +1126,6 @@ static void vmsvga_init(struct vmsvga_state_s *s, int vga_ram_size)
    s->scratch_size = SVGA_SCRATCH_SIZE;
    s->scratch = (uint32_t *) qemu_malloc(s->scratch_size * 4);

-    vmsvga_reset(s);
-
 #ifdef EMBED_STDVGA
    vga_common_init((VGAState *) s, vga_ram_size);
    vga_init((VGAState *) s);
@@ -1142,6 +1140,8 @@ static void vmsvga_init(struct vmsvga_state_s *s, int vga_ram_size)
                                     vmsvga_screen_dump,
                                     vmsvga_text_update, &s->vga);

+    vmsvga_reset(s);
+
 #ifdef CONFIG_BOCHS_VBE
    /* XXX: use optimized standard vga accesses */
    cpu_register_physical_memory(VBE_DISPI_LFB_PHYSICAL_ADDRESS,
--- a/keymaps.c
+++ b/keymaps.c
@@ -75,7 +75,7 @@ static kbd_layout_t *parse_keyboard_layout(const name2keysym_t *table,
    if (!(filename && (f = fopen(filename, "r")))) {
 	fprintf(stderr,
 		"Could not read keymap file: '%s'\n", language);
-	return 0;
+	return NULL;
    }
    qemu_free(filename);
    for(;;) {
@@ -144,7 +144,7 @@ static kbd_layout_t *parse_keyboard_layout(const name2keysym_t *table,

 void *init_keyboard_layout(const name2keysym_t *table, const char *language)
 {
-    return parse_keyboard_layout(table, language, 0);
+    return parse_keyboard_layout(table, language, NULL);
 }


--- a/kvm-all.c
+++ b/kvm-all.c
@@ -193,26 +193,6 @@ err:
    return ret;
 }

-int kvm_put_mp_state(CPUState *env)
-{
-    struct kvm_mp_state mp_state = { .mp_state = env->mp_state };
-
-    return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, &mp_state);
-}
-
-int kvm_get_mp_state(CPUState *env)
-{
-    struct kvm_mp_state mp_state;
-    int ret;
-
-    ret = kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, &mp_state);
-    if (ret < 0) {
-        return ret;
-    }
-    env->mp_state = mp_state.mp_state;
-    return 0;
-}
-
 /*
 * dirty pages logging control
 */
--- a/kvm.h
+++ b/kvm.h
@@ -71,9 +71,6 @@ int kvm_vm_ioctl(KVMState *s, int type, ...);

 int kvm_vcpu_ioctl(CPUState *env, int type, ...);

-int kvm_get_mp_state(CPUState *env);
-int kvm_put_mp_state(CPUState *env);
-
 /* Arch specific hooks */

 int kvm_arch_post_run(CPUState *env, struct kvm_run *run);
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -134,13 +134,13 @@ static inline void init_thread(struct target_pt_regs *regs, struct image_info *i
    regs->rip = infop->entry;
 }

-typedef target_ulong    elf_greg_t;
+typedef target_ulong    target_elf_greg_t;
 typedef uint32_t        target_uid_t;
 typedef uint32_t        target_gid_t;
 typedef int32_t         target_pid_t;

 #define ELF_NREG    27
-typedef elf_greg_t  elf_gregset_t[ELF_NREG];
+typedef target_elf_greg_t  target_elf_gregset_t[ELF_NREG];

 /*
 * Note that ELF_NREG should be 29 as there should be place for
@@ -149,7 +149,7 @@ typedef elf_greg_t  elf_gregset_t[ELF_NREG];
 *
 * See linux kernel: arch/x86/include/asm/elf.h
 */
-static void elf_core_copy_regs(elf_gregset_t *regs, const CPUState *env)
+static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUState *env)
 {
    (*regs)[0] = env->regs[15];
    (*regs)[1] = env->regs[14];
@@ -211,13 +211,13 @@ static inline void init_thread(struct target_pt_regs *regs, struct image_info *i
    regs->edx = 0;
 }

-typedef target_ulong    elf_greg_t;
+typedef target_ulong    target_elf_greg_t;
 typedef uint16_t        target_uid_t;
 typedef uint16_t        target_gid_t;
 typedef int32_t         target_pid_t;

 #define ELF_NREG    17
-typedef elf_greg_t  elf_gregset_t[ELF_NREG];
+typedef target_elf_greg_t  target_elf_gregset_t[ELF_NREG];

 /*
 * Note that ELF_NREG should be 19 as there should be place for
@@ -226,7 +226,7 @@ typedef elf_greg_t  elf_gregset_t[ELF_NREG];
 *
 * See linux kernel: arch/x86/include/asm/elf.h
 */
-static void elf_core_copy_regs(elf_gregset_t *regs, const CPUState *env)
+static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUState *env)
 {
    (*regs)[0] = env->regs[R_EBX];
    (*regs)[1] = env->regs[R_ECX];
@@ -286,15 +286,15 @@ static inline void init_thread(struct target_pt_regs *regs, struct image_info *i
    regs->ARM_r10 = infop->start_data;
 }

-typedef uint32_t elf_greg_t;
+typedef uint32_t target_elf_greg_t;
 typedef uint16_t target_uid_t;
 typedef uint16_t target_gid_t;
 typedef int32_t  target_pid_t;

 #define ELF_NREG    18
-typedef elf_greg_t  elf_gregset_t[ELF_NREG];
+typedef target_elf_greg_t  target_elf_gregset_t[ELF_NREG];

-static void elf_core_copy_regs(elf_gregset_t *regs, const CPUState *env)
+static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUState *env)
 {
    (*regs)[0] = env->regs[0];
    (*regs)[1] = env->regs[1];
@@ -1199,7 +1199,7 @@ static int symfind(const void *s0, const void *s1)
    int result = 0;
    if (key->st_value < sym->st_value) {
        result = -1;
-    } else if (key->st_value > sym->st_value + sym->st_size) {
+    } else if (key->st_value >= sym->st_value + sym->st_size) {
        result = 1;
    }
    return result;
@@ -1220,7 +1220,7 @@ static const char *lookup_symbolxx(struct syminfo *s, target_ulong orig_addr)
    key.st_value = orig_addr;

    sym = bsearch(&key, syms, s->disas_num_syms, sizeof(*syms), symfind);
-    if (sym != 0) {
+    if (sym != NULL) {
        return s->disas_strtab + sym->st_name;
    }

