seccomp: check TSYNC host capability

Remove -sandbox option if the host is not capable of TSYNC, since the
sandbox will fail at setup time otherwise. This will help libvirt, for
ex, to figure out if -sandbox will work.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit 5780760f5e)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>

MAINTAINERS

@@ -1125,6 +1125,7 @@ R: Fam Zheng <famz@redhat.com>
 S: Supported
 F: include/hw/scsi/*
 F: hw/scsi/*
+F: tests/scsi-disk-test.c
 F: tests/virtio-scsi-test.c
 T: git git://github.com/bonzini/qemu.git scsi-next
 
@@ -1685,6 +1686,7 @@ F: qom/
 X: qom/cpu.c
 F: tests/check-qom-interface.c
 F: tests/check-qom-proplist.c
+F: tests/check-qom-props.c
 F: tests/qom-test.c
 
 QMP

Makefile

@@ -547,7 +547,7 @@ fsdev/virtfs-proxy-helper$(EXESUF): LIBS += -lcap
 
 scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
 ifdef CONFIG_MPATH
-scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmultipath -lmpathpersist
+scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmpathpersist -lmultipath
 endif
 
 qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx $(SRC_PATH)/scripts/hxtool

Makefile.target

@@ -41,6 +41,10 @@ ifdef CONFIG_USER_ONLY
 include $(SRC_PATH)/tests/tcg/Makefile.include
 endif
 
+ifdef CONFIG_LINUX_USER
+PROGS+=$(QEMU_PROG)-binfmt
+endif
+
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
@@ -119,6 +123,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) \
 obj-y += linux-user/
 obj-y += gdbstub.o thunk.o
 
+obj-binfmt-y += linux-user/
+
 endif #CONFIG_LINUX_USER
 
 #########################################################
@@ -161,7 +167,11 @@ endif # CONFIG_SOFTMMU
 # Workaround for http://gcc.gnu.org/PR55489, see configure.
 %/translate.o: QEMU_CFLAGS += $(TRANSLATE_OPT_CFLAGS)
 
+ifdef CONFIG_LINUX_USER
+dummy := $(call unnest-vars,,obj-y obj-binfmt-y)
+else
 dummy := $(call unnest-vars,,obj-y)
+endif
 all-obj-y := $(obj-y)
 
 target-obj-y :=
@@ -202,6 +212,9 @@ ifdef CONFIG_DARWIN
 	$(call quiet-command,SetFile -a C $@,"SETFILE","$(TARGET_DIR)$@")
 endif
 
+$(QEMU_PROG)-binfmt: $(obj-binfmt-y)
+	$(call LINK,$^)
+
 gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/scripts/feature_to_c.sh
 	$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES),"GEN","$(TARGET_DIR)$@")
 

block/block-backend.c

@@ -23,6 +23,7 @@
 #include "qemu/option.h"
 #include "trace.h"
 #include "migration/misc.h"
+#include "hw/xen/xen.h"
 
 /* Number of coroutines to reserve per attached device model */
 #define COROUTINE_POOL_RESERVATION 64
@@ -900,7 +901,9 @@ char *blk_get_attached_dev_id(BlockBackend *blk)
 {
     DeviceState *dev;
 
-    assert(!blk->legacy_dev);
+    if (blk->legacy_dev) {
+        return xen_blk_get_attached_dev_id(blk->dev);
+    }
     dev = blk->dev;
 
     if (!dev) {
@@ -2005,6 +2008,13 @@ int blk_truncate(BlockBackend *blk, int64_t offset, PreallocMode prealloc,
     return bdrv_truncate(blk->root, offset, prealloc, errp);
 }
 
+void blk_legacy_resize_cb(BlockBackend *blk)
+{
+	if (blk->legacy_dev) {
+	    xen_blk_resize_cb(blk->dev);
+        }
+}
+
 static void blk_pdiscard_entry(void *opaque)
 {
     BlkRwCo *rwco = opaque;

blockdev.c

@@ -3175,6 +3175,7 @@ void qmp_block_resize(bool has_device, const char *device,
 {
     Error *local_err = NULL;
     BlockBackend *blk = NULL;
+    BlockBackend *cb_blk = NULL;
     BlockDriverState *bs;
     AioContext *aio_context;
     int ret;
@@ -3187,6 +3188,10 @@ void qmp_block_resize(bool has_device, const char *device,
         return;
     }
 
+    if (has_device) {
+        cb_blk = blk_by_name(device);
+    }
+
     aio_context = bdrv_get_aio_context(bs);
     aio_context_acquire(aio_context);
 
@@ -3213,6 +3218,9 @@ void qmp_block_resize(bool has_device, const char *device,
 
     bdrv_drained_begin(bs);
     ret = blk_truncate(blk, size, PREALLOC_MODE_OFF, errp);
+    if (!ret && cb_blk) {
+        blk_legacy_resize_cb(cb_blk);
+    }
     bdrv_drained_end(bs);
 
 out:

chardev/char-fe.c

@@ -21,6 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  * THE SOFTWARE.
  */
+#define HW_POISON_H // avoid poison since we patch against rules it "enforces"
 #include "qemu/osdep.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"

chardev/char-mux.c

@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 
+#define HW_POISON_H // avoid poison since we patch against rules it "enforces"
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu/option.h"
@@ -190,6 +191,15 @@ static void mux_chr_accept_input(Chardev *chr)
         be->chr_read(be->opaque,
                      &d->buffer[m][d->cons[m]++ & MUX_BUFFER_MASK], 1);
     }
+
+#if defined(TARGET_S390X)
+    /* We're still not able to sync producer and consumer, so let's wait a bit
+       and try again by then. */
+    if (d->prod[m] != d->cons[m]) {
+        qemu_mod_timer(d->accept_timer, qemu_get_clock_ns(vm_clock)
+                                        + (int64_t)100000);
+    }
+#endif
 }
 
 static int mux_chr_can_read(void *opaque)
@@ -324,6 +334,10 @@ static void qemu_chr_open_mux(Chardev *chr,
     }
 
     d->focus = -1;
+#if defined(TARGET_S390X)
+    d->accept_timer = qemu_new_timer_ns(vm_clock,
+                                     (QEMUTimerCB*)mux_chr_accept_input, chr);
+#endif
     /* only default to opened state if we've realized the initial
      * set of muxes
      */

chardev/char.c

@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 
+#define HW_POISON_H // avoid poison since we patch against rules it "enforces"
 #include "qemu/osdep.h"
 #include "qemu/cutils.h"
 #include "monitor/monitor.h"

configure

@@ -2216,13 +2216,10 @@ fi
 ##########################################
 # libseccomp check
 
+libseccomp_minver="2.2.0"
 if test "$seccomp" != "no" ; then
     case "$cpu" in
-    i386|x86_64)
-        libseccomp_minver="2.1.0"
-        ;;
-    mips)
-        libseccomp_minver="2.2.0"
+    i386|x86_64|mips)
         ;;
     arm|aarch64)
         libseccomp_minver="2.2.3"
@@ -3577,7 +3574,7 @@ int main(void) {
     return 0;
 }
 EOF
-  if compile_prog "" "-ludev -lmultipath -lmpathpersist" ; then
+  if compile_prog "" "-ludev -lmpathpersist -lmultipath" ; then
     mpathpersist=yes
   else
     mpathpersist=no
@@ -7418,7 +7415,7 @@ iotests_check="tests/qemu-iotests/check"
 
 echo "# Automatically generated by configure - do not modify" > "$iotests_common_env"
 echo >> "$iotests_common_env"
-echo "export PYTHON='$python'" >> "$iotests_common_env"
+echo "export PYTHON='/usr/bin/python2 -B'" >> "$iotests_common_env"
 
 if [ ! -e "$iotests_check" ]; then
     symlink "$source_path/$iotests_check" "$iotests_check"

cpus.c

@@ -2367,6 +2367,18 @@ exit:
     fclose(f);
 }
 
+bool spec_ctrl_is_inconsistent(void)
+{
+#if defined(TARGET_I386)
+    X86CPU *x86_cpu = X86_CPU(current_cpu);
+    CPUX86State *env = x86_cpu != NULL ? &x86_cpu->env : NULL;
+    if (env && !(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_SPEC_CTRL) &&
+	    env->spec_ctrl)
+        return true;
+#endif
+    return false;
+}
+
 void qmp_inject_nmi(Error **errp)
 {
     nmi_monitor_handle(monitor_get_cpu_index(), errp);

exec.c

@@ -2270,11 +2270,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
         return NULL;
     }
 
+#ifndef TARGET_PPC
     if (kvm_enabled() && !kvm_has_sync_mmu()) {
         error_setg(errp,
                    "host lacks kvm mmu notifiers, -mem-path unsupported");
         return NULL;
     }
+#endif
 
     if (phys_mem_alloc != qemu_anon_ram_alloc) {
         /*

hw/acpi/piix4.c

@@ -310,7 +310,7 @@ static const VMStateDescription vmstate_cpuhp_state = {
 static const VMStateDescription vmstate_acpi = {
     .name = "piix4_pm",
     .version_id = 3,
-    .minimum_version_id = 3,
+    .minimum_version_id = 2, /* qemu-kvm */
     .minimum_version_id_old = 1,
     .load_state_old = acpi_load_old,
     .post_load = vmstate_acpi_post_load,

hw/block/xen_disk.c

@@ -90,6 +90,8 @@ struct XenBlkDev {
     int                 requests_finished;
     unsigned int        max_requests;
 