@@ -1725,7 +1725,7 @@ int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs,

 /*
 * Definitions to generate Intel SVR4-like core files.
- * These mostly have the same names as the SVR4 types with "elf_"
+ * These mostly have the same names as the SVR4 types with "target_elf_"
 * tacked on the front to prevent clashes with linux definitions,
 * and the typedef forms have been avoided.  This is mostly like
 * the SVR4 structure, but more Linuxy, with things that Linux does
@@ -1745,9 +1745,9 @@ int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs,
 * Next you define type of register set used for dumping.  ELF specification
 * says that it needs to be array of elf_greg_t that has size of ELF_NREG.
 *
- * typedef <target_regtype> elf_greg_t;
+ * typedef <target_regtype> target_elf_greg_t;
 * #define ELF_NREG <number of registers>
- * typedef elf_greg_t elf_gregset_t[ELF_NREG];
+ * typedef taret_elf_greg_t target_elf_gregset_t[ELF_NREG];
 *
 * Then define following types to match target types.  Actual types can
 * be found from linux kernel (arch/<ARCH>/include/asm/posix_types.h):
@@ -1759,7 +1759,8 @@ int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs,
 * Last step is to implement target specific function that copies registers
 * from given cpu into just specified register set.  Prototype is:
 *
- * static void elf_core_copy_regs(elf_gregset_t *regs, const CPUState *env);
+ * static void elf_core_copy_regs(taret_elf_gregset_t *regs,
+ *                                const CPUState *env);
 *
 * Parameters:
 *     regs - copy register values into here (allocated and zeroed by caller)
@@ -1779,14 +1780,14 @@ struct memelfnote {
    size_t     notesz;
 };

-struct elf_siginfo {
+struct target_elf_siginfo {
    int  si_signo; /* signal number */
    int  si_code;  /* extra code */
    int  si_errno; /* errno */
 };

-struct elf_prstatus {
-    struct elf_siginfo pr_info;      /* Info associated with signal */
+struct target_elf_prstatus {
+    struct target_elf_siginfo pr_info;      /* Info associated with signal */
    short              pr_cursig;    /* Current signal */
    target_ulong       pr_sigpend;   /* XXX */
    target_ulong       pr_sighold;   /* XXX */
@@ -1798,13 +1799,13 @@ struct elf_prstatus {
    struct target_timeval pr_stime;  /* XXX System time */
    struct target_timeval pr_cutime; /* XXX Cumulative user time */
    struct target_timeval pr_cstime; /* XXX Cumulative system time */
-    elf_gregset_t      pr_reg;       /* GP registers */
+    target_elf_gregset_t      pr_reg;       /* GP registers */
    int                pr_fpvalid;   /* XXX */
 };

 #define ELF_PRARGSZ     (80) /* Number of chars for args */

-struct elf_prpsinfo {
+struct target_elf_prpsinfo {
    char         pr_state;       /* numeric process state */
    char         pr_sname;       /* char for pr_state */
    char         pr_zomb;        /* zombie */
@@ -1821,7 +1822,7 @@ struct elf_prpsinfo {
 /* Here is the structure in which status of each thread is captured. */
 struct elf_thread_status {
    TAILQ_ENTRY(elf_thread_status)  ets_link;
-    struct elf_prstatus prstatus;   /* NT_PRSTATUS */
+    struct target_elf_prstatus prstatus;   /* NT_PRSTATUS */
 #if 0
    elf_fpregset_t fpu;             /* NT_PRFPREG */
    struct task_struct *thread;
@@ -1833,8 +1834,8 @@ struct elf_thread_status {

 struct elf_note_info {
    struct memelfnote   *notes;
-    struct elf_prstatus *prstatus;  /* NT_PRSTATUS */
-    struct elf_prpsinfo *psinfo;    /* NT_PRPSINFO */
+    struct target_elf_prstatus *prstatus;  /* NT_PRSTATUS */
+    struct target_elf_prpsinfo *psinfo;    /* NT_PRPSINFO */

    TAILQ_HEAD(thread_list_head, elf_thread_status) thread_list;
 #if 0
@@ -1876,8 +1877,8 @@ static int vma_walker(void *priv, unsigned long start, unsigned long end,
 static void fill_elf_header(struct elfhdr *, int, uint16_t, uint32_t);
 static void fill_note(struct memelfnote *, const char *, int,
    unsigned int, void *);
-static void fill_prstatus(struct elf_prstatus *, const TaskState *, int);
-static int fill_psinfo(struct elf_prpsinfo *, const TaskState *);
+static void fill_prstatus(struct target_elf_prstatus *, const TaskState *, int);
+static int fill_psinfo(struct target_elf_prpsinfo *, const TaskState *);
 static void fill_auxv_note(struct memelfnote *, const TaskState *);
 static void fill_elf_note_phdr(struct elf_phdr *, int, off_t);
 static size_t note_size(const struct memelfnote *);
@@ -1891,10 +1892,10 @@ static int write_note(struct memelfnote *, int);
 static int write_note_info(struct elf_note_info *, int);

 #ifdef BSWAP_NEEDED
-static void bswap_prstatus(struct elf_prstatus *);
-static void bswap_psinfo(struct elf_prpsinfo *);
+static void bswap_prstatus(struct target_elf_prstatus *);
+static void bswap_psinfo(struct target_elf_prpsinfo *);

-static void bswap_prstatus(struct elf_prstatus *prstatus)
+static void bswap_prstatus(struct target_elf_prstatus *prstatus)
 {
    prstatus->pr_info.si_signo = tswapl(prstatus->pr_info.si_signo);
    prstatus->pr_info.si_code = tswapl(prstatus->pr_info.si_code);
@@ -1911,7 +1912,7 @@ static void bswap_prstatus(struct elf_prstatus *prstatus)
    prstatus->pr_fpvalid = tswap32(prstatus->pr_fpvalid);
 }

-static void bswap_psinfo(struct elf_prpsinfo *psinfo)
+static void bswap_psinfo(struct target_elf_prpsinfo *psinfo)
 {
    psinfo->pr_flag = tswapl(psinfo->pr_flag);
    psinfo->pr_uid = tswap16(psinfo->pr_uid);
@@ -2105,7 +2106,7 @@ static size_t note_size(const struct memelfnote *note)
    return (note->notesz);
 }

-static void fill_prstatus(struct elf_prstatus *prstatus,
+static void fill_prstatus(struct target_elf_prstatus *prstatus,
    const TaskState *ts, int signr)
 {
    (void) memset(prstatus, 0, sizeof (*prstatus));
@@ -2120,7 +2121,7 @@ static void fill_prstatus(struct elf_prstatus *prstatus,
 #endif
 }