+    gboolean            cache_unsafe;
+    /* Persistent grants extension */
     gboolean            feature_discard;
 
     /* qemu block driver */
@@ -642,6 +644,16 @@ static void blk_parse_discard(struct XenBlkDev *blkdev)
     }
 }
 
+static void blk_parse_cache_unsafe(struct XenBlkDev *blkdev)
+{
+    int enable;
+
+    blkdev->cache_unsafe = false;
+
+    if (xenstore_read_be_int(&blkdev->xendev, "suse-diskcache-disable-flush", &enable) == 0)
+	    blkdev->cache_unsafe = !!enable;
+}
+
 static int blk_init(struct XenDevice *xendev)
 {
     struct XenBlkDev *blkdev = container_of(xendev, struct XenBlkDev, xendev);
@@ -717,6 +729,7 @@ static int blk_init(struct XenDevice *xendev)
                           MAX_RING_PAGE_ORDER);
 
     blk_parse_discard(blkdev);
+    blk_parse_cache_unsafe(blkdev);
 
     g_free(directiosafe);
     return 0;
@@ -746,6 +759,7 @@ static int blk_connect(struct XenDevice *xendev)
     int order, ring_ref;
     unsigned int ring_size, max_grants;
     unsigned int i;
+    Error *errp = NULL;
 
     trace_xen_disk_connect(xendev->name);
 
@@ -764,6 +778,9 @@ static int blk_connect(struct XenDevice *xendev)
         qflags |= BDRV_O_UNMAP;
     }
 
+    if (blkdev->cache_unsafe)
+        qflags |= BDRV_O_NO_FLUSH;
+
     /* init qemu block driver */
     index = (xendev->dev - 202 * 256) / 16;
     blkdev->dinfo = drive_get(IF_XEN, 0, index);
@@ -802,6 +819,13 @@ static int blk_connect(struct XenDevice *xendev)
         blk_ref(blkdev->blk);
     }
     blk_attach_dev_legacy(blkdev->blk, blkdev);
+    if (!monitor_add_blk(blkdev->blk, g_strdup(blkdev->dev), &errp)) {
+        xen_pv_printf(&blkdev->xendev, 0, "error: %s\n",
+                      error_get_pretty(errp));
+        error_free(errp);
+        return -1;
+    }
+
     blkdev->file_size = blk_getlength(blkdev->blk);
     if (blkdev->file_size < 0) {
         BlockDriverState *bs = blk_bs(blkdev->blk);
@@ -952,6 +976,7 @@ static void blk_disconnect(struct XenDevice *xendev)
     if (blkdev->blk) {
         blk_set_aio_context(blkdev->blk, qemu_get_aio_context());
         blk_detach_dev(blkdev->blk, blkdev);
+        monitor_remove_blk(blkdev->blk);
         blk_unref(blkdev->blk);
         blkdev->blk = NULL;
     }
@@ -999,6 +1024,21 @@ static void blk_event(struct XenDevice *xendev)
     qemu_bh_schedule(blkdev->bh);
 }
 
+void xen_blk_resize_cb(void *dev)
+{
+    struct XenBlkDev *blkdev = dev;
+    blkdev->file_size = blk_getlength(blkdev->blk);
+    xenstore_write_be_int64(&blkdev->xendev, "sectors",
+                            blkdev->file_size / blkdev->file_blk);
+    xen_be_set_state(&blkdev->xendev, blkdev->xendev.be_state);
+}
+
+char *xen_blk_get_attached_dev_id(void *dev)
+{
+    struct XenBlkDev *blkdev = dev;
+    return g_strdup_printf("xen-qdisk-%i", blkdev->xendev.dev);
+}
+
 struct XenDevOps xen_blkdev_ops = {
     .flags      = DEVOPS_FLAG_NEED_GNTDEV,
     .size       = sizeof(struct XenBlkDev),

hw/i386/pc_piix.c

@@ -809,7 +809,32 @@ DEFINE_I440FX_MACHINE(v1_0, "pc-1.0", pc_compat_1_2,
 
 
 #define PC_COMPAT_0_15 \
-        PC_CPU_MODEL_IDS("0.15")
+        PC_CPU_MODEL_IDS("0.15")\
+        {\
+            .driver   = "VGA",\
+            .property = "vgamem_mb",\
+            .value    = stringify(16),\
+        },{\
+            .driver   = "vmware-svga",\
+            .property = "vgamem_mb",\
+            .value    = stringify(16),\
+        },{\
+            .driver   = "qxl-vga",\
+            .property = "vgamem_mb",\
+            .value    = stringify(16),\
+        },{\
+            .driver   = "qxl",\
+            .property = "vgamem_mb",\
+            .value    = stringify(16),\
+        },{\
+            .driver   = "isa-cirrus-vga",\
+            .property = "vgamem_mb",\
+            .value    = stringify(16),\
+        },{\
+            .driver   = "cirrus-vga",\
+            .property = "vgamem_mb",\
+            .value    = stringify(16),\
+        },
 
 static void pc_i440fx_0_15_machine_options(MachineClass *m)
 {

hw/smbios/smbios.c

@@ -952,6 +952,9 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
 {
     const char *val;
 
+    int i, terminator_count = 2, table_str_field_count = 0;
+    int *tables_str_field_offset = NULL;
+
     assert(!smbios_immutable);
 
     val = qemu_opt_get(opts, "file");
@@ -993,7 +996,94 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
             smbios_type4_count++;
         }
 
+        switch (header->type) {
+        case 0:
+            tables_str_field_offset = g_malloc0(sizeof(int) * \
+                                                TYPE_0_STR_FIELD_COUNT);
+            tables_str_field_offset = (int []){\
+                                    TYPE_0_STR_FIELD_OFFSET_VENDOR, \
+                                    TYPE_0_STR_FIELD_OFFSET_BIOS_VERSION, \
+                                    TYPE_0_STR_FIELD_OFFSET_BIOS_RELEASE_DATE};
+            table_str_field_count = sizeof(tables_str_field_offset) / \
+                                    sizeof(tables_str_field_offset[0]);
+            break;
+        case 1:
+            tables_str_field_offset = g_malloc0(sizeof(int) * \
+                                                TYPE_1_STR_FIELD_COUNT);
+            tables_str_field_offset = (int []){
+                                    TYPE_1_STR_FIELD_OFFSET_MANUFACTURER, \
+                                    TYPE_1_STR_FIELD_OFFSET_PRODUCT, \
+                                    TYPE_1_STR_FIELD_OFFSET_VERSION, \
+                                    TYPE_1_STR_FIELD_OFFSET_SERIAL, \
+                                    TYPE_1_STR_FIELD_OFFSET_SKU, \
+                                    TYPE_1_STR_FIELD_OFFSET_FAMILY};
+            table_str_field_count = sizeof(tables_str_field_offset) / \
+                                    sizeof(tables_str_field_offset[0]);
+            break;
+        case 2:
+            tables_str_field_offset = g_malloc0(sizeof(int) * \
+                                                TYPE_2_STR_FIELD_COUNT);
+            tables_str_field_offset = (int []){\
+                                    TYPE_2_STR_FIELD_OFFSET_MANUFACTURER, \
+                                    TYPE_2_STR_FIELD_OFFSET_PRODUCT, \
+                                    TYPE_2_STR_FIELD_OFFSET_VERSION, \
+                                    TYPE_2_STR_FIELD_OFFSET_SERIAL, \
+                                    TYPE_2_STR_FIELD_OFFSET_ASSET, \
+                                    TYPE_2_STR_FIELD_OFFSET_LOCATION};
+            table_str_field_count = sizeof(tables_str_field_offset) / \
+                                    sizeof(tables_str_field_offset[0]);
+            break;
+        case 3:
+            tables_str_field_offset = g_malloc0(sizeof(int) * \
+                                                TYPE_3_STR_FIELD_COUNT);
+            tables_str_field_offset = (int []){\
+                                    TYPE_3_STR_FIELD_OFFSET_MANUFACTURER, \
+                                    TYPE_3_STR_FIELD_OFFSET_VERSION, \
+                                    TYPE_3_STR_FIELD_OFFSET_SERIAL, \
+                                    TYPE_3_STR_FIELD_OFFSET_ASSET, \
+                                    TYPE_3_STR_FIELD_OFFSET_SKU};
+            table_str_field_count = sizeof(tables_str_field_offset) / \
+                                    sizeof(tables_str_field_offset[0]);
+            break;
+        case 4:
+            tables_str_field_offset = g_malloc0(sizeof(int) * \
+                                                TYPE_4_STR_FIELD_COUNT);
+            tables_str_field_offset = (int []){\
+                                    TYPE_4_STR_FIELD_OFFSET_SOCKET, \
+                                    TYPE_4_STR_FIELD_OFFSET_PROCESSOR_MANUFACTURER, \
+                                    TYPE_4_STR_FIELD_OFFSET_PROCESSOR_VERSION, \
+                                    TYPE_4_STR_FIELD_OFFSET_SERIAL, \
+                                    TYPE_4_STR_FIELD_OFFSET_ASSET, \
+                                    TYPE_4_STR_FIELD_OFFSET_PART};
+            table_str_field_count = sizeof(tables_str_field_offset) / \
+                                    sizeof(tables_str_field_offset[0]);
+            break;
+        case 17:
+            tables_str_field_offset = g_malloc0(sizeof(int) * \
+                                                TYPE_17_STR_FIELD_COUNT);
+            tables_str_field_offset = (int []){\
+                                    TYPE_17_STR_FIELD_OFFSET_DEVICE_LOCATOR, \
+                                    TYPE_17_STR_FIELD_OFFSET_BANK_LOCATOR, \
+                                    TYPE_17_STR_FIELD_OFFSET_MANUFACTURER, \
+                                    TYPE_17_STR_FIELD_OFFSET_SERIAL, \
+                                    TYPE_17_STR_FIELD_OFFSET_ASSET, \
+                                    TYPE_17_STR_FIELD_OFFSET_PART};
+            table_str_field_count = sizeof(tables_str_field_offset) / \
+                                    sizeof(tables_str_field_offset[0]);
+            break;
+        default:
+            break;
+        }
+
+        for (i = 0; i < table_str_field_count; i++) {
+            if (*(uint8_t *)(smbios_tables + tables_str_field_offset[i]) > 0) {
+                terminator_count = 1;
+                break;
+            }
+        }
+
         smbios_tables_len += size;
+        smbios_tables_len += terminator_count;
         if (size > smbios_table_max) {
             smbios_table_max = size;
         }