-static int fill_psinfo(struct elf_prpsinfo *psinfo, const TaskState *ts)
+static int fill_psinfo(struct target_elf_prpsinfo *psinfo, const TaskState *ts)
 {
    char *filename, *base_filename;
    unsigned int i, len;
--- a/linux-user/linuxload.c
+++ b/linux-user/linuxload.c
@@ -165,7 +165,7 @@ int loader_exec(const char * filename, char ** argv, char ** envp,

    bprm->p = TARGET_PAGE_SIZE*MAX_ARG_PAGES-sizeof(unsigned int);
    for (i=0 ; i<MAX_ARG_PAGES ; i++)       /* clear page-table */
-            bprm->page[i] = 0;
+            bprm->page[i] = NULL;
    retval = open(filename, O_RDONLY);
    if (retval < 0)
        return retval;
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -145,8 +145,8 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
    int prot1, ret;

 #ifdef DEBUG_MMAP
-    printf("mprotect: start=0x" TARGET_FMT_lx
-           "len=0x" TARGET_FMT_lx " prot=%c%c%c\n", start, len,
+    printf("mprotect: start=0x" TARGET_ABI_FMT_lx
+           "len=0x" TARGET_ABI_FMT_lx " prot=%c%c%c\n", start, len,
           prot & PROT_READ ? 'r' : '-',
           prot & PROT_WRITE ? 'w' : '-',
           prot & PROT_EXEC ? 'x' : '-');
@@ -331,8 +331,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
    mmap_lock();
 #ifdef DEBUG_MMAP
    {
-        printf("mmap: start=0x" TARGET_FMT_lx
-               " len=0x" TARGET_FMT_lx " prot=%c%c%c flags=",
+        printf("mmap: start=0x" TARGET_ABI_FMT_lx
+               " len=0x" TARGET_ABI_FMT_lx " prot=%c%c%c flags=",
               start, len,
               prot & PROT_READ ? 'r' : '-',
               prot & PROT_WRITE ? 'w' : '-',
@@ -352,7 +352,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
            printf("[MAP_TYPE=0x%x] ", flags & MAP_TYPE);
            break;
        }
-        printf("fd=%d offset=" TARGET_FMT_lx "\n", fd, offset);
+        printf("fd=%d offset=" TARGET_ABI_FMT_lx "\n", fd, offset);
    }
 #endif

@@ -523,7 +523,7 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
    page_set_flags(start, start + len, prot | PAGE_VALID);
 the_end:
 #ifdef DEBUG_MMAP
-    printf("ret=0x" TARGET_FMT_lx "\n", start);
+    printf("ret=0x" TARGET_ABI_FMT_lx "\n", start);
    page_dump(stdout);
    printf("\n");
 #endif
@@ -540,7 +540,9 @@ int target_munmap(abi_ulong start, abi_ulong len)
    int prot, ret;

 #ifdef DEBUG_MMAP
-    printf("munmap: start=0x%lx len=0x%lx\n", start, len);
+    printf("munmap: start=0x" TARGET_ABI_FMT_lx " len=0x"
+           TARGET_ABI_FMT_lx "\n",
+           start, len);
 #endif
    if (start & ~TARGET_PAGE_MASK)
        return -EINVAL;
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -584,8 +584,8 @@ int do_sigaction(int sig, const struct target_sigaction *act,
        return -EINVAL;
    k = &sigact_table[sig - 1];
 #if defined(DEBUG_SIGNAL)
-    fprintf(stderr, "sigaction sig=%d act=0x%08x, oact=0x%08x\n",
-            sig, (int)act, (int)oact);
+    fprintf(stderr, "sigaction sig=%d act=0x%p, oact=0x%p\n",
+            sig, act, oact);
 #endif
    if (oact) {
        oact->_sa_handler = tswapl(k->_sa_handler);
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6977,7 +6977,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
    }
 fail:
 #ifdef DEBUG
-    gemu_log(" = %ld\n", ret);
+    gemu_log(" = " TARGET_ABI_FMT_ld "\n", ret);
 #endif
    if(do_strace)
        print_syscall_ret(num, ret);
--- a/migration-exec.c
+++ b/migration-exec.c
@@ -73,10 +73,7 @@ MigrationState *exec_start_outgoing_migration(const char *command,
        goto err_after_open;
    }

-    if (fcntl(s->fd, F_SETFD, O_NONBLOCK) == -1) {
-        dprintf("Unable to set nonblocking mode on file descriptor\n");
-        goto err_after_open;
-    }
+    socket_set_nonblock(s->fd);

    s->opaque = qemu_popen(f, "w");

@@ -118,6 +115,8 @@ static void exec_accept_incoming_migration(void *opaque)
    dprintf("successfully loaded vm state\n");
    /* we've successfully migrated, close the fd */
    qemu_set_fd_handler2(qemu_popen_fd(f), NULL, NULL, NULL, NULL);
+    if (autostart)
+        vm_start();

 err:
    qemu_fclose(f);
--- a/migration-tcp.c
+++ b/migration-tcp.c
@@ -166,6 +166,8 @@ static void tcp_accept_incoming_migration(void *opaque)
    /* we've successfully migrated, close the server socket */
    qemu_set_fd_handler2(s, NULL, NULL, NULL, NULL);
    close(s);
+    if (autostart)
+        vm_start();

 out_fopen:
    qemu_fclose(f);
--- a/monitor.c
+++ b/monitor.c
@@ -70,6 +70,14 @@ typedef struct mon_cmd_t {
    const char *help;
 } mon_cmd_t;

+/* file descriptors passed via SCM_RIGHTS */
+typedef struct mon_fd_t mon_fd_t;
+struct mon_fd_t {
+    char *name;
+    int fd;
+    LIST_ENTRY(mon_fd_t) next;
+};
+
 struct Monitor {
    CharDriverState *chr;
    int flags;
@@ -80,6 +88,7 @@ struct Monitor {
    CPUState *mon_cpu;
    BlockDriverCompletionFunc *password_completion_cb;
    void *password_opaque;
+    LIST_HEAD(,mon_fd_t) fds;
    LIST_ENTRY(Monitor) entry;
 };

@@ -248,9 +257,10 @@ static void do_commit(Monitor *mon, const char *device)

    all_devices = !strcmp(device, "all");
    for (i = 0; i < nb_drives; i++) {
-            if (all_devices ||
-                !strcmp(bdrv_get_device_name(drives_table[i].bdrv), device))
-                bdrv_commit(drives_table[i].bdrv);
+        if (!all_devices)
+            if (strcmp(bdrv_get_device_name(drives_table[i].bdrv), device))
+                continue;
+        bdrv_commit(drives_table[i].bdrv);
    }
 }