hw/timer/i8254_common.c

@@ -259,6 +259,12 @@ static int pit_dispatch_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool is_qemu_kvm(void *opaque, int version_id)
+{
+    /* HACK: We ignore incoming migration from upstream qemu */
+    return version_id < 3;
+}
+
 static const VMStateDescription vmstate_pit_common = {
     .name = "i8254",
     .version_id = 3,
@@ -268,6 +274,7 @@ static const VMStateDescription vmstate_pit_common = {
     .pre_save = pit_dispatch_pre_save,
     .post_load = pit_dispatch_post_load,
     .fields = (VMStateField[]) {
+        VMSTATE_UNUSED_TEST(is_qemu_kvm, 4),
         VMSTATE_UINT32_V(channels[0].irq_disabled, PITCommonState, 3),
         VMSTATE_STRUCT_ARRAY(channels, PITCommonState, 3, 2,
                              vmstate_pit_channel, PITChannelState),

include/chardev/char-mux.h

@@ -34,6 +34,9 @@ typedef struct MuxChardev {
     Chardev parent;
     CharBackend *backends[MAX_MUX];
     CharBackend chr;
+#if defined(TARGET_S390X)
+    QEMUTimer *accept_timer;
+#endif
     int focus;
     int mux_cnt;
     int term_got_escape;

include/hw/smbios/smbios.h

@@ -272,4 +272,48 @@ void smbios_get_tables(const struct smbios_phys_mem_area *mem_array,
                        const unsigned int mem_array_size,
                        uint8_t **tables, size_t *tables_len,
                        uint8_t **anchor, size_t *anchor_len);
+
+#define TYPE_0_STR_FIELD_OFFSET_VENDOR 0x4
+#define TYPE_0_STR_FIELD_OFFSET_BIOS_VERSION 0x5
+#define TYPE_0_STR_FIELD_OFFSET_BIOS_RELEASE_DATE 0x8
+#define TYPE_0_STR_FIELD_COUNT 3
+
+#define TYPE_1_STR_FIELD_OFFSET_MANUFACTURER 0x4
+#define TYPE_1_STR_FIELD_OFFSET_PRODUCT 0x5
+#define TYPE_1_STR_FIELD_OFFSET_VERSION 0x6
+#define TYPE_1_STR_FIELD_OFFSET_SERIAL 0x7
+#define TYPE_1_STR_FIELD_OFFSET_SKU 0x19
+#define TYPE_1_STR_FIELD_OFFSET_FAMILY 0x1a
+#define TYPE_1_STR_FIELD_COUNT 6
+
+#define TYPE_2_STR_FIELD_OFFSET_MANUFACTURER 0x4
+#define TYPE_2_STR_FIELD_OFFSET_PRODUCT 0x5
+#define TYPE_2_STR_FIELD_OFFSET_VERSION 0x6
+#define TYPE_2_STR_FIELD_OFFSET_SERIAL 0x7
+#define TYPE_2_STR_FIELD_OFFSET_ASSET 0x8
+#define TYPE_2_STR_FIELD_OFFSET_LOCATION 0xa
+#define TYPE_2_STR_FIELD_COUNT 6
+
+#define TYPE_3_STR_FIELD_OFFSET_MANUFACTURER 0x4
+#define TYPE_3_STR_FIELD_OFFSET_VERSION 0x6
+#define TYPE_3_STR_FIELD_OFFSET_SERIAL 0x7
+#define TYPE_3_STR_FIELD_OFFSET_ASSET 0x8
+#define TYPE_3_STR_FIELD_OFFSET_SKU 0x14
+#define TYPE_3_STR_FIELD_COUNT 5
+
+#define TYPE_4_STR_FIELD_OFFSET_SOCKET 0x4
+#define TYPE_4_STR_FIELD_OFFSET_PROCESSOR_MANUFACTURER 0x7
+#define TYPE_4_STR_FIELD_OFFSET_PROCESSOR_VERSION 0x10
+#define TYPE_4_STR_FIELD_OFFSET_SERIAL 0x20
+#define TYPE_4_STR_FIELD_OFFSET_ASSET 0x21
+#define TYPE_4_STR_FIELD_OFFSET_PART 0x22
+#define TYPE_4_STR_FIELD_COUNT 6
+
+#define TYPE_17_STR_FIELD_OFFSET_DEVICE_LOCATOR 0x10
+#define TYPE_17_STR_FIELD_OFFSET_BANK_LOCATOR 0x11
+#define TYPE_17_STR_FIELD_OFFSET_MANUFACTURER 0x17
+#define TYPE_17_STR_FIELD_OFFSET_SERIAL 0x18
+#define TYPE_17_STR_FIELD_OFFSET_ASSET 0x19
+#define TYPE_17_STR_FIELD_OFFSET_PART 0x1a
+#define TYPE_17_STR_FIELD_COUNT 6
 #endif /* QEMU_SMBIOS_H */

include/hw/xen/xen.h

@@ -48,4 +48,8 @@ void xen_hvm_modified_memory(ram_addr_t start, ram_addr_t length);
 
 void xen_register_framebuffer(struct MemoryRegion *mr);
 
+void xen_blk_resize_cb(void *dev);
+
+char *xen_blk_get_attached_dev_id(void *dev);
+
 #endif /* QEMU_HW_XEN_H */

include/qemu/thread.h

@@ -240,4 +240,5 @@ void qemu_lockcnt_inc_and_unlock(QemuLockCnt *lockcnt);
  */
 unsigned qemu_lockcnt_count(QemuLockCnt *lockcnt);
 
+bool spec_ctrl_is_inconsistent(void);
 #endif

include/sysemu/block-backend.h

@@ -236,5 +236,6 @@ int coroutine_fn blk_co_copy_range(BlockBackend *blk_in, int64_t off_in,
                                    BlockBackend *blk_out, int64_t off_out,
                                    int bytes, BdrvRequestFlags read_flags,
                                    BdrvRequestFlags write_flags);
+void blk_legacy_resize_cb(BlockBackend *blk);
 