@@ -1705,6 +1715,90 @@ static void do_inject_mce(Monitor *mon,
 }
 #endif

+static void do_getfd(Monitor *mon, const char *fdname)
+{
+    mon_fd_t *monfd;
+    int fd;
+
+    fd = qemu_chr_get_msgfd(mon->chr);
+    if (fd == -1) {
+        monitor_printf(mon, "getfd: no file descriptor supplied via SCM_RIGHTS\n");
+        return;
+    }
+
+    if (qemu_isdigit(fdname[0])) {
+        monitor_printf(mon, "getfd: monitor names may not begin with a number\n");
+        return;
+    }
+
+    fd = dup(fd);
+    if (fd == -1) {
+        monitor_printf(mon, "Failed to dup() file descriptor: %s\n",
+                       strerror(errno));
+        return;
+    }
+
+    LIST_FOREACH(monfd, &mon->fds, next) {
+        if (strcmp(monfd->name, fdname) != 0) {
+            continue;
+        }
+
+        close(monfd->fd);
+        monfd->fd = fd;
+        return;
+    }
+
+    monfd = qemu_mallocz(sizeof(mon_fd_t));
+    monfd->name = qemu_strdup(fdname);
+    monfd->fd = fd;
+
+    LIST_INSERT_HEAD(&mon->fds, monfd, next);
+}
+
+static void do_closefd(Monitor *mon, const char *fdname)
+{
+    mon_fd_t *monfd;
+
+    LIST_FOREACH(monfd, &mon->fds, next) {
+        if (strcmp(monfd->name, fdname) != 0) {
+            continue;
+        }
+
+        LIST_REMOVE(monfd, next);
+        close(monfd->fd);
+        qemu_free(monfd->name);
+        qemu_free(monfd);
+        return;
+    }
+
+    monitor_printf(mon, "Failed to find file descriptor named %s\n",
+                   fdname);
+}
+
+int monitor_get_fd(Monitor *mon, const char *fdname)
+{
+    mon_fd_t *monfd;
+
+    LIST_FOREACH(monfd, &mon->fds, next) {
+        int fd;
+
+        if (strcmp(monfd->name, fdname) != 0) {
+            continue;
+        }
+
+        fd = monfd->fd;
+
+        /* caller takes ownership of fd */
+        LIST_REMOVE(monfd, next);
+        qemu_free(monfd->name);
+        qemu_free(monfd);
+
+        return fd;
+    }
+
+    return -1;
+}
+
 static const mon_cmd_t mon_cmds[] = {
 #include "qemu-monitor.h"
    { NULL, NULL, },
@@ -2175,7 +2269,7 @@ static int get_monitor_def(target_long *pval, const char *name)

 static void next(void)
 {
-    if (pch != '\0') {
+    if (*pch != '\0') {
        pch++;
        while (qemu_isspace(*pch))
            pch++;
@@ -2965,6 +3059,9 @@ static void monitor_find_completion(const char *cmdline)
            }
        }
        str = args[nb_args - 1];
+        if (*ptype == '-' && ptype[1] != '\0') {
+            ptype += 2;
+        }
        switch(*ptype) {
        case 'F':
            /* file completion */
--- a/monitor.h
+++ b/monitor.h
@@ -20,6 +20,8 @@ void monitor_read_bdrv_key_start(Monitor *mon, BlockDriverState *bs,
                                 BlockDriverCompletionFunc *completion_cb,
                                 void *opaque);

+int monitor_get_fd(Monitor *mon, const char *fdname);
+
 void monitor_vprintf(Monitor *mon, const char *fmt, va_list ap);
 void monitor_printf(Monitor *mon, const char *fmt, ...)
    __attribute__ ((__format__ (__printf__, 2, 3)));
--- a/net.c
+++ b/net.c
@@ -465,33 +465,28 @@ qemu_deliver_packet(VLANClientState *sender, const uint8_t *buf, int size)

 void qemu_purge_queued_packets(VLANClientState *vc)
 {
-    VLANPacket **pp = &vc->vlan->send_queue;
-
-    while (*pp != NULL) {
-        VLANPacket *packet = *pp;
+    VLANPacket *packet, *next;

+    TAILQ_FOREACH_SAFE(packet, &vc->vlan->send_queue, entry, next) {
        if (packet->sender == vc) {
-            *pp = packet->next;
+            TAILQ_REMOVE(&vc->vlan->send_queue, packet, entry);
            qemu_free(packet);
-        } else {
-            pp = &packet->next;
        }
    }
 }

 void qemu_flush_queued_packets(VLANClientState *vc)
 {
-    VLANPacket *packet;
-
-    while ((packet = vc->vlan->send_queue) != NULL) {
+    while (!TAILQ_EMPTY(&vc->vlan->send_queue)) {
+        VLANPacket *packet;
        int ret;

-        vc->vlan->send_queue = packet->next;
+        packet = TAILQ_FIRST(&vc->vlan->send_queue);
+        TAILQ_REMOVE(&vc->vlan->send_queue, packet, entry);

        ret = qemu_deliver_packet(packet->sender, packet->data, packet->size);
        if (ret == 0 && packet->sent_cb != NULL) {
-            packet->next = vc->vlan->send_queue;
-            vc->vlan->send_queue = packet;
+            TAILQ_INSERT_HEAD(&vc->vlan->send_queue, packet, entry);
            break;
        }

@@ -509,12 +504,12 @@ static void qemu_enqueue_packet(VLANClientState *sender,
    VLANPacket *packet;

    packet = qemu_malloc(sizeof(VLANPacket) + size);
-    packet->next = sender->vlan->send_queue;
    packet->sender = sender;
    packet->size = size;
    packet->sent_cb = sent_cb;
    memcpy(packet->data, buf, size);
-    sender->vlan->send_queue = packet;
+
+    TAILQ_INSERT_TAIL(&sender->vlan->send_queue, packet, entry);
 }

 ssize_t qemu_send_packet_async(VLANClientState *sender,
@@ -626,7 +621,6 @@ static ssize_t qemu_enqueue_packet_iov(VLANClientState *sender,
    max_len = calc_iov_length(iov, iovcnt);

    packet = qemu_malloc(sizeof(VLANPacket) + max_len);
-    packet->next = sender->vlan->send_queue;
    packet->sender = sender;
    packet->sent_cb = sent_cb;
    packet->size = 0;
@@ -638,7 +632,7 @@ static ssize_t qemu_enqueue_packet_iov(VLANClientState *sender,
        packet->size += len;
    }

-    sender->vlan->send_queue = packet;
+    TAILQ_INSERT_TAIL(&sender->vlan->send_queue, packet, entry);

    return packet->size;
 }
@@ -1150,7 +1144,7 @@ static void slirp_smb(SlirpState* s, Monitor *mon, const char *exported_dir,
    snprintf(smb_cmdline, sizeof(smb_cmdline), "%s -s %s",
             SMBD_COMMAND, smb_conf);