 #endif

linux-headers/asm-s390/kvm.h

@@ -4,7 +4,7 @@
 /*
  * KVM s390 specific structures and definitions
  *
- * Copyright IBM Corp. 2008
+ * Copyright IBM Corp. 2008, 2018
  *
  *    Author(s): Carsten Otte <cotte@de.ibm.com>
  *               Christian Borntraeger <borntraeger@de.ibm.com>
@@ -225,6 +225,7 @@ struct kvm_guest_debug_arch {
 #define KVM_SYNC_FPRS   (1UL << 8)
 #define KVM_SYNC_GSCB   (1UL << 9)
 #define KVM_SYNC_BPBC   (1UL << 10)
+#define KVM_SYNC_ETOKEN (1UL << 11)
 /* length and alignment of the sdnx as a power of two */
 #define SDNXC 8
 #define SDNXL (1UL << SDNXC)
@@ -258,6 +259,8 @@ struct kvm_sync_regs {
 		struct {
 			__u64 reserved1[2];
 			__u64 gscb[4];
+			__u64 etoken;
+			__u64 etoken_extension;
 		};
 	};
 };

linux-user/Makefile.objs

@@ -7,3 +7,5 @@ obj-$(TARGET_HAS_BFLT) += flatload.o
 obj-$(TARGET_I386) += vm86.o
 obj-$(TARGET_ARM) += arm/nwfpe/
 obj-$(TARGET_M68K) += m68k-sim.o
+
+obj-binfmt-y = binfmt.o

linux-user/binfmt.c

@@ -0,0 +1,68 @@
+#include <stdio.h>
+#include <stdarg.h>
+#include <unistd.h>
+#include <libgen.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef __x86_64__
+#define ARCH_NAME "x86_64"
+#endif
+
+int main(int argc, char **argv, char **envp)
+{
+    char *binfmt;
+    char **new_argv;
+
+    /*
+     * Check if our file name ends with -binfmt
+     */
+    binfmt = argv[0] + strlen(argv[0]) - strlen("-binfmt");
+    if (strcmp(binfmt, "-binfmt")) {
+        fprintf(stderr, "%s: Invalid executable name\n", argv[0]);
+        exit(1);
+    }
+    if (argc < 3) {
+        fprintf(stderr, "%s: Please use me through binfmt with P flag\n",
+                argv[0]);
+        exit(1);
+    }
+
+    binfmt[0] = '\0';
+    /* Now argv[0] is the real qemu binary name */
+
+#ifdef ARCH_NAME
+    {
+        char *hostbin;
+        char *guestarch;
+        int r;
+
+        guestarch = strrchr(argv[0], '-') ;
+        if (!guestarch) {
+            goto skip;
+        }
+        guestarch++;
+        r = asprintf(&hostbin, "/emul/" ARCH_NAME "-for-%s/%s", guestarch, argv[1]);
+        if ((r > 0) && !access(hostbin, X_OK)) {
+            /*
+             * We found a host binary replacement for the non-host binary. Let's
+             * use that instead!
+             */
+            return execve(hostbin, &argv[2], envp);
+        }
+    }
+skip:
+#endif
+
+    new_argv = (char **)malloc((argc + 2) * sizeof(*new_argv));
+    if (argc > 3) {
+        memcpy(&new_argv[4], &argv[3], (argc - 3) * sizeof(*new_argv));
+    }
+    new_argv[0] = argv[0];
+    new_argv[1] = (char *)"-0";
+    new_argv[2] = argv[2];
+    new_argv[3] = argv[1];
+    new_argv[argc + 1] = NULL;
+
+    return execve(new_argv[0], new_argv, envp);
+}

linux-user/qemu.h

@@ -202,10 +202,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src,
 void target_set_brk(abi_ulong new_brk);
 abi_long do_brk(abi_ulong new_brk);
 void syscall_init(void);
-abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
-                    abi_long arg2, abi_long arg3, abi_long arg4,
-                    abi_long arg5, abi_long arg6, abi_long arg7,
-                    abi_long arg8);
+abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
+                    abi_ulong arg2, abi_ulong arg3, abi_ulong arg4,
+                    abi_ulong arg5, abi_ulong arg6, abi_ulong arg7,
+                    abi_ulong arg8);
 void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 extern __thread CPUState *thread_cpu;
 void cpu_loop(CPUArchState *env);

linux-user/signal.c

@@ -575,6 +575,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
     trace_user_force_sig(env, target_sig, host_sig);
     gdb_signalled(env, target_sig);
 
+    if (target_sig == 6) {
+        goto no_core;
+    }
+
     /* dump core if supported by target binary format */
     if (core_dump_signal(target_sig) && (ts->bprm->core_dump != NULL)) {
         stop_all_tasks();
@@ -592,6 +596,8 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
             target_sig, strsignal(host_sig), "core dumped" );
     }
 
+no_core:
+
     /* The proper exit code for dying from an uncaught signal is
      * -<signal>.  The kernel doesn't allow exit() or _exit() to pass
      * a negative value.  To get the proper exit code we need to

linux-user/syscall.c

@@ -5770,7 +5770,12 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
     ie = ioctl_entries;
     for(;;) {
         if (ie->target_cmd == 0) {
-            gemu_log("Unsupported ioctl: cmd=0x%04lx\n", (long)cmd);
+	    int i;
+            gemu_log("Unsupported ioctl: cmd=0x%04lx (%x)\n", (unsigned long)cmd, (unsigned int)(cmd & (TARGET_IOC_SIZEMASK << TARGET_IOC_SIZESHIFT)) >> TARGET_IOC_SIZESHIFT);
+            for (i = 0; ioctl_entries[i].target_cmd; i++) {
+		if ((ioctl_entries[i].target_cmd & ~(TARGET_IOC_SIZEMASK << TARGET_IOC_SIZESHIFT)) == (cmd & ~(TARGET_IOC_SIZEMASK << TARGET_IOC_SIZESHIFT)))
+		    gemu_log("%p\t->\t%s (%x)\n", (void *)(unsigned long)ioctl_entries[i].host_cmd, ioctl_entries[i].name, (ioctl_entries[i].target_cmd & (TARGET_IOC_SIZEMASK << TARGET_IOC_SIZESHIFT)) >> TARGET_IOC_SIZESHIFT);
+	    }
             return -TARGET_ENOSYS;
         }
         if (ie->target_cmd == cmd)
@@ -5802,6 +5807,11 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
         arg_type++;
         target_size = thunk_type_size(arg_type, 0);
         switch(ie->access) {
+	/* FIXME: actually the direction given in the ioctl should be
+	 * correct so we can assume the communication is uni-directional.
+	 * The alsa developers did not like this concept though and
+	 * declared ioctls IOC_R and IOC_W even though they were IOC_RW.*/
+/*
         case IOC_R:
             ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
             if (!is_error(ret)) {
@@ -5820,6 +5830,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
             unlock_user(argptr, arg, 0);
             ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
             break;
+*/
         default:
         case IOC_RW:
             argptr = lock_user(VERIFY_READ, arg, target_size, 1);
@@ -7691,6 +7702,25 @@ static int open_self_stat(void *cpu_env, int fd)
     return 0;
 }
 
+static int open_cpuinfo(void *cpu_env, int fd)
+{
+    dprintf(fd,
+"Processor       : ARMv7 Processor rev 5 (v7l)\n"
+"BogoMIPS        : 799.53\n"
+"Features        : swp half thumb fastmult vfp edsp thumbee neon vfpv3\n"
+"CPU implementer : 0x41\n"
+"CPU architecture: 7\n"
+"CPU variant     : 0x2\n"
+"CPU part        : 0xc08\n"
+"CPU revision    : 5\n"
+"\n"
+"Hardware        : Genesi Efika MX (Smarttop)\n"
+"Revision        : 51030\n"
+"Serial          : 0000000000000000\n");
+
+    return 0;
+}
+
 static int open_self_auxv(void *cpu_env, int fd)
 {
     CPUState *cpu = ENV_GET_CPU((CPUArchState *)cpu_env);
@@ -7805,6 +7835,7 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
 #if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
         { "/proc/net/route", open_net_route, is_proc },
 #endif
+        { "cpuinfo", open_cpuinfo, is_proc_myself },
         { NULL, NULL, NULL }
     };
 
@@ -7989,10 +8020,10 @@ static int host_to_target_cpu_mask(const unsigned long *host_mask,
 /* do_syscall() should always have a single exit point at the end so
    that actions, such as logging of syscall results, can be performed.
    All errnos that do_syscall() returns must be -TARGET_<errcode>. */
-abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
-                    abi_long arg2, abi_long arg3, abi_long arg4,
-                    abi_long arg5, abi_long arg6, abi_long arg7,
-                    abi_long arg8)
+abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
+                    abi_ulong arg2, abi_ulong arg3, abi_ulong arg4,
+                    abi_ulong arg5, abi_ulong arg6, abi_ulong arg7,
+                    abi_ulong arg8)
 {
     CPUState *cpu = ENV_GET_CPU(cpu_env);
     abi_long ret;
@@ -8365,9 +8396,14 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     case TARGET_NR_oldstat:
         goto unimplemented;
 #endif
-    case TARGET_NR_lseek:
-        ret = get_errno(lseek(arg1, arg2, arg3));
+    case TARGET_NR_lseek: {
+        off_t off = arg2;
+        if (arg3 != SEEK_SET) {
+            off = (abi_long)arg2;
+        }
+        ret = get_errno(lseek(arg1, off, arg3));
         break;
+    }
 #if defined(TARGET_NR_getxpid) && defined(TARGET_ALPHA)
     /* Alpha specific */
     case TARGET_NR_getxpid:
@@ -9292,6 +9328,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     case TARGET_NR_gettimeofday:
         {
             struct timeval tv;
+            if(copy_from_user_timeval(&tv, arg1))
+		goto efault;
             ret = get_errno(gettimeofday(&tv, NULL));
             if (!is_error(ret)) {
                 if (copy_to_user_timeval(arg1, &tv))
@@ -10542,7 +10580,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             {
                 struct timespec ts, *pts;
 
-                if (arg3 >= 0) {
+                if ((abi_long)arg3 >= 0) {
                     /* Convert ms to secs, ns */
                     ts.tv_sec = arg3 / 1000;
                     ts.tv_nsec = (arg3 % 1000) * 1000000LL;

migration/migration.c

@@ -2575,6 +2575,14 @@ static void migration_completion(MigrationState *s)
         migrate_set_state(&s->state, current_active_state,
                           MIGRATION_STATUS_COMPLETED);
     }
+    if (spec_ctrl_is_inconsistent()) {
+        fprintf(stderr, "WARNING! Migration from qemu with rudimentary "
+                        "Spectre v2 support to newer qemu\ndetected! To "
+                        "maintain proper protection, restart the guest as "
+                        "soon as possible\nusing the spec_ctrl cpu feature "
+                        "flag or a *-IBRS vcpu model specified\nas appropriate."
+                        "\n");
+    }
 
     return;
 

pc-bios/keymaps/en-us

@@ -343,12 +343,6 @@ KP_Decimal 0x53 numlock
 
 # evdev 85 (0x55): no evdev -> QKeyCode mapping (xkb keysym NoSymbol)
 
-# evdev 86 (0x56), QKeyCode "less", number 0x56
-less 0x56
-greater 0x56 shift
-bar 0x56 altgr
-brokenbar 0x56 shift altgr
-
 # evdev 87 (0x57), QKeyCode "f11", number 0x57
 F11 0x57
 

qapi/string-input-visitor.c

@@ -44,7 +44,8 @@ static void free_range(void *range, void *dummy)
     g_free(range);
 }
 
-static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
+static int parse_str(StringInputVisitor *siv, const char *name, bool u64,
+                     Error **errp)
 {
     char *str = (char *) siv->string;
     long long start, end;
@@ -61,7 +62,11 @@ static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
 
     do {
         errno = 0;
-        start = strtoll(str, &endptr, 0);
+        if (u64) {
+            start = strtoull(str, &endptr, 0);
+        } else {
+            start = strtoll(str, &endptr, 0);
+        }
         if (errno == 0 && endptr > str) {
             if (*endptr == '\0') {
                 cur = g_malloc0(sizeof(*cur));
@@ -72,7 +77,11 @@ static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
             } else if (*endptr == '-') {
                 str = endptr + 1;
                 errno = 0;
-                end = strtoll(str, &endptr, 0);
+                if (u64) {
+                    end = strtoull(str, &endptr, 0);
+                } else {
+                    end = strtoll(str, &endptr, 0);
+                }
                 if (errno == 0 && endptr > str && start <= end &&
                     (start > INT64_MAX - 65536 ||
                      end < start + 65536)) {
@@ -128,7 +137,7 @@ start_list(Visitor *v, const char *name, GenericList **list, size_t size,
     assert(list);
     siv->list = list;
 
-    if (parse_str(siv, name, errp) < 0) {
+    if (parse_str(siv, name, false, errp) < 0) {
         *list = NULL;
         return;
     }
@@ -216,7 +225,7 @@ static void parse_type_int64(Visitor *v, const char *name, int64_t *obj,
 {
     StringInputVisitor *siv = to_siv(v);
 
-    if (parse_str(siv, name, errp) < 0) {
+    if (parse_str(siv, name, false, errp) < 0) {
         return;
     }
 
@@ -252,15 +261,43 @@ error:
 static void parse_type_uint64(Visitor *v, const char *name, uint64_t *obj,
                               Error **errp)
 {
-    /* FIXME: parse_type_int64 mishandles values over INT64_MAX */
-    int64_t i;
-    Error *err = NULL;
-    parse_type_int64(v, name, &i, &err);
-    if (err) {
-        error_propagate(errp, err);
-    } else {
-        *obj = i;
+    StringInputVisitor *siv = to_siv(v);
+
+    if (!siv->string) {
+        error_setg(errp, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
+                   "integer");
+        return;
     }
+
+    parse_str(siv, name, true, errp);
+
+    if (!siv->ranges) {
+        goto error;
+    }
+
+    if (!siv->cur_range) {
+        Range *r;
+
+        siv->cur_range = g_list_first(siv->ranges);
+        if (!siv->cur_range) {
+            goto error;
+        }
+
+        r = siv->cur_range->data;
+        if (!r) {
+            goto error;
+        }
+
+        siv->cur = range_lob(r);
+    }
+
+    *obj = siv->cur;
+    siv->cur++;
+    return;
+
+error:
+    error_setg(errp, QERR_INVALID_PARAMETER_VALUE, name,
+               "a uint64 value or range");
 }
 
 static void parse_type_size(Visitor *v, const char *name, uint64_t *obj,

qemu-bridge-helper.c

@@ -110,7 +110,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
         *argend = 0;
 
         if (strcmp(cmd, "deny") == 0) {
-            acl_rule = g_malloc(sizeof(*acl_rule));
+            acl_rule = calloc(1, sizeof(*acl_rule));
+            if (!acl_rule) {
+                fclose(f);
+                errno = ENOMEM;
+                return -1;
+            }
             if (strcmp(arg, "all") == 0) {
                 acl_rule->type = ACL_DENY_ALL;
             } else {
@@ -119,7 +124,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
             }
             QSIMPLEQ_INSERT_TAIL(acl_list, acl_rule, entry);
         } else if (strcmp(cmd, "allow") == 0) {
-            acl_rule = g_malloc(sizeof(*acl_rule));
+            acl_rule = calloc(1, sizeof(*acl_rule));
+            if (!acl_rule) {
+                fclose(f);
+                errno = ENOMEM;
+                return -1;
+            }
             if (strcmp(arg, "all") == 0) {
                 acl_rule->type = ACL_ALLOW_ALL;
             } else {
@@ -413,6 +423,17 @@ int main(int argc, char **argv)
         goto cleanup;
     }
 
+#ifndef CONFIG_LIBCAP
+    /* avoid sending the fd as root user if running suid to not fool
+     * peer credentials to daemons that dont expect that
+     */
+    if (setuid(getuid()) < 0) {
+        fprintf(stderr, "Failed to drop privileges.\n");
+        ret = EXIT_FAILURE;
+        goto cleanup;
+    }
+#endif
+
     /* write fd to the domain socket */
     if (send_fd(unixfd, fd) == -1) {
         fprintf(stderr, "failed to write fd to unix socket: %s\n",
@@ -434,7 +455,7 @@ cleanup:
     }
     while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&acl_list, entry);
-        g_free(acl_rule);
+        free(acl_rule);
     }
 
     return ret;

qemu-seccomp.c

@@ -20,6 +20,7 @@
 #include <sys/prctl.h>
 #include <seccomp.h>
 #include "sysemu/seccomp.h"
+#include <linux/seccomp.h>
 
 /* For some architectures (notably ARM) cacheflush is not supported until
  * libseccomp 2.2.3, but configure enforces that we are using a more recent
@@ -107,12 +108,39 @@ static const struct QemuSeccompSyscall blacklist[] = {
     { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
 };
 
+static inline __attribute__((unused)) int
+qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
+{
+#ifdef __NR_seccomp
+    return syscall(__NR_seccomp, operation, flags, args);
+#else
+    errno = ENOSYS;
+    return -1;
+#endif
+}
+
+static uint32_t qemu_seccomp_get_kill_action(void)
+{
+#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
+    defined(SECCOMP_RET_KILL_PROCESS)
+    {
+        uint32_t action = SECCOMP_RET_KILL_PROCESS;
+
+        if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+            return SCMP_ACT_KILL_PROCESS;
+        }
+    }
+#endif
+
+    return SCMP_ACT_TRAP;
+}
 
 static int seccomp_start(uint32_t seccomp_opts)
 {
     int rc = 0;
     unsigned int i = 0;
     scmp_filter_ctx ctx;
+    uint32_t action = qemu_seccomp_get_kill_action();
 
     ctx = seccomp_init(SCMP_ACT_ALLOW);
     if (ctx == NULL) {
@@ -120,12 +148,17 @@ static int seccomp_start(uint32_t seccomp_opts)
         goto seccomp_return;
     }
 
+    rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+    if (rc != 0) {
+        goto seccomp_return;
+    }
+
     for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
         if (!(seccomp_opts & blacklist[i].set)) {
             continue;
         }
 
-        rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
+        rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
                                     blacklist[i].narg, blacklist[i].arg_cmp);
         if (rc < 0) {
             goto seccomp_return;
@@ -248,7 +281,24 @@ static QemuOptsList qemu_sandbox_opts = {
 
 static void seccomp_register(void)
 {
-    qemu_add_opts(&qemu_sandbox_opts);
+    bool add = false;
+
+    /* FIXME: use seccomp_api_get() >= 2 check when released */
+
+#if defined(SECCOMP_FILTER_FLAG_TSYNC)
+    int check;
+
+    /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
+    check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
+                         SECCOMP_FILTER_FLAG_TSYNC, NULL);
+    if (check < 0 && errno == EFAULT) {
+        add = true;
+    }
+#endif
+
+    if (add) {
+        qemu_add_opts(&qemu_sandbox_opts);
+    }
 }
 opts_init(seccomp_register);
 #endif

roms/Makefile

@@ -52,6 +52,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu-project.org"
 #
 EFIROM ?= $(shell which EfiRom 2>/dev/null)
 