-    if (slirp_add_exec(s->slirp, 0, smb_cmdline, vserver_addr, 139) < 0) {
+    if (slirp_add_exec(s->slirp, 0, smb_cmdline, &vserver_addr, 139) < 0) {
        slirp_smb_cleanup(s);
        config_error(mon, "conflicting/invalid smbserver address\n");
    }
@@ -1239,16 +1233,17 @@ static void slirp_guestfwd(SlirpState *s, Monitor *mon, const char *config_str,
        qemu_free(fwd);
        return;
    }
-    fwd->server = server;
-    fwd->port = port;
-    fwd->slirp = s->slirp;

-    if (slirp_add_exec(s->slirp, 3, fwd->hd, server, port) < 0) {
+    if (slirp_add_exec(s->slirp, 3, fwd->hd, &server, port) < 0) {
        config_error(mon, "conflicting/invalid host:port in guest forwarding "
                     "rule '%s'\n", config_str);
        qemu_free(fwd);
        return;
    }
+    fwd->server = server;
+    fwd->port = port;
+    fwd->slirp = s->slirp;
+
    qemu_chr_add_handlers(fwd->hd, guestfwd_can_read, guestfwd_read,
                          NULL, fwd);
    return;
@@ -1383,17 +1378,15 @@ static void tap_send(void *opaque)
    TAPState *s = opaque;
    int size;

-    do {
-        size = tap_read_packet(s->fd, s->buf, sizeof(s->buf));
-        if (size <= 0) {
-            break;
-        }
+    size = tap_read_packet(s->fd, s->buf, sizeof(s->buf));
+    if (size <= 0) {
+        return;
+    }

-        size = qemu_send_packet_async(s->vc, s->buf, size, tap_send_completed);
-        if (size == 0) {
-            tap_read_poll(s, 0);
-        }
-    } while (size > 0);
+    size = qemu_send_packet_async(s->vc, s->buf, size, tap_send_completed);
+    if (size == 0) {
+        tap_read_poll(s, 0);
+    }
 }

 #ifdef TUNSETSNDBUF
@@ -2358,6 +2351,7 @@ VLANState *qemu_find_vlan(int id, int allocate)
    }
    vlan = qemu_mallocz(sizeof(VLANState));
    vlan->id = id;
+    TAILQ_INIT(&vlan->send_queue);
    vlan->next = NULL;
    pvlan = &first_vlan;
    while (*pvlan != NULL)
@@ -2410,6 +2404,23 @@ void qemu_check_nic_model_list(NICInfo *nd, const char * const *models,
    exit(exit_status);
 }

+static int net_handle_fd_param(Monitor *mon, const char *param)
+{
+    if (!qemu_isdigit(param[0])) {
+        int fd;
+
+        fd = monitor_get_fd(mon, param);
+        if (fd == -1) {
+            config_error(mon, "No file descriptor named %s found", param);
+            return -1;
+        }
+
+        return fd;
+    } else {
+        return strtol(param, NULL, 0);
+    }
+}
+
 int net_client_init(Monitor *mon, const char *device, const char *p)
 {
    char buf[1024];
@@ -2650,14 +2661,20 @@ int net_client_init(Monitor *mon, const char *device, const char *p)
            static const char * const fd_params[] = {
                "vlan", "name", "fd", "sndbuf", NULL
            };
+            ret = -1;
            if (check_params(chkbuf, sizeof(chkbuf), fd_params, p) < 0) {
                config_error(mon, "invalid parameter '%s' in '%s'\n", chkbuf, p);
-                ret = -1;
                goto out;
            }
-            fd = strtol(buf, NULL, 0);
+            fd = net_handle_fd_param(mon, buf);
+            if (fd == -1) {
+                goto out;
+            }
            fcntl(fd, F_SETFL, O_NONBLOCK);
            s = net_tap_fd_init(vlan, device, name, fd);
+            if (!s) {
+                close(fd);
+            }
        } else {
            static const char * const tap_params[] = {
                "vlan", "name", "ifname", "script", "downscript", "sndbuf", NULL
@@ -2697,15 +2714,20 @@ int net_client_init(Monitor *mon, const char *device, const char *p)
                "vlan", "name", "fd", NULL
            };
            int fd;
+            ret = -1;
            if (check_params(chkbuf, sizeof(chkbuf), fd_params, p) < 0) {
                config_error(mon, "invalid parameter '%s' in '%s'\n", chkbuf, p);
-                ret = -1;
                goto out;
            }
-            fd = strtol(buf, NULL, 0);
-            ret = -1;
-            if (net_socket_fd_init(vlan, device, name, fd, 1))
-                ret = 0;
+            fd = net_handle_fd_param(mon, buf);
+            if (fd == -1) {
+                goto out;
+            }
+            if (!net_socket_fd_init(vlan, device, name, fd, 1)) {
+                close(fd);
+                goto out;
+            }
+            ret = 0;
        } else if (get_param_value(buf, sizeof(buf), "listen", p) > 0) {
            static const char * const listen_params[] = {
                "vlan", "name", "listen", NULL
@@ -2905,7 +2927,7 @@ void do_info_network(Monitor *mon)
    }
 }

-int do_set_link(Monitor *mon, const char *name, const char *up_or_down)
+void do_set_link(Monitor *mon, const char *name, const char *up_or_down)
 {
    VLANState *vlan;
    VLANClientState *vc = NULL;
@@ -2917,8 +2939,8 @@ int do_set_link(Monitor *mon, const char *name, const char *up_or_down)
 done:

    if (!vc) {
-        monitor_printf(mon, "could not find network device '%s'", name);
-        return 0;
+        monitor_printf(mon, "could not find network device '%s'\n", name);
+        return;
    }

    if (strcmp(up_or_down, "up") == 0)
@@ -2931,8 +2953,6 @@ done:

    if (vc->link_status_changed)
        vc->link_status_changed(vc);
-
-    return 1;
 }

 void net_cleanup(void)
--- a/net.h
+++ b/net.h
@@ -1,6 +1,7 @@
 #ifndef QEMU_NET_H
 #define QEMU_NET_H

+#include "sys-queue.h"
 #include "qemu-common.h"

 /* VLANs support */
@@ -35,7 +36,7 @@ typedef struct VLANPacket VLANPacket;
 typedef void (NetPacketSent) (VLANClientState *, ssize_t);

 struct VLANPacket {
-    struct VLANPacket *next;
+    TAILQ_ENTRY(VLANPacket) entry;
    VLANClientState *sender;
    int size;
    NetPacketSent *sent_cb;
@@ -47,7 +48,7 @@ struct VLANState {
    VLANClientState *first_client;
    struct VLANState *next;
    unsigned int nb_guest_devs, nb_host_devs;
-    VLANPacket *send_queue;
+    TAILQ_HEAD(send_queue, VLANPacket) send_queue;
    int delivering;
 };