+# NB: Certain SUSE qemu subpackages use date information, but we want
+#  reproducible builds, so we use a pre-determined timestamp, rather
+#  than the current timestamp to acheive consistent results build to
+#  build.
+PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s)
+
 default:
 	@echo "nothing is build by default"
 	@echo "available build targets:"
@@ -95,7 +101,7 @@ build-seabios-config-%: config.%
 
 .PHONY: sgabios skiboot
 sgabios:
-	$(MAKE) -C sgabios
+	$(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP)
 	cp sgabios/sgabios.bin ../pc-bios
 
 
@@ -115,18 +121,22 @@ efi-rom-%: build-pxe-roms build-efi-roms
 
 build-pxe-roms:
 	$(MAKE) -C ipxe/src CONFIG=qemu \
+		PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
 		CROSS_COMPILE=$(x86_64_cross_prefix) \
 		$(patsubst %,bin/%.rom,$(pxerom_targets))
 
 build-efi-roms: build-pxe-roms
 	$(MAKE) -C ipxe/src CONFIG=qemu \
+		PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
 		CROSS_COMPILE=$(x86_64_cross_prefix) \
 		$(patsubst %,bin-i386-efi/%.efidrv,$(pxerom_targets)) \
 		$(patsubst %,bin-x86_64-efi/%.efidrv,$(pxerom_targets))
 
 
 slof:
-	$(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) qemu
+	$(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) \
+		PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
+		qemu
 	cp SLOF/boot_rom.bin ../pc-bios/slof.bin
 
 u-boot.e500:

scripts/analyze-migration.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
 #
 #  Migration Stream Analyzer
 #

scripts/qemu-binfmt-conf.sh

@@ -258,7 +258,7 @@ qemu_generate_register() {
         flags="${flags}F"
     fi
 
-    echo ":qemu-$cpu:M::$magic:$mask:$qemu:$flags"
+    echo ":qemu-$cpu:M::$magic:$mask:$qemu:P$flags"
 }
 
 qemu_register_interpreter() {
@@ -297,9 +297,9 @@ qemu_set_binfmts() {
             continue
         fi
 
-        qemu="$QEMU_PATH/qemu-$cpu"
+        qemu="$QEMU_PATH/qemu-$cpu-binfmt"
         if [ "$cpu" = "i486" ] ; then
-            qemu="$QEMU_PATH/qemu-i386"
+            qemu="$QEMU_PATH/qemu-i386-binfmt"
         fi
 
         qemu="$qemu$QEMU_SUFFIX"
@@ -315,7 +315,7 @@ BINFMT_SET=qemu_register_interpreter
 SYSTEMDDIR="/etc/binfmt.d"
 DEBIANDIR="/usr/share/binfmts"
 
-QEMU_PATH=/usr/local/bin
+QEMU_PATH=/usr/bin
 CREDENTIAL=no
 PERSISTENT=no
 QEMU_SUFFIX=""

scripts/vmstate-static-checker.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 #
 # Compares vmstate information stored in JSON format, obtained from
 # the -dump-vmstate QEMU command.

stubs/xen-common.c

@@ -12,3 +12,12 @@
 void xenstore_store_pv_console_info(int i, Chardev *chr)
 {
 }
+
+void xen_blk_resize_cb(void *dev)
+{
+}
+
+char *xen_blk_get_attached_dev_id(void *dev)
+{
+    return g_strdup("");
+}

target/i386/cpu.h

@@ -1675,7 +1675,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
 /* XXX: This value should match the one returned by CPUID
  * and in exec.c */
 # if defined(TARGET_X86_64)
-# define TCG_PHYS_ADDR_BITS 40
+# define TCG_PHYS_ADDR_BITS 42
 # else
 # define TCG_PHYS_ADDR_BITS 36
 # endif

target/s390x/cpu.h

@@ -2,6 +2,7 @@
  * S/390 virtual CPU header
  *
  *  Copyright (c) 2009 Ulrich Hecht
+ *  Copyright IBM Corp. 2012, 2018
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -68,6 +69,8 @@ struct CPUS390XState {
     uint32_t aregs[16];    /* access registers */
     uint8_t riccb[64];     /* runtime instrumentation control */
     uint64_t gscb[4];      /* guarded storage control */
+    uint64_t etoken;       /* etoken */
+    uint64_t etoken_extension; /* etoken extension */
 
     /* Fields up to this point are not cleared by initial CPU reset */
     struct {} start_initial_reset_fields;

target/s390x/cpu_features.c

@@ -1,7 +1,7 @@
 /*
  * CPU features/facilities for s390x
  *
- * Copyright 2016 IBM Corp.
+ * Copyright IBM Corp. 2016, 2018
  *
  * Author(s): David Hildenbrand <dahi@linux.vnet.ibm.com>
  *
@@ -106,6 +106,7 @@ static const S390FeatDef s390_features[] = {
     FEAT_INIT("irbm", S390_FEAT_TYPE_STFL, 145, "Insert-reference-bits-multiple facility"),
     FEAT_INIT("msa8-base", S390_FEAT_TYPE_STFL, 146, "Message-security-assist-extension-8 facility (excluding subfunctions)"),
     FEAT_INIT("cmmnt", S390_FEAT_TYPE_STFL, 147, "CMM: ESSA-enhancement (no translate) facility"),
+    FEAT_INIT("etoken", S390_FEAT_TYPE_STFL, 156, "Etoken facility"),
 
     /* SCLP SCCB Byte 80 - 98  (bit numbers relative to byte-80) */
     FEAT_INIT("gsls", S390_FEAT_TYPE_SCLP_CONF_CHAR, 40, "SIE: Guest-storage-limit-suppression facility"),

target/s390x/cpu_features_def.h

@@ -1,7 +1,7 @@
 /*
  * CPU features/facilities for s390
  *
- * Copyright 2016 IBM Corp.
+ * Copyright IBM Corp. 2016, 2018
  *
  * Author(s): Michael Mueller <mimu@linux.vnet.ibm.com>
  *            David Hildenbrand <dahi@linux.vnet.ibm.com>
@@ -93,6 +93,7 @@ typedef enum {
     S390_FEAT_INSERT_REFERENCE_BITS_MULT,
     S390_FEAT_MSA_EXT_8,
     S390_FEAT_CMM_NT,
+    S390_FEAT_ETOKEN,
 
     /* Sclp Conf Char */
     S390_FEAT_SIE_GSLS,

target/s390x/gen-features.c

@@ -1,7 +1,7 @@
 /*
  * S390 feature list generator
  *
- * Copyright 2016 IBM Corp.
+ * Copyright IBM Corp. 2016, 2018
  *
  * Author(s): Michael Mueller <mimu@linux.vnet.ibm.com>
  *            David Hildenbrand <dahi@linux.vnet.ibm.com>
@@ -471,6 +471,7 @@ static uint16_t full_GEN14_GA1[] = {
     S390_FEAT_GROUP_MSA_EXT_7,
     S390_FEAT_GROUP_MSA_EXT_8,
     S390_FEAT_CMM_NT,
+    S390_FEAT_ETOKEN,
     S390_FEAT_HPMA2,
     S390_FEAT_SIE_KSS,
     S390_FEAT_GROUP_MULTIPLE_EPOCH_PTFF,

target/s390x/kvm.c

@@ -493,6 +493,12 @@ int kvm_arch_put_registers(CPUState *cs, int level)
         cs->kvm_run->kvm_dirty_regs |= KVM_SYNC_BPBC;
     }
 
+    if (can_sync_regs(cs, KVM_SYNC_ETOKEN)) {
+        cs->kvm_run->s.regs.etoken = env->etoken;
+        cs->kvm_run->s.regs.etoken_extension  = env->etoken_extension;
+        cs->kvm_run->kvm_dirty_regs |= KVM_SYNC_ETOKEN;
+    }
+
     /* Finally the prefix */
     if (can_sync_regs(cs, KVM_SYNC_PREFIX)) {
         cs->kvm_run->s.regs.prefix = env->psa;
@@ -607,6 +613,11 @@ int kvm_arch_get_registers(CPUState *cs)
         env->bpbc = cs->kvm_run->s.regs.bpbc;
     }
 
+    if (can_sync_regs(cs, KVM_SYNC_ETOKEN)) {
+        env->etoken = cs->kvm_run->s.regs.etoken;
+        env->etoken_extension = cs->kvm_run->s.regs.etoken_extension;
+    }
+
     /* pfault parameters */
     if (can_sync_regs(cs, KVM_SYNC_PFAULT)) {
         env->pfault_token = cs->kvm_run->s.regs.pft;

target/s390x/machine.c

@@ -1,7 +1,7 @@
 /*
  * S390x machine definitions and functions
  *
- * Copyright IBM Corp. 2014
+ * Copyright IBM Corp. 2014, 2018
  *
  * Authors:
  *   Thomas Huth <thuth@linux.vnet.ibm.com>
@@ -216,6 +216,23 @@ const VMStateDescription vmstate_bpbc = {
     }
 };
 
+static bool etoken_needed(void *opaque)
+{
+    return s390_has_feat(S390_FEAT_ETOKEN);
+}
+
+const VMStateDescription vmstate_etoken = {
+    .name = "cpu/etoken",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = etoken_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(env.etoken, S390CPU),
+        VMSTATE_UINT64(env.etoken_extension, S390CPU),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 const VMStateDescription vmstate_s390_cpu = {
     .name = "cpu",
     .post_load = cpu_post_load,
@@ -251,6 +268,7 @@ const VMStateDescription vmstate_s390_cpu = {
         &vmstate_exval,
         &vmstate_gscb,
         &vmstate_bpbc,
+        &vmstate_etoken,
         NULL
     },
 };

tests/Makefile.include

@@ -129,6 +129,8 @@ check-unit-y += tests/check-qom-interface$(EXESUF)
 gcov-files-check-qom-interface-y = qom/object.c
 check-unit-y += tests/check-qom-proplist$(EXESUF)
 gcov-files-check-qom-proplist-y = qom/object.c
+check-unit-y += tests/check-qom-props$(EXESUF)
+gcov-files-check-qom-props-y = qom/object.c
 check-unit-y += tests/test-qemu-opts$(EXESUF)
 gcov-files-test-qemu-opts-y = util/qemu-option.c
 check-unit-y += tests/test-keyval$(EXESUF)
@@ -201,6 +203,8 @@ check-qtest-virtio-y += tests/virtio-rng-test$(EXESUF)
 gcov-files-virtio-y += hw/virtio/virtio-rng.c
 check-qtest-virtio-y += tests/virtio-scsi-test$(EXESUF)
 gcov-files-virtio-y += i386-softmmu/hw/scsi/virtio-scsi.c
+check-qtest-virtio-y += tests/scsi-disk-test$(EXESUF)
+gcov-files-virtio-y += i386-softmmu/hw/scsi/scsi-disk.c
 ifeq ($(CONFIG_VIRTIO)$(CONFIG_VIRTFS)$(CONFIG_PCI),yyy)
 check-qtest-virtio-y += tests/virtio-9p-test$(EXESUF)
 gcov-files-virtio-y += hw/9pfs/virtio-9p.c
@@ -629,6 +633,7 @@ tests/check-qjson$(EXESUF): tests/check-qjson.o $(test-util-obj-y)
 tests/check-qlit$(EXESUF): tests/check-qlit.o $(test-util-obj-y)
 tests/check-qom-interface$(EXESUF): tests/check-qom-interface.o $(test-qom-obj-y)
 tests/check-qom-proplist$(EXESUF): tests/check-qom-proplist.o $(test-qom-obj-y)
+tests/check-qom-props$(EXESUF): tests/check-qom-props.o $(test-qom-obj-y)
 
 tests/test-char$(EXESUF): tests/test-char.o $(test-util-obj-y) $(qtest-obj-y) $(test-io-obj-y) $(chardev-obj-y)
 tests/test-coroutine$(EXESUF): tests/test-coroutine.o $(test-block-obj-y)
@@ -837,6 +842,7 @@ tests/migration-test$(EXESUF): tests/migration-test.o
 tests/vhost-user-test$(EXESUF): tests/vhost-user-test.o $(test-util-obj-y) \
 	$(qtest-obj-y) $(test-io-obj-y) $(libqos-virtio-obj-y) $(libqos-pc-obj-y) \
 	$(chardev-obj-y)
+tests/scsi-disk-test$(EXESUF): tests/scsi-disk-test.o
 tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_helper.o
 tests/test-qemu-opts$(EXESUF): tests/test-qemu-opts.o $(test-util-obj-y)
 tests/test-keyval$(EXESUF): tests/test-keyval.o $(test-util-obj-y) $(test-qapi-obj-y)

tests/boot-serial-test.c

@@ -116,8 +116,8 @@ static bool check_guest_output(const testdef_t *test, int fd)
     int i, nbr = 0, pos = 0, ccnt;
     char ch;
 
-    /* Poll serial output... Wait at most 60 seconds */
-    for (i = 0; i < 6000; ++i) {
+    /* Poll serial output... Wait at most 360 seconds */
+    for (i = 0; i < 36000; ++i) {
         ccnt = 0;
         while (ccnt++ < 512 && (nbr = read(fd, &ch, 1)) == 1) {
             if (ch == test->expect[pos]) {

tests/check-qom-props.c

@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ * Copyright (c) 2015 SUSE Linux GmbH
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ *         Andreas Färber <afaerber@suse.com>
+ */
+
+#include "qemu/osdep.h"
+
+#include <glib.h>
+
+#include "qapi/visitor.h"
+#include "qom/object.h"
+#include "qemu/module.h"
+
+
+#define TYPE_DUMMY "qemu-dummy"
+
+typedef struct DummyObject DummyObject;
+typedef struct DummyObjectClass DummyObjectClass;
+
+#define DUMMY_OBJECT(obj)                               \
+    OBJECT_CHECK(DummyObject, (obj), TYPE_DUMMY)
+
+struct DummyObject {
+    Object parent_obj;
+
+    uint64_t u64val;
+};
+
+struct DummyObjectClass {
+    ObjectClass parent_class;
+};
+
+static void dummy_set_uint64(Object *obj, Visitor *v,
+                             const char *name, void *opaque,
+                             Error **errp)
+{
+    uint64_t *ptr = (uint64_t *)opaque;
+
+    visit_type_uint64(v, name, ptr, errp);
+}
+
+static void dummy_get_uint64(Object *obj, Visitor *v,
+                             const char *name, void *opaque,
+                             Error **errp)
+{
+    uint64_t value = *(uint64_t *)opaque;
+
+    visit_type_uint64(v, name, &value, errp);
+}
+
+static void dummy_init(Object *obj)
+{
+    DummyObject *dobj = DUMMY_OBJECT(obj);
+
+    object_property_add(obj, "u64val", "uint64",
+                              dummy_get_uint64,
+                              dummy_set_uint64,
+                              NULL, &dobj->u64val, NULL);
+}
+
+
+static const TypeInfo dummy_info = {
+    .name          = TYPE_DUMMY,
+    .parent        = TYPE_OBJECT,
+    .instance_size = sizeof(DummyObject),
+    .instance_init = dummy_init,
+    .class_size = sizeof(DummyObjectClass),
+};
+
+static void test_dummy_uint64(void)
+{
+    Error *err = NULL;
+    char *str;
+    DummyObject *dobj = DUMMY_OBJECT(object_new(TYPE_DUMMY));
+
+    g_assert(dobj->u64val == 0);
+
+    str = g_strdup_printf("%" PRIu64, UINT64_MAX);
+    object_property_parse(OBJECT(dobj), str, "u64val", &err);
+    g_free(str);
+    g_assert(!err);
+    g_assert_cmpint(dobj->u64val, ==, UINT64_MAX);
+
+    dobj->u64val = 0;
+    str = g_strdup_printf("0x%" PRIx64, UINT64_MAX);
+    object_property_parse(OBJECT(dobj), str, "u64val", &err);
+    g_free(str);
+    g_assert(!err);
+    g_assert_cmpint(dobj->u64val, ==, UINT64_MAX);
+
+    object_unref(OBJECT(dobj));
+}
+
+
+int main(int argc, char **argv)
+{
+    g_test_init(&argc, &argv, NULL);
+
+    module_call_init(MODULE_INIT_QOM);
+    type_register_static(&dummy_info);
+
+    g_test_add_func("/qom/props/uint64", test_dummy_uint64);
+
+    return g_test_run();
+}

tests/qemu-iotests/group

@@ -136,7 +136,7 @@
 127 rw auto backing quick
 128 rw auto quick
 129 rw auto quick
-130 rw auto quick
+#ISSUES 130 rw auto quick
 131 rw auto quick
 132 rw auto quick
 133 auto quick
@@ -159,7 +159,7 @@
 150 rw auto quick
 151 rw auto
 152 rw auto quick
-153 rw auto quick
+#ISSUES 153 rw auto quick
 154 rw auto backing quick
 155 rw auto
 156 rw auto quick
@@ -167,7 +167,7 @@
 158 rw auto quick
 159 rw auto quick
 160 rw auto quick
-162 auto quick
+#ISSUES 162 auto quick
 163 rw auto
 165 rw auto quick
 169 rw auto quick migration