@@ -79,7 +80,7 @@ void qemu_check_nic_model_list(NICInfo *nd, const char * const *models,
 void qemu_handler_true(void *opaque);

 void do_info_network(Monitor *mon);
-int do_set_link(Monitor *mon, const char *name, const char *up_or_down);
+void do_set_link(Monitor *mon, const char *name, const char *up_or_down);

 void do_info_usernet(Monitor *mon);

--- a/pc-bios/optionrom/Makefile
+++ b/pc-bios/optionrom/Makefile
@@ -1,4 +1,6 @@
 all: build-all
+# Dummy command so that make thinks it has done something
+	@true

 include ../../config-host.mak

--- a/pc-bios/optionrom/signrom.sh
+++ b/pc-bios/optionrom/signrom.sh
@@ -31,14 +31,16 @@ x=`dd if="$1" bs=1 count=1 skip=2 2>/dev/null | od -t u1 -A n`
 size=$(( $x * 512 - 1 ))

 # now get the checksum
-for i in `od -A n -t u1 -v "$1"`; do
+nums=`od -A n -t u1 -v "$1"`
+for i in ${nums}; do
    # add each byte's value to sum
-    sum=$(( $sum + $i ))
+    sum=`expr $sum + $i`
 done

 sum=$(( $sum % 256 ))
 sum=$(( 256 - $sum ))
+sum_octal=$( printf "%o" $sum )

 # and write the output file
 cp "$1" "$2"
-printf "\\$sum" | dd of="$2" bs=1 count=1 seek=$size conv=notrunc 2>/dev/null
+printf "\\$sum_octal" | dd of="$2" bs=1 count=1 seek=$size conv=notrunc 2>/dev/null
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -168,6 +168,11 @@ void qemu_chr_read(CharDriverState *s, uint8_t *buf, int len)
    s->chr_read(s->handler_opaque, buf, len);
 }

+int qemu_chr_get_msgfd(CharDriverState *s)
+{
+    return s->get_msgfd ? s->get_msgfd(s) : -1;
+}
+
 void qemu_chr_accept_input(CharDriverState *s)
 {
    if (s->chr_accept_input)
@@ -1832,6 +1837,7 @@ typedef struct {
    int do_telnetopt;
    int do_nodelay;
    int is_unix;
+    int msgfd;
 } TCPCharDriver;

 static void tcp_chr_accept(void *opaque);
@@ -1907,6 +1913,70 @@ static void tcp_chr_process_IAC_bytes(CharDriverState *chr,
    *size = j;
 }

+static int tcp_get_msgfd(CharDriverState *chr)
+{
+    TCPCharDriver *s = chr->opaque;
+
+    return s->msgfd;
+}
+
+#ifndef WIN32
+static void unix_process_msgfd(CharDriverState *chr, struct msghdr *msg)
+{
+    TCPCharDriver *s = chr->opaque;
+    struct cmsghdr *cmsg;
+
+    for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
+        int fd;
+
+        if (cmsg->cmsg_len != CMSG_LEN(sizeof(int)) ||
+            cmsg->cmsg_level != SOL_SOCKET ||
+            cmsg->cmsg_type != SCM_RIGHTS)
+            continue;
+
+        fd = *((int *)CMSG_DATA(cmsg));
+        if (fd < 0)
+            continue;
+
+        if (s->msgfd != -1)
+            close(s->msgfd);
+        s->msgfd = fd;
+    }
+}
+
+static ssize_t tcp_chr_recv(CharDriverState *chr, char *buf, size_t len)
+{
+    TCPCharDriver *s = chr->opaque;
+    struct msghdr msg = { NULL, };
+    struct iovec iov[1];
+    union {
+        struct cmsghdr cmsg;
+        char control[CMSG_SPACE(sizeof(int))];
+    } msg_control;
+    ssize_t ret;
+
+    iov[0].iov_base = buf;
+    iov[0].iov_len = len;
+
+    msg.msg_iov = iov;
+    msg.msg_iovlen = 1;
+    msg.msg_control = &msg_control;
+    msg.msg_controllen = sizeof(msg_control);
+
+    ret = recvmsg(s->fd, &msg, 0);
+    if (ret > 0 && s->is_unix)
+        unix_process_msgfd(chr, &msg);
+
+    return ret;
+}
+#else
+static ssize_t tcp_chr_recv(CharDriverState *chr, char *buf, size_t len)
+{
+    TCPCharDriver *s = chr->opaque;
+    return recv(s->fd, buf, len, 0);
+}
+#endif
+
 static void tcp_chr_read(void *opaque)
 {
    CharDriverState *chr = opaque;
@@ -1919,7 +1989,7 @@ static void tcp_chr_read(void *opaque)
    len = sizeof(buf);
    if (len > s->max_size)
        len = s->max_size;
-    size = recv(s->fd, (void *)buf, len, 0);
+    size = tcp_chr_recv(chr, (void *)buf, len);
    if (size == 0) {
        /* connection closed */
        s->connected = 0;
@@ -1934,6 +2004,10 @@ static void tcp_chr_read(void *opaque)
            tcp_chr_process_IAC_bytes(chr, s, buf, &size);
        if (size > 0)
            qemu_chr_read(chr, buf, size);
+        if (s->msgfd != -1) {
+            close(s->msgfd);
+            s->msgfd = -1;
+        }
    }
 }

@@ -2095,12 +2169,14 @@ static CharDriverState *qemu_chr_open_tcp(const char *host_str,
    s->connected = 0;
    s->fd = -1;
    s->listen_fd = -1;
+    s->msgfd = -1;
    s->is_unix = is_unix;
    s->do_nodelay = do_nodelay && !is_unix;

    chr->opaque = s;
    chr->chr_write = tcp_chr_write;
    chr->chr_close = tcp_chr_close;
+    chr->get_msgfd = tcp_get_msgfd;

    if (is_listen) {
        s->listen_fd = fd;
@@ -2136,7 +2212,7 @@ CharDriverState *qemu_chr_open(const char *label, const char *filename, void (*i
    CharDriverState *chr;

    if (!strcmp(filename, "vc")) {
-        chr = text_console_init(0);
+        chr = text_console_init(NULL);
    } else
    if (strstart(filename, "vc:", &p)) {
        chr = text_console_init(p);
--- a/qemu-char.h
+++ b/qemu-char.h
@@ -51,6 +51,7 @@ struct CharDriverState {
    int (*chr_write)(struct CharDriverState *s, const uint8_t *buf, int len);
    void (*chr_update_read_handler)(struct CharDriverState *s);
    int (*chr_ioctl)(struct CharDriverState *s, int cmd, void *arg);
+    int (*get_msgfd)(struct CharDriverState *s);
    IOEventHandler *chr_event;
    IOCanRWHandler *chr_can_read;
    IOReadHandler *chr_read;
@@ -81,6 +82,7 @@ void qemu_chr_reset(CharDriverState *s);
 void qemu_chr_initial_reset(void);
 int qemu_chr_can_read(CharDriverState *s);
 void qemu_chr_read(CharDriverState *s, uint8_t *buf, int len);
+int qemu_chr_get_msgfd(CharDriverState *s);
 void qemu_chr_accept_input(CharDriverState *s);
 void qemu_chr_info(Monitor *mon);

--- a/qemu-img.c
+++ b/qemu-img.c
@@ -747,14 +747,20 @@ static int img_convert(int argc, char **argv)
                n = bs_offset + bs_sectors - sector_num;

            if (strcmp(drv->format_name, "host_device")) {
-                if (!bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
-                                       n, &n1)) {
-                    sector_num += n1;
-                    continue;
+                /* If the output image is being created as a copy on write image,
+                   assume that sectors which are unallocated in the input image
+                   are present in both the output's and input's base images (no
+                   need to copy them). */
+                if (out_baseimg) {
+                    if (!bdrv_is_allocated(bs[bs_i], sector_num - bs_offset,
+                                           n, &n1)) {
+                        sector_num += n1;
+                        continue;
+                    }
+                    /* The next 'n1' sectors are allocated in the input image. Copy
+                       only those as they may be followed by unallocated sectors. */
+                    n = n1;
                }
-                /* The next 'n1' sectors are allocated in the input image. Copy
-                   only those as they may be followed by unallocated sectors. */
-                n = n1;
            } else {
                n1 = n;
            }
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -7,10 +7,12 @@
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */
+#include <sys/time.h>
 #include <sys/types.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <getopt.h>
+#include <libgen.h>

 #include "qemu-common.h"
 #include "block_int.h"
@@ -1376,17 +1378,17 @@ int main(int argc, char **argv)
 	int growable = 0;
 	const char *sopt = "hVc:Crsnmg";
 	struct option lopt[] = {
-		{ "help", 0, 0, 'h' },
-		{ "version", 0, 0, 'V' },
-		{ "offset", 1, 0, 'o' },
-		{ "cmd", 1, 0, 'c' },
-		{ "create", 0, 0, 'C' },
-		{ "read-only", 0, 0, 'r' },
-		{ "snapshot", 0, 0, 's' },
-		{ "nocache", 0, 0, 'n' },
-		{ "misalign", 0, 0, 'm' },
-		{ "growable", 0, 0, 'g' },
-		{ NULL, 0, 0, 0 }
+		{ "help", 0, NULL, 'h' },
+		{ "version", 0, NULL, 'V' },
+		{ "offset", 1, NULL, 'o' },
+		{ "cmd", 1, NULL, 'c' },
+		{ "create", 0, NULL, 'C' },
+		{ "read-only", 0, NULL, 'r' },
+		{ "snapshot", 0, NULL, 's' },
+		{ "nocache", 0, NULL, 'n' },
+		{ "misalign", 0, NULL, 'm' },
+		{ "growable", 0, NULL, 'g' },
+		{ NULL, 0, NULL, 0 }
 	};
 	int c;
 	int opt_index = 0;
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -626,6 +626,24 @@ ETEXI
 STEXI
@item mce @var{cpu} @var{bank} @var{status} @var{mcgstatus} @var{addr} @var{misc}
 Inject an MCE on the given CPU (x86 only).
+ETEXI
+
+    { "getfd", "s", do_getfd, "getfd name",
+      "receive a file descriptor via SCM rights and assign it a name" },
+STEXI
+@item getfd @var{fdname}
+If a file descriptor is passed alongside this command using the SCM_RIGHTS
+mechanism on unix sockets, it is stored using the name @var{fdname} for
+later use by other monitor commands.
+ETEXI
+
+    { "closefd", "s", do_closefd, "closefd name",
+      "close a file descriptor previously passed via SCM rights" },
+STEXI
+@item closefd @var{fdname}
+Close the file descriptor previously assigned to @var{fdname} using the
+@code{getfd} command. This is only needed if the file descriptor was never
+used by another monitor command.
 ETEXI

 STEXI
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -191,22 +191,22 @@ int main(int argc, char **argv)
    char sockpath[128];
    const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
    struct option lopt[] = {
-        { "help", 0, 0, 'h' },
-        { "version", 0, 0, 'V' },
-        { "bind", 1, 0, 'b' },
-        { "port", 1, 0, 'p' },
-        { "socket", 1, 0, 'k' },
-        { "offset", 1, 0, 'o' },
-        { "read-only", 0, 0, 'r' },
-        { "partition", 1, 0, 'P' },
-        { "connect", 1, 0, 'c' },
-        { "disconnect", 0, 0, 'd' },
-        { "snapshot", 0, 0, 's' },
-        { "nocache", 0, 0, 'n' },
-        { "shared", 1, 0, 'e' },
-        { "persistent", 0, 0, 't' },
-        { "verbose", 0, 0, 'v' },
-        { NULL, 0, 0, 0 }
+        { "help", 0, NULL, 'h' },
+        { "version", 0, NULL, 'V' },
+        { "bind", 1, NULL, 'b' },
+        { "port", 1, NULL, 'p' },
+        { "socket", 1, NULL, 'k' },
+        { "offset", 1, NULL, 'o' },
+        { "read-only", 0, NULL, 'r' },
+        { "partition", 1, NULL, 'P' },
+        { "connect", 1, NULL, 'c' },
+        { "disconnect", 0, NULL, 'd' },
+        { "snapshot", 0, NULL, 's' },
+        { "nocache", 0, NULL, 'n' },
+        { "shared", 1, NULL, 'e' },
+        { "persistent", 0, NULL, 't' },
+        { "verbose", 0, NULL, 'v' },
+        { NULL, 0, NULL, 0 }
    };
    int ch;
    int opt_ind = 0;
--- a/qemu-thread.c
+++ b/qemu-thread.c
@@ -158,6 +158,6 @@ void qemu_thread_self(QemuThread *thread)

 int qemu_thread_equal(QemuThread *thread1, QemuThread *thread2)
 {
-   return (thread1->thread == thread2->thread);
+   return pthread_equal(thread1->thread, thread2->thread);
 }