tests/scsi-disk-test.c

@@ -0,0 +1,83 @@
+/*
+ * QTest testcase for SCSI disks
+ * See virtio-scsi-test for more integrated tests.
+ *
+ * Copyright (c) 2015 SUSE Linux GmbH
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include <glib.h>
+#include "libqtest.h"
+#include "qapi/qmp/qnum.h"
+#include "qapi/qmp/qdict.h"
+
+static void test_scsi_disk_common(const char *type, const char *id)
+{
+    char *cmdline, *path;
+    QDict *response;
+    QNum *value;
+
+    cmdline = g_strdup_printf(
+        "-drive id=drv0,if=none,file=/dev/null,format=raw "
+        "-device virtio-scsi-pci,id=scsi0 "
+        "-device %s,id=%s,bus=scsi0.0,drive=drv0"
+        ",wwn=0x%" PRIx64 ",port_wwn=0x%" PRIx64,
+        type, id, UINT64_MAX, UINT64_C(1) << 63);
+    qtest_start(cmdline);
+    g_free(cmdline);
+
+    path = g_strdup_printf("/machine/peripheral/%s", id);
+
+    response = qmp("{ 'execute': 'qom-get',"
+                   "  'arguments': { 'path': %s,"
+                   "                 'property': 'wwn' } }",
+                   path);
+    g_assert(response);
+    g_assert(qdict_haskey(response, "return"));
+    value = qobject_to(QNum, qdict_get(response, "return"));
+    g_assert_cmpint(qnum_get_uint(value), ==, UINT64_MAX);
+
+    response = qmp("{ 'execute': 'qom-get',"
+                   "  'arguments': { 'path': %s,"
+                   "                 'property': 'port_wwn' } }",
+                   path);
+    g_assert(response);
+    g_assert(qdict_haskey(response, "return"));
+    value = qobject_to(QNum, qdict_get(response, "return"));
+    g_assert_cmpint(qnum_get_uint(value), ==, UINT64_C(1) << 63);
+
+    g_free(path);
+    qtest_end();
+}
+
+static void test_scsi_disk(void)
+{
+    test_scsi_disk_common("scsi-disk", "disk0");
+}
+
+static void test_scsi_hd(void)
+{
+    test_scsi_disk_common("scsi-hd", "hd0");
+}
+
+static void test_scsi_cd(void)
+{
+    test_scsi_disk_common("scsi-cd", "cd0");
+}
+
+int main(int argc, char **argv)
+{
+    int ret;
+
+    g_test_init(&argc, &argv, NULL);
+    qtest_add_func("/scsi-disk/props", test_scsi_disk);
+    qtest_add_func("/scsi-hd/props", test_scsi_hd);
+    qtest_add_func("/scsi-cd/props", test_scsi_cd);
+
+    ret = g_test_run();
+
+    return ret;
+}

tests/test-char.c

@@ -1,3 +1,4 @@
+#define HW_POISON_H // avoid poison since we patch against rules it "enforces"
 #include "qemu/osdep.h"
 #include <glib/gstdio.h>
 

tests/test-string-input-visitor.c

@@ -53,6 +53,14 @@ static void test_visitor_in_int(TestInputVisitorData *data,
 
     v = visitor_input_test_init(data, "-42");
 
+    visit_type_int(v, NULL, &res, &err);
+    g_assert(!err);
+    g_assert_cmpint(res, ==, value);
+    visitor_input_teardown(data, unused);
+
+    value = INT64_MAX;
+    v = visitor_input_test_init(data, g_strdup_printf("%" PRId64, value));
+
     visit_type_int(v, NULL, &res, &err);
     g_assert(!err);
     g_assert_cmpint(res, ==, value);
@@ -68,6 +76,27 @@ static void test_visitor_in_int(TestInputVisitorData *data,
     error_free_or_abort(&err);
 }
 
+static void test_visitor_in_uint64(TestInputVisitorData *data,
+                                   const void *unused)
+{
+    uint64_t res = 0, value = UINT64_MAX;
+    Error *err = NULL;
+    Visitor *v;
+
+    v = visitor_input_test_init(data, g_strdup_printf("%" PRIu64, value));
+
+    visit_type_uint64(v, NULL, &res, &err);
+    g_assert(!err);
+    g_assert_cmpint(res, ==, value);
+    visitor_input_teardown(data, unused);
+
+    v = visitor_input_test_init(data, g_strdup_printf("0x%" PRIx64, value));
+
+    visit_type_uint64(v, NULL, &res, &err);
+    g_assert(!err);
+    g_assert_cmpint(res, ==, value);
+}
+
 static void check_ilist(Visitor *v, int64_t *expected, size_t n)
 {
     int64List *res = NULL;
@@ -354,6 +383,8 @@ int main(int argc, char **argv)
 
     input_visitor_test_add("/string-visitor/input/int",
                            &in_visitor_data, test_visitor_in_int);
+    input_visitor_test_add("/string-visitor/input/uint64",
+                           &in_visitor_data, test_visitor_in_uint64);
     input_visitor_test_add("/string-visitor/input/intList",
                            &in_visitor_data, test_visitor_in_intList);
     input_visitor_test_add("/string-visitor/input/bool",

tests/test-thread-pool.c

@@ -171,6 +171,7 @@ static void do_test_cancel(bool sync)
     /* Cancel the jobs that haven't been started yet.  */
     num_canceled = 0;
     for (i = 0; i < 100; i++) {
+	smp_mb();
         if (atomic_cmpxchg(&data[i].n, 0, 3) == 0) {
             data[i].ret = -ECANCELED;
             if (sync) {
@@ -185,6 +186,7 @@ static void do_test_cancel(bool sync)
     g_assert_cmpint(num_canceled, <, 100);
 
     for (i = 0; i < 100; i++) {
+	smp_mb();
         if (data[i].aiocb && data[i].n != 3) {
             if (sync) {
                 /* Canceling the others will be a blocking operation.  */
@@ -201,6 +203,7 @@ static void do_test_cancel(bool sync)
     }
     g_assert_cmpint(active, ==, 0);
     for (i = 0; i < 100; i++) {
+	smp_mb();
         if (data[i].n == 3) {
             g_assert_cmpint(data[i].ret, ==, -ECANCELED);
             g_assert(data[i].aiocb == NULL);

ui/vnc.c

@@ -1825,6 +1825,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
         if (down)
             vs->modifiers_state[keycode] ^= 1;
         break;
+    default:
+        if (qemu_console_is_graphic(NULL)) {
+            /* record key 'down' info. Some client like tigervnc
+             * will send key down repeatedly if user pressing a
+             * a key for long time. In this case, we should add
+             * additional key up event before repeated key down,
+             * so that it can display the key multiple times.
+             */
+            if (down) {
+                if (vs->modifiers_state[keycode]) {
+                    /* add a key up event */
+                    do_key_event(vs, 0, keycode, sym);
+                }
+                vs->modifiers_state[keycode] = 1;
+            } else {
+                vs->modifiers_state[keycode] = 0;
+            }
+        }
+        break;
     }
 
     /* Turn off the lock state sync logic if the client support the led

util/thread-pool.c

@@ -308,7 +308,12 @@ static void thread_pool_init_one(ThreadPool *pool, AioContext *ctx)
     qemu_mutex_init(&pool->lock);
     qemu_cond_init(&pool->worker_stopped);
     qemu_sem_init(&pool->sem, 0);
-    pool->max_threads = 64;
+    if (sizeof(pool) == 4) {
+        /* 32bit systems run out of virtual memory quickly */
+        pool->max_threads = 4;
+    } else {
+        pool->max_threads = 64;
+    }
     pool->new_thread_bh = aio_bh_new(ctx, spawn_thread_bh_fn, pool);
 
     QLIST_INIT(&pool->head);

vl.c

@@ -29,6 +29,7 @@
 #include "qemu/cutils.h"
 #include "qemu/help_option.h"
 #include "qemu/uuid.h"
+#include <sys/resource.h>
 #include "sysemu/seccomp.h"
 
 #ifdef CONFIG_SDL
@@ -2949,6 +2950,7 @@ int main(int argc, char **argv, char **envp)
     } BlockdevOptions_queue;
     QSIMPLEQ_HEAD(, BlockdevOptions_queue) bdo_queue
         = QSIMPLEQ_HEAD_INITIALIZER(bdo_queue);
+    struct rlimit rlimit_as;
 
     module_call_init(MODULE_INIT_TRACE);
 
@@ -2957,6 +2959,16 @@ int main(int argc, char **argv, char **envp)
 
     qemu_mutex_lock_iothread();
 
+    /*
+     * Try to raise the soft address space limit.
+     * Default on SLES 11 SP2 is 80% of physical+swap memory.
+     */
+    getrlimit(RLIMIT_AS, &rlimit_as);
+    if (rlimit_as.rlim_cur < rlimit_as.rlim_max) {
+        rlimit_as.rlim_cur = rlimit_as.rlim_max;
+        setrlimit(RLIMIT_AS, &rlimit_as);
+    }
+
     atexit(qemu_run_exit_notifiers);
     error_set_progname(argv[0]);
     qemu_init_exec_dir(argv[0]);
@@ -4003,8 +4015,8 @@ int main(int argc, char **argv, char **envp)
     }
 
 #ifdef CONFIG_SECCOMP
-    if (qemu_opts_foreach(qemu_find_opts("sandbox"),
-                          parse_sandbox, NULL, NULL)) {
+    olist = qemu_find_opts_err("sandbox", NULL);
+    if (olist && qemu_opts_foreach(olist, parse_sandbox, NULL, NULL)) {
         exit(1);
     }
 #endif