--- a/qemu-tool.c
+++ b/qemu-tool.c
@@ -15,11 +15,14 @@
 #include "monitor.h"
 #include "sysemu.h"
 #include "qemu-timer.h"
+#include "qemu-log.h"

 #include <sys/time.h>

 QEMUClock *rt_clock;

+FILE *logfile;
+
 struct QEMUBH
 {
    QEMUBHFunc *cb;
--- a/sdl.c
+++ b/sdl.c
@@ -53,7 +53,7 @@ static SDL_Cursor *sdl_cursor_hidden;
 static int absolute_enabled = 0;
 static int guest_cursor = 0;
 static int guest_x, guest_y;
-static SDL_Cursor *guest_sprite = 0;
+static SDL_Cursor *guest_sprite = NULL;
 static uint8_t allocator;
 static SDL_PixelFormat host_format;
 static int scaling_active = 0;
@@ -720,6 +720,10 @@ static void sdl_refresh(DisplayState *ds)
                bpp = 32;
            do_sdl_resize(rev->w, rev->h, bpp);
            scaling_active = 1;
+            if (!is_buffer_shared(ds->surface)) {
+                ds->surface = qemu_resize_displaysurface(ds, ds_get_width(ds), ds_get_height(ds));
+                dpy_resize(ds);
+            }
            vga_hw_invalidate();
            vga_hw_update();
            break;
@@ -767,6 +771,9 @@ static void sdl_mouse_define(int width, int height, int bpp,
        line = image;
        for (x = 0; x < width; x ++, dst ++) {
            switch (bpp) {
+            case 32:
+                src = *(line ++); src |= *(line ++); src |= *(line ++); line++;
+                break;
            case 24:
                src = *(line ++); src |= *(line ++); src |= *(line ++);
                break;
--- a/sdl_keysym.h
+++ b/sdl_keysym.h
@@ -273,5 +273,5 @@ static const name2keysym_t name2keysym[]={
 {"Pause", SDLK_PAUSE},
 {"Escape", SDLK_ESCAPE},

-{0,0},
+{NULL, 0},
 };
--- a/slirp/libslirp.h
+++ b/slirp/libslirp.h
@@ -33,7 +33,7 @@ int slirp_add_hostfwd(Slirp *slirp, int is_udp,
 int slirp_remove_hostfwd(Slirp *slirp, int is_udp,
                         struct in_addr host_addr, int host_port);
 int slirp_add_exec(Slirp *slirp, int do_pty, const void *args,
-                   struct in_addr guest_addr, int guest_port);
+                   struct in_addr *guest_addr, int guest_port);

 void slirp_connection_info(Slirp *slirp, Monitor *mon);

--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -95,8 +95,8 @@ m_free(struct mbuf *m)
 	 * Either free() it or put it on the free list
 	 */
 	if (m->m_flags & M_DOFREE) {
-		free(m);
 		m->slirp->mbuf_alloced--;
+		free(m);
 	} else if ((m->m_flags & M_FREELIST) == 0) {
 		insque(m,&m->slirp->m_freelist);
 		m->m_flags = M_FREELIST; /* Clobber other flags */
--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -22,6 +22,7 @@
 * THE SOFTWARE.
 */
 #include "qemu-common.h"
+#include "qemu-timer.h"
 #include "qemu-char.h"
 #include "slirp.h"
 #include "hw/hw.h"
@@ -47,7 +48,7 @@ u_int curtime;
 static u_int time_fasttimo, last_slowtimo;
 static int do_slowtimo;

-TAILQ_HEAD(slirp_instances, Slirp) slirp_instances =
+static TAILQ_HEAD(slirp_instances, Slirp) slirp_instances =
    TAILQ_HEAD_INITIALIZER(slirp_instances);

 #ifdef _WIN32
@@ -244,29 +245,6 @@ void slirp_cleanup(Slirp *slirp)
 #define CONN_CANFRCV(so) (((so)->so_state & (SS_FCANTRCVMORE|SS_ISFCONNECTED)) == SS_ISFCONNECTED)
 #define UPD_NFDS(x) if (nfds < (x)) nfds = (x)

-/*
- * curtime kept to an accuracy of 1ms
- */
-#ifdef _WIN32
-static void updtime(void)
-{
-    struct _timeb tb;
-
-    _ftime(&tb);
-
-    curtime = tb.time * 1000 + tb.millitm;
-}
-#else
-static void updtime(void)
-{
-    struct timeval tv;
-
-    gettimeofday(&tv, NULL);
-
-    curtime = tv.tv_sec * 1000 + tv.tv_usec / 1000;
-}
-#endif
-
 void slirp_select_fill(int *pnfds,
                       fd_set *readfds, fd_set *writefds, fd_set *xfds)
 {
@@ -405,8 +383,7 @@ void slirp_select_poll(fd_set *readfds, fd_set *writefds, fd_set *xfds,
    global_writefds = writefds;
    global_xfds = xfds;

-	/* Update time */
-	updtime();
+    curtime = qemu_get_clock(rt_clock);

    TAILQ_FOREACH(slirp, &slirp_instances, entry) {
 	/*
@@ -794,19 +771,19 @@ int slirp_add_hostfwd(Slirp *slirp, int is_udp, struct in_addr host_addr,
 }

 int slirp_add_exec(Slirp *slirp, int do_pty, const void *args,
-                   struct in_addr guest_addr, int guest_port)
+                   struct in_addr *guest_addr, int guest_port)
 {
-    if (!guest_addr.s_addr) {
-        guest_addr.s_addr = slirp->vnetwork_addr.s_addr |
+    if (!guest_addr->s_addr) {
+        guest_addr->s_addr = slirp->vnetwork_addr.s_addr |
            (htonl(0x0204) & ~slirp->vnetwork_mask.s_addr);
    }
-    if ((guest_addr.s_addr & slirp->vnetwork_mask.s_addr) !=
+    if ((guest_addr->s_addr & slirp->vnetwork_mask.s_addr) !=
        slirp->vnetwork_addr.s_addr ||
-        guest_addr.s_addr == slirp->vhost_addr.s_addr ||
-        guest_addr.s_addr == slirp->vnameserver_addr.s_addr) {
+        guest_addr->s_addr == slirp->vhost_addr.s_addr ||
+        guest_addr->s_addr == slirp->vnameserver_addr.s_addr) {
        return -1;
    }
-    return add_exec(&slirp->exec_list, do_pty, (char *)args, guest_addr,
+    return add_exec(&slirp->exec_list, do_pty, (char *)args, *guest_addr,
                    htons(guest_port));
 }

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .10.90
 .11.1